Authentication with AngularJS, session management and security issues with REST Api WS

灰色年华 2020-12-07 08:24

I started developing a web-app with AngularJS and I'm not sure that everything is right secured (client and server side). Security is based on a single login page, if cred

4 answers

    伪装坚强ぢ 2020-12-07 09:05

    First, there is no short or only one answer to what you have asked. In addition to what has already been answered, let me try to add something more. At enterprise level, there are four major components:

    1. UI
    2. User Authentication Server - Here you validate user credentials and generate necessary cookies for the user to move forward on the UI. If this step fails, the user gets stopped right there. This server has nothing to do with API token generation & you need this for non-API based systems too. Google Authentication is one example.

    Extension: Siteminder Authentication

    SiteMinder Cookies, their Usage, Contents and Security

    Building a Java authentication server for Chatkit

    3. API Token Server - This server generates API tokens based on cookies generated in step # 2, i.e. you send cookies to the server and get a token.
    4. APIs - You use the token generated in step # 3 to make API calls.

    It's better that you deploy & manage these four components independently for better scale. E.g. in this article, they have mixed up authentication & token generation in a single end point & that's not good - Microservices with Spring Boot — Authentication with JWT (Part 3)

    By your write up, it looks that you have written component two & three on your own - usually folks utilize some ready made tools for this like CA SiteMinder - How CA Siteminder works – Basics

    Any tips on how to generate a unique strong token?

    I would suggest that you go via standardized way for better maintainability & security i.e. you choose JWT format. JSON Web Token (JWT) Authentication Scheme

    Your token will be signed & encrypted, so you would also need an encryption key server & a mechanism to rotate these keys at regular intervals.

    JSON Web Tokens - How to securely store the key?

    What is the difference between JWT and encrypting some json manually with AES?

    CA person has attached a detailed pdf guide on this community portal - that will help you to understand the overall flow.

    Sample Code / App to use of REST JWT token API

    Your API code will need to fetch the encryption key and decrypt & decode the token to authenticate it. If the token is tampered with or missing, you need to flag it as such. There are libraries available for this.

    Is it better to store the token inside a new cookie or in localStorage?

    localStorage if UI & API are on different domains & cookies if on the same domain.

    Should JWT be stored in localStorage or cookie?

    Cross-Domain Cookies

    Security of an application is also dependent on the deployment model, and that part you haven't specified in your question. Sometimes, developers might leave flaws as simple as SQL injection in their code :)

    What if JWT is stolen?
