针对Laravel后端的Angular Auth [英] Angular Auth against Laravel backend
问题描述
我正在使用Laravel创建一个应用程序,并构建一个小的内部API与Angular前端连接.
I am creating an app using Laravel and building a small internal API to connect to with an Angular frontend.
我正在使用身份验证,但是想确保这是一种可以接受的登录用户的方式,并确保所有内容都是安全的.
I have the auth working, but wanted to ensure that this is an acceptable way to log in a user, and to make sure everything is secure.
会话控制器:
public function index() {
return Response::json(Auth::check());
}
public function create() {
if (Auth::check()) {
return Redirect::to('/admin');
}
return Redirect::to('/');
}
public function login() {
if (Auth::attempt(array('email' => Input::json('email'), 'password' => Input::json('password')))) {
return Response::json(Auth::user());
// return Redirect::to('/admin');
} else {
return Response::json(array('flash' => 'Invalid username or password'), 500);
}
}
public function logout() {
Auth::logout();
return Response::json(array('flash' => 'Logged Out!'));
}
拉威尔(Laravel)路线:
Laravel Route:
Route::get('auth/status', 'SessionsController@index');
Angular工厂:
Angular Factory:
app.factory('Auth', [ "$http", function($http){
var Auth = {};
Auth.getAuthStatus = function() {
$http({
method: "GET",
url: "/auth/status",
headers: {"Content-Type": "application/json"}
}).success(function(data) {
if(!data) {
console.log('Unable to verify auth session');
} else if (data) {
console.log('successfully getting auth status');
console.log(data);
// return $scope.categories;
Auth.status = data;
return Auth.status;
}
});
}
return Auth;
}
]);
然后,我基本上将整个应用程序包装在一个类似"appController"的东西中,然后将"Auth"工厂声明为依赖项.然后,我可以调用Auth.getAuthStatus()并根据用户状态隐藏/显示内容,因为它实际上是SPA.
I would then essentially wrap the whole app in something like an "appController" and declare the 'Auth' factory as a dependency. Then I can call Auth.getAuthStatus() and hide / show things based on the user state since this will essentially be SPA.
我意识到我还需要隐藏/auth/status URI,以防止任何人查看/点击它,并且想知道如何做到这一点.有点一般性的问题,但是任何见识都会受到赞赏.谢谢.
I realize I also need to hide the /auth/status URI from being viewed / hit by anyone, and was wondering how to do that as well. Kind of a general question but any insight would be greatly appreciated. Thanks.
推荐答案
好问题.我之前已经回答过同样的问题,所以我会说同样的事情.
Great question. I've answered this same question before so I will say the same thing.
在SPA中,身份验证有点不同,因为您将Laravel应用程序和Angular几乎完全分开了.Laravel负责验证,逻辑,数据等.
Authentication is a bit different in SPAs because you separate your Laravel app and Angular almost completely. Laravel takes care of validation, logic, data, etc.
我强烈建议您阅读底部链接的文章.
I highly suggest you read the article linked at the bottom.
您可以使用Laravel的路由过滤器来保护您的路由免受未经授权的用户的侵害.但是,由于您的Laravel应用程序现在仅成为端点,因此前端框架将在身份验证和授权方面进行繁重的工作.
You can use Laravel's route filters to protect your routes from unauthorized users. However, since your Laravel application has now become an endpoint only, the frontend framework will be doing the heavy lifting as far as authentication and authorization.
一旦设置了路由过滤器,就不会阻止授权用户尝试执行未经授权的操作.
Once you have route filters set, that doesn't prevent authorized users from attempting to do actions that they are not authorized to do.
例如,我的意思是
您有一个API端点:/api/v1/users/159/edit
You have an API endpoint: /api/v1/users/159/edit
端点是RESTful 7之一,可用于编辑用户.任何软件工程师或开发人员都知道这是一个RESTful端点,并且如果得到您的应用程序的授权,则可以将带有数据的请求发送到该端点.
The endpoint is one of the RESTful 7, and can be used to edit a user. Any software engineer or developer knows that this is a RESTful endpoint, and if authorized by your application, could send a request with data to that endpoint.
您只希望用户159或管理员能够执行此操作.
You only want the user 159 to be able to do this action, or administrators.
一个解决方案是角色/组/权限,无论您想称呼它们为什么.在Angular应用程序中为您的应用程序设置用户权限,并可能将该数据存储在已发行的令牌中.
A solution to this is roles/groups/permissions whatever you want to call them. Set the user's permissions for your application in your Angular application and perhaps store that data in the issued token.
(在AngularJS中)阅读这篇精彩的文章,了解如何使用前端JavaScript框架正确地进行身份验证/授权.
Read this great article (in AngularJS) on how to authenticate/authorize properly using frontend JavaScript frameworks.
这篇关于针对Laravel后端的Angular Auth的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
