1

I am creating SPA application using Angular. This will serve my two purpose for middle layer on mobile as well website.

Now trying to security my application from XSS, CSRF and also wanted secure authentication mechanism. My services will be Resful stateless services.

This is the flow which I think will help me.

  1. Client App send User ID, Password to server.
  2. Server validate the request and generate token which will get stored in db.
  3. This token = userId + Random Number + TimeStamp
  4. token will send back to client APP.
  5. client APP will store it in local storage or cookie.
  6. With every subsequent request i will validate the token with one store in db.

Problem areas

  1. Where should the token stored? Cookie or local storage?
  2. On server, token need to be stored somewhere. If stored in db that will increase load on DB.
  3. Since I am going to use AJAX request, how should I pass token value Header or body?
  4. Since this same codebase I will use for my website also, How secure is this approach for website?
  5. How to tackle CSRF attack in this case?

I have referred Securing a JavaScript Single Page App with RESTful backend also. But the storing the user id in again Cookies will create security hole. Because both userid and token are stored on client side.

Community
  • 1
Dhiren Patel
  • 113
  • 3
  • The most important part I would think of, is obfuscating all my JavaScript source code, specially when the business logic is exposed partially on the client side. – elsadek Jul 07 '14 at 22:25

1 Answers1

1

I would recommend utilizing OpenID for authentication. This way you do not have to handle authentication and the storage/maintenance of user credentials in your own DB.

regarding CSRF, with angular its simple. Angular has a built in mechanism that will look for a CSRF token in a specific cookie and than send it as a http header in each request made with Angular's $http module. What your backend needs to do is populate (once per session) the cookie with a cryptographically secure random token (Angular recommend a digest of the user authentication token with a salt) and then validate the correctness of the http header upon request in your REST API.

aviv
  • 1,267
  • 7
  • 8
  • I might sound novice. But can you please elaborate. I am sending request from mobile to server with user id + password. What will be response from Server? How will I create the token and where should I store it on server so that I can avoid frequent DB call to validate user token? – Dhiren Patel Jul 07 '14 at 11:50
  • For example, using Google as your provider - the user logs in with their google credentials (they do not need to create a user and password on your site). You receive an access token and the email of the authenticated user from google. Your client side can send the token to the server side which can then validate it with google. It is then up to you to decide if you want to re validate the token on each request to your REST API or keep it in session. This way you do not need a DB at all. Google documentation: https://developers.google.com/+/web/signin/add-button – aviv Jul 07 '14 at 13:45
  • Not planning to use OPEN ID right now. Anyway searched over the net, either I should store the token in cache or DB. There is no other option. – Dhiren Patel Jul 07 '14 at 15:30
  • From your name I suppose you are doing your server side in .NET? If so you can use .NET forms authentication for the management of the user authentication. .NET in that case will handle the mechanism for you. If you insist to handle authentication yourself (which i do not recommend) I suppose you could just keep the token in the session in order to authenticate the user in subsequent requests. If you do that, do use some safe session management framework such as the ones out of the box from .NET or Java and dont try to invent one yourself. – aviv Jul 08 '14 at 15:08
  • It's not .Net now. Application is SOA based SPA. Cant use those security framework. – Dhiren Patel Jul 08 '14 at 16:42