backbone.simple-auth
A basic cookie-based client-side auth service for Backbone apps.
Motivation
Some client-side apps need to send a token stored in a cookie along with each request to an API under the Authorization header. This library manages that for you.
It also provides a central location for your app to determine if the user is authenticated or not.
When should I use this library?
- Your application stores authenticated user tokens in cookies
- Your API follows the Bearer Token spec for the Authorization header. Github's API is an example of an API that accepts this format.
Dependencies
Other than Backbone (and Backbone.$), this library depends on
Cookies. Don't worry – it's only 1kb.
Basic Usage
Your server should be configured to set the authentication token as a cookie. When that happens, and your app loads...
// Load up the modulevar Auth = ; // Create a new instance of auth. If the cookie with the given// name exists, then `auth` will set the value of the `Authorization` HEADER// for future AJAX requests to be `Bearer COOKIE_VALUE`auth = cookieName: 'user-token'; // Returns true if the cookie existsauth; // Get the tokenauth; // Destroy the cookieauth;That's all there is to it.
Attributes
Auth is a Backbone Model. As such, you can use the Model API when interacting with it. There are three attributes on Auth:
cookieName
The name of the cookie to search for the token on. Defaults to token.
authenticated
A boolean representing whether or not the user is authenticated. Defaults to false.
token
The value of the token. Defaults to undefined.
API
determineAuth()
Searches for a cookie with the same name as auth.get('cookieName'). If it exists,
then its value is assumed to be the token, and the user is set to be authorized.
This is called when auth is first created. You may also wish to call it later if
your application allows for logging in on the client.
If the cookie is found, the authenticated event is triggered.
logout()
If the user is logged in, then the cookie will be destroyed. The value of authenticated is
set to false, and the value of token is set to undefined. Lastly, the logout event is
triggered.
Events
authenticate
The user has logged in. Called when auth is first loaded. The value of the token is passed
as the first argument.
logout
The user has been logged out.
FAQ
How do I log the user in from the client?
This library does not handle creation of cookies containing auth tokens, because there are so many
ways to accomplish such a task. You will need to build your own system to generate the token. Once
you've done that, and you can generate a token for authenticated users, then you must set it as the
cookie. Once that is done, call auth.determineAuth() to notify the auth model that the user is
logged in.
Is this library secure?
It might seem strange that this library considers a user authenticated if there is any value stored in the cookie. As surprising as it may seem, this is not a security concern. The fact is that there is simply no way for the client to be certain that the user really is authenticated. At most, you can make an educated guess. Even a token that once authenticated the user could be remotely revoked at any time.
In this light, assuming that the user is unlikely to tamper with cookies is a reasonable assumption to make.
These assumptions are always checked against the API whenever sensitive data is requested. Consequently, even a user who does mess with the cookies, or otherwise has an invalid token, will be unable to access any sensitive data. At most, they will see an empty UI interface.
Contributing
Unit tests
In Node
Run gulp to execute the test suite in Node.
In the browser
Run gulp test:browser to start a server. Then, navigate to http://localhost:7777/test/runner.html to run
the suite.
Building the library
gulp build