justmaier / angular-spa-security Goto Github PK

What's a point of enter in Modified SPA demo? I didn't find a main page View.

I would like to ensure that Security.user is set (without having to $watch). Is there a way to call
Security.authenticate() to return a promise, and or block until Security.user is set?

I am accessing security.user.role in child controllers. If I can have a hook to see that user is set, then I can use a route resolver.

Upgrade Request

@JustMaier Is there any plan to upgrade angular-spa-security with angular 6?

Hi,

I'm using your code to integrate Angular SPA with ASP.NET MVC5 and it is very usefull.

I can't resolve a little but important issue. I can login, and everything goes well, but if i press F5 on the browser the object security.user is null. Why? :)

I'm missing something? You persist user info somewhere? I need to "re-authenticate" to get userinfo again?

Thanks for the great work. Not sure of the value of the "ConfirmEmail" if login is still permitted without having confirmed the email. Is there something I'v missed?

IIS after recycling do not understand headers and return 401 to every request (not only for [Authorize] methods, even to static content).

Client treats himself as authenticated.
In the LoginCtrl first line redirectAuthenticated('/') redirects.
Security.logout() failed with 401.
Only deleting browser history helps.

First: Great work! Thanks! your provider saved me from a lot of headache‎.

When logging in with or without remember me, the object security.user contains the returned values from the server:

{"access_token":"XXX-LOOONG-XXX","token_type":"bearer","expires_in":1209599,"userName":"admin",".issued":"Tue, 11 Feb 2014 20:18:28 GMT",".expires":"Tue, 25 Feb 2014 20:18:28 GMT"}

Perfect, thats excactly what i want to know about the user from a security aspect. 👍

But, when you refresh the browser / open a new window security.user contains:

{"UserName":"admin","Email":"[email protected]","IsConfirmed":false,"HasRegistered":true,"LoginProvider":null}

The only interesting thing here from a security aspect is UserName. 👎 This will not help much for future api calls when a user has ticked rememberme or a browser refresh is made. (Internet Explorers "security" warnings that all the time....! And some users too.)

As a small workarround i have modified your initialize function to have at least the access token.

Api.getUserInfo(accessToken()).success(function (user) {
                    Security.user = user;
                    Security.user.access_token = accessToken();
                    if (securityProvider.events.reloadUser) securityProvider.events.reloadUser(Security, user); // Your Register events
                });

Maybe you should store all the infos from the /token response into session / local storage and return those here instead of the user info object.

Merging userinfo with the security related infos would not be a good idea in my opinion. In my case this would be arround 40 properties. Maybe you can simply copy your code into a new method? security.getUserInfo()?

Hi!
IMHO, there's a piece of code with is a copy/paste issue:
if (securityProvider.events.login) securityProvider.events.logout(Security);

There is 'login' instead of 'logout' in if condition

When login success will redirect url, i know can set something, maybe return url or securityProvider.urls.home. But in my case, I get return url after login, if this code exist, it will go to A url then B url, it's bad.

Security.redirectAuthenticated(redirectTarget() || securityProvider.urls.home);

Can remove this code or add param to ignore it?

Not sure this is an 'issue' as such. What you have done so far is amazing and I'm grateful for that alone.
But might you consider extending it to work with 3rd Party Login providers?

In angular-spa-security.js, simply add:
1)

    setPassword: '/api/account/setPassword',

        setPassword: function (data) {
            return $http({ method: 'POST', url: Urls.setPassword, data: data });
        },

        Security.setPassword = function (data) {
            var deferred = $q.defer();

            Api.setPassword(data).success(function () {
                deferred.resolve();
            }).error(function (errorData) {
                deferred.reject(errorData);
            });

            return deferred.promise;
        };

HttpContext.Current.User.Identity.GetUserId() returns null
How to get userId on server side?