alexbeletsky
commented
11 years ago hey @mic0331
- Thanks for pointing to
backbone.basicauth- looks like nice plug. Anyway, the solution by @Vijar a bit more, since it's very simple and actually delegating setting auth headers to jQuery (which is for me bit more robust). - As for invalidating tokens: this is really good point you mentioned. I'm currently implemented HMAC based auth for one of my projects and had the same question. Unfortunatelly, what I can see - it's not possible to invalidate HMAC based token (except the fact it's expired). So, I set expire period for rather small value (24 hours).
Anyway, I'm going to ask few smart guys about and update ticket with info :)
Vijar
Hi @alexanderbeletsky
thanks for your tweet about the authentication snippet for backbone ;-) I finally spent some time integrating your code into a project of mine and find this backbone.basicauth that might be very useful when using your hmac security scheme.
https://github.com/fiznool/backbone.basicauth
So far your security solution is working well but i'm questioning now about the logout phase. How to permanently log out a user? As far as i know basic auth is not offering any solution to permanently log out a user. What do you think ?
My webapp is using cookies authentication so at logout i can destroy the cookie and the user cannot access secure pages anymore BUT on the other hand, my REST api is hosted on a different server and therefore is not using the cookies auth but just the basic auth system. At logout from my app i cannot access the webapp anymore but the REST endpoints are still accessible... Any idea on how to make a proper basic auth logout via jquery or backbone ?
Also something to consider in your boilerplate, i'm using passeport.js with local strategy. This plugging hugely simplify the code and offer something proven for a big app.