ragulka / sails-starter-app

Sails starter app

API-key based authentication #2

Closed WonderPanda closed 11 years ago

WonderPanda commented 11 years ago

Hi, awesome work on putting together a starter app for sails that includes authentication! It's definitely something that's lacking and for someone who's new to a full stack JS dev environment it's extremely helpful. Was wondering about whether or not you're still planning on adding API-key based authentication? I'm extremely interested in how that might be implemented as I'm currently working on an Angular-Sails based app through which the client side interacts exclusively with the server using API REST calls. There aren't a lot of good resources online for implementing this kind of thing so I'm eagerly awaiting any light you might be able to shed on the issue.

ragulka commented 11 years ago

Hey, yes that is still on the pipeline. It is actually done on my local system, but I need to figure out how I can bypass CSRF for HTTP Basic Auth, since CSRF requires sessions. (See https://github.com/balderdashy/sails/issues/1022 and https://github.com/balderdashy/sails/pull/1038).

If your Angular app is on the same server as Sails, then you should probably use regular good-old sessions-based auth (the same thing that is already implemented). API-key based authentication makes sense if 3rd party apps need to use your API for something.

I might add some basic Angular code/views to demonstrate this approach sometime.

WonderPanda commented 11 years ago

Hi, thanks for the extremely fast reply! I'm currently working on a mobile app that I'm building using Angular and publishing out to the various platforms using PhoneGap, so API based authentication is very desirable for my situation. Since right now the only access to the API would be through mobile clients, I'm wondering if CSRF is as much of an issue right now? Perhaps I could get away without it?

Excuse my ignorance; this is a very new journey for me as I come from a C# background working in a financial company, so there's a lot to take in as I try to transition to being able to develop for the web.

Would you be willing to commit the API based authentication to GitHub? Even if it's not completely done I'd love to get a chance to start playing around with it and perhaps I could even be useful in helping to make the starter app better. Thanks again!

ragulka commented 11 years ago

@WonderPanda I just pushed a major update that includes API-key based authentication. I am actually not at all familiar with Angular, so I cannot give you specific instructions, but you need to authenticate requests by setting both the username and password in the Authorization header to match the API key of a user.

Please note that you need to turn off csrf in config/csrf.js.
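
The scheme described in the last comment (HTTP Basic credentials where username and password both equal a user's API key), sketched as a Sails-style `(req, res, next)` policy. This is an added example, not code from the starter app; `USERS`, `safeEqual`, `parseBasic`, `authenticateApiKey` and `apiKeyPolicy` are hypothetical names, the in-memory user list stands in for a model lookup, and the key is a constructed sample.

```javascript
const crypto = require('crypto');

// Constructed sample data: stands in for a user model lookup (assumption).
const USERS = [{ id: 1, email: 'alice@example.test', apiKey: 'k3y-constructed-0123456789abcdef' }];

// Constant-time string comparison: hash both sides so lengths match,
// then compare digests with timingSafeEqual.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Parse "Basic base64(username:password)"; returns null if malformed.
function parseBasic(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/i.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the first colon only
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Returns the user whose API key matches BOTH fields, or null.
function authenticateApiKey(header, users) {
  const creds = parseBasic(header);
  if (!creds || !creds.username) return null;
  if (!safeEqual(creds.username, creds.password)) return null;
  let found = null;
  for (const u of users) {
    if (safeEqual(u.apiKey, creds.username)) found = u; // no early exit
  }
  return found;
}

// Policy wrapper: rejects with 401 unless a valid key is presented.
function apiKeyPolicy(req, res, next) {
  const user = authenticateApiKey(req.headers.authorization, USERS);
  if (!user) {
    res.set('WWW-Authenticate', 'Basic realm="api"');
    return res.status(401).json({ error: 'Invalid API key' });
  }
  req.user = user; // downstream controllers read the authenticated user here
  return next();
}
```

Because the API key travels in every request, this only makes sense over TLS; storing a hash of the key rather than the key itself would change the lookup but not the header handling.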