Outline chapter on authentication

[gvwilson]

Create point-form outline for chapter on authentication with Angular

[winkerVSbecks]

@gvwilson does this work?

• [ ] Theory
  • [ ] Authentication vs. Authorization
  • [ ] Token vs cookie
  • [ ] CSRF
  • [ ] Client-Side vs Server-Side
• [ ] Execution
  • [ ] Setup a thin HTTP wrapper which would allow us to handle errors and authentication in a centralized location
  • [ ] How to create a basic auth flow:
  • block all requests for user specific data until user is logged in
  • login ➡️ get token ➡️ save token in app state and local storage
  • use token for all user specific data requests
  • On log out wipe out token from local storage and hard reload app
  • [ ] Authentication flow with Redux
  • same as above except auth state and tokens are managed by redux
  • We could potentially demo patterns such as merging two observables (one for auth and one for request) when requesting user specific data.
  • [ ] XSRF token with Angular 2

A lot of content could be repurposed from: ngCourse 1.0 – authentication

[gvwilson]

This is a great start - a couple of questions:

1. Will you show people how to block access the right way with Angular? I presume there's a middleware decorator thingy?
2. Am I right in assuming this plan stores credentials locally? If so, can you get into OAuth flow and how to implement that (since we probably want people to use external credential stores rather than rolling their own, and it's a chance to talk about other architecture issues).

Thanks, Greg

[winkerVSbecks]

Will you show people how to block access the right way with Angular? I presume there's a middleware decorator thingy?

I don't know if there is a right way. It depends on the architecture. I prefer the HTTP wrapper approach. The other option is to use HTTP interceptors.

Am I right in assuming this plan stores credentials locally? If so, can you get into OAuth flow and how to implement that (since we probably want people to use external credential stores rather than rolling their own, and it's a chance to talk about other architecture issues).

Only the auth token. Doesn't matter where this token comes from. I wanted to focus on client side only.

We could talk about OAuth with Google/Twitter/etc. However, they all require a backend component.