Tags: node.js, authentication, sails.js, waterlock

sails + waterlock, how to implement the workflow with corresponding HTML templates


Background

About 6 months ago, I started developing a web app with Sails. I was hoping to easily implement Authentication and Permission using sails-auth or sails-generate-auth and sails-permissions. 6 months later I realize that these modules aren't well maintained anymore. I decided to fall back to using Waterlock.

Questions

I am a newbie when it comes to NodeJS, Express & Sails. Coming from Rails, I had biased expectations. I need to be taken by the hand...

I was able to install Waterlock properly, and was able to play with the API.

1. Login

POST http://localhost:1337/auth/login

Passing email and password in the form-data (see screenshot below):

which returned (in POSTMAN):

{
  "auth": {
    "password": "$2a$10$5swWYJLZ.KbKWA9.8Hg8eOr.8HiCBiddWDyHyGSB3y7bluJZwvjDS",
    "email": "my.email@mydomain.com",
    "createdAt": "2016-10-04T13:01:17.594Z",
    "updatedAt": "2016-10-04T13:01:17.607Z",
    "id": 12,
    "user": 13
  },
  "createdAt": "2016-10-04T13:01:17.603Z",
  "updatedAt": "2016-10-04T13:01:17.603Z",
  "id": 13
}

I guess my user was created and stored along with his encrypted password.


Next I tried implementing the UI (that's where I need guidance):

UserController.js:

// GET /user/new: renders views/user/new.ejs (the sign-up form below)
'new': function(req, res) {
    res.view();
},

user/new.ejs:

<h1>Sign up</h1>
<!-- posts email + password to Waterlock's login endpoint -->
<form action="/auth/login" method="POST">
    <input type="text" placeholder="me@mydomain.com" name="email">
    <input type="password" placeholder="password" name="password">
    <input type="submit" value="Create account">
</form>

Question 1: After creating/logging in the user, i.e. auth/login, how do I redirect to another URL? e.g. /user/show/:id, the id of the user just created.

I tried adding a login action to the AuthController, but that just overrides the actually useful action.

UPDATE: I found that waterlock.js has post-action hooks, but I still don't know how to redirect to /user/show/:id of the user just created or logged in.

Question 2: Shouldn't I remove the "password": "$2a$10$...ZwvjDS", returned?

2. JWT

Alright, JSON Web Tokens. So I am authenticated, and next I create a JWT that I can pass in the header of my next request.

With POSTMAN

POST http://localhost:1337/user/jwt

{
  "token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiIxM3x1bmRlZmluZWQiLCJzdWIiOiJzdWJqZWN0IiwiYXVkIjoiYXBwIG5hbWUiLCJleHAiOjE0NzYxOTIxNDc3OTgsIm5iZiI6MTQ3NTU4NzM0Nzc5OCwiaWF0IjoxNDc1NTg3MzQ3Nzk4LCJqdGkiOiI5ODgyYWY2MC04YTM1LTExZTYtODI0Yy1mNTZhYWE0MDhiZmIifQ.GYT4f49ggW8VwaEqTy0JskX6nHWZUMvM0A92KD1EC4I",
  "expires": 1476192147798
}

Question 3: I am authenticated, a session was created right? Why do I need a JWT? Is it better than sessionAuth?

Actually found my answer here

Question 4: Right after LOGIN, I need to POST http://localhost:1337/user/jwt to obtain a JWT. How should I implement that in Sails?

3. How do I use my access_token

Question 5: Where do I store the access_token and use it in the next request? (the best practice for Sails)


Solution

  • Ad. 2) Certainly yes. The client shouldn't have access to his encrypted password.

  • Ad. 4) JWT should be in a service, not a controller, because that is the more secure way. So, yep. It should be done on the server side and the client shouldn't have access to the JWT logic.

  • Ad. 5) Whatever you want. IMHO the header is the best place.