angularjsauthenticationasp.net-web-apiowinform-authentication

AngularJs - Displaying username password in url


I have a AngularJs application with Webapi (c#). I have a login page but some times when I click on Login button, it adds the user credentials in url which causes security issue.

I am using OWIN for auth.


Solution

  • I have been puzzling a similar error in my application for a bit. I was confused because we definitely weren't explicitly adding the username & password to the URL, and it only happened in certain scenarios - not all the time.

    Eventually, today, I got down to the bottom of it.

    I discovered that it's default HTML behaviour to add form parameters to the URL when you don't specify an action or a method. A form method defaults to GET which explains why the parameters get added to the URL.

    I then discovered that the Angular controller method specified in "ng-submit" for the form element was not being called at all.

    When I examined the Javascript errors logged in the Console, I realised that the Angular container was not being loaded due to an unhandled exception that was thrown when the login page was being rendered.

    Our specific situation was that the frontend (Angular) application was unable to communicate with the backend (Java) API - when we loaded the login page before the backend server container was started up. When that happened, some of the API calls we made during initialisation to load constants from the application's database failed and our application constants were not initialised correctly in the error function. This caused an "Unknown Provider" exception to be thrown which caused the Angular framework to abort initialisation which resulted in the submission of the form being handled by default HTML behaviour!

    So I suggest that anyone else facing this issue looks to see if there are any errors being thrown during initialisation of your Angular app.