Auth
The general idea: user authentication starts on the Login screen, where the user enters a login and password and clicks the button; on success the user is redirected to the Home screen. During this process the Web Backend generates a JWT for the user and sends it back to the Web Frontend, which stores it in a cookie. Once the JWT is saved in the cookie, the user can access the Home screen's UI and the Web Backend's endpoints. To log out, there is a "Logout" button in the UI's side panel. When the user clicks it, the Web Frontend deletes the cookie and redirects the user to the Login screen.
Web Frontend:
- Handles the user name and password and sends them to the Web Backend,
- Receives the JWT and creates a cookie holding it,
- Manages routing for auth and provides an "Unauthorised" page,
- Adds the JWT to the HTTP "Authorization" header of requests to the Web Backend.
Web Backend:
- Receives the user name and password and checks them against the database,
- Generates a JWT and returns it to the Web Frontend when the credentials are correct.
If the user sends a request to a secured endpoint, the Web Backend:
- Verifies the JWT (its signature and claims),
- Takes the user's identity from the JWT's claims,
- Retrieves the requested data from the DB for that user name.
Is it secure? NO! This authentication system is NOT SECURE on many counts; some of them are:
- The password is sent in the clear between the Web Frontend and the Web Backend (no encryption on the wire),
- The login form lacks basic input validation,
- The login endpoint on the Web Backend keeps no record of the JWTs it issues, so every login mints another valid JWT for the same user and the backend has no way to revoke one (a logout only deletes the frontend's cookie),
- The auth cookie lacks the "httpOnly" flag (a limitation of the ngx-cookie-service library; HttpOnly can only be set by the server in a Set-Cookie header, never from JavaScript, so any script injected into the page can read the token),
- Passwords in the DB are stored in plaintext (neither hashed nor encrypted),
- The app has not been tested against XSS, CSRF, MitM and similar attacks.
This implementation is purely for R&D purposes and is not suitable for any serious production use. If you really want to run Binder in a real-world production setting, I recommend hiding all of the app's communication behind a VPN.
If you find another security issue, please let us know about it via a bug report on Binder's project repo.