I'm using ember simple-auth library with ember simple-auth-token.
However, every time I perform a logout action, django does not delete the token of the logged in user.
I should point out that the frontend works like a charm!
I am wondering if there should be a change in the frontend or in the backend code.
The invalidate() method should normally take care of the token refresh action, right?.
Here is my code, which is pretty much the same as the code presented in the README of ember simple auth.
controller/application.js
import Ember from 'ember';
export default Ember.Controller.extend({
session: Ember.inject.service('session'),
actions: {
invalidateSession() {
this.get('session').invalidate();
}
}
});
Thanks in advance!
ember-simple-auth-token's authenticators don't implement the invalidate method that called upon session invalidation and can be used to send a request to the backend to invalidate the token. Without that method being implemented Ember Simple Auth simply deletes the token on the client side.
You should be able to extend the ember-simple-auth-token authenticator you're using and implement the invalidate method so that it sends a token invalidation request to the backend. Be sure to return a promise though.
Related
I have an ember app that connects with github, but the authentication flow returns the authorization code, not the access token, and I don't really know how to do the exchange...well, at least I didn't found any examples on the internet.
I'm kinda new to ember, this is what I got so far
authenticator/torii.js
import Ember from 'ember';
import ToriiAuthenticator from 'ember-simple-auth/authenticators/torii';
export default ToriiAuthenticator.extend({
torii: Ember.inject.service()
});
torii-providers/github.js
import GithubOauth2Provider from 'torii/providers/github-oauth2';
export default GithubOauth2Provider.extend({
fetch(data) {
return data;
}
});
I know I may have to change something in the provider, but I don't really know where to start
I've used Torii to do GitHub auth myself. Here's my advice:
Drop ember-simple-auth and just use Torii directly. Ironically, ember-simple-auth's Torii wrapper isn't "simple".
You should go over Torii's docs to familiarize yourself with the library.
In your config/environment.js, configure Torii. Example:
torii: {
sessionServiceName: 'session',
providers: {
'github-oauth2': {
// your api key goes here
apiKey: '',
// link to your app goes here
// in development mode, it should be http://localhost:4200
redirectUri: '',
// specify OAuth scope here
scope: ''
}
}
}
Create a file called torii-adapters/application.js. Here you will need to implement the three methods .open(), .fetch(), and .close(). Note that you will receive the authorizationCode as a parameter for .open(), which you should exchange (with your auth backend) for an access token.
Oh, and you'll need an OAuth backend that keeps your client secret private. You send the authorization code from your Ember app to your OAuth backend, and the OAuth backend responds with an access token.
If none of that made any sense to you, check out this blog post, which has a good summary of OAuth. You should understand the big picture so that filling in the details is easy. :)
I use ember-simple-auth to manage authentication in my ember app.
The addon provides a session library which apparently stores the response from API server when I login using token authentication. The response contains typical oAuth2 response like access token, refresh token, expiry time etc. The library provides a boolean variable which tells if the user is authenticated or not currently.
I use an instance initializer which uses this boolean variable to fetch and store current user details. The code looks like this:
// app/instance-initializers/current-user.js
import Session from "ember-simple-auth/services/session";
export default {
name: "current-user",
before: "ember-simple-auth",
initialize: function(container) {
Session.reopen({
setCurrentUser: function() {
if (this.get('isAuthenticated')) {
container.lookup("service:store").find('user', 'me').then((user) => {
this.set('currentUser', user);
});
}
}.observes('isAuthenticated')
});
}
};
This works fine when I login and navigate across different routes in the app. The problem comes when I reload some page. The current user details somehow get erased and this setCurrentUser is also called but it gets called after all the hooks in the current route are called. So in hooks like model, beforeModel, setupController etc. session.currentUser is not set and it is set only after all these hooks are called.
How to avoid this? How to make the current user details available in route hooks on page reload?
New Answer
Completely ignore the below answer for now. Try to change your initializer to only fire after ember-simple-auth, like below:
// app/instance-initializers/current-user.js
import Session from "ember-simple-auth/services/session";
export default {
name: "current-user",
after: "ember-simple-auth",
Have a look at this part of the docs, some more information there regarding the initializer, and the let me know if you are using the following route mixin:
import ApplicationRouteMixin from 'ember-simple-auth/mixins/application-route-mixin';
Previous Answer
I recommend you read through the session stores in the readme and try switch between session stores temporarily to see if that fixes your problem. Otherwise implement your own custom session store with local storage to make sure the persist & restore hooks work like expected.
The object you'll extend in that case looks like this(copied from readme):
// app/session-stores/application.js
import Base from 'ember-simple-auth/session-stores/base';
export default Base.extend({
persist() {
…
},
restore() {
…
}
});
The page to login to our application is a jsp hosted on another machine. I have managed to get requests firing to this machine by modifying authenticated-route-mixin by allowing window.location.replace to be called if the route start with http.
beforeModel(transition) {
if (!this.get('session.isAuthenticated')) {
Ember.assert('The route configured as Configuration.authenticationRoute cannot implement the AuthenticatedRouteMixin mixin as that leads to an infinite transitioning loop!', this.get('routeName') !== Configuration.authenticationRoute);
transition.abort();
this.set('session.attemptedTransition', transition);
debugger;
if (Configuration.authenticationRoute.startsWith('http')) {
window.location.replace(Configuration.authenticationRoute);
} else {
this.transitionTo(Configuration.authenticationRoute);
}
} else {
return this._super(...arguments);
}
}
This is working but when I am redirected back to my application, ember-simple-auth thinks I am no longer logged in and redirects be back to the remote machine, which then sends me back to the application in an infinite loop.
Obviously I need to set something to let ember-simple-auth know that it it is actually logged in. Why is it not doing this automatically? What am I doing wrong?
I am pretty new to oAuth so I could be missing some basic setting here.
Here is the URL.
ENV['ember-simple-auth'] = {
authenticationRoute: 'https://our-server.com/opensso/oauth2/authorize?client_id=test-client-1&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fsecure'
};
Instead of modifying the AuthenticatedRouteMixin, I'd recommend handling your app-specific login in an Authenticator-- the key configuration primitive that Ember Simple Auth provides as part of its public API.
To the best of my understanding, on first loading the app, and checking to see if a user is authenticated, Ember Simple Auth will use the restore method, defined as part of the Authenticator API.
You can return a promise from restore that resolves or rejects to indicate whether the user is authenticated. How you check this is an implementation detail of your auth system.
I don't know how you're storing credential(s) on the client (would be great if you could provide more detail), but here's an example flow, using cookies for authentication:
Ember boots, ESA attempts to restore the session.
restore makes a simple AJAX request to a secured, "dummy" resource on your Java server-- and checks if it gets back a 200 or a 401.
We get a 401 back. The user isn't authenticated, so reject in the Promise returned from restore.
Let ESA redirect the user to your authentication route. Ideally, don't override the AuthenticatedRouteMixin-- instead, use the beforeModel hook in the authentication route to send users to your JSP login page.
The user correctly authenticates against the JSP form.
In its response, your Java server sets some kind of encrypted, signed session cookie (this is how it generally works with Rails) as a credential. In addition, it sends a redirect back to your Ember app.
Ember boots again, ESA calls restore again.
restore pings your Java server again, gets a 200 back (thanks to the cookie), and thus resolves its Promise.
ESA learns that the user's authenticated, and redirects to the 'route after authentication'.
Keep in mind that, at its core, ESA can only indicate to the client whether the backend considers it 'authenticated' or not. ESA can never be used to deny access to a resource-- only to show something different on the client, based on the last thing it heard from the backend.
Let me know if any of that was helpful.
I need to modify adaptive.js in ember-simple-auth for my app.
Ultimately I want the restore method to look for two particular cookie security tokens that is shared across our platforms and construct the simple auth localstorage object based on these cookies as a last resort if localStorage authentication data does not already exist in order to determine if the user is already authenticated.
I realise you can create a custom authenticator however the problem with extending Base is that when restore is called on your custom authorizer ember-simple-auth has already looked up localstorage for your auth data. If this isn't available restore never gets called. For this reason I believe I need to extend or modify the simple auth node module to my requirements.
Below is my simple attempt at trying to modify adaptive.js in ember-simple-auth within my app however when restore gets called it's never through the below:
import AdaptiveStore from 'ember-simple-auth/session-stores/adaptive';
AdaptiveStore.reopenClass({
restore(){
alert('do custom stuff here');
}
});
Using reopen worked for me:
import AdaptiveStore from 'ember-simple-auth/session-stores/adaptive';
export default AdaptiveStore.reopen({
restore(){
alert('do custom stuff here');
}
});
I'm using oAuth2.
The DataAdapterMixin automatically adds the Authorization header to all Ember Data requests. The session service authorize method can be used to add it to Ajax calls, but how can I ensure the header is added to GET requests made from the browser. I've tried creating a custom authorizer as explained in the docs, but the authorize method is not called.
The my application stores scans of invoices and statements (usually pdfs) which can only be seen by an authorized user. Based on the user's actions, I am changing the data attribute of an object tag.
This
<object data={{attachViewURL}} width="800px" height="1200px">
is rendered as something like this:
<object data="/scans/attachments/11" width="800px" height="1200px">
This works fine except the authorization.
Any advice would be most appreciated. I'm new to Ember, so if I am going about this the wrong way, please let me know.
In lieu of you answering my comment, i'm just going to put my solution here:
import Ember from 'ember';
import SimpleAuth from 'simple-auth/authorizers/base';
export default SimpleAuth.extend({
authorize: function(jqXHR) {
var token = this.get('session.secure.token');
if (this.get('session.isAuthenticated') && !Ember.isEmpty(token)) {
jqXHR.setRequestHeader('Authorization: ', 'Bearer ', token);
}
},
});
You'll likely want to do a bit more checking etc, but that's pretty much all you need to do to actually set the header; just overriding the authorize function that is built in to ember-simple-auth to set a header once the authorization has passed (As defined by both the session.isAuthenticated boolean and passed token
EDIT:
I forgot that you need to also define that you're using your local authorizer in your simple-auth config (that tripped me up for a while because I assumed that ember-simple-auth would use the overriden local authorizer by default):
ENV['simple-auth'] = {
authenticationRoute: 'login',
authorizer: 'authorizer:local',
session: 'session:user-session',
routeAfterAuthentication: 'dashboard'
}
I'll try and dig up where I got this from (because the ember-simple-auth docs aren't particularly good at describing self-rolled authorization mechanisms...)
EDIT 2:
As marcoow pointed out (and he should know, he wrote ember-simple-auth!), this is pre-1.0 behaviour. The authorizer is now part of the session service, which needs to be injected into the application. See ember-simple-labs pre-1.0 upgrade
The only approach I've managed to get working is to include the access token in the generated URL and then manually authenticate on the back end.
The URL ends up looking something like:
<object data="/scans/attachments/11?token=a0a59197-afab-438a-b6cf-11237e51a2d5" width="800px" height="1200px">
I'm not proud of this workaround. It's horrible programming, but it's the only thing I've gotten working so far.