Ember Simple Auth for a cookie based simple user/pass login


#1

Ember Simple Auth is very hard to get working with custom auths since there is no example at all for custom authentication. Here is my server-side auth:

  • check user name and password from database
  • store user’s id and name in a secure cookie

It would be really nice to have a simple tutorial for this kind of simple auth.


#2

Hey @v3ss0n I feel you there, it’s a lot to take in at first. Part of the problem is that custom auth varies greatly so there’s no tutorial that is really going to fit everyone’s setup. The ember-simple-auth dummy app is actually a pretty good example for you to check out. It uses a cookie store as it sounds like you’d like to, and it demonstrates several different authentication methods including OAuth2 password grant, which is what you’d like to use.

For starters you’ll want to define an authenticator which extends the Ember Simple Auth (ESA) oauth2-password-grant authenticator, a session store which extends the ESA cookie store, and an authorizer which extends the ESA oauth2-bearer authorizer, and then use the application route and protected route mixins from ESA in the appropriate routes in your application. Again, the dummy app can be a great example for defining all of this.

I certainly can’t claim I’m some sort of authentication expert but I’ve used ember simple auth for both OAuth2 Password Grant and OAuth2 Implicit Grant auth and I actually contributed a little bit to the implicit grant PR so I may be able to answer any specific questions you might have.


#3

Thank you very much for the help @dknutsen! The web framework I use (Python, Tornado) does not have OAuth2 by default, so I am doing my own simple auth (user/pass registration and login).

Do you think developing my own OAuth2 service (I am not familiar with OAuth2 services, I have only used fbconnect and Google auth before) is a good idea? I am a bit outdated in that area.

Back to ESA: I have started a custom authenticator, and it is working (not properly, though):

import Base from 'ember-simple-auth/authenticators/base';
import Ember from 'ember';
// import fetch from 'fetch';

export default Base.extend({
  // Called on page load with the data kept in the session store.
  restore(data) {
    return new Ember.RSVP.Promise((resolve, reject) => {
      if (!Ember.isEmpty(data.user)) {
        resolve(data);
      } else {
        reject();
      }
    });
  },

  // POSTs the login data as JSON; the resolved response becomes the session data.
  authenticate(udid, user) {
    return new Ember.RSVP.Promise(function (resolve, reject) {
      Ember.$.ajax({
        type: "POST",
        url: '/login',
        contentType: 'application/json;charset=utf-8',
        dataType: 'json',
        // jQuery only passes withCredentials to the XHR through xhrFields;
        // as a top-level option it is ignored.
        xhrFields: {
          withCredentials: true
        },
        data: JSON.stringify({
          udid: udid,
          username: user
        })
      }).then(
        function (response) {
          Ember.run(function () {
            resolve(response);
          });
        },
        function (xhr, status, error) {
          // console.log(error)
          Ember.run(function () {
            reject(xhr.responseJSON || xhr.responseText);
          });
        });
    });
  },

  // invalidate(data) {}
});
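
The server side described in this thread (check the user name and password, then store the user's id and name in a signed cookie), as an added example that is not part of any post and is not Tornado's or Ember Simple Auth's own code. It uses only the Python standard library; the key handling, the user table, the cookie name `session` and the one-hour lifetime are assumptions.

```python
import base64, hashlib, hmac, json, os, time

COOKIE_KEY = os.urandom(32)  # assumption: server-side secret, loaded from config in practice
MAX_AGE = 3600               # assumption: one-hour session lifetime

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

# Constructed user table standing in for the database.
_SALT = os.urandom(16)
USERS = {"alice": {"id": 7, "salt": _SALT,
                   "hash": hash_password("correct horse", _SALT)}}

def _sign(body):
    return hmac.new(COOKIE_KEY, body, hashlib.sha256).hexdigest().encode()

def login(username, password, now=None):
    """Return a signed cookie value, or None if the credentials are wrong."""
    user = USERS.get(username)
    # Hash even for unknown users so both failure paths cost the same.
    salt = user["salt"] if user else b"\0" * 16
    candidate = hash_password(password, salt)
    if not user or not hmac.compare_digest(candidate, user["hash"]):
        return None
    claims = {"id": user["id"], "name": username,
              "iat": int(now or time.time())}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return body.decode() + "." + _sign(body).decode()

def read_cookie(value, now=None):
    """Return the claims if the signature verifies and the cookie is fresh."""
    body, _, sig = (value or "").partition(".")
    # Verify before parsing: unsigned input never reaches the JSON decoder.
    if not hmac.compare_digest(_sign(body.encode()), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if (now or time.time()) - claims["iat"] > MAX_AGE:
        return None
    return claims

def set_cookie_header(value):
    # HttpOnly hides the cookie from page scripts, so the Ember app cannot
    # read it; Secure restricts it to HTTPS; SameSite=Lax limits cross-site sends.
    return (f"session={value}; Path=/; Max-Age={MAX_AGE}; "
            "HttpOnly; Secure; SameSite=Lax")
```

Because the cookie is HttpOnly, an authenticator's `restore()` cannot inspect it and has to rely on a server response to learn whether the session is still valid.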

#4

You might want to use JWT with ember-simple-auth.

An example Login Form Component Code:

import Ember from 'ember';

export default Ember.Component.extend({
  classNames: ['container-fluid'],

  authManager: Ember.inject.service('session'),

  actions: {
    authenticate: function() {
      var credentials = this.getProperties('identification', 'password');
      this.get('authManager').authenticate('authenticator:jwt', credentials).catch((reason) => {
        this.set('errorMessage', reason.error);
        console.log(reason);
        console.log(reason.message);
      });
    }
  }
});

#5

JWT is not an auth mechanism but a way to generate tokens, right?


#6

@v3ss0n correct, you can use JWTs for many different authentication setups. We use JWTs in our OAuth2 implicit grant setup. I can’t say I’m as familiar with the server side of the authentication but I’d consider using an OAuth mechanism for your login. It’s very common and widely used and there are many existing implementations for a variety of frameworks. If you can implement the OAuth password grant spec then using ESA (or any other front-end auth library) would be trivial.


#7

Thank you. What I am building right now is a UDID-based login-less approach; I am not sure it is feasible with OAuth (OAuth expects user/pass, right?)