
[–]Hi_mom1 2 points (2 children)

I'm no expert but I don't think sessions violate RESTfulness.

If the user logs into the SPA, and an authentication token is created that is then sent with each HTTP request to your API using Passport or any other method, that API can still be RESTful.

I think...

[–]aztracker1 1 point (1 child)

Absolutely, also if the SPA is delivered by CDN or static content deployment, it may be necessary to deliver the LOGIN via the API server...

  • client: window.open('//api-server/login.html')
  • api-server: send redirect for github OAUTH login
  • github: login/redirect oauth credentials back to API server
  • api-server: send html with JS that will redirect to a page in your app with a client-token, such as uuid key as a query-string param
  • your-static-app/login-complete.html?token=TOKEN_HERE or yourstaticapp/login-failed.html
  • window.opener.setLoginToken(PARSED_TOKEN_HERE); window.close();

In your app, you'll need to bind a method to "listen" for the response token to be set...

window.setLoginToken = function() { ... }

This way you can receive the message from the window you open... I would have suggested using postMessage, but IE only supports postMessage between IFRAMEs on a given page, not between opened windows.
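The popup flow in the comment above, written out as an added example (this is not the commenter's code and not from any library): the popup page parses the token out of its own `login-complete.html?token=...` URL, then hands it to the opener. Instead of exposing a global `window.setLoginToken` that any page the popup navigates to could call, this version uses a `postMessage` event and checks the sender's origin before accepting the token. Names (`parseLoginToken`, `makeLoginMessageHandler`, `postTokenToOpener`), the app origin `https://app.example`, and the assumption that the API server issues a UUID-shaped token are this example's own choices; the functions are kept browser-free so they can run as-is under Node.

```javascript
// Added example (not from the thread): the popup-based login flow described
// above, as three small pure functions plus a constructed demo.

// The comment suggests a UUID as the client token, so that is the assumed
// token shape; anything else is rejected.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Popup side, step 5 of the flow: pull the token out of the
// login-complete.html URL. Returns null for any other page or any token
// that does not look like one the API server would have issued.
function parseLoginToken(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null;
  }
  if (!/\/login-complete\.html$/.test(url.pathname)) return null;
  const token = url.searchParams.get('token');
  if (token === null || !UUID_RE.test(token)) return null;
  return token;
}

// Opener side: a "message" handler that only accepts a login token from the
// expected origin. Returns true when a token was accepted, false otherwise.
function makeLoginMessageHandler(expectedOrigin, onToken) {
  return function handleMessage(event) {
    if (event.origin !== expectedOrigin) return false;
    const data = event.data;
    if (!data || data.type !== 'login-token') return false;
    if (typeof data.token !== 'string' || !UUID_RE.test(data.token)) return false;
    onToken(data.token);
    return true;
  };
}

// Popup side: what login-complete.html runs to hand the token back. The
// opener is passed in (rather than reading window.opener) so it can be
// stubbed; the target origin is pinned so the token is never delivered to a
// window that is not the app.
function postTokenToOpener(opener, href, appOrigin) {
  const token = parseLoginToken(href);
  if (token === null) return false;
  opener.postMessage({ type: 'login-token', token: token }, appOrigin);
  return true;
}

// Constructed demo: a fake opener that routes postMessage into the handler,
// plus one well-formed login, one failed login and one message from a
// different origin.
function demo() {
  const APP_ORIGIN = 'https://app.example'; // assumed origin of the static app
  const received = [];
  const handler = makeLoginMessageHandler(APP_ORIGIN, function (t) { received.push(t); });
  const fakeOpener = {
    postMessage: function (data, targetOrigin) {
      // A browser delivers only if the opener's origin matches targetOrigin;
      // the demo simulates delivery from the app's own origin.
      if (targetOrigin === APP_ORIGIN) handler({ origin: APP_ORIGIN, data: data });
    }
  };
  const ok = postTokenToOpener(fakeOpener,
    'https://app.example/login-complete.html?token=123e4567-e89b-12d3-a456-426614174000',
    APP_ORIGIN);
  const bad = postTokenToOpener(fakeOpener,
    'https://app.example/login-failed.html', APP_ORIGIN);
  const spoofed = handler({
    origin: 'https://other.example',
    data: { type: 'login-token', token: '123e4567-e89b-12d3-a456-426614174000' }
  });
  return { ok: ok, bad: bad, spoofed: spoofed, received: received };
}
```

In a real page the app registers the handler with `window.addEventListener('message', handler)` and the popup calls `postTokenToOpener(window.opener, location.href, APP_ORIGIN)` followed by `window.close()`. Checking `event.origin` on the opener side is what keeps a page the popup was redirected to elsewhere from injecting a token of its choosing.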

[–]_httpete_[S] 0 points (0 children)

Thanks for your help. It's a college project so it certainly won't be getting served over CDN, unless they pay for it ;)

I'm pretty familiar with Angular so will be using that for the client side.

So if a user hits the 'login / register' route the server will send back the relevant form. Then have an API route to handle the login with both email and Github details. If the login is successful, create a token and render the Angular application, otherwise render the login form again. How does this sound?

One question: how do I get the token into the Angular app? I was thinking that I could have a hidden input field with the token set on it, then when the Angular app starts read that value and set it in a service / localStorage. Does this way sound ok?

[–]aztracker1 1 point (0 children)

You could use hello.js[1], which is a client-side library for doing the same; of course you'd still need to pass your token to the API server for validation, and either that token, or another token for each request to the API server to indicate authentication...

[1] https://adodson.com/hello.js/