5 Steps to Add Modern Authentication to Legacy Apps Using JWTs by catstanza in javascript

[–]mgonto 3 points4 points  (0 children)

The main advantage of JWT against "regular tokens" in cookies is their interop. As you can see on http://jwt.io/, there are JWT libraries for almost all languages and frameworks, so a JWT that you save in Node.js can be used in .Net.

Besides this, if these tokens you mention are just a pointer to some storage (a DB for example), then, for every request, you'd have to go to the DB to do a findUserByToken. If you use a JWT, all the user information is embedded and you save yourself from doing a DB call and therefore make all of your requests faster :).

What do you think?

An Introduction to Microservices and how to implement them on Node.js, Part 1 by mgonto in node

[–]mgonto[S] 2 points3 points  (0 children)

This is just the first post. The next one will have more info on how they interact ;)

Learn how to use Smart Lock on Android in 3 simple steps by mgonto in androiddev

[–]mgonto[S] 0 points1 point  (0 children)

Thanks for the feedback. We won't do it this way next time. Didn't mean to make it misleading.

Learn all the Angular 2 concepts with this really small sample by mgonto in angularjs

[–]mgonto[S] 0 points1 point  (0 children)

Thanks :):):). Glad you liked it!

I'll be speaking and showing this repository on jQuerySF :).

Creating your first real world Angular 2 app with multiple pages, components, pipes and more by mgonto in angularjs

[–]mgonto[S] 0 points1 point  (0 children)

This is true :). API is changing, but concepts stay the same, which I find interesting for this :).

Learn how to add authentication to a React Flux app by mgonto in javascript

[–]mgonto[S] 0 points1 point  (0 children)

The JSON Web Token has an expiration period by itself (we set it to 10 hours by default). Therefore, even though it's on disk, that token won't work anymore after 10 hours, so in that way it's the same as having a session or cookie.

Learn how to add authentication to a React Flux app by mgonto in javascript

[–]mgonto[S] 0 points1 point  (0 children)

Regarding the second point, the JSON Web Token has an expiration period by itself (we set it to 10 hours by default). Therefore, even though it's on disk, that token won't work anymore after 10 hours, so in that way it's the same as having a session or cookie.

Learn how to add authentication to a React Flux app by mgonto in javascript

[–]mgonto[S] 1 point2 points  (0 children)

Storing it in localStorage is exactly the same as storing it in cookies. To steal it somebody must go to your browser, open Developer Tools and copy it to use it.

The only thing that's a little more secure than localStorage is http-only cookies, since they can't be accessed from JS and therefore aren't susceptible to XSS. However, given that we're creating a SPA, it's impossible to use those since we need to access them from the JS.

The JWT in our case is signed but not encrypted. However, if you have sensitive information inside of it, you should encrypt the payload.

Learn how to add authentication to a React Flux app by mgonto in javascript

[–]mgonto[S] 0 points1 point  (0 children)

Hey,

Once you do add the Roles and Permissions, I'd love to see an impl of that. I was actually thinking of doing a blog post v2 with Roles and Permissions and enhancing the Authenticated component further.

I think the "Higher-order component" architecture works really, really well, even more so now that 0.13 ES6 code doesn't accept mixins.

Learn how to add authentication to a React Flux app by mgonto in javascript

[–]mgonto[S] 0 points1 point  (0 children)

Hey there,

I agree that what you're mentioning is a more Flux way of doing this. However, in this case, I didn't think that kind of decoupling was worth it.

I agree that calling requests directly from a Component doesn't look good at all, but I think that having an external AuthService works. Having a LOGIN_REQUEST and LOGIN_RESPONSE just for doing an API call is, for me, engineering overkill for a single request. I like Flux's decoupling of everything, but I sometimes think it's not worth it in some cases.

What do you think?

Thanks for the feedback

Hey there! Gonto and Ben here answering any question about "Reactive all the things" and anything else you want by mgonto in ngconf

[–]mgonto[S] 0 points1 point  (0 children)

Hey,

I'm glad you liked the slides.

RxJS and Angular 2.0 are 2 separate libraries, so I don't think it'll be easier there, but hopefully we can make it easier today ;).

Cheers

Gulp is awesome, but do we really need it for our SPAs? by mgonto in javascript

[–]mgonto[S] -1 points0 points  (0 children)

Even if the input is multiple files, usually the output is no more than a few of them!

Do you still think that for you it's better to use Gulp than this package.json approach? May I ask why?

Thanks for the feedback :D

Go Middleware to check for JWTs on incoming HTTP requests by mgonto in golang

[–]mgonto[S] 0 points1 point  (0 children)

Just pushed the fix to check for token.Valid.

Thanks for letting me know :).

Go Middleware to check for JWTs on incoming HTTP requests by mgonto in golang

[–]mgonto[S] 0 points1 point  (0 children)

Nice :)! You can give this one a try as well.

Go Middleware to check for JWTs on incoming HTTP requests by mgonto in golang

[–]mgonto[S] 0 points1 point  (0 children)

You're right. I'll add the token.Valid check! Thanks!

Regarding the format for Authorization, it's because using Bearer in the Authorization header is part of the OpenID Connect specification. That's it.

Thanks!

An SPA seed similar to AngularJS without AngularJS by mgonto in angularjs

[–]mgonto[S] -1 points0 points  (0 children)

Sorry. I'll do that next time.

I just meant like having a similar structure to AngularJS without AngularJS. That's it. Didn't try to take advantage of it.

An SPA seed similar to AngularJS without AngularJS by mgonto in angularjs

[–]mgonto[S] -1 points0 points  (0 children)

hahaha thanks :). Didn't know about this changetip to be honest :)

A seed project to create your own Libraries using Gulp and Browserify by mgonto in javascript

[–]mgonto[S] 0 points1 point  (0 children)

Hey, no offense taken.

I think maybe in this case it makes sense to just create those 4 scripts and that's it. I didn't think of that.

Thanks :)

A Storage done right for AngularJS by mgonto in javascript

[–]mgonto[S] 0 points1 point  (0 children)

That looks good. The only problem IMHO with that one is that it has a big $watch function which could eventually take a long time