
I am fairly new to AngularJS

I have a resource that I use for user management which is part of a service following this article.

Once sending the login request to the server I am getting a response with a set-cookie as part of the header.

What is the best practice to add this cookie to every request I am sending to the server?

myApp.factory('UserService', ['$resource', function ($resource) {
    var userRes = $resource('http://<MyDomain>/api/v1/user/:param',
        {param: '@param'},
        {
            login: {
                method: 'POST'
            },
            logout: {
                method: 'DELETE'
            }
        });

    var user;
    return {
        signIn: function () {
            // the login response carries a Set-Cookie header
            user = userRes.login({param: 'login'}, {"email": "[email protected]", "password": "test1"});
            // this follow-up request does not send that cookie back
            userRes.get({param: '1'});
        }
    };
}]);

userRes.login has a set-cookie header on the response; userRes.get does not send the cookie that was just received.

Cheers

  • It should be attached automatically. Commented Dec 26, 2013 at 19:35
  • @Stewie - I would think so but it does not. I have updated my question and added a code snippet. Commented Dec 26, 2013 at 20:06
  • Is angular hosted at the same domain as API? Commented Dec 26, 2013 at 21:12
  • @Stewie No, I am working on this code from my localhost and making calls to a our Server API. Does it mean that I have to deploy it to see if it actually works? Commented Dec 26, 2013 at 21:17
  • Well, you got yourself a problem of sharing a cookie across different domains. Cookies are, by default, bound to the issuer domain. The bottom line is that Angular does not care and does not need to know about your cookies. Cookies are sent automatically, by the agent (browser), if domains are matching. Commented Dec 26, 2013 at 21:25

1 Answer

Since your API is in a different domain you can't use cookies in this case. We've tried and we failed; to put it simply, there is no way: not only does it not work with CORS, but it also doesn't work if you embed an iframe. The iframe trick fails on Safari mostly, but it is not reliable.

What we usually do is return a JWT (JSON Web Token) from the API and then attach a header to every API request as Authorization: Bearer JWT.

This JWT can be decoded using a public key from the front end (and it will contain the user profile) and validated with a private key in the backend.

JWT is simple and there are plenty of libraries for every language/technology.

Auth0 is an authentication broker that can validate with any identity provider or custom databases, and it returns JWTs using standards. It provides a clientID that can be used to decode the profile in the front end and a secret to validate the tokens in the backend, as well as a client-side library to do this.

Disclaimer: I work for auth0.
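The "attach a bearer header to every API request" approach from the answer, written as an AngularJS $http interceptor. This is an added example, not code from the question, the answer or Auth0; API_ORIGIN, tokenStore and the helper names are assumptions, and the token is kept in memory by the example's own store.

```javascript
// Added example, not code from the question or the answer: an AngularJS $http
// interceptor that attaches "Authorization: Bearer <JWT>" only to requests for
// the API origin and forgets the token when that API answers 401.
// API_ORIGIN, tokenStore and the function names are assumptions for this example.
var API_ORIGIN = 'https://api.example.test'; // constructed stand-in for http://<MyDomain>

// Minimal in-memory token holder; the app decides where the JWT really lives.
var tokenStore = {
  token: null,
  set: function (t) { this.token = t; },
  get: function () { return this.token; },
  clear: function () { this.token = null; }
};

// The bearer token is a credential: send it to our API only, never to other hosts.
function isApiRequest(url) {
  return typeof url === 'string' && url.indexOf(API_ORIGIN + '/') === 0;
}

// Request interceptor: copies headers so the caller's header object is not mutated.
function attachBearer(config) {
  var token = tokenStore.get();
  if (token && isApiRequest(config.url)) {
    config.headers = Object.assign({}, config.headers, { Authorization: 'Bearer ' + token });
  }
  return config;
}

// 401 from our API means the token is invalid or expired: drop it so the app
// stops replaying a dead credential. Returns true when the token was cleared.
function handleUnauthorized(rejection) {
  var url = rejection && rejection.config && rejection.config.url;
  if (rejection && rejection.status === 401 && isApiRequest(url)) {
    tokenStore.clear();
    return true;
  }
  return false;
}

// AngularJS wiring; only executes when angular is loaded in the page.
if (typeof angular !== 'undefined') {
  angular.module('myApp').config(['$httpProvider', function ($httpProvider) {
    $httpProvider.interceptors.push(['$q', function ($q) {
      return {
        request: attachBearer,
        responseError: function (r) { handleUnauthorized(r); return $q.reject(r); }
      };
    }]);
  }]);
}
```

Call tokenStore.set(jwt) after the login response arrives; from then on every $http or $resource call to API_ORIGIN carries the header, while requests to other hosts do not.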
