
okay.

I think I have failed to understand an elemental part of token based authentication.

I am using node with express and am using jwt to prevent access to my site if you haven't logged in. I can create a token on the login page, and I can send it back to the client and store it in localStorage/cookie. Now if the user wants to navigate to another page they will type in a url and trigger a get request.

How do I access that token from localStorage/cookie and pass it to the server before I load the page as part of the get request. My assumption is that there should be a way of passing the token to the server - intercepting it in the middleware - and loading the page if the token is legit, or redirecting to the login page if the token isn't validated correctly.

On a post request this would be much simpler as you can fetch the token and pass it as part of an ajax call, after the page has loaded.

I have seen references to including the token as part of the request header (authorization bearer). I assume this only works for post, because if you were able to set the header parameter 'globally' then why would you bother storing on the client side in a cookie/localStorage.

So as you can see I am a little confused by the workflow. It seems like I am going against the grain somehow. Any clarity would be much appreciated.

reabow
    If you are sending token in cookie, then it will be received in any get/post request by the client. – Hiren S. Aug 09 '15 at 16:19
  • @Hiren I have tried this document.cookie = result.token in the callback from the login post request. I have looked through the keys in the subsequent get request and I can't see req.cookie for example. Where should I be looking. – reabow Aug 09 '15 at 16:31
  • on node.js server, you can read using request.headers.cookie and hope you have included cookie-parser module – Hiren S. Aug 09 '15 at 16:34
  • @Hiren - wow I can't believe that. I was logging the keys for res instead on req - and that is why I missed the cookie in the headers! I guess I won't be getting those hours back :) Thanks for the help though, I would have been stuck reading blogs for many more hours otherwise. -as a sidenote - if you don't use cookies how are you supposed to get the token? – reabow Aug 09 '15 at 16:50
  • hah! that is the question I am after, not many body seems to be willing to answer that, all my searches have reached something that is not concentrated and exceptionally excluding that part, how to send the token from client to server without using cookies. Would be glad to hear if you managed to understand the whole workflow picture from so many separated, partial data on the web. – sçuçu Jan 08 '16 at 03:50

1 Answer


If you are using localStorage in order to store the JWT, then the easiest way to pass it to the server is by retrieving first the token from the localStorage with localStorage.getItem('token') (or whatever your token name is) and then inserting it in the header of the request (whether it is GET or POST/PUT/DELETE). Depending on the library you are using to handle your http requests on the client, there are different ways of doing so. In jQuery for example, you can do the following inside the AJAX request:

$.ajax({
    url: API_URL + "/endpoint",
    method: "GET",
    // Runs before the request is sent; attach the stored JWT as a Bearer credential.
    // The scheme is conventionally written "Bearer" (RFC 6750); most middleware
    // matches it case-insensitively, but the canonical spelling avoids surprises.
    beforeSend: function(request){
        request.setRequestHeader("Authorization", "Bearer " + localStorage.getItem('token'));
    }
});

After this, on the server side simply access the parameters by accessing request.header options just as you would normally do. Hope this helps!

  • The way I understand it, the question was about when the http request is not made by JavaScript (with or without a library) at all, but rather by the browser itself first loading the page. So any JavaScript-based approach won't work. – user1837296 Jul 30 '17 at 16:50