Authentication is handled using a JSON web token generated on the server and then passed in each API call from the client.
The client auth methods are located within the AuthProvider defined in /client/src/app/auth.js
These methods handle signing in, signing out and checking user permissions.
The authentication process is:
- User signs in
- /controller/authController authenticates the user
- The token is generated by /model/auth.js
- The authController passes the token and permission to the client and AuthProvider stores the token, permission and user's name in localStorage.
- When making an API call, authToken is passed to the server
- Tokens are verified using Express middleware in api.js to check the user has permission to make the request
Permissions passed from the server are also used to protect routes on the client-side using the <ProtectRoute> component located in /client/src/app/auth.js
Server Side Authentication
API calls are also protected on the server, you can use the verify(permission) function to ensure your endpoints can only be accessed with the correct permission.
api.get("/api/account", auth.verify('owner'), use(accountController.get));