
I have an angular app that I needed to redirect outside to a non-angular html page, so I thought I could just use the $window.location.href to redirect the angular app to my external site. This actually works fine, however, I have a nodejs/express backend that checks for an auth token before serving up any content (even static content).

This requires an auth token to be sent in the header of the http request. Now the question:

Can/How do you add an auth token to the request that is made by changing the $window.location.href before it is sent off?

2 Answers


When you use $window.location.href the browser is making the HTTP request and not your JavaScript code. Therefore, you cannot add a custom header like Authorization with your token value.

You could add a cookie via JavaScript and put your auth token there. The cookies will automatically be sent from the browser. However, you will want to review the security implications of using a cookie vs. a header. Since both are accessible via JavaScript, there is no additional attack vector there. Unless you remove the cookie after the new page loads, there may be a CSRF exploit available.


1 Comment

great answer, I wonder if angular-cookies would work for this. Anyways thanks for the right direction.

This answer is NOT a safe way, as the token is exposed in the URL, which is logged in browser history, access logs, etc. Use a domain cookie instead. I'll leave the answer as it can be an easy way to debug in your local setup.

I am using JWT as authentication on a Laravel PHP backend, and it works by putting ?token=... in the URL. For example, when using AngularJS with satellizer plug-in, I add ?token=' + $auth.getToken() to the URL.

5 Comments

Well, embedding the token as a URL parameter is the last thing that I would like to do.
Even in SSL a sniffer could read the URL of the request, so it is the WORST way to pass a token to a request. If you're using SSL you should put the token in headers or in the body.
"in SSL a sniffer could read the URL of the request" This is not true, only the hostname/ip can be detected, not the url.
Two vulnerabilities of doing this are: (1) The token is in the IIS logs (2) Drive-by hacking, e.g. someone looks at your browser url or grabs it from your browser history while you make a cup of coffee
This solution must be avoided for security reasons, as well explained by @tony
