heartsentwined edited this page Oct 18, 2013 · 12 revisions


I have enabled foo and bar modules, and they are misbehaving.

Examine the order of the modules first. Module declaration order is significant: it determines the relative priority of the modules, and the right priority depends on the requirements of each app. Example: urlAuthenticatable or rememberable - which should take priority?

Why token authentication?

Traditional server-side webapps utilize sessions and cookies to track the signed-in state. In a client-side ember app, however, we do not have the luxury of server-driven redirects and server-set cookies. We can emulate this on the client side, but there is no guarantee that the state will not be tampered with, nor even that it will sync to the server.

We need an authentication mechanism that the server can verify on every request. This leads naturally to an authentication token that is sent with every API request; besides, it is already the de-facto standard for exposing API services for consumption.

For the curious, there is also an alternative solution to this problem: set up an HTTP persistent connection, and verify the signed-in state by the presence of such a connection. This is, however, out of scope of this module; unless ember-auth is refactored into a generic auth module that supports different authentication strategies... Pull requests, anyone?

Why pass the authentication token on the token destruction route by default?

This is the best way to minimally secure a sign out request.

First we need a way to identify the user, as we are not operating by cookies.

The "simple" solution of allowing a route like DELETE /sign_out (param: user_id = 1) will allow anybody to sign out any user, as long as one knows the user ID.

Requiring an authentication token will (1) allow the server to uniquely identify the user, and (2) ensure that only the signed-in user can send a correct sign out request.

Therefore, the default sign out API end point is expected to be something like: DELETE /sign_out (param: auth_token = jaFJ23rJFLSDH)
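The two sign out endpoints contrasted above, as an added Ruby example that is not part of ember-auth or its wiki: an in-memory token store stands in for the server's database, and the handler names and return shape are assumptions.

```ruby
require 'digest'
require 'securerandom'

# Constructed stand-in for the server-side session/token table.
# Only a SHA-256 digest of each token is stored, so a leaked table
# does not hand out usable tokens.
class TokenStore
  def initialize
    @tokens = {} # token digest => user_id
  end

  # Issue a fresh token at sign-in and hand the plaintext to the client.
  def issue(user_id)
    token = SecureRandom.hex(16)
    @tokens[Digest::SHA256.hexdigest(token)] = user_id
    token
  end

  # Resolve a presented token to its user, or nil if unknown/missing.
  def user_for(token)
    return nil if token.nil? || token.empty?
    @tokens[Digest::SHA256.hexdigest(token)]
  end

  def revoke(token)
    @tokens.delete(Digest::SHA256.hexdigest(token))
  end

  def revoke_user(user_id)
    @tokens.delete_if { |_, uid| uid == user_id }
  end

  def signed_in?(user_id)
    @tokens.value?(user_id)
  end
end

# The "simple" endpoint the FAQ warns against: DELETE /sign_out?user_id=1
# Nothing ties the caller to the account, so any caller who knows a user
# ID can sign that user out.
def weak_sign_out(store, params)
  store.revoke_user(params['user_id'])
  [200, { 'status' => 'signed_out' }]
end

# The default endpoint: DELETE /sign_out?auth_token=...
# The token both identifies the user and proves the caller holds the
# session, so only the signed-in user can complete the request.
def sign_out(store, params)
  token = params['auth_token']
  user_id = store.user_for(token)
  return [401, { 'error' => 'invalid or missing auth_token' }] unless user_id
  store.revoke(token)
  [200, { 'status' => 'signed_out', 'user_id' => user_id }]
end
```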

I want a client-side-only authentication solution.

Restating the obvious: ember apps are client-side apps. All code is stored and accessible client-side, no matter how minified or obfuscated it is. If an ember app draws all its data from the client-side script, then anybody can dig into the script and view that data regardless of authentication. A pure client-side authentication solution is useless.
