Examine the order of the modules first. Module declaration order is
significant, because different orders assign different priorities to the
modules according to each app's requirements. Example:
which should take priority?
Traditional server-side web apps use sessions and cookies to track the signed-in state. In a client-side ember app, however, we do not have the luxury of a server that redirects and sets cookies. We can track the state in the client-side ember app, but there is no guarantee that it will not be tampered with, nor even that it will stay in sync with the server.
We need an authentication mechanism that the server can verify on every request. This leads naturally to an authentication token that is sent with every API request; besides, that is already the de facto standard for exposing API services to consumers.
For the curious, there is also an alternative solution to this problem:
set up an HTTP persistent connection, and verify signed-in state by the
presence of such a connection. This is, however, out of the scope of this module;
ember-auth is being refactored into a generic auth module that supports
different authentication strategies... Pull requests, anyone?
This is the best way to minimally secure a sign out request.
First we need a way to identify the user, as we are not operating by cookies.
The "simple" solution of allowing a route like
DELETE /sign_out (param: user_id = 1)
will allow anybody to sign out any user, as long as one knows the user ID.
Requiring an authentication token will (1) allow the server to uniquely identify the user, and (2) ensure that only the signed-in user can send a correct sign out request.
Therefore, the default sign out API endpoint is expected to be something like:
DELETE /sign_out (param: auth_token = jaFJ23rJFLSDH)
Restating the obvious: ember apps are client-side apps. All code is stored and accessible client-side, no matter how minified or obfuscated it may be. If an ember app draws all its data from the client-side script, then anybody can dig into the script and view that data regardless of authentication. A purely client-side authentication solution is useless.