Authenticating .NET API Service Calls Using Ionic Cloud User Authentication

@godavid33 @IndyJones72 Thanks so much for finding an answer and posting the code.

However, I think it’s still not enough for us to use Ionic Auth on the server side because there is still no solution to:

  1. Validate the JWT directly, instead of asking the Ionic server. Ionic should enable this by letting us set the JWT secret keys for our Ionic app in the dashboard. Then we can use it on our server side, which could enable us to do more complicated jobs;
  2. How can I search for a specific user in my backend? Say, I want to get the user whose email is ‘email@example.com’. It seems the API of Ionic Auth does not support any queries now?

If Ionic Auth API does not meet those requirements, I believe it’s not possible to use it in a production environment.

@zixia @godavid33 - Hi Zixia. I hear what you’re saying, although I do believe it can work in a production environment as there’s nothing being validated on the client unless I’m missing your point. I do agree validating the JWTs directly would be nice, but there’s always so much back and forth on the true security of JWTs in production or highly sensitive environments, it’s actually a nice thing to have an almost 2-prong authentication in this way.

As far as your point #2, I completely see what you mean. Let me play around with that a bit and get back to you. I think there’s a secure way to do it, but I have to try a few things first.

Thanks much for the reply and discussion.

@zixia @IndyJones72

Sorry for the late reply. I’m currently storing the user in my MongoDB and also in Ionic. Here is the code I use for authenticating the JWT (using the jwt module):

	 
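		// `jwt` is the JWT module mentioned above; `secret` is the signing secret.
		// Runs inside a request handler with `req` and `res` in scope.
		var email, password;
		try {
			// Verify the token's signature locally with the shared secret
			var incomingToken = jwt.verify(req.query.token, secret);
			email = incomingToken.data.email;
			password = incomingToken.data.password;
		} catch (ex) {
			console.error(ex.stack);

			// No valid token: fall back to credentials sent in the request body
			if (typeof req.body.email !== "undefined" && typeof req.body.password !== "undefined") {
				email = req.body.email;
				password = req.body.password;
			} else {
				return res.status(401).send('jwt error');
			}
		}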

I think this was the source but it’s been a while so maybe not. https://auth0.com/blog/ionic-2-authentication-how-to-secure-your-mobile-app-with-jwt/

Hope that helps if you haven’t figured it out already.