Angular module:
https://github.com/lynndylanhurley/ng-token-auth

Rails gem:
https://github.com/lynndylanhurley/devise_token_auth

I've been working hard to make this the most simple, flexible, and secure token auth system in existence. I believe that I'm close to succeeding. I'd love to hear your thoughts on what I can do to improve what I have so far.

Oh man, I wish this was around about a year ago. I actually coded most of this for a client and it was extremely painful to get correct. We are using the Doorkeeper OAuth2 gem which uses slightly different tokens and has some different features, though.

Couple of things/features you might want to consider:

* You might want to track the expiration time of the tokens if the API provides it. If the token isn't expired, potentially skip the verification step.

* Potentially you might want to add another HTTP interceptor that catches 401 (Unauthorized) responses. If a response returns a 401, you can prompt the user to re-authenticate and hold all HTTP requests until the user does. Then when there is a new token available, you can replay requests. This, coupled with saving the expiration time, can make page load times faster and still be robust.

* I'd make the HTTP interceptor that adds the Authorization header only add the header if the request URL is going to an API endpoint. The library user should be able to specify a function or regex that takes a URL string and returns true if the URL is an API URL (and thus needs an Authorization header). Otherwise you'd include the token on unrelated requests to 3rd parties.

Nice job though, I'll definitely check this out next time I need to do token auth on Angular.

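
The third suggestion in the comment above (attach the Authorization header only to API URLs), as an added example that is not part of the thread or of ng-token-auth; `makeApiMatcher`, `makeAuthInterceptor`, `getAuthHeader`, the hostnames and the header value are all assumptions. It compares the parsed origin and path rather than a string prefix, so look-alike hosts and sibling paths do not receive the token.

```javascript
// Added example; every name and hostname here is hypothetical.

// Returns a predicate that is true only for URLs under apiBase.
// pageOrigin resolves relative URLs the way the browser would.
function makeApiMatcher(apiBase, pageOrigin) {
  const base = new URL(apiBase, pageOrigin);
  // Trailing slash so "/v1" does not also match "/v10" or "/v1-docs".
  const basePath = base.pathname.endsWith('/') ? base.pathname : base.pathname + '/';
  return function isApiUrl(requestUrl) {
    let target;
    try {
      target = new URL(requestUrl, pageOrigin);
    } catch (e) {
      return false; // unparseable URL: never attach the token
    }
    // Compare parsed scheme + host + port, not a string prefix.
    if (target.origin !== base.origin) return false;
    return (target.pathname + '/').startsWith(basePath);
  };
}

// Object in the shape of an AngularJS $http interceptor: request(config) -> config.
// getAuthHeader (assumed) returns the current header value, or null when signed out.
function makeAuthInterceptor(isApiUrl, getAuthHeader) {
  return {
    request(config) {
      const value = getAuthHeader();
      if (value && isApiUrl(config.url)) {
        config.headers = Object.assign({}, config.headers, { Authorization: value });
      }
      return config;
    }
  };
}

// Constructed sample input.
const isApiUrl = makeApiMatcher('https://api.example.test/v1', 'https://app.example.test');
const interceptor = makeAuthInterceptor(isApiUrl, () => 'constructed-token-value');
const sampleUrls = [
  'https://api.example.test/v1/users',                 // API: header added
  'https://api.example.test.lookalike.test/v1/users',  // look-alike host: no header
  'https://api.example.test@cdn.example.net/v1/',      // userinfo trick: no header
  'https://api.example.test/v10/users',                // sibling path: no header
  '/templates/login.html'                              // same-page asset: no header
];
for (const url of sampleUrls) {
  const sent = interceptor.request({ url: url, headers: {} });
  console.log(url, '->', 'Authorization' in sent.headers);
}
```
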
Some questions that I have:

Is the documentation clear?

Is there anything that I can do to further simplify anything?

Are the security measures too aggressive? Not aggressive enough?