alexanderscott / backbone-login Goto Github PK

Shouldn't you use Backbone.ajax instead $.ajax calls?

For example here.

When my account was compromised a spam issue was created in this repo. I sincerely apologize. Cleaning up such issues via script.

Hi, thanks for the demo. I'm trying to follow some of these patterns in my project. Quick question, what is to stop someone from just doing:

var app = require('app');
app.session.user.set('logged_in', true);

in their console and gaining access to protected routes?

Firstly I'd like to thank you for your contribution. This is a really great explanation of how to implement backbone login, and it was very useful for me.

However, I've noticed that the session.user is not updated correctly when the event 'change:logged_in' is handled by the view / template.

I have a slightly different setup than your example, I'm using Backbone Marionette and Backbone.Marionette.Handlebars helpers (hbs) to render / manage view templates. What I noticed was that when the 'change:logged_in' event fires as a result of a successful user log in, that the user model when accessed via session.user was still the invalid user model. It doesn't update correctly until the page is refreshed, which defeats the object!

My scenario is that I use the session model as the model of one of my views. I have a handlebars template which looks first at 'logged_in', if this is true is looks to render the user's name using user.username. My problem is that user.username is still the unauthenticated user response/ model.

I fixed my problem with the following change to postAuth function in SessionModel.js.

-self.updateSessionUser( res.user || {} );
-self.set({ user_id: res.user.id, logged_in: true });
+self.set({
logged_in: true,
user_id: res.user.id,
user: _.pick(res.user, _.keys(self.user.defaults))
});

Basically if you set the user model as part of the session model set, the new user model is available via App.session.user, otherwise it is not. Plus a similar change was needed in checkAuth for consistency.

I realise your example is structured slightly differently and what you have works for your example, but I think the user model should be set correctly at the point the session logged_in state is set.

Another suggestion....I would consider not using any cookie helpers. Cookies should be locked and not accessible by JavaScript for security reasons. If someone manages to inject malicious code, the user's cookies could be stolen.

Hiya

Can't see from the code where the cookie is actually getting saved.

Looking to use something similar but with a laravel back end, Set Cookie is coming through but not getting set. See in your Utils that you have a createCooke method.. new to backbone so just trying to peice it together

Cheers

Set-Cookie:user_id=eyJpdiI6Ik9xYjFhMTkzdUd1TlF3b09IdmlmdHc9PSIsInZhbHVlIjoiRENGaGxFbjZjVTdsVW5JTmhoSHB0UT09IiwibWFjIjoiYzhlOTIzZWU4NzcyZjg4YmY4YzcwYjJiNDgyZWE3ZTAzOTYzNzYwN2I5ODY0NDkwNzY0YmQwYTdmOGI2Y2VhNCJ9; expires=Sun, 12-Oct-2014 15:51:34 GMT; path=/

Thanks for your contribution!
Just FYI - something i think might be problematic..

Here is a quick suggestion. Instead of using app.session = new SessionModel({ }); you can return new SessionModel() in SessionModel.js and that way you can enforce the singleton pattern. No need to set it in app.session. Any place you'd want to use the SessionModel just require it directly. Given the way require works, you would get the already instanciated SessionModel.

Hello,
I've noticed that within the public/router.js file , line 36 ,you used a function called "close" but... I don't know where it is created.
Could you possibly add it or tell me where is it declared?
Thanks ;D