10

My PHP api requires a user token be submitted with every request from my front-end Backbone app to make sure the user...

  1. Is active
  2. Has permissions to access the resource

What is the easiest way to set this up in Backbone? I am guessing the only way is to overwrite Backbone.sync, but what would the code look like? CoffeeScript preferred.

EDIT

Two more things
1. I would like to redirect the user to /login if I get a 403: Access Forbidden Error
2. I pull the user model which includes the token from localStorage when the app is bootstrapped
3. I have a baseModel and baseCollection which all models / collections come from

imrane
  • 1,542
  • 2
  • 16
  • 29
  • 1
    How does the server want the access token? In the URL, as a HTTP header, or in the request body / JSON? I've answered a similar question here: http://stackoverflow.com/questions/13763280/add-access-token-in-backbone-js – jevakallio Jan 07 '13 at 21:40
  • generic $_REQUEST['token'] - looking at your answer, I already have $.ajaxPrefilter over-riding the base url - if I add token as a data param will that work? – imrane Jan 07 '13 at 21:47
  • I don't know what `$_REQUEST['token']` is - some PHP catchall that includes body, headers, session etc. in the same bucket I guess? If so, just add it to the `headers` object in the jQuery ajax settings. But not sure. – jevakallio Jan 07 '13 at 21:52

4 Answers4

19

Backbone uses jQuery's $.ajax, so you can use $.ajaxSetup to "set default values for future Ajax requests":

$.ajaxSetup({
   headers: {
     "accept": "application/json",
     "token": YOUR_TOKEN
   }
});

Update: an improvement to this idea (thanks to @Glen) is to use $.ajaxSend to check for the existence of a token each time before setting it in the headers of the request:

$(document).ajaxSend(function(event, request) {
   var token = App.getAuthToken();
   if (token) {
      request.setRequestHeader("token", token);
   }
});

Where App.getAuthToken() is a function in your Backbone app.

jairbow
  • 1,294
  • 1
  • 9
  • 13
jackocnr
  • 17,068
  • 10
  • 54
  • 63
  • 4
    The jQuery documentation does not recommend using `$.ajaxSetup`. See here: http://api.jquery.com/jQuery.ajaxSetup/ The alternative would be to use `$.ajaxSend` to add the appropriate headers. – Glen Selle Nov 23 '13 at 15:47
  • 4
    Also check out this talk on OAuth 2.0 and how they are using `$.ajaxSend` to pass the token with every request: http://youtu.be/khnmMv4_RCE?t=13m40s – Glen Selle Nov 23 '13 at 15:50
  • 4
    `$.ajaxSend` should be changed to `$(document).ajaxSend` according to `As of jQuery 1.9, all the handlers for the jQuery global Ajax events, including those added with the .ajaxSend() method, must be attached to document.` [Link](http://api.jquery.com/ajaxSend/) – Marco Nov 30 '15 at 06:36
  • `ajaxSend` and `ajaxSetup` should be avoided in this case in favor of an application specific solution. – Emile Bergeron Feb 01 '17 at 23:17
11

You could do this:

var _sync = Backbone.sync;
Backbone.sync = function(method, model, options) {

    if( model && (method === 'create' || method === 'update' || method === 'patch') ) {
        options.contentType = 'application/json';
        options.data = JSON.stringify(options.attrs || model.toJSON());
    }

    _.extend( options.data, {
        "access_token": "some-token"
    });

    return _sync.call( this, method, model, options );
}

And just listen for the fail event of fetch/save method to redirect a user to /login

model.fetch().fail( /* redirect */ )
Simon Boudrias
  • 42,953
  • 16
  • 99
  • 134
  • Thanks - gone with this solution for now – imrane Jan 08 '13 at 19:26
  • One question - this doesn't work for POST/UPDATE/CREATE requests...how would I get around that? – imrane Jan 08 '13 at 20:27
  • let me ask you Simon - is there a better way to authenticate a single page backbone app then sending a login token on every request – imrane Jan 08 '13 at 21:05
  • Well, that's a good way for cross-domain authentification (at least if token follow the OAuth standards). But if it's on the same domain, session cookies (or just cookies) may be easier. – Simon Boudrias Jan 08 '13 at 21:07
  • is there a way to send it as part of the headers rather than in each data object? – imrane Jan 08 '13 at 21:12
  • A straight access_token not really. But via a cookie it's possible. – Simon Boudrias Jan 08 '13 at 21:15
  • 3
    Hey, I came across a discussion today, and this made me think about your issue. Maybe you could use [$.ajaxSetup](http://api.jquery.com/jQuery.ajaxSetup/) to set defaults header containing you access token (see `headers` option of [$.ajax](http://api.jquery.com/jQuery.ajax/)) – Simon Boudrias Jan 11 '13 at 16:27
  • Interesting - yea this may work - how would I collect it on the server - same way with $_POST or $_GET or $_REQUEST – imrane Jan 12 '13 at 18:48
  • I'm no PHP expert, but I think you'll have to parse the HTTP headers to get it: http://php.net/manual/en/function.getallheaders.php http://php.net/manual/en/function.http-get-request-headers.php – Simon Boudrias Jan 12 '13 at 19:36
  • Why are you calling _.extend on a string? [since options.data might be = JSON.stringify(options.attrs || model.toJSON());] – David Da Silva Contín Jul 23 '13 at 15:08
3

Authentication is a responsibility of the app.

For a Backbone app, the auth logic should be within the Backbone code and changing the global jQuery's ajax behavior should be avoided at all cost.

Cons of ajaxSetup or ajaxSend

From the jQuery doc on ajaxSetup:

Note: The settings specified here will affect all calls to $.ajax or Ajax-based derivatives such as $.get(). This can cause undesirable behavior since other callers (for example, plugins) may be expecting the normal default settings. For that reason we strongly recommend against using this API. Instead, set the options explicitly in the call or define a simple plugin to do so.

ajaxSend has the same problem as mentioned above. The only advantage it has over ajaxSetup is calling a function each time, giving you more flexibility than the object based options passed to ajaxSetup.

The safest way, the AuthModel and AuthCollection

Put the authentication logic into a base model and collection. This is the most scoped solution.

Here, you could use your already existing BaseModel, but I'd still favor separating the BaseModel from the AuthModel as you may want to create a custom model which uses your base model but also uses a different external API for example.

Since the new sync function for the model and the collection are similar but both may have a different parent implementation, I made a simple function generator.

/**
 * Generates a new sync function which adds the token to the request header 
 * and handles a redirect on error.
 * @param  {Function} syncFn the parent `sync` function to call.
 * @return {Function}  a new version of sync which implements the auth logic.
 */
var authSyncFunction = function(syncFn) {
    return function(method, model, options) {
        options = options || {};

        var beforeSend = options.beforeSend,
            error = options.error;

        _.extend(options, {
            // Add auth headers
            beforeSend: function(xhr) {
                xhr.setRequestHeader('Authorization', "Bearer " + yourTokenHere);
                if (beforeSend) return beforeSend.apply(this, arguments);
            },

            // handle unauthorized error (401)
            error: function(xhr, textStatus, errorThrown) {
                if (error) error.call(options.context, xhr, textStatus, errorThrown);
                if (xhr.status === 401) {
                    Backbone.history.navigate('login');
                }
            }
        });

        return syncFn.call(this, method, model, options);
    };
};

Use the generator on both a model and a collection.

var AuthModel = BaseModel.extend({
    sync: authSyncFunction(BaseModel.prototype.sync)
});

var AuthCollection = BaseCollection.extend({
    sync: authSyncFunction(BaseCollection.prototype.sync)
});

Then you're ready to use these on models and collection you're sure will need authentication. Since you were already using a base model and collection, it would be just a matter of changing the BaseModel.extend to AuthModel.extend.

While I know you asked for a redirect on a 403 Forbidden response, I think it should be on a 401 Unauthorized. See 403 Forbidden vs 401 Unauthorized HTTP responses

Overriding Backbone's sync

If you don't feel like changing all models and collections at this point, but still want to follow good practices and avoid changing the global ajax setup, overriding the Backbone.sync function is an easy alternative.

Using our previously defined sync generator:

Backbone.sync = authSyncFunction(Backbone.sync);

Managing the local storage and the authentication

To manage the data in the local storage, check Backbone-session.

It's a nice implementation of a Backbone model which syncs with the local storage instead of a REST API. It also provides a nice interface to manage the authentication.

// Extend from Session to implement your API's behaviour
var Account = Session.extend({
  signIn: function () {},
  signOut: function () {},
  getAuthStatus: function () {}
});

// Using the custom Account implementation
var session = new Account();
session.fetch()
  .then(session.getAuthStatus)
  .then(function () {
    console.log('Logged in as %s', session.get('name'));
  })
  .fail(function () {
    console.log('Not yet logged in!');
  });
Community
  • 1
  • 1
Emile Bergeron
  • 17,074
  • 5
  • 83
  • 129
-4
Backbone.$.ajaxSetup({
   headers: { 'sid': 'blabla' }
});
Roman Paraschak
  • 175
  • 1
  • 9