
I am working with AngularJS and a REST API. I have two sign-in pages, one for the admin and one for ordinary users, and sign-in works for both. The problem is that when a user tries to sign in through the admin page, authentication succeeds and the user lands on the home page (seeing only the fields assigned to users, so no extra privileges are gained). How can I stop ordinary users from signing in through the admin page?

This is the sign-in function in the admin controller.js:

$scope.signin = function() {
    // Posts the entered credentials to the shared /auth/signin endpoint.
    // Both sign-in pages appear to post to this same URL, so the client on its
    // own cannot tell an admin login from a user login; any admin-only
    // restriction has to be enforced by the server, not by this controller.
    var onSignedIn = function(user) {
        // Publish the authenticated user on the global authentication model...
        $scope.authentication.user = user;
        // ...and move on to the index page.
        $location.path('/');
    };

    var onFailed = function(response) {
        // A 4xx reply is expected to carry a JSON body with a `message`.
        $scope.error = response.message;
    };

    $http.post('/auth/signin', $scope.credentials).success(onSignedIn).error(onFailed);
};

Server-side sign-in handler, shared by both the user and the admin pages:

  /**
 * Signin after passport authentication.
 *
 * Shared by the admin and the user sign-in pages: runs the `local` passport
 * strategy against the posted credentials, establishes the session and echoes
 * the user record back. Nothing in here distinguishes an admin from an
 * ordinary user, which is why a user can authenticate through the admin page.
 *
 * @param {Object} req   Express request carrying the credentials.
 * @param {Object} res   Express response: 400 with the strategy's `info` on
 *                       failure, 400 with the login error if the session
 *                       cannot be established, the sanitised user (JSONP)
 *                       on success.
 * @param {Function} next  Express continuation handed to passport.
 */
exports.signin = function(req, res, next) {
    var afterAuth = function(err, user, info) {
        if (err || !user) {
            // Rejected credentials (or a strategy error): relay what passport said.
            res.status(400).send(info);
            return;
        }

        // Never echo credential material back to the client.
        user.password = undefined;
        user.salt = undefined;

        // Establish the session, then return the sanitised user record.
        req.login(user, function(loginErr) {
            if (loginErr) {
                res.status(400).send(loginErr);
            } else {
                res.jsonp(user);
            }
        });
    };

    passport.authenticate('local', afterAuth)(req, res, next);
};

1 Answer


I solved this by using two different server-side functions, one for the admin sign-in and one for the user sign-in, each with its own restriction. Because the check runs on the server, it still holds if a client skips the admin page and posts directly to the endpoint. I used this code to keep ordinary users out of the admin sign-in:

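/**
 * Admin-only sign-in.
 *
 * Authenticates with the `local` passport strategy like `signin`, but only
 * establishes a session when the authenticated account is the admin account.
 * Every other outcome -- strategy error, rejected credentials, or valid
 * credentials for a non-admin account -- gets one and the same 400 response,
 * so this endpoint cannot be used to confirm that a non-admin
 * username/password pair is valid.
 *
 * Fix: the original read `user.username` before checking that `user` exists,
 * so a failed authentication (passport passes `user === false`) threw a
 * TypeError inside the callback instead of returning the rejection.
 *
 * NOTE(review): identifying the admin by a hard-coded username is brittle
 * (the user sign-in handler checks a different name); a role attribute on the
 * user record would be the more robust test, if the model has one.
 *
 * @param {Object} req   Express request carrying the credentials.
 * @param {Object} res   Express response: 400 on any rejection, the sanitised
 *                       user (JSONP) on success.
 * @param {Function} next  Express continuation handed to passport.
 */
exports.adminsignin = function(req, res, next) {
    var ADMIN_USERNAME = 'gtm_admin';

    passport.authenticate('local', function(err, user, info) {
        // `user` is `false` when the credentials were rejected; guard it
        // before touching `user.username`. Same response for every rejection.
        if (err || !user || user.username !== ADMIN_USERNAME) {
            return res.status(400).send({message:'you are not signin to login here'});
        }

        // Remove sensitive data before login
        user.password = undefined;
        user.salt = undefined;

        req.login(user, function(loginErr) {
            if (loginErr) {
                return res.status(400).send(loginErr);
            }
            res.jsonp(user);
        });
    })(req, res, next);
};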

And for the user sign-in, i.e. to keep the admin from signing in there, I used this logic:

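/**
 * Ordinary-user sign-in.
 *
 * Authenticates with the `local` passport strategy and establishes a session
 * for any account except the admin account, which is told to use the admin
 * sign-in instead.
 *
 * Fix: the original sent a response for `err || !user` and then, with no
 * `return` or `else`, fell through into the second `if` and sent a second
 * response on the same request ("Can't set headers after they are sent").
 * Each branch now returns after its single response.
 *
 * NOTE(review): the admin is identified as 'admin' here but as 'gtm_admin' in
 * `adminsignin`; the two names must agree (or, better, both handlers should
 * test a role attribute on the user record) for the split to actually keep
 * the admin out of this endpoint. Also note that the distinct "admin cannot
 * sign in here" message is only sent after the password was verified, so it
 * confirms a correct admin password to whoever posts it; if that matters,
 * reply with the same generic failure as a bad password.
 *
 * @param {Object} req   Express request carrying the credentials.
 * @param {Object} res   Express response: 400 with passport's `info` on a
 *                       strategy error or rejected credentials, 400 with a
 *                       message for the admin account, the sanitised user
 *                       (JSONP) on success.
 * @param {Function} next  Express continuation handed to passport.
 */
exports.signin = function(req, res, next) {
    var ADMIN_USERNAME = 'admin';

    passport.authenticate('local', function(err, user, info) {
        if (err || !user) {
            // Strategy error or rejected credentials: relay passport's info
            // and stop here -- exactly one response per request.
            return res.status(400).send(info);
        }
        if (user.username === ADMIN_USERNAME) {
            // Valid admin credentials, wrong endpoint.
            return res.status(400).send({message:'Admin conont signin here sign through adminsignin'});
        }

        // Remove sensitive data before login
        user.password = undefined;
        user.salt = undefined;

        req.login(user, function(loginErr) {
            if (loginErr) {
                return res.status(400).send(loginErr);
            }
            res.jsonp(user);
        });
    })(req, res, next);
};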
  • One approach to authentication/authorization on both server and client is to define a user.role property when the user is first created, with values such as "ADMIN" or "USER". Use a single login screen. Then protect the API endpoints on the server side with middleware that checks the user's role and allows or denies access as desired; on the client side, show/hide elements or adjust behavior based on user.role (the client-side checks are for usability only — the server-side middleware is what actually enforces access). – klode Jan 12 '15 at 18:20
  • In case it is useful, this is the link to an answer I wrote which contains an example of server-side authorization based on user.role: http://stackoverflow.com/questions/20000195/how-can-i-protect-an-api-endpoint-with-passportjs/20170110#20170110 – klode Jan 12 '15 at 18:29