This video is part of the Angular Security MasterClass - Web Security Fundamentals Course - https://angular-university.io/course/angular-security-course
We will start at the beginning: we will see the proper way of doing User Management and Sign Up. We will learn how to store passwords in a database, and we will introduce cryptographic hashes in an approachable way.
Once we have the Sign-Up functionality in place, we will implement Login and understand the need for a temporary identity token. Our first implementation will be stateful login, where the token is kept at the server level.
And at this point we could think we have authentication in place, but we decide to prepare our application for scalability, so we decide to try a JWT (JSON Web Tokens) based approach, because we know that this is what services like Firebase and Auth0 use.
We will use a couple of Auth0 packages to quickly refactor our Login to be JWT based, and learn the advantages of using JWT, and some potential disadvantages as well. And with this in place, we could think that we had a solid security solution.
It's at this point that we will realize that this application is not secure at all!! We will put on our Black Hat and conduct, step by step, an XSS script injection attack: we will steal the identity of another user and send it to an attack server.
We decide to first protect our authentication token from theft, and to deal with the XSS injection attack later. We try to move the JWT to cookie storage, only to realize that this makes us vulnerable to another attack: CSRF (Cross-Site Request Forgery)!
We will proceed to further attack the application, and take the time to really understand the attack.
At this point, feeling more confident about the security of the application, we decide to tackle the original XSS vulnerability and see how Angular provides built-in defenses for it, and when to bypass those defenses and why.
With these protections in place, we will realize with some shock that our application, despite all these built-in defenses, is still vulnerable!!
We will realize at this stage that the application has had a huge design vulnerability from the beginning, and fix it. We will learn that one of the best security defenses for an application is good design.
We will then recommend a couple of practical ways to do authentication in a project: via a third-party JWT-based service like Auth0 if doing a public internet project with alternative social login, or a pre-authentication based solution if doing an enterprise application that runs behind a firewall.
We will then cover how to do UI-level role-based functionality in Angular using the Angular Router, and a custom directive for showing or hiding certain parts of the UI depending on the role of the user. We will learn why the Router cannot enforce actual security.
We will also talk about server-side Authorization, and we will implement a commonly needed security-related Admin Level functionality: the Login As User service, which allows an admin to log in as any user to investigate a problem report. We can see why we would need to secure this functionality!
At the end of all these vulnerabilities and security fixes, we will have a well secured application and we will have learned a ton of security-related concepts along the way in a fun and practical way!
What Will You Learn in This Course?
With this course, you will have a rock-solid foundation on Web Application Security Fundamentals, and you will have gained the practical experience of applying those concepts by defending an application from a series of security attacks. You will have done so by actually performing the attacks while in Black Hat mode!
You will have learned these concepts in the context of an Angular/Node application, but these concepts are applicable to any other technology stack.
You will learn what built-in mechanisms Angular provides to defend against security problems, and which vulnerabilities it does NOT defend against and why.
You will be familiar with best practices for password storage and with custom authentication service design and implementation; you will know the essentials about cryptographic hashes, and be familiar with JWT and several commonly used open source Auth0 packages.
You will be familiar with the following security vulnerabilities and concepts: dictionary attacks, Cross-Site Scripting or XSS attacks, identity token hijacking techniques, the browser same-origin policy, how to combine cookies with JWTs and why, Cross-Site Request Forgery or CSRF, common design vulnerabilities, and more.
For more video tutorials on Angular, check the Angular University website - https://angular-university.io
Twitter - https://twitter.com/AngularUniv
Google+ - https://plus.google.com/u/1/113731658724752465218
Facebook - https://www.facebook.com/angular.university
Check out the PDF E-Books available at the Angular University - https://angular-university.io/my-ebooks