I'm building a single page app with AngularJS and Drupal as the backend. I'm using the RESTful module. However, I do not have much to go on to build a user authentication workflow.
There are several techniques to authenticate users with a SPA. For example, storing session information in a cookie or in a token. In order to keep a persistent authentication with a token, AngularJS stores the token in local storage. I've been reading that this causes security risks because other scripts are able to access local storage.
Also, RESTful comes with a token authentication module which stores tokens on the server.
The first question is which form of persistent authentication to use? Do I have to completely make the SPA headless Drupal? If the app is headless, using token authentication, do I have to completely remove all the out of box user authentication workflow, for example, resetting a user's password, from the app? Is there a hybrid solution? If the information is being consumed and altered by mobile apps and other non standard means, is using cookie authentication out of the question? If that is the case, on a desktop app, how do I prevent users from accessing user URIs? Basically, I have no clue what is going on and there isn't much information about secure solutions.
Do headless means no layout and block display at all ? i believe u can leave CAS drupal module do the job ( and a connection menu )