“Turn on all security features like two-factor authentication. People who do that generally don’t get hacked. Don’t care? You will when you get hacked. Do the same for your email and other social services, too.” — Robert Scoble
“Extra layer of security” — who doesn’t need it? Does your website give users a way to enable two-factor authentication (TFA)? If not, it should: with password-only authentication, every account is one leaked or reused password away from takeover.
In this tutorial we’ll learn how to enable and integrate two-factor authentication in an Angular 7 app with a Node.js back end, using Google Authenticator, which generates time-based one-time passwords (TOTP, RFC 6238). By the end of this post you will have an application with simple login and registration features plus two-factor authentication.
GitHub repository to be followed: angular-node-mfauth (https://github.com/Narendra-Kamath/angular-node-mfauth)
- Node.js (LTS); v10.15.3 LTS is used in this tutorial
- Google Authenticator app for Android or iOS
With those tools installed, the next step is to create the API services for the application.
Step 1: Server-side Application
For creating the API services we will use Express.js, a minimal and flexible web framework for Node.js. Create a dedicated directory ‘back-end’ for the server-side app, navigate into it in the terminal/command prompt and install the required project dependencies:
> mkdir back-end
> cd back-end
> npm init -y
> npm install --save express body-parser cors qrcode speakeasy
We have now created the directory ‘back-end’ and initialized it as a Node.js project with the following dependencies:
- express — a minimal and flexible web framework for creating the API services.
- body-parser — parses the body of incoming HTTP requests (the JSON the Angular app posts).
- cors — lets the Angular dev server, which runs on a different origin (port 4200) than the API (port 3000), call the API from the browser. CORS only relaxes the browser’s same-origin policy; it is not an access control, so every API request must still be authenticated by the server itself.
- qrcode — generates the QR code as base64 image data from the otpauth:// URL that the authenticator app scans.
- speakeasy — generates the shared secret and implements the TOTP algorithm that Google Authenticator uses (RFC 6238: HMAC-SHA1, 30-second step, six digits); it also verifies the Auth Code the user submits.
We will now create a few API services, with app.js as the entry point. To keep the learning process simple, the scaffolding follows separation of concerns: each route lives in its own module.
The API services expose login, registration and TFA through the following routes:
1. Login service: logs the user in with username, password and, if TFA is enabled, the Auth Code; otherwise with username and password alone. The server decides from the stored user object whether a code is required, never from a flag sent by the client, and it checks the password before it looks at the code.
In this tutorial we don’t use a database to store the user, so a single shared user object on the server side stands in for it. For a real application, store only a salted password hash (bcrypt, scrypt or Argon2) and keep the TFA secret encrypted at rest.
2. Registration service: registering a user simply writes the username and password into the userObject, replacing whatever was there before. Since login and registration exist only for demonstration, the application supports a single user.
3. TFA service: sets up two-factor authentication and verifies the TOTP code generated by Google Authenticator. It exposes a GET for the existing TFA configuration and endpoints to enable or disable TFA for the userObject. Enabling should only succeed after the user has submitted a valid code from the freshly scanned secret, which proves the authenticator was enrolled correctly before the account starts requiring it.
The routes are exported and wired together in the single entry file ‘app.js’ in the root directory, which starts the Express HTTP server on localhost, port 3000.
That completes the server side of our web application. Start the server script and let it Rest In its Place ;)
The next step is a simple Angular 7 application that consumes these services.
Step 2: Angular 7 application
To create an Angular 7 application, first install the Angular CLI globally. Then create an app named ‘front-end’, navigate into it and install ‘bootstrap’ as a local dependency (link bootstrap.min.css from styles.css):
> npm install -g @angular/cli
> ng new front-end
> cd front-end
> npm install --save bootstrap
> ng serve
Once the app is created and the dev server is running, we generate the components, guards and services the application needs.
For the demonstration we create a LoginService and two guards: ‘AuthGuard’ and a login state guard.
> ng g s services/login-service/login-service --spec=false
> ng g g guards/AuthGuard
> ng g g guards/Login
The generated guards are CanActivate guards. The LoginService holds the HTTP calls to the services created at the back-end.
AuthGuard stops a user who is not logged in from navigating to the Home page.
The login guard keeps an already logged-in user away from the login and registration pages. Both guards are a client-side convenience, not a security boundary: they run in JavaScript the user controls, so any data a guarded page shows must still be protected by the API refusing requests from a client that has not logged in.
With the services and guards forming the backbone of the application, we now create the main components and configure the routing.
> ng g c components/header --spec=false
> ng g c components/home --spec=false
> ng g c components/login --spec=false
> ng g c components/register --spec=false
After creating the components, configure the routing by attaching the respective guards to the routes they protect.
Before writing the components, strip the default markup from app.component.html so that it contains only the common header component and the router-outlet.
1. Header Component: a common navigation bar shared by the other components. The visibility of its links is controlled by getAuthStatus() of LoginService.
Behind this HTML the header component also needs its *.ts file.
2. Login Component: accepts the username, password and, if TFA is enabled, the AuthCode from the user and verifies them against the back-end services. If the credentials are valid, the user is navigated to the HomeComponent.
The status received from the back-end is also checked so that an appropriate message can be shown to the user.
3. Registration Component: as stated earlier, only a single user can be registered in the whole application; the user enters any username and password (preferably one you will remember :P).
If you forget the username or password, or lose the TFA secret from your device, simply enter a new username and password on the registration page (this resets the userObject :P). In a real application a lost second factor is recovered with pre-generated recovery codes, not by letting anyone overwrite the account.
Once registered and logged in with username and password, the user is offered the option to enable or disable two-factor authentication in the HomeComponent.
4. Home Component: this is where the user sets up and verifies TFA. On landing there is an option to set up TFA, which shows a QR code to be scanned with the Google Authenticator app. Scanning stores the TOTP secret linked to the userObject in the app, which then displays a fresh AuthCode every 30 seconds; entering the current code verifies the enrolment and enables TFA for the userObject.
If TFA is already enabled, the current settings are displayed with the QR code and secret key, along with an option to disable TFA for the userObject. Redisplaying the secret is a convenience for this demo; in production show it only once during setup, since anyone who can read it later can clone the second factor, and require a current code before TFA can be disabled.
Hurray!! If you have read this far, you have learnt how to integrate two-factor authentication into your Angular 7 application. For debugging, look at the console of the front-end application or of the back-end application. Hope it was easy to integrate two-factor authentication with your Angular 7 app… Cheers!!
Kindly share your views in the responses section :) Thank you!