You cannot authorize anything in angularjs, because the user has full controll of the execution environment (namely, the browser). Each check, case, if - anything you can think of - can be tampered with. There are javascript libraries that use asymmetric keys to perform local encryption to store local data somewhat safely, but they are not what you are looking for, really.

你不能在 angularjs 中授权任何东西，因为用户完全控制了执行环境（即浏览器）。每个检查、案例，如果 - 你能想到的任何东西 - 都可以被篡改。有一些 javascript 库使用非对称密钥来执行本地加密以在某种程度上安全地存储本地数据，但它们实际上并不是您想要的。

You can, and you should, authorize things on the server - the standard way you would do it in an ordinary application - using session; no special code is necessary, ajax calls use ordinary session cookies. Application does not need to know whether it's authenticated or not. It only needs to check what server thinks.

您可以而且应该在服务器上授权——这是您在普通应用程序中执行的标准方式——使用会话；不需要特殊代码，ajax 调用使用普通会话 cookie。应用程序不需要知道它是否经过身份验证。它只需要检查服务器的想法。

From the perspective of your angularjs application, being "logged in" or "logged out" is merely a gui hint for the user.

从您的 angularjs 应用程序的角度来看，“登录”或“注销”只是用户的 gui 提示。

Probably you found a solution, but currently I made up an authenticaiton scheme I'm implementing in my Angular App.

可能你找到了一个解决方案，但目前我制定了一个身份验证方案，我正在我的 Angular 应用程序中实施。

On .run the app is registered with an ActiveSession set to false. It then checks if the browser has a cookie with a token and a userId.

在 .run 上，应用程序注册时将 ActiveSession 设置为 false。然后它检查浏览器是否有一个带有令牌和用户 ID 的 cookie。

If YES, check token+userId on server and updates the token on both server and local (token it's a server generated key unique for each user)

如果是，请检查服务器上的令牌+用户 ID 并更新服务器和本地上的令牌（令牌是服务器生成的每个用户唯一的密钥）

If NO shows login form, check credentials and again if they are valid does a server request t get a new token and saves is locally.

如果 NO 显示登录表单，请检查凭据，如果它们有效，服务器是否会请求获取新令牌并在本地保存。

The token is used to make a persistent login (remember me for 3 weeks) or when user refreshes the browser page.

该令牌用于进行持久登录（记住我 3 周）或当用户刷新浏览器页面时。

Thank you

谢谢

I asked this question three months ago.

我三个月前问过这个问题。

I would like to share what has become my favourite approach when I've to deal with user authentication in a web app built over AngularJS.

当我必须在基于 AngularJS 构建的 Web 应用程序中处理用户身份验证时，我想分享成为我最喜欢的方法。

Of course fdreger's answer is still a great answer!

当然 fdreger 的回答仍然是一个很好的答案！

You cannot authorize anything in angularjs, because the user has full controll of the execution environment (namely, the browser).

From the perspective of your angularjs application, being "logged in" or "logged out" is merely a gui hint for the user.

你不能在 angularjs 中授权任何东西，因为用户完全控制了执行环境（即浏览器）。

从您的 angularjs 应用程序的角度来看，“登录”或“注销”只是用户的 gui 提示。

So, briefly my approach consists in:

所以，简而言之，我的方法包括：

1) Bind to each route additional information about the route itself.

1)绑定到每条路由关于路由本身的附加信息。

$routeProvider.when('/login', { 
    templateUrl: 'partials/login.html', controller: 'loginCtrl', isFree: true
});

2) Use a service to mantain the data about each user, and their authentication status.

2)使用服务来维护每个用户的数据，以及他们的身份验证状态。

services.factory('User', [function() {
    return {
        isLogged: false,
        username: ''
    };
}]);

3) Everytime the user try to access a new route, check if they have the grant to access.

3)每次用户尝试访问新路由时，检查他们是否有权访问。

$root.$on('$routeChangeStart', function(event, currRoute, prevRoute){
    // prevRoute.isFree tell me if this route is available for all the users, or only for registered user.
    // User.isLogged tell me if the user is logged
})

I also wrote about this approach (more in detail) on my blog, users authentication with angularjs.

我还在我的博客上（更详细地）写了关于这种方法的文章，使用 angularjs 进行用户身份验证。

First of all: Client-side data can always be manipulated or tampered with.

首先：客户端数据总是可以被操纵或篡改的。

As long as valid session IDs aren't easily guessable and measures like associating session tokens with the client's IP there is no big deal about it.

只要有效的会话 ID 不容易被猜测，并且采取诸如将会话令牌与客户端的 IP 相关联的措施，就没有什么大不了的。

You could, in theory, also encrypt the cookie, as long as you do so on the server side.

理论上，您也可以加密 cookie，只要您在服务器端这样做。

For details on how to encrypt your cookies, see the docs of your server-side (e.g http://expressjs.com/api.html#res.cookiefor Express.js)

有关如何加密 cookie 的详细信息，请参阅服务器端的文档（例如http://expressjs.com/api.html#res.cookiefor Express.js）

You need to learn about the server side / database end of it.

您需要了解它的服务器端/数据库端。

User logins need to be stored somewhere - 99.9% of the time this is in a server side database.

用户登录信息需要存储在某个地方 - 99.9% 的时间是在服务器端数据库中。

Ideally for a really secure system you want a backend (server side) membership system that stores the session in a database table that is related to the member table that holds the encrypted password, but also provides a RESTful interface where you can build your api calls to.

理想情况下，对于真正安全的系统，您需要一个后端（服务器端）会员系统，该系统将会话存储在与保存加密密码的成员表相关的数据库表中，但还提供了一个 RESTful 接口，您可以在其中构建 api 调用到。

One Script that I've used successfully a lot has been Amember https://www.amember.com/. It's a really cost effective way to go although there are a lot of other script out there, I've had a lot of success with this one.. It's also PHP so you can build your build out an API for your angular http calls really easily.

我经常成功使用的一个脚本是 Amember https://www.amember.com/。尽管还有很多其他脚本，但这是一种非常划算的方法，我在这个脚本上取得了很大的成功。它也是 PHP，因此您可以为您的 angular http 调用构建 API容易地。

All of these javascript frameworks are great but the effect is that now too many are focusing too much on the front end of things - learn the database / backend as well! :-)

所有这些 javascript 框架都很棒，但结果是现在太多的东西过于专注于前端——还要学习数据库/后端！:-)