
Ember.js Authentication Token for Ember-Data + AMS => JSON or HTTP Header?

CONTEXT:

I have an Ember.js 1.1.0-beta.1 application that exchanges JSON data with a Rails-API server (Rails 4). JSON data exchange is accomplished with Ember-Data 1.0.0-beta.2 and Active Model Serializers 0.8.1 (AMS). I'm using the default recommended configurations for both Ember-Data and AMS, and am compliant with the JSON-API spec.

On any given RESTful call, the client passes the current authentication token to the server. The authentication token is verified and retired, and a new authentication token is generated and sent back to the client. Thus, every RESTful call accepts an authentication token in the request, and provides a new authentication token in the response that the client can cache and use for the next RESTful call.

QUESTION:

Where do I put the authentication token in each request and response?

Should it be part of each object's JSON in request and response? If so, where is the token placed in the existing object's JSON structure (which has nothing to do with authentication)?

Or should they be placed in the HTTP header for each request and response object?

What is "The Ember Way" that one might eventually expect to find in the new Ember Guides Cookbook?

MORE CONTEXT:

I'm already familiar with the following links:

  • @machty 2 Embercasts: http://www.embercasts.com/episodes/client-side-authentication-part-2
  • @wycats tweet: https://twitter.com/wycats/status/376495062709854209
  • @cavneb 3 blog posts: http://coderberry.me/blog/2013/07/08/authentication-with-emberjs-part-1
  • @simplabs blog post: http://log.simplabs.com/post/53016599611/authentication-in-ember-js

...and am looking for answers that go beyond these, and are specific to Ember-Data + AMS.

With the exception of the need to pass a new token back to the client in the response via Ember-Data, assume my client code is otherwise similar to the @machty Embercast example on GitHub: https://github.com/embercasts/authentication-part-2/blob/master/public/js/app.js

Thank you very much!

Chris asked Sep 23 '13 19:09


1 Answer

I've got a similar stack - ember, ember-data and rails-api with AMS. Right now, I'm just passing the authentication token (which I store in localStorage) in a header (though you could pass it on the query string) by modifying the RESTAdapter's ajax method.

My initial thought would be to avoid resetting the token on every request. If you're particularly concerned about the token being sniffed, it might be easier to just reset the token on the server at a regular interval (say, 10 minutes). Then, if any request from the client fails due to an old token, just fetch the new token (by passing a 'reset token' that your server gives you at login) and replay the initial request.

As for where to put the token, there isn't really an "Ember Way" - I prefer passing it in a header since passing it in the query string can mess with caching and is also more likely to be logged somewhere along the way. I'd definitely avoid passing it in the request body - that would go against what ember-data expects, I'd imagine.

sheldonbaker answered Sep 20 '22 17:09
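
The flow described in the answer above (token in a request header, one refresh with the reset token when the server rejects an old token, then a single replay) can be sketched as follows. This is an added example, not code from the answer or from Ember-Data; `createAuthClient`, `makeDemo`, the `Authorization: Bearer` scheme, the `X-Reset-Token` header and the `/token/refresh` path are all assumptions, and the transport is an in-memory stand-in for the adapter's ajax call.

```javascript
// Added example: function names, header names and /token/refresh are assumptions.
function createAuthClient(transport, storage) {
  let refreshing = null; // shared promise: concurrent 401s trigger one refresh

  function withToken(request) {
    // The token travels in a header, never in the URL or the JSON body.
    const headers = Object.assign({}, request.headers, {
      Authorization: 'Bearer ' + storage.getItem('authToken'),
    });
    return Object.assign({}, request, { headers });
  }

  function refresh() {
    if (!refreshing) {
      refreshing = transport({
        method: 'POST',
        url: '/token/refresh',
        headers: { 'X-Reset-Token': storage.getItem('resetToken') },
      }).then((res) => {
        if (res.status !== 200) throw new Error('re-authentication required');
        storage.setItem('authToken', res.body.token);
      }).finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  return async function send(request) {
    const first = await transport(withToken(request));
    if (first.status !== 401) return first;
    await refresh(); // old token rejected: fetch a new one with the reset token
    return transport(withToken(request)); // replay once; a second 401 is returned
  };
}

// Constructed stand-ins so this runs offline (no real server or localStorage).
function makeDemo() {
  const data = { authToken: 'stale-1', resetToken: 'reset-abc' };
  const storage = { getItem: (k) => data[k], setItem: (k, v) => { data[k] = v; } };
  const log = [];
  const transport = async (req) => {
    log.push(req.method + ' ' + req.url);
    if (req.url === '/token/refresh') {
      const valid = req.headers['X-Reset-Token'] === data.resetToken;
      return valid ? { status: 200, body: { token: 'fresh-2' } } : { status: 403, body: {} };
    }
    const ok = req.headers.Authorization === 'Bearer fresh-2';
    return ok ? { status: 200, body: { ok: true } } : { status: 401, body: {} };
  };
  return { send: createAuthClient(transport, storage), storage, log };
}
```

Two requests sent at the same time with a stale token share one refresh call, and the recorded request log contains only methods and paths, since the token never appears in a URL.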