@delon/auth Authentication & Authorization Skill
This skill helps implement authentication and authorization using @delon/auth library.
Core Principles
Token Management
- JWT Storage: Secure token storage using DA_SERVICE_TOKEN
- Auto Refresh: Automatic token renewal before expiration
- Interceptors: Automatic token injection in HTTP requests
- Logout: Clean token removal and session cleanup
Authorization
- RBAC: Role-based access control
- Permissions: Fine-grained permission checking
- Guards: Route protection with role/permission checks
- ACL Integration: Works with @delon/acl for UI-level controls
Configuration
App Config
// src/app/app.config.ts
import { ApplicationConfig } from '@angular/core';
import { provideDelonAuth, DA_SERVICE_TOKEN, ITokenService } from '@delon/auth';
import { JWTTokenModel } from '@delon/auth';
export const appConfig: ApplicationConfig = {
providers: [
provideDelonAuth({
token_send_key: 'Authorization',
token_send_template: 'Bearer ${token}',
token_send_place: 'header',
login_url: '/passport/login',
ignores: [/\/login/, /assets\//],
allow_anonymous_key: 'allow_anonymous',
executeOtherInterceptors: true,
refreshTime: 3000, // Refresh token check interval (ms)
refreshOffset: 6000 // Refresh token before expiration (ms)
})
]
};
Token Model
// src/app/core/models/auth-token.model.ts
import { JWTTokenModel } from '@delon/auth';
export interface AuthTokenModel extends JWTTokenModel {
token: string;
uid: string;
email: string;
displayName: string;
role: string;
permissions: string[];
exp: number;
}
Authentication Service
// src/app/core/services/auth.service.ts
import { Injectable, inject } from '@angular/core';
import { Router } from '@angular/router';
import { DA_SERVICE_TOKEN, ITokenService } from '@delon/auth';
import { Auth, signInWithEmailAndPassword, signOut, User } from '@angular/fire/auth';
import { AuthTokenModel } from '@core/models/auth-token.model';
import { signal, computed } from '@angular/core';
@Injectable({ providedIn: 'root' })
export class AuthService {
private auth = inject(Auth);
private tokenService = inject<ITokenService>(DA_SERVICE_TOKEN);
private router = inject(Router);
// State
private currentUser = signal<User | null>(null);
private authToken = signal<AuthTokenModel | null>(null);
// Computed
isAuthenticated = computed(() => this.tokenService.get()?.token != null);
userRole = computed(() => this.authToken()?.role);
userPermissions = computed(() => this.authToken()?.permissions || []);
constructor() {
// Listen to Firebase Auth state
this.auth.onAuthStateChanged(async (user) => {
this.currentUser.set(user);
if (user) {
await this.refreshToken();
} else {
this.clearSession();
}
});
}
/**
* Login with email and password
*/
async login(email: string, password: string): Promise<void> {
try {
const credential = await signInWithEmailAndPassword(this.auth, email, password);
const token = await credential.user.getIdToken();
const tokenData = await this.parseToken(token);
// Store token in @delon/auth
this.tokenService.set(tokenData);
this.authToken.set(tokenData);
// Navigate to dashboard
await this.router.navigateByUrl('/dashboard');
} catch (error) {
console.error('Login failed:', error);
throw error;
}
}
/**
* Logout
*/
async logout(): Promise<void> {
try {
await signOut(this.auth);
this.clearSession();
await this.router.navigateByUrl('/passport/login');
} catch (error) {
console.error('Logout failed:', error);
throw error;
}
}
/**
* Refresh token
*/
async refreshToken(): Promise<void> {
const user = this.currentUser();
if (!user) return;
try {
const token = await user.getIdToken(true); // Force refresh
const tokenData = await this.parseToken(token);
this.tokenService.set(tokenData);
this.authToken.set(tokenData);
} catch (error) {
console.error('Token refresh failed:', error);
await this.logout();
}
}
/**
* Check if user has specific role
*/
hasRole(role: string): boolean {
return this.userRole() === role;
}
/**
* Check if user has specific permission
*/
hasPermission(permission: string): boolean {
return this.userPermissions().includes(permission);
}
/**
* Check if user has any of the specified permissions
*/
hasAnyPermission(permissions: string[]): boolean {
const userPerms = this.userPermissions();
return permissions.some(p => userPerms.includes(p));
}
/**
* Check if user has all of the specified permissions
*/
hasAllPermissions(permissions: string[]): boolean {
const userPerms = this.userPermissions();
return permissions.every(p => userPerms.includes(p));
}
/**
* Parse JWT token
*/
private async parseToken(token: string): Promise<AuthTokenModel> {
// Decode JWT payload
const payload = JSON.parse(atob(token.split('.')[1]));
// Load user permissions from Firestore (custom claims)
const permissions = await this.loadUserPermissions(payload.uid);
return {
token,
uid: payload.uid,
email: payload.email,
displayName: payload.name || payload.email,
role: payload.role || 'member',
permissions,
exp: payload.exp
};
}
/**
* Load user permissions from Firestore
*/
private async loadUserPermissions(uid: string): Promise<string[]> {
// Implementation: query user's permissions from Firestore
// This is placeholder - implement based on your schema
return ['read:tasks', 'write:tasks'];
}
/**
* Clear session
*/
private clearSession(): void {
this.tokenService.clear();
this.authToken.set(null);
this.currentUser.set(null);
}
}
Auth Guard
// src/app/core/guards/auth.guard.ts
import { inject } from '@angular/core';
import { Router, CanActivateFn } from '@angular/router';
import { AuthService } from '@core/services/auth.service';
/**
* Guard to protect routes requiring authentication
*/
export const authGuard: CanActivateFn = () => {
const authService = inject(AuthService);
const router = inject(Router);
if (authService.isAuthenticated()) {
return true;
}
return router.createUrlTree(['/passport/login']);
};
Role Guard
// src/app/core/guards/role.guard.ts
import { inject } from '@angular/core';
import { Router, CanActivateFn, ActivatedRouteSnapshot } from '@angular/router';
import { AuthService } from '@core/services/auth.service';
/**
* Guard to protect routes by role
*/
export const roleGuard: CanActivateFn = (route: ActivatedRouteSnapshot) => {
const authService = inject(AuthService);
const router = inject(Router);
const requiredRole = route.data['role'] as string;
if (!requiredRole) {
console.warn('Role guard used without required role');
return true;
}
if (authService.hasRole(requiredRole)) {
return true;
}
// Redirect to unauthorized page
return router.createUrlTree(['/exception/403']);
};
/**
* Usage in routes:
* {
* path: 'admin',
* component: AdminComponent,
* canActivate: [authGuard, roleGuard],
* data: { role: 'admin' }
* }
*/
Permission Guard
// src/app/core/guards/permission.guard.ts
import { inject } from '@angular/core';
import { Router, CanActivateFn, ActivatedRouteSnapshot } from '@angular/router';
import { AuthService } from '@core/services/auth.service';
/**
* Guard to protect routes by permissions
*/
export const permissionGuard: CanActivateFn = (route: ActivatedRouteSnapshot) => {
const authService = inj