{"id":222,"date":"2013-08-11T20:30:01","date_gmt":"2013-08-11T20:30:01","guid":{"rendered":"http:\/\/thomasgr.im\/shares\/?p=222"},"modified":"2014-05-12T17:02:17","modified_gmt":"2014-05-12T17:02:17","slug":"making-app-with-phonegap-jqm-part-3-stateless-authentication-layer","status":"publish","type":"post","link":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/","title":{"rendered":"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer"},"content":{"rendered":"

If you missed Part II: Loading JavaScript Properly<\/a>, you may want to go there and grab the code we wrote so far so that you can follow more easily what we’ll do in this part.<\/p>\n

Today, we’ll see how to implement a REST<\/abbr>ful, stateless authentication layer in our application. Let’s first talk a bit about REST<\/a>; the acronym stands for “REpresentational State Transfer<\/em>” and describes a way of handling client-server transactions in a uniform, layered, stateless, scalable and cacheable way. I know that’s a lot of adjectives to process so I won’t delve into much more details here. We’ll focus on the stateless<\/em> constraint, which requires that the exchanges have no memory per se<\/strong>, they always contain all the information that the other party has to know to process them correctly.<\/p>\n

I have tried to simplify my code examples as much as possible. The goal being “stateless authentication<\/em>“, I have focused on that, which means that for now we will deal with “ugly<\/em>” URLs like https:\/\/foo.bar\/server.php?a=b&id=123; we’ll see in a while how to do the same with “clean<\/em>” URLs like https:\/\/foo.bar\/users\/bob<\/div>\n

The REST philosophy is widely considered one of the best ways to solve communication challenges between a client and a server over the Internet. You may want to read the linked Wikipedia article for more details about the how and why.<\/p>\n

Now what we’re interested in is the design of a system in which we can “phone home<\/em>” from our application to an online server. This is needed for applications which have to pull data from a remote host like news items or score boards, or on the contrary push data to a remote host like creating a new account or updating profile information. Obviously such a system must allow for authentication<\/strong>, or we could end up with users accessing or modifying other users’ data at will!<\/p>\n

Phoning Home (Cross-Domain) With jQuery<\/h2>\n

Phoning home is surprisingly easy with PhoneGap & jQuery, and at the same time it can prove hard to do it right. What I mean is that on the one hand jQuery provides us with powerful tools like jQuery.ajax()<\/kbd><\/a>, which we can leverage in order to query our servers; on the other hand, there is a bunch of things we need to do so that our query is not blocked by the anti-cross-domain security features embedded in web browsers like Chrome.<\/p>\n

<\/p>\n

Thanks to jQuery, the client code is rather straightforward; we simply need to add a function like this to our App<\/kbd> namespace:<\/p>\n

\t"servers": {\r\n\t\t"public": {\r\n\t\t\t"URL": "https:\/\/foo.bar\/public.server.php",\r\n\t\t\t"query": function (action, data, callback) {\r\n\t\t\t\tconsole.log("[public.query]");\r\n\t\t\t\tjQuery.ajax(App.servers.public.URL, {\r\n\t\t\t\t\t"type": "GET",\r\n\t\t\t\t\t"dataType": "json",\r\n\t\t\t\t\t"data": {"action": action, "data": data},\r\n\t\t\t\t\t"contentType": "application\/json",\r\n\t\t\t\t\t"success": callback\r\n\t\t\t\t});\r\n\t\t\t}\r\n\t\t}\r\n\t}<\/pre>\n
As for the server, you can hack something quite quickly in pure PHP:<\/p>\n
<?php\r\nfunction successJSON ($content, $die=true) {\r\n\twrapJSON('SUCCESS', $content, $die);\r\n}\r\nfunction errorJSON ($content, $die=true) {\r\n\twrapJSON('ERROR', $content, $die);\r\n}\r\nfunction wrapJSON ($code, $content, $die=true) {\r\n\t\/\/ encode content as {foo:bar,foobar:baz}\r\n\t$content = json_encode((object)$content);\r\n\t\/\/ strip the first character '{' from the json encoded string\r\n\t$content = substr($content, 1, strlen($content)-1);\r\n\t\/\/ add the "code" part to the string\r\n\t$buffer = '{"code":"'.$code.'",'.$content;\r\n\r\n\techo $buffer;\r\n\tif ($die) {\r\n\t\tdie;\r\n\t}\r\n}\r\n\r\n\/\/ empty request?\r\nif (empty($_REQUEST['action'])) {\r\n\terrorJSON(array("message" => "empty_request"));\r\n}\r\n\r\nswitch ($_REQUEST['action']) {\r\n\tcase 'test':\r\n\t\t$data = 'yeepee';\r\n\t\tif (!empty($_REQUEST['data']['foo'])) {\r\n\t\t\t$data = $_REQUEST['data']['foo'];\r\n\t\t}\r\n\t\tsuccessJSON(array('foo' => $data));\r\n\t\tbreak;\r\n\tdefault:\r\n\t\terrorJSON(array("message" => "access_denied"));\r\n\t\tbreak;\r\n}<\/pre>\n
Change the URL<\/kbd> content in your client code and you can test the function from anywhere in your application:<\/p>\n
App.servers.public.query("test", {"foo":"bar"}, function (response) {\r\nif (response && response.code) {\r\n\tif (response.code === 'SUCCESS') {\r\n\t\tPGproxy.navigator.notification.alert(response.foo);\r\n\t} else {\r\n\t\tconsole.log("error while phoning home!");\r\n\t}\r\n});\r\n\/\/ should result in an alert box saying "bar"<\/pre>\n
I wrote “should<\/em>” specifically because if you try it locally (on your MAMP<\/abbr>\/LAMP<\/abbr>\/WAMP<\/abbr> stack) with a remote server, it’s actually probable that it won’t work as expected. Here’s the thing: querying cross-domains from PhoneGap on a smartphone is typically not a problem, but doing so on your desktop system can be, due to browsers’ security policies.<\/p>\n
To fix this, we have to (1) make the server tell the client it allows it<\/strong> to perform queries from a remote origin, and (2) make jQuery and jQuery.Mobile know they are allowed<\/strong> to perform cross-domain calls.<\/p>\n
First, simply add the following lines to the top of your PHP file:<\/p>\n
header("Access-Control-Allow-Origin: *");\r\nheader('Access-Control-Allow-Methods: POST, GET, OPTIONS');\r\nheader('Access-Control-Max-Age: 1000');\r\nheader('Access-Control-Allow-Headers: Content-Type');\r\nheader('Content-Type: application\/javascript');\r\nif ($_REQUEST['method'] === 'OPTIONS') {\r\n\techo '1';\r\n\tdie;\r\n}<\/pre>\n
What does this code do? Basically, jQuery.ajax()<\/kbd> will always start by pinging the remote URL with an HTTP OPTIONS<\/kbd> request and checking the response headers; if it detects Access-Control-*<\/kbd><\/a> headers and in particular Access-Control-Origin<\/kbd> matches the source domain, then it will perform the “real” query. We die early if the request method is “OPTIONS<\/kbd><\/em>” in order to prevent our script from processing the same data twice!<\/p>\n
Then, make sure you have those lines in your jQuery.Mobile configuration code:<\/p>\n
\t\t\tjQuery.support.cors = true;\r\n\t\t\tjQuery.mobile.allowCrossDomainPages = true;<\/pre>\n
Now you should be able to run the example call successfully on both your desktop browser and your Android smartphone!<\/p>\n
Stateless Authentication Using Public\/Private Tokens<\/h2>\n
Now that’s great and all, but how about sensible queries like updating a user’s account information or posting things in his name? As I wrote earlier, surely we can’t use this public server queries implementation, or we’d allow anyone to mess with our system!<\/p>\n
In order to solve this problem, we’ll use an additional server script named private.server.php<\/kbd>, which will only accept authenticated queries. Users will authenticate themselves using an email\/password, like they do on most websites. The REST philosophy then requires us to pass authenticating information inside all our requests, as opposed to, say, using session cookies. We’ll use private\/public tokens to securely authenticate the user across requests to our API<\/abbr> without passing its login information<\/strong>, which is very sensible in essence, in every request. <\/p>\n
Here’s how the login process works:<\/p>\n
\n
App: Present the user a login form<\/dt>\n
User enters his\/her login info (email\/pass, username\/pass, etc.)<\/dd>\n
Send the login information to public.server.php<\/kbd><\/dd>\n
Server: Find user in the database based on the login info<\/dt>\n
Retrieve his\/her public & private tokens<\/dd>\n
Send the two tokens back to the app<\/dd>\n
App: Store the two tokens locally for future reference (using localStorage)<\/dt>\n<\/dl>\n
Having those two tokens, we can authenticate every subsequent query that needs so:<\/p>\n
\n
App: Construct a hash from the private token and another value, say the timestamp<\/dt>\n
We’ll use the sha1()<\/kbd> algorithm: hash = sha1(private_token + timestamp)<\/kbd><\/p>\n
App: Send a query to private.server.php<\/kbd> passing additional variables<\/dt>\n
We’ll need hash, timestamp and public_token added to action & data<\/dd>\n
We’ll automate this using an additional query method: App.servers.private.query<\/kbd><\/dd>\n
Server: Find user in the database from the public token<\/dt>\n
We actually only need the private_token field from our users table<\/dd>\n
Construct the same hash from the (retrieved) private token and the (passed) timestamp<\/dd>\n
Compare (reconstructed) hash to (passed) hash. If the two match, the query is authenticated<\/dd>\n<\/dl>\n
Stateless Exchanges While Logged In<\/h2>\n
Let’s assume we’re logged in. As we’ve seen, this means that we have stored our public and private tokens on the mobile device. Now all we have to do is create a brand new App.servers.private.query()<\/kbd> method, which we will use for every authenticated query. I’ve actually written a wrapper method called App.servers.query<\/kbd>, which allows us to have cleaner code. Here is the whole thing; take your time reading it, it should be quite easy to understand but please do not hesitate to post a comment if you need me to explain anything:<\/p>\n
"servers": {\r\n\t"query": function (url, type, data, callback) { console.log("[query "+url+"]");\r\n\t\tjQuery.ajax(url, {\r\n\t\t\t"type": type,\r\n\t\t\t"dataType": "json",\r\n\t\t\t"data": data,\r\n\t\t\t"contentType": (type==="GET" ? "application\/json" : "application\/x-www-form-urlencoded"),\r\n\t\t\t"success": callback\r\n\t\t});\r\n\t},\r\n\t"public": {\r\n\t\t"URL":  "https:\/\/foo.bar\/public\/",\r\n\t\t\/\/ perform unauthenticated query\r\n\t\t"query": function (action, data, callback) { console.log("[public.query]");\r\n\t\t\tApp.servers.query(App.servers.public.URL+action, "GET", {"data": data}, callback);\r\n\t\t}\r\n\t},\r\n\t"private": {\r\n\t\t"URL": "https:\/\/foo.bar\/private\/",\r\n\t\t\/\/ perform authenticated query\r\n\t\t"query": function (action, data, callback) { console.log("[private.query]");\r\n\t\t\tif (!localStorage || !localStorage.getItem("token_public") || !localStorage.getItem("token_private")) {\r\n\t\t\t\tconsole.log("can't do private query: empty private\/public tokens!");\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\t\/\/ used as seed for hashing the private token\r\n\t\t\tvar timestamp = Math.round(+new Date()\/1000);\r\n\t\t\tApp.servers.query(App.servers.private.URL+action, "POST", {\r\n\t\t\t\t\t"timestamp": timestamp,\r\n\t\t\t\t\t"token_public": localStorage.getItem("token_public"),\r\n\t\t\t\t\t"hash": sha1(timestamp+localStorage.getItem("token_private")),\r\n\t\t\t\t\t"data": data\r\n\t\t\t}, callback);\r\n\t\t}\r\n\t}\r\n}<\/pre>\n
That’s it, basically: once you’re logged in, you can run whatever type of query you want in a very simple, unobstrusive way:<\/p>\n
App.servers.public.query('deposit_cash', {"account":1,"amount":"\u20ac4,321.00"}, function (result) { \/* ... *\/ });\r\nApp.servers.private.query('wire_money', {"account":2,"amount":"\u20ac1,234.00"}, function (result) { \/* ... *\/ });<\/pre>\n
As for the private server, here’s what you could have set up:<\/p>\n
\r\n\/\/ reject incomplete requests\r\nif (empty($_REQUEST['token_public']) || empty($_REQUEST['hash']) || empty($_REQUEST['timestamp'])) {\r\n\terrorJSON(array('message' => "empty_tokens"));\r\n}\r\n\r\n\/\/ try to find a user from the public token we've been sent (die if not found)\r\ntry {\r\n\t$User = User::find('first', array('conditions' => array('token_public = ?', $_REQUEST['token_public'])));\r\n} catch (Exception $e) { errorJSON(array('message' => "invalid_tokens", "e" => $e->getMessage())); }\r\n\/\/ make sure the hash hasn't been tampered\r\nif ($_REQUEST['hash'] !== sha1($_REQUEST['timestamp'].$User->token_private)) {\r\n\terrorJSON(array('message' => "invalid_tokens"));\r\n}\r\n\r\n\/\/ try and parse any additional data we've been sent\r\nif (!empty($_REQUEST['data'])) {\r\n\tparse_str($_REQUEST['data'], $_REQUEST['data']);\r\n}\r\n\r\nswitch ($_REQUEST['action']) {\r\n\tcase 'check_tokens':\r\n\t\t\/\/ if we've arrived this far, it's all good\r\n\t\tsuccessJSON(array('message' => "all_good"));\r\n\t\t\/\/ shouldn't happen\r\n\t\tbreak;\r\n\tcase 'wire_money':\r\n\t\t\/\/ [...]\r\n\t\t\/\/ [...]\r\n\t\tsuccessJSON(array('message' => "tranfer_order_placed"));\r\n\t\t\/\/ shouldn't happen\r\n\t\tbreak;\r\n\tdefault:\r\n\t\terrorJSON(array('message' => "invalid_action"));\r\n\t\t\/\/ shouldn't happen\r\n\t\tbreak;\r\n}<\/pre>\n
How To Authenticate For The First Time<\/h2>\n
Now how about logging in? Let’s start slowly with the addition of two fields in the users<\/kbd> table: public_token<\/kbd> and private_token<\/kbd>, both as VARCHAR(40)<\/kbd>, NOT NULL<\/kbd> and with an index so that we can retrieve their associated record quickly later on. You will then have to generate the two tokens in a random way upon registration, and I encourage you to generate new ones regularly.<\/p>\n
Here’s a App.handleLogin<\/kbd> function launched when the user submits the login form:<\/p>\n
"handleLogin": function () { console.log("[handleLogin]");\r\n\tvar m = jQuery("#input-Login_mail").val();\r\n\tvar p = jQuery("#input-Login_pass").val();\r\n\r\n\tif (m.length === 0 || p.length === 0) {\r\n\t\tconsole.log("! empty fields");\r\n\t\tPGproxy.navigator.notification.alert("empty fields", function() {});\r\n\t\treturn false;\r\n\t}\r\n\tApp.servers.public.query("login", {\r\n\t\t"mail": m,\r\n\t\t"pass": p\r\n\t}, App.callbacks.handleLogin, true);\r\n\treturn false;\r\n}<\/pre>\n
… and finally the App.callbacks.handleLogin()<\/kbd> callback:<\/p>\n
"handleLogin": function(r) { console.log("[callback: handleLogin]");\r\n\tif (r && r.code && r.code === "SUCCESS" && r.token_private && r.token_public) {\r\n\t\tconsole.log("user is now logged in!");\r\n\t\tlocalStorage.setItem("token_private", r.token_private);\r\n\t\tlocalStorage.setItem("token_public", r.token_public);\r\n\t\tlocalStorage.setItem("id", r.id); \/\/ you can store whatever other data you want\r\n\t\treturn;\r\n\t} else {\r\n\t\tPGproxy.navigator.notification.alert("login failed", function() {});\r\n\t}\r\n}<\/pre>\n
Those functions were rather simple and intuitive, the most interesting part to my mind comes from the servers and their handling of the requests. Here’s a rough example in PHP<\/kbd> of the code could have in your public server<\/strong>:<\/p>\n
switch ($_REQUEST['action'])\r\n{\r\n\tcase 'login':\r\n\t\t\/\/ exit early if obviously invalid fields\r\n\t\tif (empty($_REQUEST['data']['mail']) || empty($_REQUEST['data']['pass'])) {\r\n\t\t\terrorJSON(array('message' => "invalid_fields"));\r\n\t\t}\r\n\t\t\/\/ get corresponding user or exit early\r\n\t\ttry {\r\n\t\t\t$User = User::find('first', array('conditions' => array(\r\n\t\t\t\t"email = ? AND password = ?", $_REQUEST['data']['mail'], sha1(SOME_SALT.$_REQUEST['data']['pass'])\r\n\t\t\t)));\r\n\t\t} catch (RecordNotFound $e) { }\r\n\t\tif (empty($User)) {\r\n\t\t\terrorJSON(array('message' => "invalid_credentials"));\r\n\t\t}\r\n\r\n\t\t\/\/ send the tokens back to the app & die\r\n\t\tsuccessJSON(array(\r\n\t\t\t"token_private" => $User->token_private,\r\n\t\t\t"token_public" => $User->token_public,\r\n\t\t\t"id" => $User->id\r\n\t\t));\r\n\t\t\/\/ shouldn't reach this\r\n\t\tbreak;\r\n\t}\r\n}<\/pre>\n
Note that here I’m using a very simple ORM<\/kbd> called PHP ActiveRecord<\/a> to manage my models and their relations. Feel free to use anything else, as long as it suits you and sends queries in a secure way<\/a>!<\/div>\n<\/p>\n
Wrapping Up<\/h2>\n
Phew, that was a long post. I hope that these snippets and explanations will be somewhat useful to you; if you would like me to give more details on something specific please do tell me in the comments or send me a mail through the contact form, I’ll try my best to reply. This public\/private tokens system is quite simple to handle<\/strong> once you’ve grasped the concepts around it, it is reasonably secure<\/strong> and is completely platform independant<\/strong>. I wanted to include a section on how to add even more security features to it like using a user-specific salt instead of a global one or implementing a retry limit, however the article was becoming way too long so I’ll talk about it in another part ;) Thanks for reading!<\/p>\n","protected":false},"excerpt":{"rendered":"
If you missed Part II: Loading JavaScript Properly, you may want to go there and grab the code we wrote so far so that you can follow more easily what we’ll do in this part. Today, we’ll see how to implement a RESTful, stateless authentication layer in our application. Let’s first talk a bit about REST; …read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[10,2],"tags":[21,12,13,14,15,11,48,20],"class_list":["post-222","post","type-post","status-publish","format-standard","hentry","category-mobile","category-programming","tag-api","tag-javascript","tag-jquery","tag-jquery-mobile","tag-oop","tag-phonegap","tag-php","tag-rest"],"acf":[],"yoast_head":"\nMaking An App With PhoneGap & jQm Part III: A Stateless Authentication Layer - ThomasGR.IM<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer - ThomasGR.IM\" \/>\n<meta property=\"og:description\" content=\"If you missed Part II: Loading JavaScript Properly, you may want to go there and grab the code we wrote so far so that you can follow more easily what we’ll do in this part. Today, we’ll see how to implement a RESTful, stateless authentication layer in our application. Let’s first talk a bit about REST; ...read more\" \/>\n<meta property=\"og:url\" content=\"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/\" \/>\n<meta property=\"og:site_name\" content=\"ThomasGR.IM\" \/>\n<meta property=\"article:published_time\" content=\"2013-08-11T20:30:01+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2014-05-12T17:02:17+00:00\" \/>\n<meta name=\"author\" content=\"Thomas\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/\"},\"author\":{\"name\":\"Thomas\",\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/#\\\/schema\\\/person\\\/a9f452898a055ceb0f17967802c852da\"},\"headline\":\"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer\",\"datePublished\":\"2013-08-11T20:30:01+00:00\",\"dateModified\":\"2014-05-12T17:02:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/\"},\"wordCount\":2482,\"commentCount\":33,\"keywords\":[\"API\",\"JavaScript\",\"jQuery\",\"jQuery.Mobile\",\"OOP\",\"PhoneGap\",\"PHP\",\"REST\"],\"articleSection\":[\"Mobile\",\"Programming\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/\",\"url\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/\",\"name\":\"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer - ThomasGR.IM\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/#website\"},\"datePublished\":\"2013-08-11T20:30:01+00:00\",\"dateModified\":\"2014-05-12T17:02:17+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/#\\\/schema\\\/person\\\/a9f452898a055ceb0f17967802c852da\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/2013\\\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/#website\",\"url\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/\",\"name\":\"ThomasGR.IM\",\"description\":\"Geeky Musing\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/#\\\/schema\\\/person\\\/a9f452898a055ceb0f17967802c852da\",\"name\":\"Thomas\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/24002a8c89532079ac75ffa31bf174b5f4b88ef34601417767fd11b3d48436b7?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/24002a8c89532079ac75ffa31bf174b5f4b88ef34601417767fd11b3d48436b7?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/24002a8c89532079ac75ffa31bf174b5f4b88ef34601417767fd11b3d48436b7?s=96&d=mm&r=g\",\"caption\":\"Thomas\"},\"sameAs\":[\"https:\\\/\\\/thomasgr.im\\\/\"],\"url\":\"https:\\\/\\\/thomasgr.im\\\/shares\\\/author\\\/thomadmin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer - ThomasGR.IM","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/","og_locale":"en_US","og_type":"article","og_title":"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer - ThomasGR.IM","og_description":"If you missed Part II: Loading JavaScript Properly, you may want to go there and grab the code we wrote so far so that you can follow more easily what we’ll do in this part. Today, we’ll see how to implement a RESTful, stateless authentication layer in our application. Let’s first talk a bit about REST; ...read more","og_url":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/","og_site_name":"ThomasGR.IM","article_published_time":"2013-08-11T20:30:01+00:00","article_modified_time":"2014-05-12T17:02:17+00:00","author":"Thomas","twitter_card":"summary_large_image","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/#article","isPartOf":{"@id":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/"},"author":{"name":"Thomas","@id":"https:\/\/thomasgr.im\/shares\/#\/schema\/person\/a9f452898a055ceb0f17967802c852da"},"headline":"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer","datePublished":"2013-08-11T20:30:01+00:00","dateModified":"2014-05-12T17:02:17+00:00","mainEntityOfPage":{"@id":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/"},"wordCount":2482,"commentCount":33,"keywords":["API","JavaScript","jQuery","jQuery.Mobile","OOP","PhoneGap","PHP","REST"],"articleSection":["Mobile","Programming"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/","url":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/","name":"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer - ThomasGR.IM","isPartOf":{"@id":"https:\/\/thomasgr.im\/shares\/#website"},"datePublished":"2013-08-11T20:30:01+00:00","dateModified":"2014-05-12T17:02:17+00:00","author":{"@id":"https:\/\/thomasgr.im\/shares\/#\/schema\/person\/a9f452898a055ceb0f17967802c852da"},"breadcrumb":{"@id":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/thomasgr.im\/shares\/2013\/making-app-with-phonegap-jqm-part-3-stateless-authentication-layer\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/thomasgr.im\/shares\/"},{"@type":"ListItem","position":2,"name":"Making An App With PhoneGap & jQm Part III: A Stateless Authentication Layer"}]},{"@type":"WebSite","@id":"https:\/\/thomasgr.im\/shares\/#website","url":"https:\/\/thomasgr.im\/shares\/","name":"ThomasGR.IM","description":"Geeky Musing","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/thomasgr.im\/shares\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/thomasgr.im\/shares\/#\/schema\/person\/a9f452898a055ceb0f17967802c852da","name":"Thomas","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/24002a8c89532079ac75ffa31bf174b5f4b88ef34601417767fd11b3d48436b7?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/24002a8c89532079ac75ffa31bf174b5f4b88ef34601417767fd11b3d48436b7?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/24002a8c89532079ac75ffa31bf174b5f4b88ef34601417767fd11b3d48436b7?s=96&d=mm&r=g","caption":"Thomas"},"sameAs":["https:\/\/thomasgr.im\/"],"url":"https:\/\/thomasgr.im\/shares\/author\/thomadmin\/"}]}},"_links":{"self":[{"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/posts\/222","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/comments?post=222"}],"version-history":[{"count":0,"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/posts\/222\/revisions"}],"wp:attachment":[{"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/media?parent=222"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/categories?post=222"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thomasgr.im\/shares\/wp-json\/wp\/v2\/tags?post=222"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}