If your API is using HTTP Basic Authentication, sending the username and password with each XHR request via the open method is sufficient. However, if your API (like ours) uses a different authentication mechanism, you'll need to handle this appropriately.
In our case, authentication is initially handled by calling the login method provided by our API. Since this requires a CSRF token, we also have to call get-csrf-token. Once the token is received, we then POST a request that contains the token in the header and the username and password in the body.
At this point, the server responds with either a 401 error (Unauthorized) or session information that we need to keep. The former indicates that the backend cannot authenticate the user, while the latter indicates that the server created a session for the user.
Once authenticated, additional requests send a token in the header (x-auth-token). This token is initially received from the login response data...
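The flow described above, as an added example that is not code from the original article: a small session client that fetches the CSRF token, logs in, and attaches x-auth-token to later requests. The /get-csrf-token and /login paths, the x-csrf-token header, the csrfToken and token response fields, and the in-memory backend are assumptions made so the example runs offline.

```javascript
// Added example. Assumed names: the /get-csrf-token and /login paths, the
// x-csrf-token header, the csrfToken/token JSON fields. Only x-auth-token is from the article.
class ApiSession {
  // transport(req) -> Promise<{status, body}>; in a browser this would wrap XHR.
  constructor(transport) {
    this.transport = transport;
    this.authToken = null; // held in memory only, not in localStorage
  }

  async login(username, password) {
    const csrf = await this.transport({ method: 'GET', path: '/get-csrf-token', headers: {} });
    const res = await this.transport({
      method: 'POST',
      path: '/login',
      headers: { 'x-csrf-token': csrf.body.csrfToken, 'content-type': 'application/json' },
      body: JSON.stringify({ username, password }),
    });
    if (res.status === 401) { this.authToken = null; return false; } // backend rejected the user
    if (res.status !== 200 || !res.body.token) throw new Error('unexpected login response: ' + res.status);
    this.authToken = res.body.token; // session information we need to keep
    return true;
  }

  async request(method, path) {
    if (!this.authToken) throw new Error('not authenticated');
    const res = await this.transport({ method, path, headers: { 'x-auth-token': this.authToken } });
    if (res.status === 401) this.authToken = null; // session expired or revoked: require a new login
    return res;
  }
}

// Constructed in-memory backend (not a real API) with single-use CSRF tokens.
function makeFakeBackend() {
  const csrfTokens = new Set(), sessions = new Set();
  let n = 0;
  return async ({ method, path, headers, body }) => {
    if (path === '/get-csrf-token') {
      const t = 'csrf-' + (++n); csrfTokens.add(t);
      return { status: 200, body: { csrfToken: t } };
    }
    if (path === '/login' && method === 'POST') {
      if (!csrfTokens.delete(headers['x-csrf-token'])) return { status: 403, body: {} };
      const { username, password } = JSON.parse(body);
      if (username !== 'alice' || password !== 'correct horse') return { status: 401, body: {} };
      const s = 'sess-' + (++n); sessions.add(s);
      return { status: 200, body: { token: s } };
    }
    return sessions.has(headers['x-auth-token']) ? { status: 200, body: { path } } : { status: 401, body: {} };
  };
}
```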