Login and Authentication With Angular 6

Every application need some some sort of authentication. In this tutorial we are going to create a simple login page. If the login is successful, the user could see home page. If the login is not successful, then you would stay in login page. This tutorial is for understanding what we need to consider and it is the simplest way. You need to do more than this in production environment.

There is three aspect in each login:

1- Getting Token from server and storing it.

2- Use the stored token in order to access restricted APIs.

3- Guard restricted pages

Getting token from server and storing it

This step is very simple. All you have to do is to create a form, send the data to server, get the token and storing it. We use localstorage for storing our token.

First we need to create an authentication service.

ng generate service auth

And you change the authService file like this:

import {Injectable} from '@angular/core';
import {HttpClient, HttpHeaders} from '@angular/common/http';
import {Observable, of} from 'rxjs';
import {catchError, tap} from 'rxjs/internal/operators';
const httpOptions = {
    headers: new HttpHeaders({'Content-Type': 'application/json'})
    providedIn: 'root'
export class AuthService {
    private url = '/login/';
    constructor(private http: HttpClient) {
    login(data): Observable<any> {
        return this.http.post<any>(this.url, data, httpOptions).pipe(
            tap((result) => this.save_token(result)),
    private handleError<T>(operation = 'operation', result?: T) {
        return (error: any): Observable<T> => {
            return of(result as T);
    private save_token(data) {
        if (data.success) {
            localStorage.setItem('token', data.token);

We have a constructor and three function in this service. The constructor is responsible to initiate the httpClient. In login method, we create a post request with the data that is provided by our component. We then send this request to the server (with /login url) and get the response. Login method needs to return an observable. We use pipe and tap in order to achieve this.

Pipe is set to chain some operations and return an observable that is result of all the operations. The tap method is responsible to perform an action on the result and returns an observable that is identical to the source. We use tap to save the token.

In save_token function if the result of login is successful, then we save the token in to the localStorage. After that the tap method sends returns the result observable. The catchError method is responsible to handle error. Our handleError does pretty much nothing.

Then we create a login component. In this component we create a form that gets the data from user and send it to the service

ng generate component login

And the component should look like this:

import {Component, OnInit} from '@angular/core';
import {NgForm} from '@angular/forms';
import {Router} from '@angular/router';
import {AuthService} from '../auth.service';

    selector: 'app-login',
    templateUrl: './login.component.html',
    styleUrls: ['./login.component.css']
export class LoginComponent implements OnInit {

    constructor(public authService: AuthService, public router: Router) {

    data = {username: '', password: ''};

    ngOnInit() {

    goTo(path): void {

    login(form: NgForm): void {
            .subscribe(result => {
                if (result.success) {


The login function gets the form info and send it to authService (which is initiated in constructor). If the result is successful to goTo function redirects to home page.

Using the stored token in order to access restricted APIs

Now we have a token saved in our token in our localstorage, we need to use this token in order to access restricted APIs. To do so we can create an http interceptor. By default your application uses default angular http interceptor. In order to change that, we need to go to app.module.ts file and change this part:

providers: [
        provide: ErrorHandler,
        useClass: CustomErrorsHandler
        provide: HTTP_INTERCEPTORS,
        useClass: CustomHttpInterceptor, // change this line with your custom http interceptor
        multi: true

Then create a file named custom-http-interceptor.ts and fill it as follow:

import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Injectable } from '@angular/core';
import { Observable } from 'rxjs/Observable';
import { Router } from '@angular/router';

export class CustomHttpInterceptor implements HttpInterceptor {
    constructor(private router: Router) { }
    intercept(req: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {

        let obj = JSON.parse(localStorage.getItem('token')

        if (obj != null) {
            req = req.clone({
                setHeaders: { 'Authorization': obj.value }
        else {
            if (req.url != 'login') {
        return next.handle(req);

In this file we create a class named CustomHttpInterceptor and we override function intercept. First we check if there is any token saved in localstorage. if there is, we send this token with url with appropriate header (In this case ‘Authorization’), if it is not, we check if the requested url needs token or not. if it doesn’t we send the request with no token.

Guard restricted pages

So far we have saved our token in localstorage and we also managed to send this token with every request. Now we need to limit users to access specific pages if they are not allowed. To do that we can use in canActivate our routing file. First we add canActivate method to our authService.

canActivate(): boolean {
const token = localStorage.getItem('token');
    if (token == null)   {
        return false;
    return true;

In this method we check if the token is available or not. If so, we return true otherwise we return false.

Then in our routing module (app.routing.module.ts) we change routes as follow:

const routes: Routes = [
    {path: '', redirectTo: '/login', pathMatch: 'full'},
        path: 'home', component: HomeComponent,
        canActivate: [AuthService] // <- this line is added
    {path: 'login', component: LoginComponent},

With canActivate property, we check whether the home component is accessible by user or not.


This tutorial is extremely simplified and its only purpose is for you to see all the aspects in one place. It is not suitable for the production environment. Security concerns such as plain text passwords are not considered. You can do a lot of things to improve it. For example you can use angular-jwtin order to check token’s validity. Regardless of that I believe a simple big picture on what needs to be done and in what place it should be is important. Hope this would help you.

Angular 6 (formerly Angular 2) - The Complete Guide

Learn Angular 2 from Beginner to Advanced

Angular 2 Firebase - Build a Web App with Typescript

Angular 2 Demystified

#angular #angular.js

Login and Authentication With Angular 6
1 Likes124.75 GEEK