How to implement Basic Authentication for web sockets using play framework.
I am creating a web socket using play framework.
I would like to do basic authentication and send 401 if authentication fails.
Below is my code and i am not able to send "{code=401, message=unauthorized access}" as response
def ChatServer(): WebSocket = WebSocket.accept[String, String] { request =>
if (Util.doBasicAuthentication(request.headers)) {
ActorFlow.actorRef { out =>
ChatActor.props(out)
}
} else throw new RuntimeException("Unauthorized Access")
}
Whenever authentication fails, i am not able to send the response back as "unauthorized access" instead i am ending up with exceptions
As described in the Play documentation, use WebSocket.acceptOrResult:
def socket = WebSocket.acceptOrResult[String, String] { request =>
Future.successful {
if (Util.doBasicAuthentication(request.headers)) {
Right(ActorFlow.actorRef { out =>
ChatActor.props(out)
})
} else {
Left(Unauthorized)
}
}
}
Question about akka-http server. I have a top-level mapResponse which wraps all other routes. This mapResponse wraps all responses in the json. And recently I found that sometimes my server returns 503 error with plain-text explanation. I found that the reason is akka.http.server.request-timeout config value - it was too small. But why I didn't catch these responses with the top-level mapResponse? I found that this 503 response is created in HttpServerBluePrint.TimeoutAccessImpl.apply and it somehow ignores my mapResponse.
Here is the minimal reproduction code. I wrap all my routes in logAndReturn200 function. I expect that all my routes will return StatusCodes.OK. But /bar returns timeout error.
val logAndReturn200 = mapResponse { response =>
println(response)
HttpResponse(StatusCodes.OK)
}
val route = {
logAndReturn200 {
get {
path("foo") {
complete("OK")
} ~
path("bar") {
val promise = Promise[Unit]()
actorSystem.scheduler.scheduleOnce(10.seconds) {
promise.success(())
}
onSuccess(promise.future) {
complete("OK")
}
}
}
}
}
val bindingFuture = Http().bindAndHandle(route, "localhost", 8080)
I am trying a basic authentication on post request in spray.io 1.3.2 using authenticate directive. My code looks following:
val route: Route = {
pathPrefix("ato") {
pathPrefix("v1") {
path("orders" / "updateStatus") {
post {
authenticate(BasicAuth(userPasswordAuthenticator _, realm = "bd ato import api")) {
user =>
entity(as[String]) {e =>
complete {
s"Hello $e "
}
}
}
}
}
}
}
}
def userPasswordAuthenticator(userPass: Option[UserPass]): Future[Option[String]] =
Future {
if (userPass.exists(up => up.user == ato_import_v1_usr && up.pass == ato_import_v1_pwd)) Some("ato_v1")
else None
}
This works perfectly fine, authorized Status Ok 200, unauthorized 401. However when the order of directives is changed as follows:
val route: Route = {
pathPrefix("ato") {
pathPrefix("v1") {
authenticate(BasicAuth(userPasswordAuthenticator _, realm = "bd ato import api")) {
user =>
path("orders" / "updateStatus") {
post {
entity(as[String]) {e =>
complete {
s"Hello $e "
}
}
}
}
}
}
}
}
I am getting Status 405, HTTP method not allowed for unauthorized access. I am not sure why that happens. From certain point it make sense, path is not matched because of missing credentials etc.
Could someone please clarify that?
The reason why I wanted to put authorization at v1 level is that I wanted to make every version protected by different password. Is there a way how to achieve that? What is the best practice in chaining directives?
I would like to follow DRY principle.
Thanks
I don't want to explicitly write:
options { ... }
for each entry point / path in my Spray route. I'd like to write some generic code that will add OPTIONS support for all paths. It should look at the routes and extract supported methods from them.
I can't paste any code since I don't know how to approach it in Spray.
The reason I'm doing it is I want to provide a self discoverable API that adheres to HATEOAS principles.
The below directive will be able to catch a rejected request, check if it is a option request, and return:
The CORS headers, to support CORS (this directive removes ALL cors protection, beware!!!!!)
The Allow headers, to give the peer a list of available methods
Try to understand the below snippet and adjust it where necessary. You should prefer to deliver as much information as possible, but if you only want to return the Allowed methods I suggest you cut out the rest :).
import spray.http.{AllOrigins, HttpMethods, HttpMethod, HttpResponse}
import spray.http.HttpHeaders._
import spray.http.HttpMethods._
import spray.routing._
/**
* A mixin to provide support for providing CORS headers as appropriate
*/
trait CorsSupport {
this: HttpService =>
private val allowOriginHeader = `Access-Control-Allow-Origin`(AllOrigins)
private val optionsCorsHeaders = List(
`Access-Control-Allow-Headers`(
"Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding, Accept-Language, Host, " +
"Referer, User-Agent"
),
`Access-Control-Max-Age`(60 * 60 * 24 * 20) // cache pre-flight response for 20 days
)
def cors[T]: Directive0 = mapRequestContext {
context => context.withRouteResponseHandling {
// If an OPTIONS request was rejected as 405, complete the request by responding with the
// defined CORS details and the allowed options grabbed from the rejection
case Rejected(reasons) if (
context.request.method == HttpMethods.OPTIONS &&
reasons.exists(_.isInstanceOf[MethodRejection])
) => {
val allowedMethods = reasons.collect { case r: MethodRejection => r.supported }
context.complete(HttpResponse().withHeaders(
`Access-Control-Allow-Methods`(OPTIONS, allowedMethods :_*) ::
allowOriginHeader ::
optionsCorsHeaders
))
}
} withHttpResponseHeadersMapped { headers => allowOriginHeader :: headers }
}
}
Use it like this:
val routes: Route =
cors {
path("hello") {
get {
complete {
"GET"
}
} ~
put {
complete {
"PUT"
}
}
}
}
Resource: https://github.com/giftig/mediaman/blob/22b95a807f6e7bb64d695583f4b856588c223fc1/src/main/scala/com/programmingcentre/utils/utils/CorsSupport.scala
I did it like this:
private val CORSHeaders = List(
`Access-Control-Allow-Methods`(GET, POST, PUT, DELETE, OPTIONS),
`Access-Control-Allow-Headers`("Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding, Accept-Language, Host, Referer, User-Agent"),
`Access-Control-Allow-Credentials`(true)
)
def respondWithCORS(origin: String)(routes: => Route) = {
val originHeader = `Access-Control-Allow-Origin`(SomeOrigins(Seq(HttpOrigin(origin))))
respondWithHeaders(originHeader :: CORSHeaders) {
routes ~ options { complete(StatusCodes.OK) }
}
}
val routes =
respondWithCORS(config.getString("origin.domain")) {
pathPrefix("api") {
// ... your routes here
}
}
So every OPTION request to any URL with /api prefix returns 200 code.
Update: added Access* headers.
Methinks options is generic enough, you can use it as:
path("foo") {
options {
...
}
} ~
path("bar") {
options {
...
}
}
or as this:
options {
path("foo") {
...
} ~
path("bar") {
...
}
}
I have a similar problem to this person and I am unsure why.
my post action is called from a form submission and the controller code
def processFreeDoc = UserAwareAction {
implicit request => {
userEmailForm.bindFromRequest.fold(
formWithErrors => {
Logger.error("Error processing the form %s "format formWithErrors.errors)
Redirect(routes.Application.index)
},
data => {
val sessionProduct = getSessionUnProcessedProduct(data.sessionId, data.documentName)
if(sessionProduct != null){
Logger.info("Found")
sessionProduct.updateProcessing(data.emailAddress, data.sessionId)
Redirect(routes.Application.index)
}
else
Logger.info("Nothing found")
Redirect(routes.Application.checkoutFree(data.sessionId))
}
)
}
}
is skipped entirely. There are no errors in the IDE(IDEA) console and the breakpoint at the entry of the method is not reached so none of the log messages are seen.
EDIT :
The relevant route in the routes file - POST /processFreeDoc controllers.Application.processFreeDoc