Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Replace play2-auth with Silhouette #237

Closed
3 of 6 tasks
swsnr opened this issue Jul 6, 2017 · 0 comments
Closed
3 of 6 tasks

Replace play2-auth with Silhouette #237

swsnr opened this issue Jul 6, 2017 · 0 comments
Assignees
@FRosner
Milestone
0.9.0

Comments

@swsnr
Copy link
Contributor

swsnr commented Jul 6, 2017
edited by FRosner
Loading

Problem

play2-auth seems less actively maintained and doesn't support Play 2.6 yet, see t2v/play2-auth#184.

I propose to switch to Silhouette. I think it's

  • got the better API,
  • more actively maintained,
  • already has a release candidate for version 5 with play 2.6 support,
  • and appears to be the standard play authentication framework these days.

Play 2.6 support implies Scala 2.12 support; without play 2.6 we'll not be able to use Scala 2.12

Code

Breaking changes

Moved all auth configuration into a case class, affecting the following keys:

  • broccoli.auth.session.allowMultiLoginbroccoli.auth.session.allow-multi-login
  • broccoli.auth.allowedFailedLoginsbroccoli.auth.allowed-failed-logins
  • broccol.auth.conf.accounts[].instanceRegexbroccol.auth.conf.accounts[].instance-regex

Hence the conf object is almost empty now, meaning that almost all settings are now defined and documented in reference.conf, and loaded through pureconfig into the super-config-case-class.

ToDo

  • Use Silhouette's Credentials type for, well, credentials
  • Use Silhouette's IdentityService to resolve user names to accounts
  • Use Silhouette's CredentialsProvider together with AuthInfoRepository to authenticate users.
  • Check "As part of this change passwords are now hashed with bcrypt when they are added to the authentication info repo in AuthModule. Silhouette makes this trivial, and it slows down authentication, making brute-force attacks against passwords less feasible."
  • Pick authenticator to use.
  • provide a SilhouetteProvider in AuthModule, then have Silhouette injected into controllers that authenticate and use it for authentication

References

User Aware Handler

def userAwareRequestHandler = Action.async { implicit request =>
  silhouette
    .UserAwareRequestHandler { userAwareRequest =>
      Future.successful(HandlerResult(Ok, userAwareRequest.identity))
    }
    .map {
      case HandlerResult(r, Some(user)) => Ok(Json.toJson(user.loginInfo))
      case HandlerResult(r, None)       => Unauthorized
    }
}

Secure Websocket

class Application(silhouette: Silhouette[DefaultEnv]) extends Controller {

  def socket = WebSocket.tryAccept[JsValue] { request =>
    implicit val req = Request(request, AnyContentAsEmpty)
    silhouette.SecuredRequestHandler { securedRequest =>  
      Future.successful(HandlerResult(Ok, Some(securedRequest.identity)))
    }.map {
      case HandlerResult(_, Some(_)) => Right((ws.in, ws.out))
      case HandlerResult(r, None)    => Left(r)
    }
  }
}
@FRosner FRosner added this to the 0.8.0 milestone Jul 6, 2017
@swsnr swsnr mentioned this issue Jul 12, 2017
Merged
@FRosner FRosner self-assigned this Oct 16, 2017
@FRosner FRosner modified the milestones: 0.8.0, 0.9.0 Mar 15, 2018
@swsnr swsnr closed this as completed May 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@FRosner FRosner

Labels
None yet
Projects
None yet
Milestone
0.9.0
Development

No branches or pull requests
2 participants
@swsnr @FRosner