Ktor Session Cookie Authentication

Tags:

kotlin

ktor

I'd like to use a session cookie for authentication with Ktor and what I have so far is:

import io.ktor.application.*
import io.ktor.auth.*
import io.ktor.features.*
import io.ktor.response.*
import io.ktor.routing.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.sessions.*

private const val SERVER_PORT = 8082
private const val SESSION_COOKIE_NAME = "some-cookie-name"

// Payload stored server-side; the cookie only carries the session id.
data class AuthSession(
    val authToken: String
)

fun main() {
    embeddedServer(Netty, port = SERVER_PORT, module = Application::basicAuthApplication).start(wait = true)
}

fun Application.basicAuthApplication() {
    install(Sessions) {
        cookie<AuthSession>(SESSION_COOKIE_NAME, SessionStorageMemory()) {
            cookie.path = "/"
        }
    }
    install(DefaultHeaders)
    install(CallLogging)
    install(Authentication) {
        // No challenge is configured here, so a failed validation is ignored.
        session<AuthSession> {
            validate { session ->
                // TODO: do the actual validation
                null
            }
        }
    }

    routing {
        authenticate {
            get("/") {
                call.respondText("Success")
            }
        }
    }
}

But every time I do:

curl -v localhost:8082

I get an HTTP 200 and the response "Success".

I expected to get an HTTP 401 Not authorized or something similar.

Can somebody give me insights here on how to do proper session cookie authentication with Ktor?

thanks

guenhter Avatar asked Jun 14 '19 06:06


1 Answer

UPDATE:

Okay, I realized there is a session auth type which is not documented in the authentication feature docs.

The issue with your current code is that you are not specifying the challenge explicitly; the default challenge specified inside is SessionAuthChallenge.Ignore, so you have to change it to SessionAuthChallenge.Unauthorized or SessionAuthChallenge.Redirect.

So your code should look like:

install(Authentication) {
    session<AuthSession> {
        // Respond with 401 when validate() returns null (default is Ignore).
        challenge = SessionAuthChallenge.Unauthorized
        validate { session ->
            // TODO: do the actual validation; return a Principal on success
            null
        }
    }
}

OLD:

You are not specifying the type of authentication you want to use, probably basic, form or jwt. You may want to try something like this for form authentication, for example:

install(Authentication) {
    form("login") {
        // Skip the form check when a session cookie is already present
        skipWhen { call -> call.sessions.get<AuthSession>() != null }

        userParamName = "username"
        passwordParamName = "password"
        challenge = FormAuthChallenge.Unauthorized
        validate { credentials ->
            // Handle credentials validation: return a Principal on success, null otherwise
            null
        }
    }
}

Check the official documentation for more info.

Tosin John Avatar answered Oct 04 '22 03:10

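The pieces the answer describes, put together as an added example that is not the asker's or the answerer's code: a Ktor 1.x module where a login form sets the session cookie, the session provider is given an explicit Unauthorized challenge, and validate() returns the session as the Principal. The cookie name, the "session-auth" provider name and the alice/secret credentials are constructed for this example; start it with embeddedServer(Netty, port = 8082, module = Application::sessionAuthDemo) as in the question's main().

```kotlin
import io.ktor.application.*
import io.ktor.auth.*
import io.ktor.http.*
import io.ktor.request.*
import io.ktor.response.*
import io.ktor.routing.*
import io.ktor.sessions.*

private const val SESSION_COOKIE_NAME = "demo-session"  // constructed name

// The session payload doubles as the Principal that validate() returns.
data class UserSession(val userId: String) : Principal

fun Application.sessionAuthDemo() {
    install(Sessions) {
        // Server-side storage: the cookie carries only an opaque session id.
        cookie<UserSession>(SESSION_COOKIE_NAME, SessionStorageMemory()) {
            cookie.path = "/"
            cookie.httpOnly = true  // keep the cookie away from browser scripts
        }
    }
    install(Authentication) {
        session<UserSession>("session-auth") {
            // The default challenge is Ignore, which is why the question's code
            // answered 200 to anonymous requests; Unauthorized yields a 401.
            challenge = SessionAuthChallenge.Unauthorized
            // Non-null result = authenticated; null triggers the challenge.
            validate { session -> if (session.userId.isNotBlank()) session else null }
        }
    }
    routing {
        post("/login") {
            val params = call.receiveParameters()
            // Constructed demo check standing in for a real credential store.
            if (params["username"] == "alice" && params["password"] == "secret") {
                call.sessions.set(UserSession(userId = "alice"))
                call.respondText("Logged in")
            } else {
                call.respond(HttpStatusCode.Unauthorized, "Bad credentials")
            }
        }
        authenticate("session-auth") {
            get("/") {
                val user = call.principal<UserSession>()!!
                call.respondText("Success, ${user.userId}")
            }
        }
    }
}
```

With this module, `curl -v localhost:8082/` without a cookie returns 401, while `curl -c jar -d 'username=alice&password=secret' localhost:8082/login` followed by `curl -b jar localhost:8082/` returns 200 "Success, alice".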