CookieAuthenticatorService does not receive a proper value


Michael Slinn

Aug 27, 2016, 8:47:35 PM
to Silhouette

The second parameter to the CookieAuthenticatorService constructor has type Option[AuthenticatorRepository[CookieAuthenticator]], yet the Provider (provideAuthenticatorService) for SilhouetteModule in play-silhouette-seed always passes the value None to that parameter:
new CookieAuthenticatorService(config, None, cookieSigner, encoder, fingerprintGenerator, idGenerator, clock)

This means that the authenticator cookie cannot be invalidated by CookieAuthenticatorService.discard when the user tries to log out.

Should the CookieAuthenticatorService class constructor receive an instance of  extra parameter, of type Option[AuthenticatorRepository[CookieAuthenticator]]? If not, where should the value come from?

Thanks,

Mike

Christian Kaps

Aug 28, 2016, 6:16:21 AM
to Silhouette
Hi,

The seed template uses the stateless approach the cookie authenticator provides. I think the documentation about the cookie authenticator describes both approaches well. If not, let me know. I also think the doc comment of the CookieAuthenticatorService describes the parameter well. So the question is, what type of scenario would you use for your implementation?

Best regards,
Christian

Michael Slinn

Aug 28, 2016, 6:47:37 AM
to Silhouette
I do not understand what scenario might apply to log out. I understand log out to mean terminating the session, thereby preventing access to protected content.

Please correct me if I am wrong, but I believe that to log out all that needs to happen is that the cookie must be deleted and the LogoutEvent published. Here is a simple way:

val result = Redirect("/")
  .discardingCookies(DiscardingCookie(cookieName, domain=domain, secure=request.secure))
silhouette.env.eventBus.publish(LogoutEvent(request.identity, request))
silhouette.env.authenticatorService.discard(request.authenticator, result) // does nothing

Mike

Christian Kaps

Aug 28, 2016, 6:57:35 AM
to Silhouette
The CookieAuthenticatorService.discard method discards the cookie in both cases. If you use the stateful approach, it also deletes the authenticator from the backing store.

Best regards,
Christian
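
A simplified model of the stateless and stateful modes discussed in this thread, added here as an example; it is not Silhouette code and not code from either poster. The cookie format, the key, the in-memory store and all names (`LogoutModel`, `issue`, `validate`, `discard`) are assumptions for illustration. It shows what the server can still accept after logout in each mode when a copy of the cookie value exists outside the browser.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import scala.collection.mutable
import scala.util.Try

// Simplified model, not Silhouette code: every name below is hypothetical.
object LogoutModel extends App {
  private val key = new SecretKeySpec("constructed-demo-key".getBytes(UTF_8), "HmacSHA256")

  private def hmac(data: String): String = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(key)
    mac.doFinal(data.getBytes(UTF_8)).map("%02x".format(_)).mkString
  }

  // Cookie value = "<id>|<expiryEpochSeconds>|<hex hmac of the first two fields>".
  def issue(id: String, expires: Long): String = {
    val body = s"$id|$expires"
    s"$body|${hmac(body)}"
  }

  // repo = None models the stateless setup, Some(store) the stateful one.
  def validate(cookie: String, now: Long, repo: Option[mutable.Set[String]]): Boolean =
    cookie.split('|') match {
      case Array(id, exp, sig) =>
        val expected = hmac(s"$id|$exp")
        val sigOk = MessageDigest.isEqual(sig.getBytes(UTF_8), expected.getBytes(UTF_8))
        sigOk && Try(exp.toLong).toOption.exists(_ > now) && repo.forall(_.contains(id))
      case _ => false
    }

  // Server-side half of logout. The response header that clears the browser's
  // cookie is the same in both modes and is not modelled here.
  def discard(id: String, repo: Option[mutable.Set[String]]): Unit =
    repo.foreach(_.remove(id))

  val now = 1472380000L                     // constructed timestamp
  val store = mutable.Set("auth-1")         // constructed backing store
  val copied = issue("auth-1", now + 3600)  // cookie value copied before logout

  discard("auth-1", None)
  assert(validate(copied, now, None))         // stateless: valid until expiry
  discard("auth-1", Some(store))
  assert(!validate(copied, now, Some(store))) // stateful: rejected after logout
  println("stateless copy still validates; stateful copy is rejected")
}
```

In the stateless case the only bound on a copied cookie in this model is its expiry field, so short lifetimes are the main control there.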