Questions about implementing a user login system and form CSRF in Vert.x


Hai Nguyen

Sep 10, 2015, 4:07:55 AM9/10/15
to vert.x
Hi there.
I currently have some questions (I read the docs but don't understand :D sorry)

- I read about authProvider and the examples, but where does the username and password check go? I have a MongoDB and a users collection with username and hashed password, and I want to create a user management and login system, with permissions to do different tasks.

- How can I access the currently logged-in user's data in the session?

- Is there a proper way to add a form token to protect against CSRF in Vert.x?


Sorry for the noob question :D 

Paulo Lopes

Sep 10, 2015, 5:14:15 AM9/10/15
to vert.x


On Thursday, September 10, 2015 at 10:07:55 AM UTC+2, Hai Nguyen wrote:
Hi there.
I currently have some questions (I read the docs but don't understand :D sorry)

- I read about authProvider and the examples, but where does the username and password check go? I have a MongoDB and a users collection with username and hashed password, and I want to create a user management and login system, with permissions to do different tasks.

The AuthHandler delegates to the vertx-auth project for the authentication part; all checks are done there.


- How can I access the currently logged-in user's data in the session?

routingContext.user() returns a vertx-auth User object, see: http://vertx.io/docs/apidocs/io/vertx/ext/auth/User.html


- Is there a proper way to add a form token to protect against CSRF in Vert.x?

CSRF (right?) "See-Surf" is implemented in 3.1.0-SNAPSHOT and uses the Angular approach, a cookie and a header, no form field. In order to protect your forms, just add the handler to your route.

https://github.com/vert-x3/vertx-web/blob/master/src/main/java/io/vertx/ext/web/handler/CSRFHandler.java

If you use Angular, most likely it will handle all the work for you; if not, then on your client side you need to copy the cookie to a special request header before posting data.

The initial documentation is here:

https://github.com/vert-x3/vertx-web/blob/master/src/main/java/io/vertx/ext/web/package-info.java#L1523


This is how you would enable it:

router.route().handler(CookieHandler.create());
router.route().handler(CSRFHandler.create("abracadabra"));


Hai Nguyen

Sep 10, 2015, 5:47:38 AM9/10/15
to vert.x
Thanks,

I came up with this block of code when I tried to create a new authProvider:

AuthProvider authProvider = (jsonObject, handler) -> {

// does this mean i have to custom my own authProvider ?

};

router.route().handler(CookieHandler.create());
router.route()
.handler(BodyHandler.create()
.setUploadsDirectory(config.getString("upload.path")));
router.route().handler(SessionHandler.create(LocalSessionStore.create(vertx)));
router.route().handler(UserSessionHandler.create(authProvider));

AuthHandler redirectAuthHandler = RedirectAuthHandler.create(authProvider);

// All requests to paths starting with '/admin/' will be protected
router.route(ADMIN_PATH + "/*").handler(redirectAuthHandler);
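
An added example (not Hai's code and not part of vertx-auth) of what the empty authProvider lambda above could become: an AuthProvider that looks the user up in a MongoDB users collection, verifies the stored password hash, and exposes the document's permissions so the AuthHandler can check authorities. It assumes Vert.x 3.x APIs (AuthProvider, AbstractUser, vertx-mongo MongoClient); the collection name, the field names and the salted SHA-256 storage format are assumptions, and the hash check must match however the passwords were actually stored.

```java
import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.AbstractUser;
import io.vertx.ext.auth.AuthProvider;
import io.vertx.ext.auth.User;
import io.vertx.ext.mongo.MongoClient;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Assumed document shape in the "users" collection: {username, salt, hash, permissions: [...]}
public class MongoUsersAuthProvider implements AuthProvider {
  private final MongoClient mongo;
  public MongoUsersAuthProvider(MongoClient mongo) { this.mongo = mongo; }

  @Override
  public void authenticate(JsonObject authInfo, Handler<AsyncResult<User>> handler) {
    String username = authInfo.getString("username");
    String password = authInfo.getString("password");
    if (username == null || password == null) {
      handler.handle(Future.failedFuture("missing credentials")); return;
    }
    mongo.findOne("users", new JsonObject().put("username", username), null, res -> {
      if (res.failed()) { handler.handle(Future.failedFuture(res.cause())); return; }
      JsonObject doc = res.result();
      // One generic failure for unknown user and wrong password, so the reply reveals neither
      if (doc == null || !matches(password, doc.getString("salt"), doc.getString("hash"))) {
        handler.handle(Future.failedFuture("invalid username or password")); return;
      }
      doc.remove("hash"); doc.remove("salt"); // the principal ends up in the session: keep secrets out
      handler.handle(Future.succeededFuture(new MongoUser(doc)));
    });
  }

  // Assumed storage format: hash = base64(SHA-256(salt + password)); adapt to what your store uses
  static boolean matches(String password, String salt, String storedHash) {
    try {
      byte[] computed = MessageDigest.getInstance("SHA-256").digest((salt + password).getBytes(StandardCharsets.UTF_8));
      return MessageDigest.isEqual(computed, Base64.getDecoder().decode(storedHash)); // constant-time compare
    } catch (Exception e) { return false; } // null or malformed stored values count as no match
  }

  static class MongoUser extends AbstractUser {
    private final JsonObject principal;
    MongoUser(JsonObject principal) { this.principal = principal; }
    @Override protected void doIsPermitted(String perm, Handler<AsyncResult<Boolean>> h) {
      h.handle(Future.succeededFuture(principal.getJsonArray("permissions", new JsonArray()).contains(perm)));
    }
    @Override public JsonObject principal() { return principal; }
    @Override public void setAuthProvider(AuthProvider provider) { } // stateless: nothing to retain
  }
}
```

Pass an instance of this class as the authProvider in the handler chain above; the authorities the AuthHandler requires for a route are then answered from the "permissions" array of the stored user document.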

Hai Nguyen

Sep 13, 2015, 1:40:18 PM9/13/15
to vert.x
How do I redirect the user back to the login page after a failed login? Currently it only shows Forbidden.

What is the use of "returnURLParam"?
:D thanks

Hai Nguyen

Sep 13, 2015, 2:06:45 PM9/13/15
to vert.x
I solved this myself by creating a custom FormLoginHandler :D