Simple Authentication with Scala

One of the things that I've really enjoyed about developing on Play has been the fantastic abstractions that Play's chosen. In many frameworks/languages, it's common to install a completely separate library to handle authentication in an obfuscated manner. Play's default approach is really stunningly simple.

Simple Password Login/Sessions

Each request has a "session" object which is an encrypted piece of state exposed to the client as a cookie. To authenticate a user, you expose an endpoint that accepts credentials, you verify them (using bcrypt or something similar,), and then set a variable in the session.

  def login = Action(BodyParsers.parse.json) { request =>
    val credsBody = request.body.validate[Credentials]
    credsBody.fold(
      errors => {
        BadRequest("Womp Womp, malformed credential request")
      },
      creds => {
        UserService.verifyPassword(creds.email, creds.password) match {
          case true => Ok.withSession(
            request.session + ("username"-> creds.email)
          )
          case false => Unauthorized
        }
      }
    )
  }

The verification of the password service is a very simple method that looks like this:

  def verifyPassword(email:String, password:String):Boolean = {
    UserRepository.findByEmail(email) match {
      case Some(user) => BCrypt.checkpw(password, user.password_hash)
      case None => false
    }
  }

Then at any point later, it's trivial to add authentication to a play action. play.api.mvc.Security.Authenticated includes a simple action wrapper that wraps your request.

  def index = Authenticated { userEmail =>
    Action { request =>
      Ok(views.html.index())
    }
  }

If you're building a client side application, this is actually almost all you need to do. Every request will have a user context or will be unauthenticated, so you just need to build redirecting to a login form on the frontend if an unauthorized response is returned.