
I have Play with Silhouette authentication and authorization configured using the JWTAuthenticator. This authenticator works by reading the X-Auth-Token header, which is a JWT, to identify the user in every request. This works fine for REST endpoints.

Now I have images that only their owners should be able to access, and I would like to use those in the background-image CSS property (this is a requirement). In such a scenario I'm not able to set the request header, hence the request will be denied.

The next natural step is to embed the token in the background-image URL itself as a URL parameter. However, I don't know how to proceed on the server side. How can I tell the JWTAuthenticator to use the token in the URL if no X-Auth-Token header is present?

Batato

1 Answer


OK, I'm sharing my findings here so hopefully this can help others. While digging into the Silhouette code I found that we can easily configure from which part(s) of the request (header, query string, ...) we want to read the token. By default the JWT token is read from the X-Auth-Token header, but we can configure the JWTAuthenticator to also read the token from a query string variable:

    // Imports for Silhouette's Ficus-based settings reader and the authenticator classes
    import com.mohiva.play.silhouette.api.util.RequestPart
    import com.mohiva.play.silhouette.impl.authenticators.{ JWTAuthenticatorService, JWTAuthenticatorSettings }
    import net.ceedubs.ficus.Ficus._
    import net.ceedubs.ficus.readers.ArbitraryTypeReader._

    val config =
      configuration.underlying
        .as[JWTAuthenticatorSettings]("silhouette.authenticator")
        // this is the important line of code: look in the headers first, then in the query string
        .copy(requestParts = Some(Seq(RequestPart.Headers, RequestPart.QueryString)))

    // `None` = no authenticator repository, i.e. the stateless JWT mode
    new JWTAuthenticatorService(config, None, encoder, idGenerator, clock)

Now if you want to use a protected asset behind a controller with a silhouette.SecureAction, then you just need to add the X-Auth-Token as a query string parameter to the URL:

    .my-class {
      background-image: url("/image?X-Auth-Token=........")
    }
Batato
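An added check, not part of the answer above, that confirms where Silhouette looks for the token under the default settings versus the `requestParts` override. It assumes Silhouette 5.x's `ExtractableRequest.extractString` (the lookup the authenticator service is assumed to perform) and `JWTAuthenticatorSettings`, Play's `FakeRequest` from play-test, a placeholder `sharedSecret` and a constructed token value:

```scala
// Added check, not from the answer: shows which settings let a token in the URL be found.
// Assumes Silhouette 5.x (com.mohiva.play.silhouette) and play-test's FakeRequest.
import com.mohiva.play.silhouette.api.util.{ ExtractableRequest, RequestPart }
import com.mohiva.play.silhouette.impl.authenticators.JWTAuthenticatorSettings
import play.api.test.FakeRequest

object TokenLookupCheck extends App {
  // Placeholder secret; in a real app it comes from silhouette.authenticator.sharedSecret.
  val defaults = JWTAuthenticatorSettings(sharedSecret = "placeholder-secret")

  // Silhouette's default requestParts is Some(Seq(RequestPart.Headers)): header only.
  val headerOnly = defaults
  // The answer's override: headers first, then the query string.
  val headerOrQuery =
    defaults.copy(requestParts = Some(Seq(RequestPart.Headers, RequestPart.QueryString)))

  // Constructed request carrying the token only in the URL, as a CSS background-image would.
  val token = "constructed.jwt.token"
  val cssRequest = new ExtractableRequest(FakeRequest("GET", s"/image?${defaults.fieldName}=$token"))

  // Look the token up by the configured field name in the configured request parts.
  def lookup(settings: JWTAuthenticatorSettings): Option[String] =
    cssRequest.extractString(settings.fieldName, settings.requestParts)

  assert(lookup(headerOnly).isEmpty, "default settings ignore the URL token, so the request is denied")
  assert(lookup(headerOrQuery).contains(token), "with QueryString enabled the URL token is found")
  println("query-string token lookup behaves as configured")
}
```

Keep the override on a separate authenticator instance used only by the image controller if the rest of the API should keep accepting header tokens alone.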