Reputation: 151
How to restrict route access in ktor framework?
How to restrict route access in ktor framework?
//only admin
post("/add") {
call.respondText { "add" }
}
post("/delete") {
call.respondText { "delete" }
}
Upvotes: 0
Views: 1602
Answers (3)
Reputation: 6999
As another, more robust solution, you can use the Authentication plugin and create a provider to check if the user is an admin. The following code works with Ktor 2.* and 3.0.0-beta:
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.server.request.*
import io.ktor.server.response.*
import io.ktor.server.routing.*
fun main() {
embeddedServer(Netty, port = 8080) {
install(Authentication) {
provider("admin") {
authenticate { context ->
if (!isAdmin(context.call.request)) {
context.challenge("MyAuth", AuthenticationFailedCause.Error("Not an admin")) { challenge, call ->
call.respond(UnauthorizedResponse())
challenge.complete()
}
}
}
}
}
routing {
authenticate("admin") {
get("/admin") {
call.respondText { "OK" }
}
}
get("/everyone") {
call.respondText { "OK" }
}
}
}.start(wait = true)
}
fun isAdmin(request: ApplicationRequest): Boolean {
return request.headers["admin"] == "1"
}
Upvotes: 1
Reputation: 71
For Ktor 2.x the solution proposed by Alexsei does not work anymore because ChallengePhase is now marked as internal as they completely restructured the plugin system.
This code snippet seems to be working for me.
fun Route.authorization(build: Route.() -> Unit): Route {
val route = createChild(CustomSelector())
val plugin = createRouteScopedPlugin("CustomAuthorization") {
on(AuthenticationChecked) { call ->
val principal = call.authentication.principal
// custom logic
}
}
route.install(plugin)
route.build()
return route
}
private class CustomSelector : RouteSelector() {
override fun evaluate(context: RoutingResolveContext, segmentIndex: Int) = RouteSelectorEvaluation.Transparent
}
Of course, you can add parameters to the function specifying the restriction like required roles.
To secure a route...
fun Route.myRoute() = route("test") {
authorization {
get { ... }
}
}
For more details: https://ktor.io/docs/custom-plugins.html
Upvotes: 4
Reputation: 6999
You can write a method that creates a route that restricts access for admins only. Inside that method, the newly created route is intercepted to inject the code for validation. In the following example, if the header admin has the value 1 then a request is made from an admin otherwise for the /add and /delete routes the response with the 401 Unauthorized status will be returned.
import io.ktor.application.*
import io.ktor.auth.*
import io.ktor.http.*
import io.ktor.request.*
import io.ktor.response.*
import io.ktor.routing.*
import io.ktor.server.engine.*
import io.ktor.server.netty.*
import io.ktor.util.pipeline.*
fun main() {
embeddedServer(Netty, port = 5555, host = "0.0.0.0") {
routing {
admin {
post("/add") {
call.respondText { "add" }
}
post("/delete") {
call.respondText { "delete" }
}
}
post("/show") {
call.respondText { "show" }
}
}
}.start(wait = false)
}
private val validationPhase = PipelinePhase("Validate")
fun Route.admin(build: Route.() -> Unit): Route {
val route = createChild(AdminSelector())
route.insertPhaseAfter(ApplicationCallPipeline.Features, Authentication.ChallengePhase)
route.insertPhaseAfter(Authentication.ChallengePhase, validationPhase)
route.intercept(validationPhase) {
if (!isAdmin(call.request)) {
call.respond(HttpStatusCode.Forbidden)
finish()
}
}
route.build()
return route
}
class AdminSelector: RouteSelector() {
override fun evaluate(context: RoutingResolveContext, segmentIndex: Int) = RouteSelectorEvaluation.Transparent
}
fun isAdmin(request: ApplicationRequest): Boolean {
return request.headers["admin"] == "1"
}
Upvotes: 3
Related Questions
- Optional route authentication in Ktor
- Intercept initial Ktor authenticate route
- How to restrict access to certain routes in Phoenix?
- Adding interceptor to routes in Ktor not working
- Set up Ktor authenticated shutdown route
- Ktor Keycloak Acess Token Route Protection
- Is there a way of specifing a wildcard route in Ktor?
- Ktor prompt for credentials from within route interceptor inside a basic authentication block
- Ktor: How to check authentication inside a route handler?
- Ktor Routing: How to factorize the routing functionality in an application/api?