Checking an API key in the authorization header?


(Ali A) #1

Can the OAuth authenticator directive do the following:

  • From bearer <token>, pass the <token> portion to the authenticator

  • Have the authenticator either return the Account object (if verified), or a None

  • If verified, make the Account object available for further processing (to prevent needing to hit the db again), and if not, reject the request.

Is something like this possible via either the OAuth authenticators or any other directives, or should I write this on my own?


(Ali A) #2

authenticateOAuth2Async(realm, authenticator) worked perfectly for this. I just had the authenticator return the Account object to avoid a second db lookup. Worked like a charm.

Tests were a little hard to figure out, I had to dig around the example specs (https://github.com/akka/akka-http/blob/master/docs/src/test/scala/docs/http/scaladsl/server/directives/SecurityDirectivesExamplesSpec.scala#L42) to figure out how to add credentials to the test:

Post("/foo", SomeRequest("test")) ~> addCredentials(OAuth2BearerToken(myToken)) ~> route ~> check
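The following is an added, self-contained illustration of the approach described in the post above; it is not the poster's code and not part of akka-http itself. It assumes a hypothetical `Account` case class, a constructed in-memory map standing in for the database, and scalatest 3.1+ with `akka-http-testkit`. The authenticator receives `Credentials.Provided(token)` for a `Bearer` header, looks the account up by the SHA-256 of the presented key (so the stored table never holds usable keys), and returns `Some(account)` or `None`; `authenticateOAuth2Async` then either extracts the account for the inner route or rejects. The spec uses `Route.seal` so rejections surface as a 401 with a `WWW-Authenticate: Bearer realm="api"` challenge, and uses `Get` to avoid needing the original's JSON marshaller.

```scala
import java.security.MessageDigest
import scala.concurrent.{ExecutionContext, Future}

import akka.http.scaladsl.model.StatusCodes
import akka.http.scaladsl.model.headers._
import akka.http.scaladsl.server.Directives._
import akka.http.scaladsl.server.Route
import akka.http.scaladsl.server.directives.Credentials
import akka.http.scaladsl.testkit.ScalatestRouteTest
import org.scalatest.matchers.should.Matchers
import org.scalatest.wordspec.AnyWordSpec

// Hypothetical account type (the original post's Account is not shown).
final case class Account(id: Long, email: String)

object ApiKeyAuth {
  def sha256Hex(s: String): String =
    MessageDigest.getInstance("SHA-256")
      .digest(s.getBytes("UTF-8"))
      .map("%02x".format(_)).mkString

  // Constructed stand-in for the accounts table, keyed by key hash rather
  // than by the raw API key: a dump of this table yields nothing presentable.
  private val accountsByKeyHash: Map[String, Account] = Map(
    sha256Hex("example-key-1") -> Account(1L, "alice@example.com")
  )

  // Matches AsyncAuthenticator[Account] = Credentials => Future[Option[Account]].
  // For a Bearer header the identifier IS the token; Missing covers no header
  // or a non-Bearer scheme, and None makes the directive reject the request.
  def authenticator(implicit ec: ExecutionContext): Credentials => Future[Option[Account]] = {
    case Credentials.Provided(token) => Future(accountsByKeyHash.get(sha256Hex(token)))
    case Credentials.Missing         => Future.successful(None)
  }

  // The verified Account is handed to the inner route: one lookup per request.
  def route(implicit ec: ExecutionContext): Route =
    path("foo") {
      authenticateOAuth2Async("api", authenticator) { account =>
        complete(s"hello ${account.email} (id=${account.id})")
      }
    }
}

class ApiKeyAuthSpec extends AnyWordSpec with Matchers with ScalatestRouteTest {
  // Sealing turns AuthenticationFailedRejection into a 401 with a challenge.
  private val sealedRoute: Route = Route.seal(ApiKeyAuth.route)

  "the API-key protected route" should {
    "accept a valid bearer token and expose the account" in {
      Get("/foo") ~> addCredentials(OAuth2BearerToken("example-key-1")) ~> sealedRoute ~> check {
        status shouldBe StatusCodes.OK
        responseAs[String] should include("alice@example.com")
      }
    }

    "reject an unknown token with 401 and a Bearer challenge" in {
      Get("/foo") ~> addCredentials(OAuth2BearerToken("not-a-key")) ~> sealedRoute ~> check {
        status shouldBe StatusCodes.Unauthorized
        header[`WWW-Authenticate`].exists(_.challenges.exists(_.scheme == "Bearer")) shouldBe true
      }
    }

    "reject a request with no Authorization header" in {
      Get("/foo") ~> sealedRoute ~> check {
        status shouldBe StatusCodes.Unauthorized
      }
    }
  }
}
```

Two points worth checking in a real deployment: the map lookup above is in-memory, so a blocking JDBC call should instead run on a dedicated blocking dispatcher inside that `Future`; and because the lookup key is a hash of the secret, any timing difference in the lookup reveals information about the hash, not the key, which is what makes hash-then-lookup acceptable where a plain string compare against stored keys would not be.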