How to extract access rights validation in Kotlin's Ktor

1
votes

I have Ktor based REST API application which uses the jwt token's as authentication. Then I have to restrict certain routes for the specific role. In order to do it I am creating principal, containing the relevant info:

data class UserPrincipal (
  val id: Long,
  val username: String,
  val roleId: Long,
): Princpal {
  override fun getName() = username
}

object AuthLogin {
  fun Application.auth(jwt: JwtProvider) {
    install(Authentication) {
      jwt("jwt") {
        realm = jwt.realm()
        verifier(jwt.verifier())
        validate {
          val userId = it.payload.getClaim("id").asLong()
          val username = it.payload.getClain("name")
          val roleId = it.payload.getClaim("roleId").asLong()
          UserPrincipal(userId, username, roleId)
        }
      }
    }
  }
}

The claims with userId and roleId are being provided when signing the correctly logged in user. Now I can restrict REST endpoints like that:

object RestModule {
  fun Application.enititiesOne(userRepo: UserRepo) {
    routing {
      authenticate("jwt") {
        route("/entities1") {
          get {
            val principal = call.principal<UserPrincipal>()
            when(userRepo.hasAccessByRole(principal!!.roleId, "CAN_R_E1") {
              false -> call.respond(HttpStatusCode.Forbidden)
              true -> // some retrieval logic
          }
          post {
            val principal = call.principal<UserPrincipal>()
            when(userRepo.hasAccessByRole(principal!!.roleId, "CAN_W_E1") {
              false -> call.respond(HttpStatusCode.Forbidden)
              true -> // some update logic
          }
        }
      }
    }
  }
}

As you can see even inside one routing function I have to duplicate code that checks the principal's role twice. I can move it out to function but what I want is a single place to define my security roles. Something like that:

authenticate {
  val principal = call.principal<UserPrincipal()
  val rights = userRepo.rightsByRole(principal.roleId)
  when(routes) {
    get("/entities1/**") -> 
      if(rights.contain("CAN_R_E1")) call.proceed
      else call.respond(HttpStatusCode.Forbidden)
    post("/entites1) -> rights.contain("CAN_W_E1") // similar 
    get("/entities2/**") -> rights.contain("CAN_R_E2") // similar
    else -> call.respond(401)
  }
}

And then plug it into the rest endpoints. Or is there some similar approach that I can use in Kotlin's Ktor? Seems like interceptors is what I need but I'm not sure how to use them in an intended way.

1
kotlinktor
You could create separate auth configs in the installation block. Then wrap the routes accordingly. Also, you can probably check the route url / verb in the validation block, to automate this.avolkmann

1 Answers

4
votes

You can check the method and uri in the validate block.

install(Authentication) {
    jwt {
        validate {
            val userId = it.payload.getClaim("id").asLong()
            val username = it.payload.getClaim("name").asString()
            val roleId = it.payload.getClaim("roleId").asLong()
            UserPrincipal(userId, username, roleId)
            val requiredRole = when (request.httpMethod) {
                HttpMethod.Get -> // get role
                HttpMethod.Post -> // get other role
            }
            // check if role exists in repo
        }
    }
}
install(Routing) {
    get {
        val principal = call.principal<UserPrincipal>()!!
        call.respond(principal)
    }

    post {
        val principal = call.principal<UserPrincipal>()!!
        call.respond(principal)
    }
}

By the way, there were several issues with the code you posted, so it wouldn't compile.