Example using headers please
ajazam opened this issue · 6 comments
Is there an example using headers anywhere? I want to interface an android app to akka-http and headers would be the logical choice.
It should be a matter of using usingHeaders instead of usingCookies in e.g. setSession. Does that work for you?
I've done that and now the POST method returns a Set-Refresh-Token header. What I don't understand is why I'm still getting cookies when I've made the following change
def mySetSession(v: ExampleSession) = setSession(refreshable, usingHeaders, v)
val myRequiredSession = requiredSession(refreshable, usingHeaders)
val myInvalidateSession = invalidateSession(refreshable, usingHeaders)
When I access localhost:8080/ I get redirected to localhost:8080/site/index.html and also get the following cookie
Set-Cookie: "XSRF-TOKEN=8msbjnftu71rl48i0g7f9uis66hhue5ik91dtogap08r07us7qo0lj1fubjh7drs; Path=/"
Should I be getting cookies even though I've specified I'm using headers?
Are you using the randomTokenCsrfProtection directive? If you are authenticating using headers, you are not vulnerable to CSRF attacks, so you don't need it
I was using the randomTokenCsrfProtection directive. I also had to make the following change
mySetSession(ExampleSession(body)) {
//setNewCsrfToken(checkHeader) { ctx => ctx.complete("ok") }
ctx => ctx.complete("ok")
}
I am now receiving Set-Authorization and Set-Refresh-Token headers as a response to the POST method. Am I correct to assume the session ID is returned by Set-Authorization and the value in Set-Refresh-Token is always returned back to the website?
Yes. The Set-Refresh-Token is used to implement "remember me", as described here: https://github.com/softwaremill/akka-http-session#refresh-tokens-remember-me
Thank you
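The configuration discussed in this thread, pulled together as an added example (not code from the issue or from the akka-http-session project itself): a header-based, refreshable session with no CSRF directive. It assumes an ExampleSession that wraps a single username (the issue's ExampleSession may differ), a placeholder server secret, an in-memory refresh-token store, and akka-http 10.2 or newer for Http().newServerAt.

```scala
import scala.util.Try
import akka.actor.ActorSystem
import akka.http.scaladsl.Http
import akka.http.scaladsl.server.Directives._
import com.softwaremill.session._
import com.softwaremill.session.SessionDirectives._
import com.softwaremill.session.SessionOptions._

// Constructed session payload for this example; the issue's ExampleSession has its own fields.
case class ExampleSession(username: String)

object ExampleSession {
  // Serializer the SessionManager needs to encode the session into the Authorization header value.
  implicit def serializer: SessionSerializer[ExampleSession, String] =
    new SingleValueSessionSerializer(_.username, (un: String) => Try(ExampleSession(un)))
}

object HeaderSessionExample extends App {
  implicit val system: ActorSystem = ActorSystem("header-session-example")

  // Placeholder secret: a deployment loads a long random string from configuration, never a literal.
  val sessionConfig = SessionConfig.default("PLACEHOLDER_SERVER_SECRET_REPLACE_WITH_LONG_RANDOM_VALUE")
  implicit val sessionManager: SessionManager[ExampleSession] =
    new SessionManager[ExampleSession](sessionConfig)

  // Refreshable ("remember me") sessions need a refresh-token store; in-memory is for demonstration only.
  implicit val refreshTokenStorage: RefreshTokenStorage[ExampleSession] =
    new InMemoryRefreshTokenStorage[ExampleSession] {
      override def log(msg: String): Unit = println(msg)
    }

  // Header transport instead of cookies, exactly as in the thread: the session travels in
  // Authorization / Set-Authorization, the refresh token in Refresh-Token / Set-Refresh-Token.
  def mySetSession(v: ExampleSession) = setSession(refreshable, usingHeaders, v)
  val myRequiredSession = requiredSession(refreshable, usingHeaders)
  val myInvalidateSession = invalidateSession(refreshable, usingHeaders)

  val routes =
    path("login") {
      post {
        entity(as[String]) { body =>
          // No randomTokenCsrfProtection and no setNewCsrfToken: with the header transport the browser
          // never attaches the session automatically, so no XSRF-TOKEN cookie is set or checked.
          mySetSession(ExampleSession(body)) { ctx => ctx.complete("ok") }
        }
      }
    } ~
    path("current") {
      get {
        // The client must send back the Authorization header value it received in Set-Authorization.
        myRequiredSession { session => complete(s"logged in as ${session.username}") }
      }
    } ~
    path("logout") {
      post {
        // Invalidation also removes the stored refresh token so Refresh-Token can no longer mint a session.
        myRequiredSession { _ => myInvalidateSession { ctx => ctx.complete("ok") } }
      }
    }

  Http().newServerAt("localhost", 8080).bind(routes)
}
```

The client side of this flow is the mirror image: read Set-Authorization (and Set-Refresh-Token) from the login response, send Authorization on every later request, and send Refresh-Token only when the session has expired and a new one should be issued from the remembered token.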