Vert.x REST API Authentication and Authorization in Kotlin

Mei Rizal F
3 min read · Oct 17, 2022


It is time to secure our REST API endpoints. We are going to restrict some endpoints so that only authorized users can access them. Before we start, I recommend checking my previous article, Build Simple REST API Using Vert.x in Kotlin, if you haven't read it yet, since this article builds directly on it.

Before you start, I suggest copying the code into your favorite code editor and reading it side by side with the explanation below. Hopefully that helps you digest the code.

Add JWT auth provider dependency

First things first, we must add the JWT auth dependency to our build.gradle in order to use the auth provider in our code. You can see it on line 45 in the code below.

Add AuthProvider class to implement the Authorization and Authentication

We add a new package that we call authorization, and then create a new class, AuthProvider.kt, inside it.

As you can see on line 13, we initialize the authorization provider for JWT tokens using JWTAuthorization.create(). On line 14, we create the hash map that we will later use to store the task permissions, for example: save, delete, update, etc.

Defining private and public key

We then jump to lines 34 and 45, which define our private key and public key. I will show you how to generate them. First things first, open up your terminal and execute this command:

$ openssl genrsa -out private.pem 2048

This generates a file called private.pem containing the private key. Open that file and you will see something like this:

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDeqPAg5ZgHzc/u
h26aBhVOh2i5Shi1c8wScSTokFF4S6KRbL47Dopq6XYirH1zI+Q8ufiurAmT9Ep/
FkiQzHhU21JfWxL3hWDgKYiNb0JEyxmsk+QfoiAAcIcmlQ49FgehpCFe+yzaGA8u
……
……
……
cPVQys3Htwm2tsbQtArcDFoA3f7+iUxN99s8BJxFMRhsy0V4shxFYfxrDLLG5bMQ
MDW/TbZj7+0pFaUAGSWzSQ==
-----END PRIVATE KEY-----

Copy it and paste it into your code, assigning it to the privateKey variable.

Then, to generate the public key, execute this command:

$ openssl rsa -in private.pem -outform PEM -pubout -out public.pem

Open that file and you will see something like this:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMII123KCAQEA3qjwIOWYB83P7njTOP5/
……
s4OB7h0Bq7uDMc8oveIb+oQ123LwRqF4CB+rImoEnigXSgk123lZd7a4JtxwIiWj
RwIDAQAB
-----END PUBLIC KEY-----

Copy it and paste it into your code, assigning it to the publicKey variable, which we will later use to issue and validate tokens.

Credentials and task permission validation

Then we move back to line 16. From this line until 13, we implement how to validate the credentials. If the user id and password match our user data, we return the success value. Besides that, we also store the task permissions if the current user meets the requirements; you can see this on lines 23 to 26.

Moving forward to lines 75 to 90, this implements the validation for task permissions. If the current user has the task, then the task is enabled for use.

Applying AuthProvider class to HttpServerVerticle.kt

Now we will apply what we created previously. First we must update our HttpServerVerticle to something like this.

Generate auth token

Add the lines of code on lines 33 to 45. We create an instance of the JWT auth provider and add the public and private keys that we created previously.

On line 46, we define our new endpoint that generates the token, which can later be used as the auth token. Then from lines 49 to 52, we update the other endpoints and add a JWTAuthHandler to restrict those endpoints from unrecognized users.

Let's dig into the token method on lines 64 to 92. First we get the credentials from the header and use them to authenticate against the authenticationProvider (lines 69 and 70). If the credentials are authorized, then on lines 73 to 82 the JWT auth provider generates the auth token and returns it as the response.

Apply the task permission authorization

We can apply it by simply calling:

authProvider.verifyPermissionAuthorization(context.user(), "delete")

As you can see on line 155 in the deleteUser() method, we pass context.user() and the delete task to the verifyPermissionAuthorization() method that we previously created in the AuthProvider class. It checks whether the particular user has permission to execute the task or not.
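As an added example that is not the article's gist code, here is how the AuthProvider and HttpServerVerticle pieces described above (RS256 key setup, the token endpoint, the JWTAuthHandler guard, and the verifyPermissionAuthorization() check) fit together on Vert.x 4. The demo user table, the X-User-Id / X-Password header names, the PEM placeholders and the Future<Boolean> return type are my assumptions, not the article's.

```kotlin
// Added example, not the article's code. Assumes Vert.x 4.x with vertx-web and vertx-auth-jwt on the classpath.
import io.vertx.core.Future
import io.vertx.core.Vertx
import io.vertx.core.json.JsonArray
import io.vertx.core.json.JsonObject
import io.vertx.ext.auth.JWTOptions
import io.vertx.ext.auth.PubSecKeyOptions
import io.vertx.ext.auth.User
import io.vertx.ext.auth.authorization.PermissionBasedAuthorization
import io.vertx.ext.auth.jwt.JWTAuth
import io.vertx.ext.auth.jwt.JWTAuthOptions
import io.vertx.ext.auth.jwt.authorization.JWTAuthorization
import io.vertx.ext.web.Router
import io.vertx.ext.web.handler.JWTAuthHandler
// Placeholders: paste the contents of private.pem / public.pem generated with openssl above.
const val PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\n<paste private.pem body>\n-----END PRIVATE KEY-----"
const val PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----\n<paste public.pem body>\n-----END PUBLIC KEY-----"

class AuthProvider(vertx: Vertx) {
    // Constructed demo users: id -> (password, permitted tasks); real code stores password hashes, not plaintext.
    private val users = mapOf("admin" to Pair("admin-pass", listOf("save", "update", "delete")),
                              "viewer" to Pair("viewer-pass", listOf<String>()))
    // RS256: the private key signs tokens, the public key verifies them.
    val jwtAuth: JWTAuth = JWTAuth.create(vertx, JWTAuthOptions()
        .addPubSecKey(PubSecKeyOptions().setAlgorithm("RS256").setBuffer(PUBLIC_KEY))
        .addPubSecKey(PubSecKeyOptions().setAlgorithm("RS256").setBuffer(PRIVATE_KEY)))
    // Turns the "permissions" claim of a verified token into Vert.x authorizations.
    private val authorization = JWTAuthorization.create("permissions")
    // Validates the credentials; on success issues a token carrying the user's tasks, valid for 60 minutes.
    fun issueToken(userId: String, password: String): String? {
        val (storedPassword, tasks) = users[userId] ?: return null
        if (storedPassword != password) return null
        val claims = JsonObject().put("sub", userId).put("permissions", JsonArray(tasks))
        return jwtAuth.generateToken(claims, JWTOptions().setAlgorithm("RS256").setExpiresInMinutes(60))
    }
    // Resolves to true only when the token behind context.user() lists the requested task (e.g. "delete").
    fun verifyPermissionAuthorization(user: User, task: String): Future<Boolean> =
        authorization.getAuthorizations(user).map { PermissionBasedAuthorization.create(task).match(user) }
}

fun buildRouter(vertx: Vertx, auth: AuthProvider): Router = Router.router(vertx).apply {
    post("/token").handler { ctx ->   // credentials arrive in request headers, as in the article
        val token = auth.issueToken(ctx.request().getHeader("X-User-Id") ?: "", ctx.request().getHeader("X-Password") ?: "")
        if (token == null) ctx.response().setStatusCode(401).end() else ctx.response().end(token)
    }
    route("/users/*").handler(JWTAuthHandler.create(auth.jwtAuth))   // 401 for missing, expired or badly signed tokens
    delete("/users/:id").handler { ctx ->
        auth.verifyPermissionAuthorization(ctx.user(), "delete").onFailure { ctx.fail(it) }.onSuccess { allowed ->
            if (allowed) ctx.response().end("deleted ${ctx.pathParam("id")}") else ctx.response().setStatusCode(403).end()
        }
    }
}
```

A token issued to "viewer" passes the JWTAuthHandler (it is validly signed) but gets 403 on DELETE, which is the authentication versus authorization split the article sets up.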
