SPA authentication with Angular + Play Framework (Java)

I am not really into authentication mechanisms, so I have trouble figuring out how to design an authentication mechanism with an Angular front-end and a Play Framework (Java) back-end. The basic idea is this:

  1. Angular front-end sends REST authentication call to Play Framework authentication mechanism.
  2. Play generates some token (sends it to Angular)
  3. Angular can make other REST calls based on that token

Ideally I would like to use a CSRF token. I have found very few sources about integrating Angular and Play authentication, and none of them was complete enough to implement it in my app. Of course there are many sources about integrating JavaScript and Play authentication, but this is quite a different case.

So my question is how to design that, what frameworks / functionality to use to make it work, and how to integrate Angular and Play in that area. General steps to achieve that would be sufficient, i.e.: use that authentication framework in Play, implement that functionality in Play, use those methods in Angular, connect everything in that way, etc. Of course, more specific instructions are also welcome. Last thing: I want to store password hashes in the database, so any tips on how to hash them (any Play mechanisms or other frameworks) would also help.

You can use something like JWT to create a token and give it to your angular app. Basically the flow would be something like this:

  • User provides authentication (ex: email and password);
  • You send that info to Play so it can check the credentials and generate a token if everything is ok. That token can have a lot of information, like the permissions/roles the user has, the creation date, etc;
  • After you get your token, you can then use it in your Angular app. On the Play side, you will have to check if the token provided is valid (it was generated from your app and it has not expired)

Note that you may want to store those tokens (ex: in a database) if you want to implement something like token blacklist or auto renew of the tokens...

Other options are to generate yourself some kind of token (ex: a base64 random string) and store it in a database with the associated info you may need (expiration date, etc), or even just set a cookie in Play and let your app use it (you probably can't use directly the default Play cookie in Angular because it is HTTP only).

Regarding password hashing, you can use whatever Scala/Java library, but you should choose something secure. Usually I use BCrypt, but there are a lot of other options (scrypt, pbkdf2, etc)
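
The token flow described in the answer above (issue after the credential check, then verify origin and expiry on every request), as an added example that is not part of the original answer. It builds an HS256 JWT with JDK classes only where a Play app would normally use a JWT library; `TokenSketch`, `issue` and `verify` are hypothetical names, and the user id is assumed to be a plain identifier.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Optional;

public class TokenSketch { // hypothetical class, JDK only
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private static final String HEADER =
        ENC.encodeToString("{\"alg\":\"HS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
    private static byte[] hmac(byte[] key, String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
    }
    // Server side, called only after the e-mail/password check has succeeded.
    static String issue(byte[] key, String userId, long ttlSeconds) throws Exception {
        // Assumption: ids are plain identifiers, so nothing can break out of the JSON string.
        if (!userId.matches("[A-Za-z0-9_-]+")) throw new IllegalArgumentException("bad user id");
        long exp = Instant.now().getEpochSecond() + ttlSeconds;
        String payload = ENC.encodeToString(
            ("{\"sub\":\"" + userId + "\",\"exp\":" + exp + "}").getBytes(StandardCharsets.UTF_8));
        String signingInput = HEADER + "." + payload;
        return signingInput + "." + ENC.encodeToString(hmac(key, signingInput));
    }
    // Server side, on every request: payload JSON only if signed by us and not expired.
    static Optional<String> verify(byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.");
        // Only our fixed header is accepted, so a token cannot pick its own algorithm.
        if (parts.length != 3 || !parts[0].equals(HEADER)) return Optional.empty();
        byte[] given;
        try { given = DEC.decode(parts[2]); } catch (IllegalArgumentException e) { return Optional.empty(); }
        // Constant-time comparison of the recomputed and the presented signature.
        if (!MessageDigest.isEqual(hmac(key, parts[0] + "." + parts[1]), given)) return Optional.empty();
        String json = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
        long exp = Long.parseLong(json.replaceAll(".*\"exp\":(\\d+).*", "$1"));
        return Instant.now().getEpochSecond() < exp ? Optional.of(json) : Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key); // constructed demo key; a real key lives in server config
        String token = issue(key, "user-42", 900);
        System.out.println("valid:    " + verify(key, token).isPresent());
        System.out.println("tampered: " + verify(key, token + "x").isPresent());
        System.out.println("expired:  " + verify(key, issue(key, "user-42", -1)).isPresent());
    }
}
```

The signing key never leaves the server; the Angular app only stores the token and sends it back with each REST call.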

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.
