Broken Authorization in Scala
Vulnerable Example
There are several forms of broken authentication/authorization, the most common of which is surely having no mechanism at all. In Scala (Play Framework), endpoints are secured by means of action composition. Consider the following example of a controller exposing a single, publicly accessible endpoint:
import javax.inject.Inject
import play.api.mvc._
import scala.concurrent.ExecutionContext

class MyController @Inject() (
    cc: ControllerComponents,
    AuthAction: AuthAction
)(
    implicit executionContext: ExecutionContext
) extends AbstractController(cc) {
  // AuthAction is injected but never applied: the plain Action runs for any caller.
  def myEndpoint =
    Action { implicit request =>
      Ok(views.html.myView(request))
    }
}
Prevention
Authentication and authorization mechanisms are plugged in through action composition. Suppose, for example, that the security checks are implemented in the following class:
import javax.inject.Inject
import play.api.mvc._
import scala.concurrent.{ExecutionContext, Future}

class AuthAction @Inject() (
    parser: BodyParsers.Default
)(
    implicit executionContext: ExecutionContext
) extends ActionBuilderImpl(parser) {

  // Runs before every block wrapped in AuthAction; a failed check short-circuits
  // the request, so the controller body is never executed.
  override def invokeBlock[A](
      request: Request[A],
      block: (Request[A]) => Future[Result]
  ): Future[Result] = {
    if (!isAuthorized(request)) {
      Future.successful(Results.Redirect("/login"))
    } else {
      block(request)
    }
  }

  // TODO implement the auth mechanism here...
  private def isAuthorized[A](request: Request[A]): Boolean = ???
}
It is possible to add AuthAction to the original myEndpoint in the following way:
  def myEndpoint =
    AuthAction { implicit request =>
      Ok(views.html.myView(request))
    }
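As an added example (not code from the original page), the same composition pattern extended so that authentication and authorization are separate, reusable steps: an ActionRefiner rejects anonymous requests, an ActionFilter enforces a role, and the two are chained with andThen. The UserRequest type, the session keys "userId" and "roles", and the RoleFilters object are assumptions made for this example.

```scala
import javax.inject.Inject
import play.api.mvc._
import scala.concurrent.{ExecutionContext, Future}

// Request type carrying the authenticated principal (constructed for this example).
class UserRequest[A](val userId: String, val roles: Set[String], request: Request[A])
    extends WrappedRequest[A](request)

// Authentication step: refuses anonymous requests. User id and roles are read from the
// signed Play session here (assumed keys); a real deployment would load roles from a store.
class AuthenticatedAction @Inject() (val parser: BodyParsers.Default)(
    implicit val executionContext: ExecutionContext
) extends ActionBuilder[UserRequest, AnyContent]
    with ActionRefiner[Request, UserRequest] {

  def refine[A](request: Request[A]): Future[Either[Result, UserRequest[A]]] =
    Future.successful {
      request.session.get("userId") match {
        case Some(id) =>
          val roles = request.session.get("roles").map(_.split(',').toSet).getOrElse(Set.empty[String])
          Right(new UserRequest(id, roles, request))
        case None =>
          Left(Results.Redirect("/login")) // denied before the controller body runs
      }
    }
}

// Authorization step: a reusable filter requiring one role. Some(result) short-circuits the
// chain, so a user who is logged in but lacks the role gets 403 and nothing else executes.
object RoleFilters {
  def requireRole(role: String)(implicit ec: ExecutionContext): ActionFilter[UserRequest] =
    new ActionFilter[UserRequest] {
      def executionContext: ExecutionContext = ec
      def filter[A](request: UserRequest[A]): Future[Option[Result]] =
        Future.successful(if (request.roles.contains(role)) None else Some(Results.Forbidden))
    }
}

class MyController @Inject() (cc: ControllerComponents, authenticated: AuthenticatedAction)(
    implicit ec: ExecutionContext
) extends AbstractController(cc) {
  // Any authenticated user.
  def profile = authenticated { request => Ok(s"Hello ${request.userId}") }

  // Authenticated users holding the "admin" role only; everyone else never reaches Ok(...).
  def adminPanel = (authenticated andThen RoleFilters.requireRole("admin")) { request =>
    Ok(s"Admin view for ${request.userId}")
  }
}
```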
References
MITRE - CWE 285 - Improper Authorization
OWASP Top 10 2021 - Broken Access Control