Merge pull request quarkusio#36818 from melloware/patch-1

Add SPA Form Based Authentication instructions
aloubyansky · Nov 4, 2023 · fded7c0 · fded7c0
2 parents 00074a4 + 74bd6aa
commit fded7c0
Showing 1 changed file with 77 additions and 0 deletions.
diff --git a/docs/src/main/asciidoc/security-authentication-mechanisms.adoc b/docs/src/main/asciidoc/security-authentication-mechanisms.adoc
@@ -91,6 +91,83 @@ quarkus.http.auth.form.landing-page=
 # do not redirect, respond with HTTP 401 Unauthorized
 quarkus.http.auth.form.login-page=
 quarkus.http.auth.form.error-page=
+
+# HttpOnly must be false if you want to logout on the client, it can be true if logging out on from the server
+quarkus.http.auth.form.http-only-cookie=false
+----
+
+Now that you have disabled redirects for the SPA, you must login and logout programmatically from your client.
+Below are example JavaScript methods for logging into the `j_security_check` endpoint and logging out of the application by destroying the cookie.
+
+[source,javascript]
+----
+const login = () => {
+    // Create an object to represent the form data
+    const formData = new URLSearchParams();
+    formData.append("j_username", username);
+    formData.append("j_password", password);
+
+    // Make an HTTP POST request using fetch against j_security_check endpoint
+    fetch("j_security_check", {
+        method: "POST",
+        body: formData,
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded",
+        },
+    })
+    .then((response) => {
+        if (response.status === 200) {
+            // Authentication was successful
+            console.log("Authentication successful");
+        } else {
+            // Authentication failed
+            console.error("Invalid credentials");
+        }
+    })
+    .catch((error) => {
+        console.error(error);
+    });
+};
+----
+
+To logout of the SPA from the client the cookie must be set to `quarkus.http.auth.form.http-only-cookie=false` so you can destroy
+the cookie and possibly redirect back to your main page.
+
+[source,javascript]
+----
+const logout= () => {
+    // delete the credential cookie essentially killing the session
+    const removeCookie = `quarkus-credential=; Max-Age=0;path=/`;
+    document.cookie = removeCookie;
+    
+    // perform post logout actions here such as redirecting back to your login page
+};
+----
+
+To logout of the SPA from the server the cookie can be set to `quarkus.http.auth.form.http-only-cookie=true` and use this example
+code to destroy the cookie.
+
+[source,java]
+----
+@ConfigProperty(name = "quarkus.http.auth.form.cookie-name")
+String cookieName;
+
+@Inject
+CurrentIdentityAssociation identity;
+
+@POST
+public Response logout() {
+    if (identity.getIdentity().isAnonymous()) {
+        throw new UnauthorizedException("Not authenticated");
+    }
+    final NewCookie removeCookie = new NewCookie.Builder(cookieName)
+            .maxAge(0)
+            .expiry(Date.from(Instant.EPOCH))
+            .path("/")
+            .build();
+    return Response.noContent().cookie(removeCookie).build();
+}
+
 ----
 
 The following properties can be used to configure form-based authentication: