Search code examples
scalaplayframeworkplayframework-2.1securesocial

On Play2 SecureSocial, POST is executed as GET after SecureadAction

I'm using PlayFramework 2.1.4 and SecureSocial 2.1.1.

I defined routes like below, set the request as POST.

POST    /postComment                                  controllers.Application.postComment

It goes well at first, but after SecuredAction, the request changed to GET. Logs:

[info] application - onRouteRequest() requestHander = POST /postComment
[debug] application - [securesocial] anonymous user trying to access : '/postComment'
[debug] application - [securesocial] assets controller = controllers.ReverseAssets
[info] application - onRouteRequest() requestHander = GET /login
[error] application - [securesocial] can't find provider for id userpass
[info] application - onRouteRequest() requestHander = GET /authenticate/facebook
[debug] application - [securesocial] user logged in : [SocialUser(IdentityId( ...)]
[info] application - onRouteRequest() requestHander = GET /postComment
[warn] application - onHandlerNotFound() requestHander = GET /postComment

What shall I do? Please give me your advice.

The form is like this (createComment.scala.html).

@helper.form(action=routes.Application.postComment){
@helper.textarea(commentForm("body"))
<div class="actions">
        <input type="submit" class="btn primary" value="submit">
</div>
}

and this is the Application.scala

case class CommentData(body: String, vote: String)

object Application extends Controller with SecureSocial {
val commentForm = Form(mapping("body" -> nonEmptyText)(CommentData.apply)(CommentData.unapply))
def postComment = SecuredAction { implicit request =>
val id=session.get("targetCommentId");
commentForm.bindFromRequest.fold(
formWithErrors => {
BadRequest(views.html.createComment(commentForm)).withSession(session+"targetCommentId"->id.toString)
},
commentData => {
val id = request.user.identityId.userId
val body = commentData.body
application.Application.createComment(id, body)
Ok(views.html.topiclist())
})
}
}
Solution

  • SecureSocial redirects to the original page after authentication, but will do so with an 303 See Other response that'll result in a GET request on the target resource. Whilst it's a simplification to say you can't redirect to a POST request, it won't work with SecureSocial AFAIK.

    A better way to handle this would be to prompt for authentication before the user submits the comment form, i.e:

    • anon user wants to create a comment and clicks "add comment" (or whatever)
    • do authentication via FB
    • redirect back to comment form (GET), now with authenticated user
    • proceed to process form submission (POST)

    You can read about some issues with POST redirects here.