ochrons / scalajs-spa-tutorial

Tutorial for creating a simple Single Page Application in ScalaJS
Apache License 2.0

server authentication/authorization support #31

Closed Enalmada closed 8 years ago

Enalmada commented 8 years ago

I feel like most people would really benefit from an example of how to work proper client authentication/authorization into this SPA tutorial. This pull request is an attempt to add the prerequisite server-side support to get that party started and help people that need client/server auth hit the ground running. controllers.auth.BasicAuth provides an auth function that takes email/password and returns a token that can be used for future requests. I assume basic auth and tokens are what the SPA client would want.

aparo commented 8 years ago

@Enalmada if you want to manage a better level of security, imho it's better to serve the SPA after a Play login page with optional two-step auth (with Google Authenticator or similar). You can reuse play-silhouette for managing auth. This approach is better because you also reduce the bandwidth by not serving the js-spa to non-logged-in users.

ochrons commented 8 years ago

From a SPA point of view, a relevant case is providing both anonymous and authenticated access (like, for example, GitHub does). This would demonstrate how to include authentication and authorization within the SPA itself and not just an external "can you access this site" check.

Also, this tutorial tries to be quite server-side-tech agnostic, so I wouldn't want to introduce heavy dependencies on Play-specific libs and database integrations. There are plenty of examples out there of how to do auth in Play (or any other Scala web framework), but the important piece is how to integrate it within the SPA client itself.

For example, adding a feature where the user needs to log in to access the Todo list would be a good example of this, including how to handle Unauthorized responses from the server to autowire calls.
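One way the client side of this could look, as an added example that is not part of the tutorial or this pull request: an Autowire client that attaches the login token to every call and turns a server 401 into a typed failure the UI can react to. It assumes the tutorial's boopickle-based transport and an `Api` trait with `getAllTodos`; `Session`, `Unauthorized` and `AuthAjaxClient` are names made up here.

```scala
import java.nio.ByteBuffer
import scala.concurrent.Future
import scala.scalajs.concurrent.JSExecutionContext.Implicits.queue
import scala.scalajs.js.typedarray.{ArrayBuffer, TypedArrayBuffer}
import org.scalajs.dom.ext.{Ajax, AjaxException}
import boopickle.Default._

/** Token returned by the server's login call, kept in memory only (assumed design). */
object Session {
  private var token: Option[String] = None
  def set(t: String): Unit = token = Some(t)
  def clear(): Unit = token = None
  def current: Option[String] = token
}

/** Surfaced to callers when the server answers 401, so views can switch to the login screen. */
case object Unauthorized extends Exception("server rejected the request: not logged in")

/** Autowire client that sends the token as a bearer header and maps 401 to Unauthorized. */
object AuthAjaxClient extends autowire.Client[ByteBuffer, Pickler, Pickler] {
  override def doCall(req: Request): Future[ByteBuffer] = {
    // Only add the Authorization header when we actually hold a token.
    val headers = Map("Content-Type" -> "application/octet-stream") ++
      Session.current.map(t => "Authorization" -> s"Bearer $t")
    Ajax.post(
      url = "/api/" + req.path.mkString("/"),
      data = Pickle.intoBytes(req.args),
      responseType = "arraybuffer",
      headers = headers
    ).map(r => TypedArrayBuffer.wrap(r.response.asInstanceOf[ArrayBuffer]))
     .recoverWith {
       case AjaxException(xhr) if xhr.status == 401 =>
         Session.clear()            // token is missing or stale: forget it and let the UI re-login
         Future.failed(Unauthorized)
     }
  }
  override def read[Result: Pickler](p: ByteBuffer): Result = Unpickle[Result].fromBytes(p)
  override def write[Result: Pickler](r: Result): ByteBuffer = Pickle.intoBytes(r)
}

/** Example use from a component: fall back to the login view on Unauthorized. */
object TodoLoader {
  def load(showLogin: () => Unit): Future[Seq[TodoItem]] =
    AuthAjaxClient[Api].getAllTodos().call().recoverWith {
      case Unauthorized => showLogin(); Future.successful(Seq.empty)
    }
}
```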

Enalmada commented 8 years ago

You are totally right about dependencies, so I have simplified the pull to only need play2-auth (which is as lean an authorization module as I think you can get while still being real... but I will not be offended at all if you want to go a different direction).

Yes, a traditional page in front is not a bad start, but +1 for a tutorial including authentication and authorization within the SPA itself. The todo requiring login and a login/logout button at the right of the header that changes depending on login state (not logged in, logged in, and admin) could, I think, go a long way to helping people learn how to do the rest themselves!

Thanks again for all the time you have put into this great example.

Enalmada commented 8 years ago

I am going to close this for now because I get the feeling it might be most desirable to mock up the authentication/authorization example with 0 external dependencies.