2020-07-29 15:14:47 +02:00
|
|
|
{-# LANGUAGE DataKinds #-}
|
2020-07-28 15:15:41 +02:00
|
|
|
{-# LANGUAGE ScopedTypeVariables #-}
|
2020-07-24 23:46:54 +02:00
|
|
|
{-# LANGUAGE OverloadedStrings #-}
|
2020-07-28 15:15:41 +02:00
|
|
|
{-# LANGUAGE NamedFieldPuns #-}
|
2020-07-28 22:33:58 +02:00
|
|
|
{-# LANGUAGE RecordWildCards #-}
|
2020-07-24 23:46:54 +02:00
|
|
|
{-# LANGUAGE TypeApplications #-}
|
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
module App where
|
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
import Control.Monad.IO.Class (liftIO)
|
|
|
|
import Data.String.Conversions (cs)
|
|
|
|
import Data.Text (Text)
|
|
|
|
import Servant
|
2020-07-29 21:26:23 +02:00
|
|
|
import Servant.Server.Internal.ServerError
|
2020-07-24 23:46:54 +02:00
|
|
|
import API
|
2020-07-28 19:46:05 +02:00
|
|
|
import Utils
|
2020-07-29 15:14:47 +02:00
|
|
|
import Web.Cookie
|
2020-07-28 15:15:41 +02:00
|
|
|
|
2020-07-31 19:30:21 +02:00
|
|
|
import qualified Network.Wai.Handler.Warp as Warp
|
|
|
|
import qualified Network.Wai.Middleware.Cors as Cors
|
2020-07-30 19:38:46 +02:00
|
|
|
import qualified System.Random as Random
|
|
|
|
import qualified Email as Email
|
2020-07-28 15:15:41 +02:00
|
|
|
import qualified Crypto.KDF.BCrypt as BC
|
|
|
|
import qualified Data.Text.Encoding as TE
|
2020-07-29 21:26:23 +02:00
|
|
|
import qualified Data.UUID as UUID
|
|
|
|
import qualified Data.UUID.V4 as UUID
|
2020-07-25 00:35:49 +02:00
|
|
|
import qualified Types as T
|
2020-07-28 19:38:30 +02:00
|
|
|
import qualified Accounts as Accounts
|
2020-07-29 21:26:23 +02:00
|
|
|
import qualified Auth as Auth
|
2020-07-28 19:38:30 +02:00
|
|
|
import qualified Trips as Trips
|
2020-07-28 19:48:38 +02:00
|
|
|
import qualified Sessions as Sessions
|
2020-07-28 22:33:58 +02:00
|
|
|
import qualified LoginAttempts as LoginAttempts
|
2020-07-30 19:38:46 +02:00
|
|
|
import qualified PendingAccounts as PendingAccounts
|
2020-07-24 23:46:54 +02:00
|
|
|
--------------------------------------------------------------------------------
|
|
|
|
|
2020-07-29 21:26:23 +02:00
|
|
|
err429 :: ServerError
|
|
|
|
err429 = ServerError
|
|
|
|
{ errHTTPCode = 429
|
|
|
|
, errReasonPhrase = "Too many requests"
|
|
|
|
, errBody = ""
|
|
|
|
, errHeaders = []
|
|
|
|
}
|
|
|
|
|
2020-07-30 19:38:46 +02:00
|
|
|
-- | Send an email to recipient, `to`, with a secret code.
|
2020-07-31 19:26:47 +02:00
|
|
|
sendVerifyEmail :: T.Config
|
|
|
|
-> Text
|
|
|
|
-> T.Username
|
|
|
|
-> T.Email
|
|
|
|
-> T.RegistrationSecret
|
|
|
|
-> IO (Either Email.SendError Email.SendSuccess)
|
|
|
|
sendVerifyEmail T.Config{..} apiKey (T.Username username) email@(T.Email to) (T.RegistrationSecret secretUUID) = do
|
2020-07-30 19:38:46 +02:00
|
|
|
Email.send apiKey subject (cs body) email
|
|
|
|
where
|
|
|
|
subject = "Please confirm your account"
|
|
|
|
-- TODO(wpcarro): Use a URL encoder
|
|
|
|
-- TODO(wpcarro): Use a dynamic domain and port number
|
|
|
|
body =
|
|
|
|
let secret = secretUUID |> UUID.toString in
|
2020-07-31 19:26:47 +02:00
|
|
|
cs configServer ++ cs username ++ "&secret=" ++ secret
|
2020-07-30 19:38:46 +02:00
|
|
|
|
2020-07-30 14:58:50 +02:00
|
|
|
server :: T.Config -> Server API
|
2020-07-31 19:26:47 +02:00
|
|
|
server config@T.Config{..} = createAccount
|
|
|
|
:<|> verifyAccount
|
|
|
|
:<|> deleteAccount
|
|
|
|
:<|> listAccounts
|
|
|
|
:<|> createTrip
|
|
|
|
:<|> updateTrip
|
|
|
|
:<|> deleteTrip
|
|
|
|
:<|> listTrips
|
|
|
|
:<|> login
|
|
|
|
:<|> logout
|
|
|
|
:<|> unfreezeAccount
|
2020-07-24 23:46:54 +02:00
|
|
|
where
|
2020-07-30 11:23:55 +02:00
|
|
|
-- Admit Admins + whatever the predicate `p` passes.
|
|
|
|
adminsAnd cookie p = Auth.assert dbFile cookie (\acct@T.Account{..} -> accountRole == T.Admin || p acct)
|
|
|
|
-- Admit Admins only.
|
|
|
|
adminsOnly cookie = adminsAnd cookie (const True)
|
|
|
|
|
2020-07-27 16:22:22 +02:00
|
|
|
-- TODO(wpcarro): Handle failed CONSTRAINTs instead of sending 500s
|
2020-07-29 21:26:23 +02:00
|
|
|
createAccount :: T.CreateAccountRequest -> Handler NoContent
|
2020-07-30 19:38:46 +02:00
|
|
|
createAccount T.CreateAccountRequest{..} = do
|
|
|
|
secretUUID <- liftIO $ T.RegistrationSecret <$> Random.randomIO
|
|
|
|
liftIO $ PendingAccounts.create dbFile
|
|
|
|
secretUUID
|
|
|
|
createAccountRequestUsername
|
|
|
|
createAccountRequestPassword
|
|
|
|
createAccountRequestRole
|
|
|
|
createAccountRequestEmail
|
2020-07-31 19:26:47 +02:00
|
|
|
liftIO $ sendVerifyEmail config mailgunAPIKey
|
2020-07-30 19:38:46 +02:00
|
|
|
createAccountRequestUsername
|
|
|
|
createAccountRequestEmail
|
|
|
|
secretUUID
|
2020-07-28 13:49:16 +02:00
|
|
|
pure NoContent
|
2020-07-25 00:35:49 +02:00
|
|
|
|
2020-07-30 19:38:46 +02:00
|
|
|
verifyAccount :: Text -> Text -> Handler NoContent
|
|
|
|
verifyAccount username secret = do
|
|
|
|
let mSecretUUID = T.RegistrationSecret <$> UUID.fromText secret in do
|
|
|
|
case mSecretUUID of
|
|
|
|
Nothing -> throwError err401 { errBody = "Invalid secret format" }
|
|
|
|
Just secretUUID -> do
|
|
|
|
mPendingAccount <- liftIO $ PendingAccounts.get dbFile (T.Username username)
|
|
|
|
case mPendingAccount of
|
|
|
|
Nothing ->
|
|
|
|
throwError err401 { errBody = "Either your secret or your username (or both) is invalid" }
|
|
|
|
Just pendingAccount@T.PendingAccount{..} ->
|
|
|
|
if pendingAccountSecret == secretUUID then do
|
|
|
|
liftIO $ Accounts.transferFromPending dbFile pendingAccount
|
|
|
|
pure NoContent
|
|
|
|
else
|
|
|
|
throwError err401 { errBody = "The secret you provided is invalid" }
|
|
|
|
|
2020-07-29 21:26:23 +02:00
|
|
|
deleteAccount :: T.SessionCookie -> Text -> Handler NoContent
|
2020-07-30 11:23:55 +02:00
|
|
|
deleteAccount cookie username = adminsOnly cookie $ do
|
|
|
|
liftIO $ Accounts.delete dbFile (T.Username username)
|
|
|
|
pure NoContent
|
2020-07-28 11:57:15 +02:00
|
|
|
|
2020-07-29 21:26:23 +02:00
|
|
|
listAccounts :: T.SessionCookie -> Handler [T.User]
|
2020-07-30 11:23:55 +02:00
|
|
|
listAccounts cookie = adminsOnly cookie $ do
|
|
|
|
liftIO $ Accounts.list dbFile
|
2020-07-24 23:46:54 +02:00
|
|
|
|
2020-07-29 21:26:23 +02:00
|
|
|
createTrip :: T.SessionCookie -> T.Trip -> Handler NoContent
|
2020-07-30 11:23:55 +02:00
|
|
|
createTrip cookie trip@T.Trip{..} =
|
|
|
|
adminsAnd cookie (\T.Account{..} -> accountUsername == tripUsername) $ do
|
|
|
|
liftIO $ Trips.create dbFile trip
|
|
|
|
pure NoContent
|
2020-07-28 10:10:54 +02:00
|
|
|
|
2020-07-31 12:25:36 +02:00
|
|
|
updateTrip :: T.SessionCookie -> T.UpdateTripRequest -> Handler NoContent
|
|
|
|
updateTrip cookie updates@T.UpdateTripRequest{..} =
|
|
|
|
adminsAnd cookie (\T.Account{..} -> accountUsername == T.tripPKUsername updateTripRequestTripPK) $ do
|
|
|
|
mTrip <- liftIO $ Trips.get dbFile updateTripRequestTripPK
|
|
|
|
case mTrip of
|
|
|
|
Nothing -> throwError err400 { errBody = "tripKey is invalid" }
|
|
|
|
Just trip@T.Trip{..} -> do
|
|
|
|
-- TODO(wpcarro): Prefer function in Trips module that does this in a
|
|
|
|
-- DB transaction.
|
|
|
|
liftIO $ Trips.delete dbFile updateTripRequestTripPK
|
|
|
|
liftIO $ Trips.create dbFile (T.updateTrip updates trip)
|
|
|
|
pure NoContent
|
|
|
|
|
2020-07-29 21:26:23 +02:00
|
|
|
deleteTrip :: T.SessionCookie -> T.TripPK -> Handler NoContent
|
2020-07-30 11:23:55 +02:00
|
|
|
deleteTrip cookie tripPK@T.TripPK{..} =
|
|
|
|
adminsAnd cookie (\T.Account{..} -> accountUsername == tripPKUsername) $ do
|
2020-07-29 21:26:23 +02:00
|
|
|
liftIO $ Trips.delete dbFile tripPK
|
2020-07-28 19:38:30 +02:00
|
|
|
pure NoContent
|
2020-07-28 11:14:33 +02:00
|
|
|
|
2020-07-31 11:55:10 +02:00
|
|
|
listTrips :: T.SessionCookie -> Handler [T.Trip]
|
|
|
|
listTrips cookie = do
|
|
|
|
mAccount <- liftIO $ Auth.accountFromCookie dbFile cookie
|
|
|
|
case mAccount of
|
|
|
|
Nothing -> throwError err401 { errBody = "Your session cookie is invalid. Try logging out and logging back in." }
|
|
|
|
Just T.Account{..} ->
|
|
|
|
case accountRole of
|
|
|
|
T.Admin -> liftIO $ Trips.listAll dbFile
|
|
|
|
_ -> liftIO $ Trips.list dbFile accountUsername
|
2020-07-29 15:14:47 +02:00
|
|
|
|
|
|
|
login :: T.AccountCredentials
|
2020-07-31 19:28:41 +02:00
|
|
|
-> Handler (Headers '[Header "Set-Cookie" SetCookie] T.Session)
|
2020-07-28 19:48:38 +02:00
|
|
|
login (T.AccountCredentials username password) = do
|
2020-07-29 21:26:23 +02:00
|
|
|
mAccount <- liftIO $ Accounts.lookup dbFile username
|
2020-07-28 19:48:38 +02:00
|
|
|
case mAccount of
|
2020-07-28 22:33:58 +02:00
|
|
|
Just account@T.Account{..} -> do
|
2020-07-29 21:26:23 +02:00
|
|
|
mAttempts <- liftIO $ LoginAttempts.forUsername dbFile accountUsername
|
2020-07-28 22:33:58 +02:00
|
|
|
case mAttempts of
|
|
|
|
Nothing ->
|
|
|
|
if T.passwordsMatch password accountPassword then do
|
2020-07-29 21:26:23 +02:00
|
|
|
uuid <- liftIO $ Sessions.findOrCreate dbFile account
|
2020-07-31 19:28:41 +02:00
|
|
|
pure $ addHeader (Auth.mkCookie uuid)
|
|
|
|
T.Session{ sessionUsername = accountUsername
|
|
|
|
, sessionRole = accountRole
|
|
|
|
}
|
2020-07-28 22:33:58 +02:00
|
|
|
else do
|
2020-07-29 21:26:23 +02:00
|
|
|
liftIO $ LoginAttempts.increment dbFile username
|
|
|
|
throwError err401 { errBody = "Your credentials are invalid" }
|
2020-07-28 22:33:58 +02:00
|
|
|
Just attempts ->
|
2020-07-30 20:53:46 +02:00
|
|
|
if attempts >= 3 then
|
2020-07-29 21:26:23 +02:00
|
|
|
throwError err429
|
2020-07-28 22:33:58 +02:00
|
|
|
else if T.passwordsMatch password accountPassword then do
|
2020-07-29 21:26:23 +02:00
|
|
|
uuid <- liftIO $ Sessions.findOrCreate dbFile account
|
2020-07-31 19:28:41 +02:00
|
|
|
pure $ addHeader (Auth.mkCookie uuid)
|
|
|
|
T.Session{ sessionUsername = accountUsername
|
|
|
|
, sessionRole = accountRole
|
|
|
|
}
|
2020-07-28 22:33:58 +02:00
|
|
|
else do
|
2020-07-29 21:26:23 +02:00
|
|
|
liftIO $ LoginAttempts.increment dbFile username
|
|
|
|
throwError err401 { errBody = "Your credentials are invalid" }
|
2020-07-28 15:15:41 +02:00
|
|
|
|
2020-07-28 19:48:38 +02:00
|
|
|
-- In this branch, the user didn't supply a known username.
|
2020-07-29 21:26:23 +02:00
|
|
|
Nothing -> throwError err401 { errBody = "Your credentials are invalid" }
|
2020-07-29 15:14:47 +02:00
|
|
|
|
|
|
|
logout :: T.SessionCookie
|
2020-07-29 21:26:23 +02:00
|
|
|
-> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent)
|
|
|
|
logout cookie = do
|
|
|
|
case Auth.uuidFromCookie cookie of
|
|
|
|
Nothing ->
|
|
|
|
pure $ addHeader Auth.emptyCookie NoContent
|
|
|
|
Just uuid -> do
|
|
|
|
liftIO $ Sessions.delete dbFile uuid
|
|
|
|
pure $ addHeader Auth.emptyCookie NoContent
|
2020-07-24 23:46:54 +02:00
|
|
|
|
2020-07-31 12:37:45 +02:00
|
|
|
unfreezeAccount :: T.SessionCookie
|
|
|
|
-> T.UnfreezeAccountRequest
|
|
|
|
-> Handler NoContent
|
|
|
|
unfreezeAccount cookie T.UnfreezeAccountRequest{..} =
|
|
|
|
adminsAnd cookie (\T.Account{..} -> accountRole == T.Manager) $ do
|
|
|
|
liftIO $ LoginAttempts.reset dbFile unfreezeAccountRequestUsername
|
|
|
|
pure NoContent
|
|
|
|
|
2020-07-30 14:58:50 +02:00
|
|
|
run :: T.Config -> IO ()
|
2020-07-31 19:30:21 +02:00
|
|
|
run config@T.Config{..} =
|
|
|
|
Warp.run 3000 (enforceCors $ serve (Proxy @ API) $ server config)
|
|
|
|
where
|
|
|
|
enforceCors = Cors.cors (const $ Just corsPolicy)
|
|
|
|
corsPolicy :: Cors.CorsResourcePolicy
|
|
|
|
corsPolicy =
|
|
|
|
Cors.simpleCorsResourcePolicy
|
|
|
|
{ Cors.corsOrigins = Just ([cs configClient], True)
|
|
|
|
, Cors.corsMethods = Cors.simpleMethods ++ ["PUT", "PATCH", "DELETE", "OPTIONS"]
|
|
|
|
, Cors.corsRequestHeaders = Cors.simpleHeaders ++ ["Content-Type", "Authorization"]
|
|
|
|
}
|