Fully support login, logout

Refactor my handlers to use the `Handler a` type instead of `IO a`; this allows
me to throwError inside of handlers that Servant properly handles. Previously I
was creating 500 errors unnecessarily.
This commit is contained in:
William Carroll 2020-07-29 20:26:23 +01:00
parent ab12be7840
commit fdd51f626c
3 changed files with 117 additions and 60 deletions

View file

@ -11,7 +11,7 @@ import qualified Types as T
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
-- | Once authenticated, users receive a SessionCookie. -- | Once authenticated, users receive a SessionCookie.
type SessionCookie = Header' '[Required] "Set-Cookie" T.SessionCookie type SessionCookie = Header' '[Required] "Cookie" T.SessionCookie
type API = type API =
-- accounts: Create -- accounts: Create

View file

@ -7,118 +7,121 @@
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
module App where module App where
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
import Control.Exception (throwIO)
import Control.Monad.IO.Class (liftIO) import Control.Monad.IO.Class (liftIO)
import Data.String.Conversions (cs) import Data.String.Conversions (cs)
import Data.Text (Text) import Data.Text (Text)
import Network.Wai.Handler.Warp as Warp import Network.Wai.Handler.Warp as Warp
import Servant import Servant
import Servant.Server.Internal.ServerError
import API import API
import Utils import Utils
import Web.Cookie import Web.Cookie
import qualified Crypto.KDF.BCrypt as BC import qualified Crypto.KDF.BCrypt as BC
import qualified Data.Text.Encoding as TE import qualified Data.Text.Encoding as TE
import qualified Data.UUID as UUID
import qualified Data.UUID.V4 as UUID
import qualified Types as T import qualified Types as T
import qualified Accounts as Accounts import qualified Accounts as Accounts
import qualified Auth as Auth
import qualified Trips as Trips import qualified Trips as Trips
import qualified Sessions as Sessions import qualified Sessions as Sessions
import qualified LoginAttempts as LoginAttempts import qualified LoginAttempts as LoginAttempts
-------------------------------------------------------------------------------- --------------------------------------------------------------------------------
server :: FilePath -> Server API err429 :: ServerError
server dbFile = createAccountH err429 = ServerError
:<|> deleteAccountH { errHTTPCode = 429
:<|> listAccountsH , errReasonPhrase = "Too many requests"
:<|> createTripH , errBody = ""
:<|> deleteTripH , errHeaders = []
:<|> listTripsH }
:<|> loginH
:<|> logoutH
where
createAccountH newUser = liftIO $ createAccount newUser
deleteAccountH cookie username = liftIO $ deleteAccount cookie username
listAccountsH cookie = liftIO $ listAccounts cookie
createTripH cookie trip = liftIO $ createTrip cookie trip
deleteTripH cookie tripPK = liftIO $ deleteTrip cookie tripPK
listTripsH = liftIO $ listTrips
loginH creds = liftIO $ login creds
logoutH cookie = liftIO $ logout cookie
server :: FilePath -> Server API
server dbFile = createAccount
:<|> deleteAccount
:<|> listAccounts
:<|> createTrip
:<|> deleteTrip
:<|> listTrips
:<|> login
:<|> logout
where
-- TODO(wpcarro): Handle failed CONSTRAINTs instead of sending 500s -- TODO(wpcarro): Handle failed CONSTRAINTs instead of sending 500s
createAccount :: T.CreateAccountRequest -> IO NoContent createAccount :: T.CreateAccountRequest -> Handler NoContent
createAccount request = do createAccount request = do
Accounts.create dbFile liftIO $ Accounts.create dbFile
(T.createAccountRequestUsername request) (T.createAccountRequestUsername request)
(T.createAccountRequestPassword request) (T.createAccountRequestPassword request)
(T.createAccountRequestEmail request) (T.createAccountRequestEmail request)
(T.createAccountRequestRole request) (T.createAccountRequestRole request)
pure NoContent pure NoContent
deleteAccount :: T.SessionCookie -> Text -> IO NoContent deleteAccount :: T.SessionCookie -> Text -> Handler NoContent
deleteAccount cookie username = do deleteAccount cookie username = do
Accounts.delete dbFile (T.Username username) mRole <- liftIO $ Auth.roleFromCookie dbFile cookie
pure NoContent case mRole of
Just T.Admin -> do
liftIO $ Accounts.delete dbFile (T.Username username)
pure NoContent
-- cannot delete an account if you're not an Admin
_ -> throwError err401 { errBody = "Only admins can delete accounts." }
listAccounts :: T.SessionCookie -> IO [T.User] listAccounts :: T.SessionCookie -> Handler [T.User]
listAccounts cookie = Accounts.list dbFile listAccounts (T.SessionCookie cookie) = liftIO $ Accounts.list dbFile
createTrip :: T.SessionCookie -> T.Trip -> IO NoContent createTrip :: T.SessionCookie -> T.Trip -> Handler NoContent
createTrip cookie trip = do createTrip cookie trip = do
Trips.create dbFile trip liftIO $ Trips.create dbFile trip
pure NoContent pure NoContent
-- TODO(wpcarro): Validate incoming data like startDate. -- TODO(wpcarro): Validate incoming data like startDate.
deleteTrip :: T.SessionCookie -> T.TripPK -> IO NoContent deleteTrip :: T.SessionCookie -> T.TripPK -> Handler NoContent
deleteTrip cookie tripPK = do deleteTrip cookie tripPK = do
Trips.delete dbFile tripPK liftIO $ Trips.delete dbFile tripPK
pure NoContent pure NoContent
listTrips :: IO [T.Trip] listTrips :: Handler [T.Trip]
listTrips = Trips.list dbFile listTrips = liftIO $ Trips.list dbFile
login :: T.AccountCredentials login :: T.AccountCredentials
-> IO (Headers '[Header "Set-Cookie" SetCookie] NoContent) -> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent)
login (T.AccountCredentials username password) = do login (T.AccountCredentials username password) = do
mAccount <- Accounts.lookup dbFile username mAccount <- liftIO $ Accounts.lookup dbFile username
case mAccount of case mAccount of
Just account@T.Account{..} -> do Just account@T.Account{..} -> do
mAttempts <- LoginAttempts.forUsername dbFile accountUsername mAttempts <- liftIO $ LoginAttempts.forUsername dbFile accountUsername
case mAttempts of case mAttempts of
Nothing -> Nothing ->
if T.passwordsMatch password accountPassword then do if T.passwordsMatch password accountPassword then do
session <- Sessions.findOrCreate dbFile account uuid <- liftIO $ Sessions.findOrCreate dbFile account
-- set cookie pure $ addHeader (Auth.mkCookie uuid) NoContent
undefined
else do else do
LoginAttempts.increment dbFile username liftIO $ LoginAttempts.increment dbFile username
throwIO err401 { errBody = "Your credentials are invalid" } throwError err401 { errBody = "Your credentials are invalid" }
Just attempts -> Just attempts ->
if attempts > 3 then if attempts > 3 then
-- TODO(wpcarro): Prefer 429 error code throwError err429
throwIO err401 { errBody = "Too many failed login attempts" }
else if T.passwordsMatch password accountPassword then do else if T.passwordsMatch password accountPassword then do
session <- Sessions.findOrCreate dbFile account uuid <- liftIO $ Sessions.findOrCreate dbFile account
-- set cookie pure $ addHeader (Auth.mkCookie uuid) NoContent
undefined
else do else do
LoginAttempts.increment dbFile username liftIO $ LoginAttempts.increment dbFile username
-- TODO(wpcarro): Catch and return errors over HTTP throwError err401 { errBody = "Your credentials are invalid" }
throwIO err401 { errBody = "Your credentials are invalid" }
-- In this branch, the user didn't supply a known username. -- In this branch, the user didn't supply a known username.
Nothing -> throwIO err401 { errBody = "Your credentials are invalid" } Nothing -> throwError err401 { errBody = "Your credentials are invalid" }
logout :: T.SessionCookie logout :: T.SessionCookie
-> IO (Headers '[Header "Set-Cookie" SetCookie] NoContent) -> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent)
logout cookie = undefined logout cookie = do
-- pull off SessionUUID from the request headers case Auth.uuidFromCookie cookie of
-- delete the SessionUUID from the Sessions table. Nothing ->
pure $ addHeader Auth.emptyCookie NoContent
mkApp :: FilePath -> IO Application Just uuid -> do
mkApp dbFile = do liftIO $ Sessions.delete dbFile uuid
pure $ serve (Proxy @ API) $ server dbFile pure $ addHeader Auth.emptyCookie NoContent
run :: FilePath -> IO () run :: FilePath -> IO ()
run sqliteFile = run dbFile =
Warp.run 3000 =<< mkApp sqliteFile Warp.run 3000 (serve (Proxy @ API) $ server dbFile)

54
src/Auth.hs Normal file
View file

@ -0,0 +1,54 @@
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
--------------------------------------------------------------------------------
module Auth where
--------------------------------------------------------------------------------
import Database.SQLite.Simple
import Utils
import Web.Cookie
import qualified Data.UUID as UUID
import qualified Web.Cookie as WC
import qualified Sessions as Sessions
import qualified Accounts as Accounts
import qualified Types as T
import qualified Data.ByteString.Lazy as LBS
--------------------------------------------------------------------------------
-- | Return the UUID from a Session cookie.
uuidFromCookie :: T.SessionCookie -> Maybe T.SessionUUID
uuidFromCookie (T.SessionCookie cookies) = do
auth <- lookup "auth" cookies
uuid <- UUID.fromASCIIBytes auth
pure $ T.SessionUUID uuid
-- | Attempt to return the user role associated with the `cookie`.
roleFromCookie :: FilePath -> T.SessionCookie -> IO (Maybe T.Role)
roleFromCookie dbFile cookie = withConnection dbFile $ \conn -> do
case uuidFromCookie cookie of
Nothing -> pure Nothing
Just uuid -> do
mSession <- Sessions.get dbFile uuid
case mSession of
Nothing -> pure Nothing
Just T.StoredSession{..} -> do
mAccount <- Accounts.lookup dbFile storedSessionUsername
case mAccount of
Nothing -> pure Nothing
Just T.Account{..} -> pure (Just accountRole)
-- | Create a new session cookie.
mkCookie :: T.SessionUUID -> SetCookie
mkCookie (T.SessionUUID uuid) =
defaultSetCookie
{ setCookieName = "auth"
, setCookieValue = UUID.toASCIIBytes uuid
}
-- | Use this to clear out the session cookie.
emptyCookie :: SetCookie
emptyCookie =
defaultSetCookie
{ setCookieName = "auth"
, setCookieValue = ""
}