Fully support login, logout
Refactor my handlers to use the `Handler a` type instead of `IO a`; this allows me to throwError inside of handlers that Servant properly handles. Previously I was creating 500 errors unnecessarily.
This commit is contained in:
parent
ab12be7840
commit
fdd51f626c
3 changed files with 117 additions and 60 deletions
|
@ -11,7 +11,7 @@ import qualified Types as T
|
||||||
--------------------------------------------------------------------------------
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
-- | Once authenticated, users receive a SessionCookie.
|
-- | Once authenticated, users receive a SessionCookie.
|
||||||
type SessionCookie = Header' '[Required] "Set-Cookie" T.SessionCookie
|
type SessionCookie = Header' '[Required] "Cookie" T.SessionCookie
|
||||||
|
|
||||||
type API =
|
type API =
|
||||||
-- accounts: Create
|
-- accounts: Create
|
||||||
|
|
121
src/App.hs
121
src/App.hs
|
@ -7,118 +7,121 @@
|
||||||
--------------------------------------------------------------------------------
|
--------------------------------------------------------------------------------
|
||||||
module App where
|
module App where
|
||||||
--------------------------------------------------------------------------------
|
--------------------------------------------------------------------------------
|
||||||
import Control.Exception (throwIO)
|
|
||||||
import Control.Monad.IO.Class (liftIO)
|
import Control.Monad.IO.Class (liftIO)
|
||||||
import Data.String.Conversions (cs)
|
import Data.String.Conversions (cs)
|
||||||
import Data.Text (Text)
|
import Data.Text (Text)
|
||||||
import Network.Wai.Handler.Warp as Warp
|
import Network.Wai.Handler.Warp as Warp
|
||||||
import Servant
|
import Servant
|
||||||
|
import Servant.Server.Internal.ServerError
|
||||||
import API
|
import API
|
||||||
import Utils
|
import Utils
|
||||||
import Web.Cookie
|
import Web.Cookie
|
||||||
|
|
||||||
import qualified Crypto.KDF.BCrypt as BC
|
import qualified Crypto.KDF.BCrypt as BC
|
||||||
import qualified Data.Text.Encoding as TE
|
import qualified Data.Text.Encoding as TE
|
||||||
|
import qualified Data.UUID as UUID
|
||||||
|
import qualified Data.UUID.V4 as UUID
|
||||||
import qualified Types as T
|
import qualified Types as T
|
||||||
import qualified Accounts as Accounts
|
import qualified Accounts as Accounts
|
||||||
|
import qualified Auth as Auth
|
||||||
import qualified Trips as Trips
|
import qualified Trips as Trips
|
||||||
import qualified Sessions as Sessions
|
import qualified Sessions as Sessions
|
||||||
import qualified LoginAttempts as LoginAttempts
|
import qualified LoginAttempts as LoginAttempts
|
||||||
--------------------------------------------------------------------------------
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
server :: FilePath -> Server API
|
err429 :: ServerError
|
||||||
server dbFile = createAccountH
|
err429 = ServerError
|
||||||
:<|> deleteAccountH
|
{ errHTTPCode = 429
|
||||||
:<|> listAccountsH
|
, errReasonPhrase = "Too many requests"
|
||||||
:<|> createTripH
|
, errBody = ""
|
||||||
:<|> deleteTripH
|
, errHeaders = []
|
||||||
:<|> listTripsH
|
}
|
||||||
:<|> loginH
|
|
||||||
:<|> logoutH
|
|
||||||
where
|
|
||||||
createAccountH newUser = liftIO $ createAccount newUser
|
|
||||||
deleteAccountH cookie username = liftIO $ deleteAccount cookie username
|
|
||||||
listAccountsH cookie = liftIO $ listAccounts cookie
|
|
||||||
createTripH cookie trip = liftIO $ createTrip cookie trip
|
|
||||||
deleteTripH cookie tripPK = liftIO $ deleteTrip cookie tripPK
|
|
||||||
listTripsH = liftIO $ listTrips
|
|
||||||
loginH creds = liftIO $ login creds
|
|
||||||
logoutH cookie = liftIO $ logout cookie
|
|
||||||
|
|
||||||
|
server :: FilePath -> Server API
|
||||||
|
server dbFile = createAccount
|
||||||
|
:<|> deleteAccount
|
||||||
|
:<|> listAccounts
|
||||||
|
:<|> createTrip
|
||||||
|
:<|> deleteTrip
|
||||||
|
:<|> listTrips
|
||||||
|
:<|> login
|
||||||
|
:<|> logout
|
||||||
|
where
|
||||||
-- TODO(wpcarro): Handle failed CONSTRAINTs instead of sending 500s
|
-- TODO(wpcarro): Handle failed CONSTRAINTs instead of sending 500s
|
||||||
createAccount :: T.CreateAccountRequest -> IO NoContent
|
createAccount :: T.CreateAccountRequest -> Handler NoContent
|
||||||
createAccount request = do
|
createAccount request = do
|
||||||
Accounts.create dbFile
|
liftIO $ Accounts.create dbFile
|
||||||
(T.createAccountRequestUsername request)
|
(T.createAccountRequestUsername request)
|
||||||
(T.createAccountRequestPassword request)
|
(T.createAccountRequestPassword request)
|
||||||
(T.createAccountRequestEmail request)
|
(T.createAccountRequestEmail request)
|
||||||
(T.createAccountRequestRole request)
|
(T.createAccountRequestRole request)
|
||||||
pure NoContent
|
pure NoContent
|
||||||
|
|
||||||
deleteAccount :: T.SessionCookie -> Text -> IO NoContent
|
deleteAccount :: T.SessionCookie -> Text -> Handler NoContent
|
||||||
deleteAccount cookie username = do
|
deleteAccount cookie username = do
|
||||||
Accounts.delete dbFile (T.Username username)
|
mRole <- liftIO $ Auth.roleFromCookie dbFile cookie
|
||||||
pure NoContent
|
case mRole of
|
||||||
|
Just T.Admin -> do
|
||||||
|
liftIO $ Accounts.delete dbFile (T.Username username)
|
||||||
|
pure NoContent
|
||||||
|
-- cannot delete an account if you're not an Admin
|
||||||
|
_ -> throwError err401 { errBody = "Only admins can delete accounts." }
|
||||||
|
|
||||||
listAccounts :: T.SessionCookie -> IO [T.User]
|
listAccounts :: T.SessionCookie -> Handler [T.User]
|
||||||
listAccounts cookie = Accounts.list dbFile
|
listAccounts (T.SessionCookie cookie) = liftIO $ Accounts.list dbFile
|
||||||
|
|
||||||
createTrip :: T.SessionCookie -> T.Trip -> IO NoContent
|
createTrip :: T.SessionCookie -> T.Trip -> Handler NoContent
|
||||||
createTrip cookie trip = do
|
createTrip cookie trip = do
|
||||||
Trips.create dbFile trip
|
liftIO $ Trips.create dbFile trip
|
||||||
pure NoContent
|
pure NoContent
|
||||||
|
|
||||||
-- TODO(wpcarro): Validate incoming data like startDate.
|
-- TODO(wpcarro): Validate incoming data like startDate.
|
||||||
deleteTrip :: T.SessionCookie -> T.TripPK -> IO NoContent
|
deleteTrip :: T.SessionCookie -> T.TripPK -> Handler NoContent
|
||||||
deleteTrip cookie tripPK = do
|
deleteTrip cookie tripPK = do
|
||||||
Trips.delete dbFile tripPK
|
liftIO $ Trips.delete dbFile tripPK
|
||||||
pure NoContent
|
pure NoContent
|
||||||
|
|
||||||
listTrips :: IO [T.Trip]
|
listTrips :: Handler [T.Trip]
|
||||||
listTrips = Trips.list dbFile
|
listTrips = liftIO $ Trips.list dbFile
|
||||||
|
|
||||||
login :: T.AccountCredentials
|
login :: T.AccountCredentials
|
||||||
-> IO (Headers '[Header "Set-Cookie" SetCookie] NoContent)
|
-> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent)
|
||||||
login (T.AccountCredentials username password) = do
|
login (T.AccountCredentials username password) = do
|
||||||
mAccount <- Accounts.lookup dbFile username
|
mAccount <- liftIO $ Accounts.lookup dbFile username
|
||||||
case mAccount of
|
case mAccount of
|
||||||
Just account@T.Account{..} -> do
|
Just account@T.Account{..} -> do
|
||||||
mAttempts <- LoginAttempts.forUsername dbFile accountUsername
|
mAttempts <- liftIO $ LoginAttempts.forUsername dbFile accountUsername
|
||||||
case mAttempts of
|
case mAttempts of
|
||||||
Nothing ->
|
Nothing ->
|
||||||
if T.passwordsMatch password accountPassword then do
|
if T.passwordsMatch password accountPassword then do
|
||||||
session <- Sessions.findOrCreate dbFile account
|
uuid <- liftIO $ Sessions.findOrCreate dbFile account
|
||||||
-- set cookie
|
pure $ addHeader (Auth.mkCookie uuid) NoContent
|
||||||
undefined
|
|
||||||
else do
|
else do
|
||||||
LoginAttempts.increment dbFile username
|
liftIO $ LoginAttempts.increment dbFile username
|
||||||
throwIO err401 { errBody = "Your credentials are invalid" }
|
throwError err401 { errBody = "Your credentials are invalid" }
|
||||||
Just attempts ->
|
Just attempts ->
|
||||||
if attempts > 3 then
|
if attempts > 3 then
|
||||||
-- TODO(wpcarro): Prefer 429 error code
|
throwError err429
|
||||||
throwIO err401 { errBody = "Too many failed login attempts" }
|
|
||||||
else if T.passwordsMatch password accountPassword then do
|
else if T.passwordsMatch password accountPassword then do
|
||||||
session <- Sessions.findOrCreate dbFile account
|
uuid <- liftIO $ Sessions.findOrCreate dbFile account
|
||||||
-- set cookie
|
pure $ addHeader (Auth.mkCookie uuid) NoContent
|
||||||
undefined
|
|
||||||
else do
|
else do
|
||||||
LoginAttempts.increment dbFile username
|
liftIO $ LoginAttempts.increment dbFile username
|
||||||
-- TODO(wpcarro): Catch and return errors over HTTP
|
throwError err401 { errBody = "Your credentials are invalid" }
|
||||||
throwIO err401 { errBody = "Your credentials are invalid" }
|
|
||||||
|
|
||||||
-- In this branch, the user didn't supply a known username.
|
-- In this branch, the user didn't supply a known username.
|
||||||
Nothing -> throwIO err401 { errBody = "Your credentials are invalid" }
|
Nothing -> throwError err401 { errBody = "Your credentials are invalid" }
|
||||||
|
|
||||||
logout :: T.SessionCookie
|
logout :: T.SessionCookie
|
||||||
-> IO (Headers '[Header "Set-Cookie" SetCookie] NoContent)
|
-> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent)
|
||||||
logout cookie = undefined
|
logout cookie = do
|
||||||
-- pull off SessionUUID from the request headers
|
case Auth.uuidFromCookie cookie of
|
||||||
-- delete the SessionUUID from the Sessions table.
|
Nothing ->
|
||||||
|
pure $ addHeader Auth.emptyCookie NoContent
|
||||||
mkApp :: FilePath -> IO Application
|
Just uuid -> do
|
||||||
mkApp dbFile = do
|
liftIO $ Sessions.delete dbFile uuid
|
||||||
pure $ serve (Proxy @ API) $ server dbFile
|
pure $ addHeader Auth.emptyCookie NoContent
|
||||||
|
|
||||||
run :: FilePath -> IO ()
|
run :: FilePath -> IO ()
|
||||||
run sqliteFile =
|
run dbFile =
|
||||||
Warp.run 3000 =<< mkApp sqliteFile
|
Warp.run 3000 (serve (Proxy @ API) $ server dbFile)
|
||||||
|
|
54
src/Auth.hs
Normal file
54
src/Auth.hs
Normal file
|
@ -0,0 +1,54 @@
|
||||||
|
{-# LANGUAGE OverloadedStrings #-}
|
||||||
|
{-# LANGUAGE RecordWildCards #-}
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
module Auth where
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
import Database.SQLite.Simple
|
||||||
|
import Utils
|
||||||
|
import Web.Cookie
|
||||||
|
|
||||||
|
import qualified Data.UUID as UUID
|
||||||
|
import qualified Web.Cookie as WC
|
||||||
|
import qualified Sessions as Sessions
|
||||||
|
import qualified Accounts as Accounts
|
||||||
|
import qualified Types as T
|
||||||
|
import qualified Data.ByteString.Lazy as LBS
|
||||||
|
--------------------------------------------------------------------------------
|
||||||
|
|
||||||
|
-- | Return the UUID from a Session cookie.
|
||||||
|
uuidFromCookie :: T.SessionCookie -> Maybe T.SessionUUID
|
||||||
|
uuidFromCookie (T.SessionCookie cookies) = do
|
||||||
|
auth <- lookup "auth" cookies
|
||||||
|
uuid <- UUID.fromASCIIBytes auth
|
||||||
|
pure $ T.SessionUUID uuid
|
||||||
|
|
||||||
|
-- | Attempt to return the user role associated with the `cookie`.
|
||||||
|
roleFromCookie :: FilePath -> T.SessionCookie -> IO (Maybe T.Role)
|
||||||
|
roleFromCookie dbFile cookie = withConnection dbFile $ \conn -> do
|
||||||
|
case uuidFromCookie cookie of
|
||||||
|
Nothing -> pure Nothing
|
||||||
|
Just uuid -> do
|
||||||
|
mSession <- Sessions.get dbFile uuid
|
||||||
|
case mSession of
|
||||||
|
Nothing -> pure Nothing
|
||||||
|
Just T.StoredSession{..} -> do
|
||||||
|
mAccount <- Accounts.lookup dbFile storedSessionUsername
|
||||||
|
case mAccount of
|
||||||
|
Nothing -> pure Nothing
|
||||||
|
Just T.Account{..} -> pure (Just accountRole)
|
||||||
|
|
||||||
|
-- | Create a new session cookie.
|
||||||
|
mkCookie :: T.SessionUUID -> SetCookie
|
||||||
|
mkCookie (T.SessionUUID uuid) =
|
||||||
|
defaultSetCookie
|
||||||
|
{ setCookieName = "auth"
|
||||||
|
, setCookieValue = UUID.toASCIIBytes uuid
|
||||||
|
}
|
||||||
|
|
||||||
|
-- | Use this to clear out the session cookie.
|
||||||
|
emptyCookie :: SetCookie
|
||||||
|
emptyCookie =
|
||||||
|
defaultSetCookie
|
||||||
|
{ setCookieName = "auth"
|
||||||
|
, setCookieValue = ""
|
||||||
|
}
|
Loading…
Reference in a new issue