mdebray/tvl-depot
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
tvl-depot/src/API.hs
William Carroll 83f4f8e9d6 Prevent non-admins from creating Manager or Admin accounts 
Client-side, I'm not exposing the role option to users. Server-side, I'm
asserting that requests to create Manager and Admin accounts are attempted by
users with a session tied to an admin account.
2020-08-01 11:48:55 +01:00

69 lines
2.2 KiB
Haskell
Raw Blame History

{-# LANGUAGE DataKinds #-}
{-# LANGUAGE TypeOperators #-}
--------------------------------------------------------------------------------
module API where
--------------------------------------------------------------------------------
import Data.Text
import Servant.API
import Web.Cookie
import qualified Types as T
--------------------------------------------------------------------------------
-- | Once authenticated, users receive a SessionCookie.
type SessionCookie = Header' '[Required] "Cookie" T.SessionCookie
type API =
-- accounts: Create
"accounts"
:> Header "Cookie" T.SessionCookie
:> ReqBody '[JSON] T.CreateAccountRequest
:> Post '[JSON] NoContent
:<|> "verify"
:> QueryParam' '[Required] "username" Text
:> QueryParam' '[Required] "secret" Text
:> Get '[JSON] NoContent
-- accounts: Read
-- accounts: Update
-- accounts: Delete
:<|> "accounts"
:> SessionCookie
:> QueryParam' '[Required] "username" Text
:> Delete '[JSON] NoContent
-- accounts: List
:<|> "accounts"
:> SessionCookie
:> Get '[JSON] [T.User]
-- trips: Create
:<|> "trips"
:> SessionCookie
:> ReqBody '[JSON] T.Trip
:> Post '[JSON] NoContent
-- trips: Read
-- trips: Update
:<|> "trips"
:> SessionCookie
:> ReqBody '[JSON] T.UpdateTripRequest
:> Put '[JSON] NoContent
-- trips: Delete
:<|> "trips"
:> SessionCookie
:> ReqBody '[JSON] T.TripPK
:> Delete '[JSON] NoContent
-- trips: List
:<|> "trips"
:> SessionCookie
:> Get '[JSON] [T.Trip]
-- Miscellaneous
:<|> "login"
:> ReqBody '[JSON] T.AccountCredentials
:> Post '[JSON] (Headers '[Header "Set-Cookie" SetCookie] T.Session)
:<|> "logout"
:> SessionCookie
:> Get '[JSON] (Headers '[Header "Set-Cookie" SetCookie] NoContent)
:<|> "unfreeze"
:> SessionCookie
:> ReqBody '[JSON] T.UnfreezeAccountRequest
:> Post '[JSON] NoContent
Reference in a new issue View git blame Copy permalink