Happstack
diff --git a/‎happstack-authenticate-client/HappstackAuthenticateClient.hs‎
Lines changed: 0 additions & 983 deletions b/‎happstack-authenticate-client/HappstackAuthenticateClient.hs‎
Lines changed: 0 additions & 983 deletions
diff --git a/‎happstack-authenticate.cabal‎
Lines changed: 6 additions & 7 deletions b/‎happstack-authenticate.cabal‎
Lines changed: 6 additions & 7 deletions
diff --git a/‎src/Happstack/Authenticate/Client.hs‎
Lines changed: 65 additions & 145 deletions b/‎src/Happstack/Authenticate/Client.hs‎
Lines changed: 65 additions & 145 deletions
diff --git a/‎src/Happstack/Authenticate/Core.hs‎
Lines changed: 29 additions & 64 deletions b/‎src/Happstack/Authenticate/Core.hs‎
Lines changed: 29 additions & 64 deletions
diff --git a/‎src/Happstack/Authenticate/Handlers.hs‎
Lines changed: 51 additions & 19 deletions b/‎src/Happstack/Authenticate/Handlers.hs‎
Lines changed: 51 additions & 19 deletions
diff --git a/‎src/Happstack/Authenticate/Password/Core.hs‎
Lines changed: 2 additions & 11 deletions b/‎src/Happstack/Authenticate/Password/Core.hs‎
Lines changed: 2 additions & 11 deletions
@@ -1,8 +1,8 @@
 Cabal-version:       2.2
 Name:                happstack-authenticate
-Version:             3.0.0
+Version:             3.1.0
 Synopsis:            Happstack Authentication Library
-Description:         A themeable authentication library with support for username+password and OpenId.
+Description:         A themeable authentication library with support for username+password
 Homepage:            http://www.happstack.com/
 License:             BSD-3-Clause
 License-file:        LICENSE
@@ -34,10 +34,9 @@ common shared-properties
 common shared-ghcjs-properties
   default-language: Haskell2010
   if impl(ghcjs)
-    build-depends:    base,
-                     base64-bytestring            >= 1.0  && < 1.3,
-                     chili                        >= 0.4.2,
-                     jwt                          >= 0.3  && < 0.12
+    build-depends:     base
+                     , base64-bytestring            >= 1.0  && < 1.3
+                     , chili                        >= 0.4.2
                      , aeson
                      , bytestring
                      , containers
@@ -95,7 +94,6 @@ Library
                        boomerang                    >= 1.4  && < 1.5,
                        containers                   >= 0.4  && < 0.7,
                        ixset-typed                  >= 0.3  && < 0.6,
-                       jwt                          >= 0.3  && < 0.12,
                        lens                         >= 4.2  && < 5.2,
                        mtl                          >= 2.0  && < 2.3,
                        pwstore-purehaskell          == 2.1.*,
@@ -116,6 +114,7 @@ Library
                        filepath                     >= 1.3  && < 1.5,
                        hsx2hs                       >= 0.13 && < 0.15,
                        jmacro                       >= 0.6.11  && < 0.7,
+                       jwt                          >= 0.3  && < 0.12,
                        happstack-jmacro             >= 7.0  && < 7.1,
                        happstack-server             >= 6.0  && < 7.9,
                        happstack-hsp                >= 7.3  && < 7.4,
 
@@ -130,62 +130,30 @@ import Control.Category                ((.), id)
 import Control.Exception               (SomeException)
 import qualified Control.Exception     as E
 import Control.Lens                    ((?=), (.=), (^.), (.~), makeLenses, view, set)
--- import Control.Lens.At                 (IxValue(..), Ixed(..), Index(..), At(at))
--- import Control.Monad.Trans             (MonadIO(liftIO))
--- import Control.Monad.Reader            (ask)
--- import Control.Monad.State             (get, put, modify)
 import Data.Aeson                      (FromJSON(..), ToJSON(..), Result(..), fromJSON)
 import qualified Data.Aeson            as A
 import Data.Aeson.Types                (Options(fieldLabelModifier), defaultOptions, genericToJSON, genericParseJSON)
--- import Data.Acid                       (AcidState, Update, Query, makeAcidic)
--- import Data.Acid.Advanced              (update', query')
--- import Data.ByteString.Base64          (encode)
--- import qualified Data.ByteString.Char8 as B
 import Data.Data                       (Data, Typeable)
--- import Data.Default                    (def)
 import Data.Map                        (Map)
 import qualified Data.Map              as Map
 import Data.Maybe                      (fromMaybe, maybeToList)
 import Data.Monoid                     ((<>), mconcat, mempty)
 import Data.SafeCopy                   (SafeCopy, Migrate(..), base, deriveSafeCopy, extension)
 import Data.IxSet.Typed
 import qualified Data.IxSet.Typed      as IxSet
--- import           Data.Set              (Set)
--- import qualified Data.Set              as Set
 import Data.Text                       (Text)
 import qualified Data.Text             as Text
 import qualified Data.Text.Encoding    as Text
--- import Data.Time                       (UTCTime, addUTCTime, diffUTCTime, getCurrentTime)
--- import Data.Time.Clock.POSIX           (utcTimeToPOSIXSeconds, posixSecondsToUTCTime)
 import Data.UserId                     (UserId(..), rUserId, succUserId, unUserId)
 import GHC.Generics                    (Generic)
--- import Happstack.Server                (Cookie(secure), CookieLife(Session, MaxAge), Happstack, ServerPartT, Request(rqSecure), Response, addCookie, askRq, expireCookie, getHeaderM, lookCookie, lookCookieValue, mkCookie, notFound, toResponseBS)
--- import Happstack.Server.Internal.Clock (getApproximateUTCTime)
--- import Language.Javascript.JMacro
 import Prelude                         hiding ((.), id, exp)
 import System.IO                       (IOMode(ReadMode), withFile)
--- import System.Random                   (randomRIO)
 import Text.Boomerang.TH               (makeBoomerangs)
 import Text.Shakespeare.I18N           (RenderMessage(renderMessage), mkMessageFor)
-import Web.JWT                         (Algorithm(HS256), JWT, VerifiedJWT, JWTClaimsSet(..), encodeSigned, claims, decode, decodeAndVerifySignature, secondsSinceEpoch, intDate, verify)
-import qualified Web.JWT               as JWT
-#if MIN_VERSION_jwt(0,8,0)
-import Web.JWT                         (ClaimsMap(..), hmacSecret)
-#else
-import Web.JWT                         (secret)
-#endif
-
 import Web.Routes                      (RouteT, PathInfo(..), nestURL)
 import Web.Routes.Boomerang
--- import Web.Routes.Happstack            ()
 import Web.Routes.TH                   (derivePathInfo)
 
-#if MIN_VERSION_jwt(0,8,0)
-#else
-unClaimsMap = id
-#endif
-
-
 -- | when creating JSON field names, drop the first character. Since
 -- we are using lens, the leading character should always be _.
 jsonOptions :: Options
@@ -214,38 +182,14 @@ data CoreError
     deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
 instance ToJSON   CoreError where toJSON    = genericToJSON    jsonOptions
 instance FromJSON CoreError where parseJSON = genericParseJSON jsonOptions
-{-
-instance ToJExpr CoreError where
-    toJExpr = toJExpr . toJSON
--}
+
 deriveSafeCopy 0 'base ''CoreError
 
 mkMessageFor "HappstackAuthenticateI18N" "CoreError" "messages/core" ("en")
 
 ------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
--- UserId
-------------------------------------------------------------------------------
-{-
--- | a 'UserId' uniquely identifies a user.
-newtype UserId = UserId { _unUserId :: Integer }
-    deriving (Eq, Ord, Enum, Read, Show, Data, Typeable, Generic)
-deriveSafeCopy 1 'base ''UserId
-makeLenses ''UserId
-makeBoomerangs ''UserId
-
-instance ToJSON   UserId where toJSON (UserId i) = toJSON i
-instance FromJSON UserId where parseJSON v = UserId <$> parseJSON v
-
-instance PathInfo UserId where
-    toPathSegments (UserId i) = toPathSegments i
-    fromPathSegments = UserId <$> fromPathSegments
-
--- | get the next `UserId`
-succUserId :: UserId -> UserId
-succUserId (UserId i) = UserId (succ i)
--}
+
 ------------------------------------------------------------------------------
 -- Username
 ------------------------------------------------------------------------------
@@ -346,7 +290,8 @@ data AuthenticateURL
       AuthenticationMethods (Maybe (AuthenticationMethod, [Text]))
     | HappstackAuthenticateClient
     | Logout
---    | AmAuthenticated
+    | AmAuthenticated
+    | InitClient
     deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
 
 makeBoomerangs ''AuthenticateURL
@@ -358,7 +303,8 @@ authenticateURL =
     "authentication-methods" </> ( rAuthenticationMethods . rMaybe authenticationMethod)
   <> "happstack-authenticate-client" . rHappstackAuthenticateClient
   <> "logout" . rLogout
---   <> "am-authenticated" . rAmAuthenticated
+  <> "am-authenticated" . rAmAuthenticated
+  <> "init-client" . rInitClient
   )
   where
     userId = rUserId . integer
@@ -377,20 +323,39 @@ nestAuthenticationMethod :: (PathInfo methodURL) =>
 nestAuthenticationMethod authenticationMethod =
   nestURL $ \methodURL -> AuthenticationMethods $ Just (authenticationMethod, toPathSegments methodURL)
 
+------------------------------------------------------------------------------
+-- ClientInitData
+------------------------------------------------------------------------------
+
+-- | The `Token` type represents the data used to identify a user. The
+-- name used to make more sense and it should probably be renamed.
+data ClientInitData = ClientInitData
+  { _cidUser               :: Maybe User
+  , _cidPostLoginRedirectURL  :: Maybe Text
+  , _cidPostSignupRedirectURL :: Maybe Text
+  }
+    deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
+makeLenses ''ClientInitData
+instance ToJSON   ClientInitData where toJSON    = genericToJSON    jsonOptions
+instance FromJSON ClientInitData where parseJSON = genericParseJSON jsonOptions
+
+------------------------------------------------------------------------------
+-- Token
+------------------------------------------------------------------------------
 
--- | The `Token` type represents the encrypted data used to identify a
--- user.
+-- | The `Token` type represents the data used to identify a user. The
+-- name used to make more sense and it should probably be renamed.
 data Token = Token
   { _tokenUser        :: User
-  , _tokenIsAuthAdmin :: Bool
   }
     deriving (Eq, Ord, Read, Show, Data, Typeable, Generic)
 makeLenses ''Token
 instance ToJSON   Token where toJSON    = genericToJSON    jsonOptions
 instance FromJSON Token where parseJSON = genericParseJSON jsonOptions
 
+
 ------------------------------------------------------------------------------
--- Token / TokenText
+-- TokenText
 ------------------------------------------------------------------------------
 
 -- | `TokenText` is the encrypted form of the `Token` which is passed
 
@@ -12,12 +12,16 @@ import Control.Monad.Reader            (ask)
 import Control.Monad.State             (get, put, modify)
 import Data.Acid                       (AcidState, Update, Query, makeAcidic)
 import Data.Acid.Advanced              (update', query')
-import Data.Aeson                      (FromJSON(..), ToJSON(..), Result(..), fromJSON)
+import Data.Aeson                      (FromJSON(..), Object(..), ToJSON(..), Result(..), Value(..), fromJSON)
 import qualified Data.Aeson            as A
 import Data.Aeson.Types                (Options(fieldLabelModifier), defaultOptions, genericToJSON, genericParseJSON)
+#if MIN_VERSION_aeson(2,0,0)
+import qualified Data.Aeson.KeyMap as KM
+#endif
 import Data.ByteString.Base64          (encode)
 import qualified Data.ByteString.Char8 as B
 import Data.Data                       (Data, Typeable)
+import qualified Data.HashMap.Strict as HashMap
 import Data.Map                        (Map)
 import qualified Data.Map              as Map
 import Data.SafeCopy                   (SafeCopy, Migrate(..), base, deriveSafeCopy, extension)
@@ -32,7 +36,7 @@ import Data.Time                       (UTCTime, addUTCTime, diffUTCTime, getCur
 import Data.Time.Clock.POSIX           (utcTimeToPOSIXSeconds, posixSecondsToUTCTime)
 import Data.UserId                     (UserId(..), rUserId, succUserId, unUserId)
 import Happstack.Authenticate.Core
-import Happstack.Server                (Cookie(httpOnly, sameSite, secure), CookieLife(Session, MaxAge), Happstack, SameSite(SameSiteStrict), ServerPartT, Request(rqSecure), Response, addCookie, askRq, expireCookie, getHeaderM, lookCookie, lookCookieValue, mkCookie, notFound, toResponseBS)
+import Happstack.Server                (Cookie(httpOnly, sameSite, secure), CookieLife(Session, MaxAge), Happstack, Method(GET, HEAD), SameSite(SameSiteStrict), ServerPartT, Request(rqSecure), Response, addCookie, askRq, expireCookie, getHeaderM, lookCookie, lookCookieValue, method, mkCookie, notFound, resp, toResponseBS)
 import GHC.Generics                    (Generic)
 import Prelude                         hiding ((.), id, exp)
 import System.IO                       (IOMode(ReadMode), withFile)
@@ -348,12 +352,11 @@ getOrGenSharedSecret authenticateState uid =
 -- Token Functions
 ------------------------------------------------------------------------------
 
--- | create a `Token` for `User`
+-- | create a `TokenText` for `User`
 --
--- The @isAuthAdmin@ paramater is a function which will be called to
--- determine if `UserId` is a user who should be given Administrator
--- privileges. This includes the ability to things such as set the
--- `OpenId` realm, change the registeration mode, etc.
+-- NOTE: the `TokenText` is all that is needed to impersonate a
+-- user. It should not be stored in `LocalStorage` or other places
+-- which are accessibly by 3rd party javascript
 issueToken :: (MonadIO m) =>
               AcidState AuthenticateState
            -> AuthenticateConfig
@@ -376,9 +379,6 @@ issueToken authenticateState authenticateConfig user =
                          ClaimsMap $
 #endif
                            Map.fromList [ ("user"                 , toJSON user)
-                                        , ("authAdmin"            , toJSON admin)
-                                        , ("postLoginRedirectURL" , toJSON (_postLoginRedirect authenticateConfig))
-                                        , ("postSignupRedirectURL", toJSON (_postSignupRedirect authenticateConfig))
                                         ]
                    }
 #if MIN_VERSION_jwt(0,10,0)
@@ -431,12 +431,7 @@ decodeAndVerifyToken authenticateState now token =
                               (Just exp') ->
                                 if (utcTimeToPOSIXSeconds now) > (secondsSinceEpoch exp')
                                 then return Nothing
-                                else case Map.lookup "authAdmin" (unClaimsMap (unregisteredClaims (claims verified))) of
-                                       Nothing -> return (Just (Token u False, verified))
-                                       (Just a) ->
-                                           case fromJSON a of
-                                             (Error _) -> return (Just (Token u False, verified))
-                                             (Success b) -> return (Just (Token u b, verified))
+                                else return (Just (Token u, verified))
 
 ------------------------------------------------------------------------------
 -- Token in a Cookie
@@ -453,13 +448,12 @@ addTokenCookie :: (Happstack m) =>
                   AcidState AuthenticateState
                -> AuthenticateConfig
                -> User
-               -> m TokenText
+               -> m ()
 addTokenCookie authenticateState authenticateConfig user =
   do token <- issueToken authenticateState authenticateConfig user
      s <- rqSecure <$> askRq -- FIXME: this isn't that accurate in the face of proxies
      addCookie (MaxAge (60*60*24*30)) ((mkCookie authCookieName (Text.unpack token)) { sameSite = SameSiteStrict, secure = s, httpOnly = True })
---     addCookie (MaxAge 60) ((mkCookie authCookieName (Text.unpack token)) { secure = s })
-     return token
+     return ()
 
 -- | delete the `Token` `Cookie`
 deleteTokenCookie  :: (Happstack m) =>
@@ -559,3 +553,41 @@ toJSONError e = toResponseBS "application/json" (A.encode (JSONResponse NotOk (A
 type AuthenticationHandler = [Text] -> RouteT AuthenticateURL (ServerPartT IO) Response
 
 type AuthenticationHandlers = Map AuthenticationMethod AuthenticationHandler
+
+
+------------------------------------------------------------------------------
+-- amAuthenticated
+------------------------------------------------------------------------------
+
+amAuthenticated :: (Happstack m) =>
+         AcidState AuthenticateState
+      -> m Response
+amAuthenticated authenticateState =
+  do method [GET, HEAD]
+     mt <- getTokenCookie authenticateState
+     case mt of
+       Nothing -> resp 401 $ toJSONError AuthorizationRequired
+       (Just (token, jwt)) ->
+#if MIN_VERSION_aeson(2,0,0)
+                             resp 200 $ toJSONSuccess (Object $ KM.fromList      [("token", toJSON token)])
+#else
+                             resp 200 $ toJSONSuccess (Object $ HashMap.fromList [("token", toJSON token)])
+#endif
+
+
+clientInit :: (Happstack m) =>
+              AuthenticateConfig
+           -> AcidState AuthenticateState
+           -> m Response
+clientInit authenticateConfig authenticateState =
+  do method [GET, HEAD]
+     mt <- getTokenCookie authenticateState
+     let mUser =
+           case mt of
+             Nothing -> Nothing
+             Just ((Token user), _) -> Just user
+         cid = ClientInitData { _cidUser = mUser
+                              , _cidPostLoginRedirectURL  = _postLoginRedirect authenticateConfig
+                              , _cidPostSignupRedirectURL = _postSignupRedirect   authenticateConfig
+                              }
+     resp 200 $ toJSONSuccess (toJSON cid)
@@ -43,20 +43,11 @@ import Happstack.Authenticate.Password.URL (AccountURL(..))
 -- import System.FilePath                 (combine)
 -- import qualified Text.Email.Validate   as Email
 import Text.Shakespeare.I18N           (RenderMessage(..), Lang, mkMessageFor)
-import qualified Web.JWT               as JWT
-import Web.JWT                         (Algorithm(HS256), JWT, VerifiedJWT, JWTClaimsSet(..), encodeSigned, claims, decode, decodeAndVerifySignature, intDate, secondsSinceEpoch, verify)
-#if MIN_VERSION_jwt(0,8,0)
-import Web.JWT                         (ClaimsMap(..), hmacSecret)
-#else
-import Web.JWT                         (secret)
-#endif
+
+
 import Web.Routes
 import Web.Routes.TH
 
-#if MIN_VERSION_jwt(0,8,0)
-#else
-unClaimsMap = id
-#endif
 
 ------------------------------------------------------------------------------
 -- PasswordError