SamuelSchlesinger / geopolitik-backend

A Haskell implementation of the backend of Geopolitik, a website I want to make
https://geopolitik.world
1 stars 0 forks

Security #3

Open SamuelSchlesinger opened 4 years ago

SamuelSchlesinger commented 4 years ago

So far, absolutely no effort or thought has been put into security for this app, with the idea that this will be something that will be somewhat easy to come along and stick in later on, once the basics are figured out and tested. I believe that the foundation is pretty solid at this point, so I will begin to think about what it would mean to lay a foundation for security that is as easily extensible and scalable as I believe the current app is. Here are the security problems we face, as I see them, and please add to this list with comments if you see more:

  1. Password security
  2. Authentication scheme (HTTP vs HTTPS, cookies vs JWTs)
  3. Authorization system

As for password security, it seems that we want to establish a system for password hash versioning. Basically, we don't want to force users to update their passwords before we can update our password hashing function, so we will associate each hashed password with a tag to help us verify it. Hopefully we will be able to keep salts generic.

There are two options for the authentication system:

  1. Stick with HTTP and switch to JWTs.
  2. Stick with cookies and switch to HTTPS.

I am leaning towards the latter, but I do not really care. It would be neat to implement JWTs, as I have not done that before.

As for authorization, that is a whole open field. Right now, we just do some ad hoc stuff, running some tests on the database before various endpoints do their work when we want to restrict who can call that endpoint. This is pretty much fine, but it doesn't enforce authorization in the way that one might like. It would be nice to have some sort of service that grants you signed "permission slips" for various data, then we make the database functionality only work when you have a good permission slip for the data you are asking for, and we make sure no bad permission slips are ever granted.
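The tagged-hash scheme sketched in the comment above, written out as an added example; this is not code from the issue or from geopolitik-backend. It assumes the cryptonite and memory packages, and the version tags V1/V2, their PBKDF2 parameters and the "<tag>$<salt>$<digest>" column layout are assumptions of this example, not anything the project specifies.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example of versioned password hashes; not code from geopolitik-backend.
-- Assumes the cryptonite and memory packages (Crypto.KDF.PBKDF2, Data.ByteArray).
module PasswordVersioning where

import qualified Data.ByteString as BS
import qualified Data.ByteString.Char8 as BC
import qualified Data.ByteArray as BA
import Data.ByteArray.Encoding (Base (Base16), convertFromBase, convertToBase)
import Crypto.Hash.Algorithms (SHA256, SHA512)
import Crypto.KDF.PBKDF2 (Parameters (..), generate, prfHMAC)
import Crypto.Random (getRandomBytes)

-- Every stored hash carries a version tag (hypothetical V1/V2 here) so the
-- KDF can change without forcing users to reset their passwords.
data HashVersion = V1 | V2
  deriving (Eq, Show)

currentVersion :: HashVersion
currentVersion = V2

-- Stored form: "<tag>$<hex salt>$<hex digest>". The salt is generic: 16 random
-- bytes whatever the version, so only the digest function is versioned.
data StoredHash = StoredHash
  { shVersion :: HashVersion
  , shSalt    :: BS.ByteString
  , shDigest  :: BS.ByteString
  } deriving (Eq, Show)

-- The only thing a version changes. Parameters are illustrative, not a recommendation.
kdf :: HashVersion -> BS.ByteString -> BS.ByteString -> BS.ByteString
kdf V1 = generate (prfHMAC SHA256) (Parameters 10000 32)    -- the original, now too cheap
kdf V2 = generate (prfHMAC SHA512) (Parameters 210000 64)   -- its stronger successor

hashPassword :: HashVersion -> BS.ByteString -> IO StoredHash
hashPassword v pw = do
  salt <- getRandomBytes 16
  pure (StoredHash v salt (kdf v pw salt))

-- Verification dispatches on the stored tag, compares in constant time, and
-- tells the caller whether the record is stale and should be re-hashed.
data VerifyResult = Rejected | Accepted | AcceptedNeedsRehash
  deriving (Eq, Show)

verifyPassword :: BS.ByteString -> StoredHash -> VerifyResult
verifyPassword pw (StoredHash v salt digest)
  | not (BA.constEq digest (kdf v pw salt)) = Rejected
  | v /= currentVersion                     = AcceptedNeedsRehash
  | otherwise                               = Accepted

-- Login path: the plaintext is in hand only now, so a stale hash is upgraded
-- to currentVersion here. Returns the record to persist, or Nothing on failure.
loginAndUpgrade :: BS.ByteString -> StoredHash -> IO (Maybe StoredHash)
loginAndUpgrade pw stored = case verifyPassword pw stored of
  Rejected            -> pure Nothing
  Accepted            -> pure (Just stored)
  AcceptedNeedsRehash -> Just <$> hashPassword currentVersion pw

-- Column encoding. parse refuses tags it does not know rather than guessing.
render :: StoredHash -> BS.ByteString
render (StoredHash v salt digest) =
  BS.intercalate "$" [tag v, convertToBase Base16 salt, convertToBase Base16 digest]
  where
    tag V1 = "v1"
    tag V2 = "v2"

parse :: BS.ByteString -> Either String StoredHash
parse s = case BC.split '$' s of
  [t, saltHex, digestHex] -> do
    v <- case t of
      "v1"  -> Right V1
      "v2"  -> Right V2
      other -> Left ("unknown hash version " ++ BC.unpack other)
    StoredHash v <$> convertFromBase Base16 saltHex <*> convertFromBase Base16 digestHex
  _ -> Left "malformed stored hash"
```

The point of the layout is that bumping the scheme touches exactly two places: a new constructor in HashVersion with its own kdf clause, and currentVersion. Old rows keep verifying under their own tag, and loginAndUpgrade rewrites them the next time the user presents the password, so no reset is ever forced. Because the salt is generated the same way for every version it never needs to move, which is what "keeping salts generic" buys. For a real deployment the current version would be a memory-hard KDF (argon2id, scrypt or bcrypt) rather than PBKDF2; the same kdf clause is where that would go.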

SamuelSchlesinger commented 4 years ago

On the authorization front, I have a number of modules that begin to implement a ghosts-of-departed-proofs style system. I suspect there is a way to rig this up via Servant so that I can specify things inside of the API... If anyone is curious to read how this idea can work, read here: https://ocharles.org.uk/blog/posts/2019-08-09-who-authorized-these-ghosts.html

SamuelSchlesinger commented 4 years ago

I just found something really neat. I can use existential types to escape the Named stuff and just do it at the beginning of the auth and break open the proof in normal Haskell.

SamuelSchlesinger commented 4 years ago

The ghosts of departed proofs stuff worked like a charm. I am currently slowly pulling out the old, ad hoc method, and replacing it. If you are looking for an example, presently link is the only backend function that really does auth the way I want the rest to.
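How the pieces described across the last three comments fit together (naming, a proof type only one function can mint, the existential wrapper that lets the handler be ordinary Haskell), as an added example. This is not the project's own code and does not reproduce its modules or its link function: UserId, ArticleId, CanLink, checkCanLink, the authors table, linkArticles and handleLink are all hypothetical names invented for this illustration.

```haskell
{-# LANGUAGE RankNTypes, ExistentialQuantification, RoleAnnotations #-}
-- Added example of "ghosts of departed proofs" authorization; not code from
-- geopolitik-backend. UserId, ArticleId, CanLink, checkCanLink, the authors
-- table and linkArticles are all hypothetical stand-ins for this illustration.
-- The export list is part of the design: Named and CanLink are exported
-- without their constructors, so outside this module nobody can forge either.
module GhostAuth
  ( Named, name, the
  , UserId (..), ArticleId (..)
  , CanLink, checkCanLink
  , Authorized (..), authorize
  , linkArticles, handleLink
  ) where

newtype UserId    = UserId Int    deriving (Eq, Show)
newtype ArticleId = ArticleId Int deriving (Eq, Show)

-- A value whose identity is the phantom type n. The only way to obtain one is
-- through name, which picks a fresh n the caller can neither choose nor
-- reproduce; the nominal role stops coerce from relabelling it.
newtype Named n a = Named a
type role Named nominal representational

name :: a -> (forall n. Named n a -> r) -> r
name x k = k (Named x)

the :: Named n a -> a
the (Named x) = x

-- The "permission slip". Holding a CanLink u art is evidence that checkCanLink
-- succeeded for exactly the named user u and the named article art.
newtype CanLink u art = CanLink ()
type role CanLink nominal nominal

-- Constructed stand-in for the database: which user authored which article.
authors :: [(ArticleId, UserId)]
authors = [(ArticleId 1, UserId 7), (ArticleId 2, UserId 9)]

-- The single place a proof is minted. Hypothetical policy: only the author may
-- link an article. In the real app this would be a database query in IO; the
-- type only promises that no other code path can produce a CanLink.
checkCanLink :: Named u UserId -> Named art ArticleId -> Maybe (CanLink u art)
checkCanLink u art
  | lookup (the art) authors == Just (the u) = Just (CanLink ())
  | otherwise                                = Nothing

-- Guarded database function. It cannot be called without a proof whose phantom
-- names match the user and article it is given; a proof minted for a different
-- user or article is a type error, not a runtime check.
linkArticles :: Named u UserId -> Named art ArticleId -> CanLink u art -> ArticleId -> String
linkArticles u art _proof target =
  "user " ++ show (the u) ++ " links " ++ show (the art) ++ " to " ++ show target

-- The existential trick from the thread: name and check once at the start of
-- the request, then carry user, article and proof together so the rest of the
-- handler is ordinary Haskell with no rank-2 callbacks.
data Authorized = forall u art. Authorized (Named u UserId) (Named art ArticleId) (CanLink u art)

authorize :: UserId -> ArticleId -> Maybe Authorized
authorize uid aid =
  name uid (\u ->
    name aid (\art ->
      Authorized u art <$> checkCanLink u art))

-- Breaking the proof open again: pattern matching on Authorized brings the
-- names and the proof back into scope together, and only linkArticles applied
-- to those exact values typechecks.
handleLink :: UserId -> ArticleId -> ArticleId -> Either String String
handleLink uid aid target = case authorize uid aid of
  Nothing                       -> Left "forbidden"
  Just (Authorized u art proof) -> Right (linkArticles u art proof target)
```

With the constructed table, handleLink (UserId 7) (ArticleId 1) (ArticleId 2) succeeds and handleLink (UserId 9) (ArticleId 1) (ArticleId 2) is Left "forbidden". The trust boundary is the module: inside it the Named and CanLink constructors are visible, so the guarded database functions and checkCanLink should live together in one small module with a tight export list, and everything else only ever sees Authorized. In a Servant setup the authorize step is what an auth handler would run before the endpoint body, which is one way to make the API type carry the requirement.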