Investigate HTTP(?) sessions with Scotty/WAI

[easoncxz]

The plan is to do OAuth 1.0a request-signing on my Haskell backend, so that I can have the prospects of hosting my app somewhere and let people use it, without them abusing my OAuth Consumer credentials (which would be the case if I just served them out to the frontend-app).

Plan:

• [x] Figure out some kind of secure session mechanism, so that the backend can securely identify that an HTTP client that comes back to make a request is the same one that succeeded in obtaining an OAuth Access Token.
• I will not serve any OAuth tokens to the frontend-app.
• [x] Implement a pass-through API in Haskell, that performs OAuth request-signing on an opaque request made by the frontend-app, and relays the response from Twitter API down to the frontend app. --- this bullet-point is split out into #7 .

[easoncxz]

Reading list:

• Friendly blogpost: https://www.freecodecamp.org/news/session-hijacking-and-how-to-stop-it-711e3683d1ac/
• OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
• Seemingly low-level library on Hackage: wai-session

[easoncxz]

Lol, this old scotty-session package on Hackage is only <100 lines long:

• Full source in one module: https://github.com/agrafix/scotty-session/blob/master/Web/Scotty/Session.hs

Surely there's a way to use this conveniently, either via extra-deps: in Stack, or straight-up copy-pasting it and committing it into my repo. It's BSD-3 licensed, so we're all-good.

Cheatsheet:

$ stack ghci --package scotty-session

(cf. https://www.fpcomplete.com/haskell/tutorial/stack-script/ )

[easoncxz]

I forked the repo for now:

• https://github.com/easoncxz/scotty-session/

Not sure whether I should go down this rabbit hole right this moment. Publishing updates to a Hackage library, even an ad-hoc Github-hosted one, probably requires me to know how to use cabal-install, which I still don't really.

Might be easier/safer to just check-in a copy and tweak things until it works.

[easoncxz]

Turns out vendoring a copy was a rather trivial process: commit 5aa6458 does it easily.

I just had to add a couple of dependencies; most were obvious, and the only potentially conflicting package was crypto-api, which scotty-session wanted, but has clashing module-names as cryptonite, which I'm not sure why I had. So I just removed cryptonite and everything worked.

Then it was a matter of piecing together Blaze and Scotty APIs to do something sensible. Commit 2fa286e did so.

Relevant reference docs:

• Blaze:
  • intro to syntax: https://www.stackage.org/haddock/lts-16.12/blaze-markup-0.8.2.7/Text-Blaze.html
  • crucial type Html = Markup alias: https://www.stackage.org/haddock/lts-16.12/blaze-html-0.9.1.2/Text-Blaze-Html.html#t:Html
  • big list of DOM elements: https://www.stackage.org/haddock/lts-16.12/blaze-html-0.9.1.2/Text-Blaze-Html5.html
  • rendering function, to connect with Scotty APIs: https://www.stackage.org/haddock/lts-16.12/blaze-html-0.9.1.2/Text-Blaze-Html-Renderer-Text.html
• Scotty:
  • ActionM for getting the form param: https://www.stackage.org/haddock/lts-16.12/scotty-0.11.6/Web-Scotty.html#v:params
  • ActionM for performing a redirect: https://www.stackage.org/haddock/lts-16.12/scotty-0.11.6/Web-Scotty.html#v:redirect
• HTML basics, from MDN docs
  • Set-Cookie header, to read about HttpOnly and Secure: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
  • <form> elements (has a nice example): https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form
  • <input type="submit">: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/submit