Closed twopoint718 closed 10 years ago
Hi Chris,
Are you referring to authentication or authorization?
Rest itself doesn't have support for authentication, we don't want to force users in a certain direction. You should be able to just do this inside your handlers with whatever authentication method/library you prefer. We do it like this and have found no need to abstract it into the rest package hierarchy.
On the other hand we do want to implement authorization support so endpoints can be marked as requiring certain permissions, both for documentation/client generation and to prevent omissions when writing handlers. This is still in the wish list stage, we don't have a design in mind. We want to do this in a general manner, not assuming that every API has "admins" and "logged in users". It may depend on the resource you are requesting, e.g. I should have access to /user/adam/edit but not /user/chris/edit.
Oh, sorry that I wasn't more clear. I was talking about both.
What do you use for authentication?
For authentication we just have something simple: an SQL database with user/password info and session IDs. After login, the session ID is set as a browser cookie.
Thanks. My current plan is to implement some sort of token authentication, but I was curious about what you'd done. Thanks!
Has there been any progress on this? Or are there maybe some examples of how authentication/authorisation could be implemented elegantly? I'm not quite sure how to implement even a very basic auth system.
No, we haven't done any work on this, and I suspect we won't any time soon. The system I described above is relatively easy to implement. On the top level (so not in rest) you would handle authentication, and then you can pass the user (or user id) into the state for your handlers. Then each handler can check the authorization for the current user. The rest-example does the latter part, although it doesn't do authentication (the user is just passed in the request).
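The split described in that reply (authenticate once at the top level, hand the user to the handlers through their environment, let each handler decide authorization per resource) as an added, self-contained Haskell example. This is not code from the rest package or the rest-example: it assumes a plain `ReaderT`/`ExceptT` handler monad instead of rest's `GenHandler`, an in-memory `sessions` map standing in for the SQL session table, and a constructed `User`/`Role` model; only base, containers and mtl are needed.

```haskell
module Main where

import Control.Monad.Except (ExceptT, runExceptT, throwError)
import Control.Monad.Reader (ReaderT, runReaderT, ask)
import Data.Map (Map)
import qualified Data.Map as Map

-- Constructed user model (hypothetical; not rest's own types).
data Role = Member | Admin deriving (Eq, Show)

data User = User { userName :: String, userRole :: Role } deriving (Eq, Show)

data AuthError
  = NotLoggedIn          -- no or unknown session cookie
  | Forbidden String     -- logged in, but not allowed on this resource
  deriving (Eq, Show)

-- Handler monad: the environment carries the user resolved at the top level
-- (Nothing when the request had no valid session). Handlers never touch
-- cookies or headers themselves; they only read the already-authenticated user.
type Handler = ReaderT (Maybe User) (ExceptT AuthError IO)

-- Constructed session store standing in for the SQL table of session IDs.
sessions :: Map String User
sessions = Map.fromList
  [ ("sess-adam", User "adam" Member)
  , ("sess-root", User "root" Admin)
  ]

-- Top-level authentication: map the session cookie (if any) to a user.
-- In a real deployment this is the one place that queries the database.
authenticate :: Maybe String -> Maybe User
authenticate cookie = cookie >>= (`Map.lookup` sessions)

-- Wrapper in the spirit of the withAuth sketched later in this thread:
-- the wrapped handler only runs when a user is logged in.
withAuth :: (User -> Handler a) -> Handler a
withAuth k = ask >>= maybe (throwError NotLoggedIn) k

-- Per-resource authorization for /user/<name>/edit: the owner of the
-- profile or an admin may edit it, anyone else is rejected.
editUser :: String -> Handler String
editUser target = withAuth $ \u ->
  if userName u == target || userRole u == Admin
    then return ("edited profile of " ++ target)
    else throwError (Forbidden ("/user/" ++ target ++ "/edit"))

-- Run one handler for a request carrying an optional session cookie.
-- The authentication step happens here, outside the handler.
runHandler :: Maybe String -> Handler a -> IO (Either AuthError a)
runHandler cookie h = runExceptT (runReaderT h (authenticate cookie))

main :: IO ()
main = do
  runHandler (Just "sess-adam") (editUser "adam") >>= print
  runHandler (Just "sess-adam") (editUser "chris") >>= print
  runHandler Nothing (editUser "adam") >>= print
  runHandler (Just "sess-root") (editUser "chris") >>= print
```

The design point is that `editUser` cannot forget to authenticate: it is built on `withAuth`, so a missing session fails before any authorization logic runs, and the authorization decision itself is made against the requested resource rather than a global "is admin" flag, which matches the /user/adam/edit versus /user/chris/edit distinction made earlier in the thread.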
Thanks for your reply, but I'm not quite sure I understand how I can pass state into the handlers.
Are you talking about doing database lookups in some WAI middleware and then adding some headers to the request for example?
This sounds a bit ugly because I'd need to add all user information into the HTTP headers instead of just passing some `User` type. Although I'd probably only need id and some role in most cases...
Edit: Actually it seems I can't edit WAI `Request`s at all.
Edit2: I'm trying to somehow write a wrapper function like so: `withAuth :: (User -> GenHandler m f) -> GenHandler m f`.
Is there an auth system for rest? Or is there any plan to implement this?