zohl / servant-auth-cookie

Authentication via encrypted cookies
BSD 3-Clause "New" or "Revised" License

Exporting `CookiedWrapperClass`? #38

Closed michalrus closed 6 years ago

michalrus commented 7 years ago

Hello!

Could you export CookiedWrapperClass? Or define it in an *.Internal module.

Use case: I need to derive AuthCookieSettings from some data received in the request. I’m defining my own cookied' similarly to:

```haskell
{-# OPTIONS_GHC -fno-warn-missing-signatures #-}

-- FIXME: CookiedWrapperClass is not exported by https://github.com/zohl/servant-auth-cookie/issues/38

--cookied' :: CookiedWrapperClass f r UserSession => E.Env -> f -> Maybe Datum -> r
cookied' env f datum =
  cookied
    (authSettings env datum)
    (E.authRS env)
    (E.authKey env)
    (Proxy :: Proxy UserSession)
    f

type CookieProtect a = ExtractDatum :> AuthProtect "cookie-auth" :> a
```

The problem is, obviously, that GHC is complaining about missing top-level signatures, and I can’t add one because the CookiedWrapperClass class is not exported.

ExtractDatum is a Servant combinator that extracts some data from Network.Wai.Request—that part is irrelevant.

And then using it like:

```haskell
type SomeAPI
   = CookieProtect ("something" :> ReqBody '[ JSON] ReqSomething :> PostNoContent '[ JSON] (Cookied NoContent))

serveSomething :: E.Env -> Server SomeAPI
serveSomething env =
  cookied' env $ \UserSession {..} ReqSomething {..} -> do
    undefined
```

If you know of a better way to achieve that use case (depending on some value from Network.Wai.Request in AuthCookieSettings in all three places: cookied, addSession, removeSession), then I’ll happily switch to that solution!

zohl commented 7 years ago

Hello again,

I've exported the class, so feel free to use it.

I expected AuthCookieSettings to be persistent, so (from my point of view) your approach seems a little bit strange. However, if I needed to customize sessions in the way you mentioned in two previous issues, I would do the same trick :) This is why I'm considering moving "mutable" (i.e. session-specific) options to SessionSettings, so they can be stored right in the cookies. So if it's possible to store your options inside cookies (e.g. they do not affect how to decrypt/verify cookies) and they are of general purpose (might be useful for any application, not a specific one), I can add them into SessionSettings. If they aren't of general purpose, I'll try to consider a parametrized SessionSettings record.

michalrus commented 6 years ago

Thank you very much! ♥