yesod-auth-1.4.11/Yesod/0000755000000000000000000000000012626722350013136 5ustar0000000000000000yesod-auth-1.4.11/Yesod/Auth/0000755000000000000000000000000012626722350014037 5ustar0000000000000000yesod-auth-1.4.11/Yesod/Auth.hs0000644000000000000000000004662612626722350014411 0ustar0000000000000000{-# LANGUAGE CPP #-} {-# LANGUAGE ViewPatterns #-} {-# LANGUAGE ConstraintKinds #-} {-# LANGUAGE DefaultSignatures #-} {-# LANGUAGE QuasiQuotes, TypeFamilies, TemplateHaskell #-} {-# LANGUAGE FlexibleContexts #-} {-# LANGUAGE FlexibleInstances #-} {-# LANGUAGE MultiParamTypeClasses #-} {-# LANGUAGE RankNTypes #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE UndecidableInstances #-} {-# OPTIONS_GHC -fno-warn-orphans #-} module Yesod.Auth ( -- * Subsite Auth , AuthRoute , Route (..) , AuthPlugin (..) , getAuth , YesodAuth (..) , YesodAuthPersist (..) -- * Plugin interface , Creds (..) , setCreds , setCredsRedirect , clearCreds , loginErrorMessage , loginErrorMessageI -- * User functions , AuthenticationResult (..) , defaultMaybeAuthId , defaultLoginHandler , maybeAuthPair , maybeAuth , requireAuthId , requireAuthPair , requireAuth -- * Exception , AuthException (..) -- * Helper , AuthHandler -- * Internal , credsKey , provideJsonMessage , messageJson401 , asHtml ) where import Control.Applicative ((<$>)) import Control.Monad (when) import Control.Monad.Trans.Maybe import Yesod.Auth.Routes import Data.Aeson hiding (json) import Data.Text.Encoding (decodeUtf8With) import Data.Text.Encoding.Error (lenientDecode) import Data.Text (Text) import qualified Data.Text as T import qualified Data.HashMap.Lazy as Map import Data.Monoid (Endo) import Network.HTTP.Client (Manager, Request, withResponse, Response, BodyReader) import qualified Network.Wai as W import Yesod.Core import Yesod.Core.Types (HandlerT(..), unHandlerT) import Yesod.Persist import Yesod.Auth.Message (AuthMessage, defaultMessage) import qualified Yesod.Auth.Message as Msg import Yesod.Form (FormMessage) import Data.Typeable (Typeable) import Control.Exception (Exception) import Network.HTTP.Types (Status, internalServerError500, unauthorized401) import Control.Monad.Trans.Resource (MonadResourceBase) import qualified Control.Monad.Trans.Writer as Writer import Control.Monad (void) type AuthRoute = Route Auth type AuthHandler master a = YesodAuth master => HandlerT Auth (HandlerT master IO) a type Method = Text type Piece = Text -- | The result of an authentication based on credentials -- -- Since 1.4.4 data AuthenticationResult master = Authenticated (AuthId master) -- ^ Authenticated successfully | UserError AuthMessage -- ^ Invalid credentials provided by user | ServerError Text -- ^ Some other error data AuthPlugin master = AuthPlugin { apName :: Text , apDispatch :: Method -> [Piece] -> AuthHandler master TypedContent , apLogin :: (Route Auth -> Route master) -> WidgetT master IO () } getAuth :: a -> Auth getAuth = const Auth -- | User credentials data Creds master = Creds { credsPlugin :: Text -- ^ How the user was authenticated , credsIdent :: Text -- ^ Identifier. Exact meaning depends on plugin. , credsExtra :: [(Text, Text)] } class (Yesod master, PathPiece (AuthId master), RenderMessage master FormMessage) => YesodAuth master where type AuthId master -- | specify the layout. Uses defaultLayout by default authLayout :: WidgetT master IO () -> HandlerT master IO Html authLayout = defaultLayout -- | Default destination on successful login, if no other -- destination exists. loginDest :: master -> Route master -- | Default destination on successful logout, if no other -- destination exists. logoutDest :: master -> Route master -- | Perform authentication based on the given credentials. -- -- Default implementation is in terms of @'getAuthId'@ -- -- Since: 1.4.4 authenticate :: Creds master -> HandlerT master IO (AuthenticationResult master) authenticate creds = do muid <- getAuthId creds return $ maybe (UserError Msg.InvalidLogin) Authenticated muid -- | Determine the ID associated with the set of credentials. -- -- Default implementation is in terms of @'authenticate'@ -- getAuthId :: Creds master -> HandlerT master IO (Maybe (AuthId master)) getAuthId creds = do auth <- authenticate creds return $ case auth of Authenticated auid -> Just auid _ -> Nothing -- | Which authentication backends to use. authPlugins :: master -> [AuthPlugin master] -- | What to show on the login page. -- -- By default this calls 'defaultLoginHandler', which concatenates -- plugin widgets and wraps the result in 'authLayout'. Override if -- you need fancy widget containers, additional functionality, or an -- entirely custom page. For example, in some applications you may -- want to prevent the login page being displayed for a user who is -- already logged in, even if the URL is visited explicitly; this can -- be done by overriding 'loginHandler' in your instance declaration -- with something like: -- -- > instance YesodAuth App where -- > ... -- > loginHandler = do -- > ma <- lift maybeAuthId -- > when (isJust ma) $ -- > lift $ redirect HomeR -- or any other Handler code you want -- > defaultLoginHandler -- loginHandler :: AuthHandler master Html loginHandler = defaultLoginHandler -- | Used for i18n of messages provided by this package. renderAuthMessage :: master -> [Text] -- ^ languages -> AuthMessage -> Text renderAuthMessage _ _ = defaultMessage -- | After login and logout, redirect to the referring page, instead of -- 'loginDest' and 'logoutDest'. Default is 'False'. redirectToReferer :: master -> Bool redirectToReferer _ = False -- | Return an HTTP connection manager that is stored in the foundation -- type. This allows backends to reuse persistent connections. If none of -- the backends you're using use HTTP connections, you can safely return -- @error \"authHttpManager\"@ here. authHttpManager :: master -> Manager -- | Called on a successful login. By default, calls -- @setMessageI NowLoggedIn@. onLogin :: HandlerT master IO () onLogin = setMessageI Msg.NowLoggedIn -- | Called on logout. By default, does nothing onLogout :: HandlerT master IO () onLogout = return () -- | Retrieves user credentials, if user is authenticated. -- -- By default, this calls 'defaultMaybeAuthId' to get the user ID from the -- session. This can be overridden to allow authentication via other means, -- such as checking for a special token in a request header. This is -- especially useful for creating an API to be accessed via some means -- other than a browser. -- -- Since 1.2.0 maybeAuthId :: HandlerT master IO (Maybe (AuthId master)) default maybeAuthId :: (YesodAuthPersist master, Typeable (AuthEntity master)) => HandlerT master IO (Maybe (AuthId master)) maybeAuthId = defaultMaybeAuthId -- | Called on login error for HTTP requests. By default, calls -- @setMessage@ and redirects to @dest@. onErrorHtml :: (MonadResourceBase m) => Route master -> Text -> HandlerT master m Html onErrorHtml dest msg = do setMessage $ toHtml msg fmap asHtml $ redirect dest -- | runHttpRequest gives you a chance to handle an HttpException and retry -- The default behavior is to simply execute the request which will throw an exception on failure -- -- The HTTP 'Request' is given in case it is useful to change behavior based on inspecting the request. -- This is an experimental API that is not broadly used throughout the yesod-auth code base runHttpRequest :: Request -> (Response BodyReader -> HandlerT master IO a) -> HandlerT master IO a runHttpRequest req inner = do man <- authHttpManager <$> getYesod HandlerT $ \t -> withResponse req man $ \res -> unHandlerT (inner res) t {-# MINIMAL loginDest, logoutDest, (authenticate | getAuthId), authPlugins, authHttpManager #-} {-# DEPRECATED getAuthId "Define 'authenticate' instead; 'getAuthId' will be removed in the next major version" #-} -- | Internal session key used to hold the authentication information. -- -- Since 1.2.3 credsKey :: Text credsKey = "_ID" -- | Retrieves user credentials from the session, if user is authenticated. -- -- This function does /not/ confirm that the credentials are valid, see -- 'maybeAuthIdRaw' for more information. -- -- Since 1.1.2 defaultMaybeAuthId :: (YesodAuthPersist master, Typeable (AuthEntity master)) => HandlerT master IO (Maybe (AuthId master)) defaultMaybeAuthId = runMaybeT $ do s <- MaybeT $ lookupSession credsKey aid <- MaybeT $ return $ fromPathPiece s _ <- MaybeT $ cachedAuth aid return aid cachedAuth :: (YesodAuthPersist master, Typeable (AuthEntity master)) => AuthId master -> HandlerT master IO (Maybe (AuthEntity master)) cachedAuth = fmap unCachedMaybeAuth . cached . fmap CachedMaybeAuth . getAuthEntity -- | Default handler to show the login page. -- -- This is the default 'loginHandler'. It concatenates plugin widgets and -- wraps the result in 'authLayout'. See 'loginHandler' for more details. -- -- Since 1.4.9 defaultLoginHandler :: AuthHandler master Html defaultLoginHandler = do tp <- getRouteToParent lift $ authLayout $ do setTitleI Msg.LoginTitle master <- getYesod mapM_ (flip apLogin tp) (authPlugins master) loginErrorMessageI :: (MonadResourceBase m, YesodAuth master) => Route child -> AuthMessage -> HandlerT child (HandlerT master m) TypedContent loginErrorMessageI dest msg = do toParent <- getRouteToParent lift $ loginErrorMessageMasterI (toParent dest) msg loginErrorMessageMasterI :: (YesodAuth master, MonadResourceBase m, RenderMessage master AuthMessage) => Route master -> AuthMessage -> HandlerT master m TypedContent loginErrorMessageMasterI dest msg = do mr <- getMessageRender loginErrorMessage dest (mr msg) -- | For HTML, set the message and redirect to the route. -- For JSON, send the message and a 401 status loginErrorMessage :: (YesodAuth master, MonadResourceBase m) => Route master -> Text -> HandlerT master m TypedContent loginErrorMessage dest msg = messageJson401 msg (onErrorHtml dest msg) messageJson401 :: MonadResourceBase m => Text -> HandlerT master m Html -> HandlerT master m TypedContent messageJson401 = messageJsonStatus unauthorized401 messageJson500 :: MonadResourceBase m => Text -> HandlerT master m Html -> HandlerT master m TypedContent messageJson500 = messageJsonStatus internalServerError500 messageJsonStatus :: MonadResourceBase m => Status -> Text -> HandlerT master m Html -> HandlerT master m TypedContent messageJsonStatus status msg html = selectRep $ do provideRep html provideRep $ do let obj = object ["message" .= msg] void $ sendResponseStatus status obj return obj provideJsonMessage :: Monad m => Text -> Writer.Writer (Endo [ProvidedRep m]) () provideJsonMessage msg = provideRep $ return $ object ["message" .= msg] setCredsRedirect :: YesodAuth master => Creds master -- ^ new credentials -> HandlerT master IO TypedContent setCredsRedirect creds = do y <- getYesod auth <- authenticate creds case auth of Authenticated aid -> do setSession credsKey $ toPathPiece aid onLogin res <- selectRep $ do provideRepType typeHtml $ fmap asHtml $ redirectUltDest $ loginDest y provideJsonMessage "Login Successful" sendResponse res UserError msg -> case authRoute y of Nothing -> do msg' <- renderMessage' msg messageJson401 msg' $ authLayout $ -- TODO toWidget [whamlet|

_{msg}|] Just ar -> loginErrorMessageMasterI ar msg ServerError msg -> do $(logError) msg case authRoute y of Nothing -> do msg' <- renderMessage' Msg.AuthError messageJson500 msg' $ authLayout $ toWidget [whamlet|

_{Msg.AuthError}|] Just ar -> loginErrorMessageMasterI ar Msg.AuthError where renderMessage' msg = do langs <- languages master <- getYesod return $ renderAuthMessage master langs msg -- | Sets user credentials for the session after checking them with authentication backends. setCreds :: YesodAuth master => Bool -- ^ if HTTP redirects should be done -> Creds master -- ^ new credentials -> HandlerT master IO () setCreds doRedirects creds = if doRedirects then void $ setCredsRedirect creds else do auth <- authenticate creds case auth of Authenticated aid -> setSession credsKey $ toPathPiece aid _ -> return () -- | same as defaultLayoutJson, but uses authLayout authLayoutJson :: (YesodAuth site, ToJSON j) => WidgetT site IO () -- ^ HTML -> HandlerT site IO j -- ^ JSON -> HandlerT site IO TypedContent authLayoutJson w json = selectRep $ do provideRep $ authLayout w provideRep $ fmap toJSON json -- | Clears current user credentials for the session. -- -- Since 1.1.7 clearCreds :: YesodAuth master => Bool -- ^ if HTTP redirect to 'logoutDest' should be done -> HandlerT master IO () clearCreds doRedirects = do y <- getYesod onLogout deleteSession credsKey when doRedirects $ do redirectUltDest $ logoutDest y getCheckR :: AuthHandler master TypedContent getCheckR = lift $ do creds <- maybeAuthId authLayoutJson (do setTitle "Authentication Status" toWidget $ html' creds) (return $ jsonCreds creds) where html' creds = [shamlet| $newline never

Authentication Status $maybe _ <- creds

Logged in. $nothing

Not logged in. |] jsonCreds creds = Object $ Map.fromList [ (T.pack "logged_in", Bool $ maybe False (const True) creds) ] setUltDestReferer' :: AuthHandler master () setUltDestReferer' = lift $ do master <- getYesod when (redirectToReferer master) setUltDestReferer getLoginR :: AuthHandler master Html getLoginR = setUltDestReferer' >> loginHandler getLogoutR :: AuthHandler master () getLogoutR = setUltDestReferer' >> redirectToPost LogoutR postLogoutR :: AuthHandler master () postLogoutR = lift $ clearCreds True handlePluginR :: Text -> [Text] -> AuthHandler master TypedContent handlePluginR plugin pieces = do master <- lift getYesod env <- waiRequest let method = decodeUtf8With lenientDecode $ W.requestMethod env case filter (\x -> apName x == plugin) (authPlugins master) of [] -> notFound ap:_ -> apDispatch ap method pieces -- | Similar to 'maybeAuthId', but additionally look up the value associated -- with the user\'s database identifier to get the value in the database. This -- assumes that you are using a Persistent database. -- -- Since 1.1.0 maybeAuth :: ( YesodAuthPersist master , val ~ AuthEntity master , Key val ~ AuthId master , PersistEntity val , Typeable val ) => HandlerT master IO (Maybe (Entity val)) maybeAuth = runMaybeT $ do (aid, ae) <- MaybeT maybeAuthPair return $ Entity aid ae -- | Similar to 'maybeAuth', but doesn’t assume that you are using a -- Persistent database. -- -- Since 1.4.0 maybeAuthPair :: (YesodAuthPersist master, Typeable (AuthEntity master)) => HandlerT master IO (Maybe (AuthId master, AuthEntity master)) maybeAuthPair = runMaybeT $ do aid <- MaybeT maybeAuthId ae <- MaybeT $ cachedAuth aid return (aid, ae) newtype CachedMaybeAuth val = CachedMaybeAuth { unCachedMaybeAuth :: Maybe val } deriving Typeable -- | Class which states that the given site is an instance of @YesodAuth@ -- and that its @AuthId@ is a lookup key for the full user information in -- a @YesodPersist@ database. -- -- The default implementation of @getAuthEntity@ assumes that the @AuthId@ -- for the @YesodAuth@ superclass is in fact a persistent @Key@ for the -- given value. This is the common case in Yesod, and means that you can -- easily look up the full information on a given user. -- -- Since 1.4.0 class (YesodAuth master, YesodPersist master) => YesodAuthPersist master where -- | If the @AuthId@ for a given site is a persistent ID, this will give the -- value for that entity. E.g.: -- -- > type AuthId MySite = UserId -- > AuthEntity MySite ~ User -- -- Since 1.2.0 type AuthEntity master :: * type AuthEntity master = KeyEntity (AuthId master) getAuthEntity :: AuthId master -> HandlerT master IO (Maybe (AuthEntity master)) default getAuthEntity :: ( YesodPersistBackend master ~ PersistEntityBackend (AuthEntity master) , Key (AuthEntity master) ~ AuthId master , PersistStore (YesodPersistBackend master) , PersistEntity (AuthEntity master) ) => AuthId master -> HandlerT master IO (Maybe (AuthEntity master)) getAuthEntity = runDB . get type family KeyEntity key type instance KeyEntity (Key x) = x -- | Similar to 'maybeAuthId', but redirects to a login page if user is not -- authenticated or responds with error 401 if this is an API client (expecting JSON). -- -- Since 1.1.0 requireAuthId :: YesodAuth master => HandlerT master IO (AuthId master) requireAuthId = maybeAuthId >>= maybe handleAuthLack return -- | Similar to 'maybeAuth', but redirects to a login page if user is not -- authenticated or responds with error 401 if this is an API client (expecting JSON). -- -- Since 1.1.0 requireAuth :: ( YesodAuthPersist master , val ~ AuthEntity master , Key val ~ AuthId master , PersistEntity val , Typeable val ) => HandlerT master IO (Entity val) requireAuth = maybeAuth >>= maybe handleAuthLack return -- | Similar to 'requireAuth', but not tied to Persistent's 'Entity' type. -- Instead, the 'AuthId' and 'AuthEntity' are returned in a tuple. -- -- Since 1.4.0 requireAuthPair :: (YesodAuthPersist master, Typeable (AuthEntity master)) => HandlerT master IO (AuthId master, AuthEntity master) requireAuthPair = maybeAuthPair >>= maybe handleAuthLack return handleAuthLack :: Yesod master => HandlerT master IO a handleAuthLack = do aj <- acceptsJson if aj then notAuthenticated else redirectLogin redirectLogin :: Yesod master => HandlerT master IO a redirectLogin = do y <- getYesod setUltDestCurrent case authRoute y of Just z -> redirect z Nothing -> permissionDenied "Please configure authRoute" instance YesodAuth master => RenderMessage master AuthMessage where renderMessage = renderAuthMessage data AuthException = InvalidFacebookResponse deriving (Show, Typeable) instance Exception AuthException instance YesodAuth master => YesodSubDispatch Auth (HandlerT master IO) where yesodSubDispatch = $(mkYesodSubDispatch resourcesAuth) asHtml :: Html -> Html asHtml = id yesod-auth-1.4.11/Yesod/Auth/BrowserId.hs0000644000000000000000000001254012565471070016277 0ustar0000000000000000{-# LANGUAGE QuasiQuotes #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE TemplateHaskell #-} {-# LANGUAGE RecordWildCards #-} module Yesod.Auth.BrowserId ( authBrowserId , createOnClick, createOnClickOverride , def , BrowserIdSettings , bisAudience , bisLazyLoad , forwardUrl ) where import Yesod.Auth import Web.Authenticate.BrowserId import Data.Text (Text) import Yesod.Core import qualified Data.Text as T import Data.Maybe (fromMaybe) import Control.Monad (when, unless) import Text.Julius (rawJS) import Network.URI (uriPath, parseURI) import Data.FileEmbed (embedFile) import Data.ByteString (ByteString) import Data.Default pid :: Text pid = "browserid" forwardUrl :: AuthRoute forwardUrl = PluginR pid [] complete :: AuthRoute complete = forwardUrl -- | A settings type for various configuration options relevant to BrowserID. -- -- See: -- -- Since 1.2.0 data BrowserIdSettings = BrowserIdSettings { bisAudience :: Maybe Text -- ^ BrowserID audience value. If @Nothing@, will be extracted based on the -- approot. -- -- Default: @Nothing@ -- -- Since 1.2.0 , bisLazyLoad :: Bool -- ^ Use asynchronous Javascript loading for the BrowserID JS file. -- -- Default: @True@. -- -- Since 1.2.0 } instance Default BrowserIdSettings where def = BrowserIdSettings { bisAudience = Nothing , bisLazyLoad = True } authBrowserId :: YesodAuth m => BrowserIdSettings -> AuthPlugin m authBrowserId bis@BrowserIdSettings {..} = AuthPlugin { apName = pid , apDispatch = \m ps -> case (m, ps) of ("GET", [assertion]) -> do master <- lift getYesod audience <- case bisAudience of Just a -> return a Nothing -> do r <- getUrlRender return $ T.takeWhile (/= '/') $ stripScheme $ r LoginR memail <- lift $ checkAssertion audience assertion (authHttpManager master) case memail of Nothing -> do $logErrorS "yesod-auth" "BrowserID assertion failure" tm <- getRouteToParent lift $ loginErrorMessage (tm LoginR) "BrowserID login error." Just email -> lift $ setCredsRedirect Creds { credsPlugin = pid , credsIdent = email , credsExtra = [] } ("GET", ["static", "sign-in.png"]) -> sendResponse ( "image/png" :: ByteString , toContent $(embedFile "persona_sign_in_blue.png") ) (_, []) -> badMethod _ -> notFound , apLogin = \toMaster -> do onclick <- createOnClick bis toMaster autologin <- fmap (== Just "true") $ lookupGetParam "autologin" when autologin $ toWidget [julius|#{rawJS onclick}();|] toWidget [hamlet| $newline never

|] } where loginIcon = PluginR pid ["static", "sign-in.png"] stripScheme t = fromMaybe t $ T.stripPrefix "//" $ snd $ T.breakOn "//" t -- | Generates a function to handle on-click events, and returns that function -- name. createOnClickOverride :: BrowserIdSettings -> (Route Auth -> Route master) -> Maybe (Route master) -> WidgetT master IO Text createOnClickOverride BrowserIdSettings {..} toMaster mOnRegistration = do unless bisLazyLoad $ addScriptRemote browserIdJs onclick <- newIdent render <- getUrlRender let login = toJSON $ getPath $ render loginRoute -- (toMaster LoginR) loginRoute = maybe (toMaster LoginR) id mOnRegistration toWidget [julius| function #{rawJS onclick}() { if (navigator.id) { navigator.id.watch({ onlogin: function (assertion) { if (assertion) { document.location = "@{toMaster complete}/" + assertion; } }, onlogout: function () {} }); navigator.id.request({ returnTo: #{login} + "?autologin=true" }); } else { alert("Loading, please try again"); } } |] when bisLazyLoad $ toWidget [julius| (function(){ var bid = document.createElement("script"); bid.async = true; bid.src = #{toJSON browserIdJs}; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(bid, s); })(); |] autologin <- fmap (== Just "true") $ lookupGetParam "autologin" when autologin $ toWidget [julius|#{rawJS onclick}();|] return onclick where getPath t = fromMaybe t $ do uri <- parseURI $ T.unpack t return $ T.pack $ uriPath uri -- | Generates a function to handle on-click events, and returns that function -- name. createOnClick :: BrowserIdSettings -> (Route Auth -> Route master) -> WidgetT master IO Text createOnClick bidSettings toMaster = createOnClickOverride bidSettings toMaster Nothing yesod-auth-1.4.11/Yesod/Auth/Dummy.hs0000644000000000000000000000160412565471070015471 0ustar0000000000000000{-# LANGUAGE QuasiQuotes #-} {-# LANGUAGE OverloadedStrings #-} -- | Provides a dummy authentication module that simply lets a user specify -- his/her identifier. This is not intended for real world use, just for -- testing. module Yesod.Auth.Dummy ( authDummy ) where import Yesod.Auth import Yesod.Form (runInputPost, textField, ireq) import Yesod.Core authDummy :: YesodAuth m => AuthPlugin m authDummy = AuthPlugin "dummy" dispatch login where dispatch "POST" [] = do ident <- lift $ runInputPost $ ireq textField "ident" lift $ setCredsRedirect $ Creds "dummy" ident [] dispatch _ _ = notFound url = PluginR "dummy" [] login authToMaster = toWidget [hamlet| $newline never

Your new identifier is: # |] yesod-auth-1.4.11/Yesod/Auth/Email.hs0000644000000000000000000005177012565471070015436 0ustar0000000000000000{-# LANGUAGE ConstrainedClassMethods #-} {-# LANGUAGE FlexibleContexts #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE PatternGuards #-} {-# LANGUAGE QuasiQuotes #-} {-# LANGUAGE Rank2Types #-} {-# LANGUAGE TypeFamilies #-} -- | A Yesod plugin for Authentication via e-mail -- -- This plugin works out of the box by only setting a few methods on the type class -- that tell the plugin how to interoprate with your user data storage (your database). -- However, almost everything is customizeable by setting more methods on the type class. -- In addition, you can send all the form submissions via JSON and completely control the user's flow. -- This is a standard registration e-mail flow -- -- 1) A user registers a new e-mail address, and an e-mail is sent there -- 2) The user clicks on the registration link in the e-mail -- Note that at this point they are actually logged in (without a password) -- That means that when they log out they will need to reset their password -- 3) The user sets their password and is redirected to the site. -- 4) The user can now -- * logout and sign in -- * reset their password module Yesod.Auth.Email ( -- * Plugin authEmail , YesodAuthEmail (..) , EmailCreds (..) , saltPass -- * Routes , loginR , registerR , forgotPasswordR , setpassR , verifyR , isValidPass -- * Types , Email , VerKey , VerUrl , SaltedPass , VerStatus , Identifier -- * Misc , loginLinkKey , setLoginLinkKey -- * Default handlers , defaultRegisterHandler , defaultForgotPasswordHandler , defaultSetPasswordHandler ) where import Yesod.Auth import qualified Yesod.Auth.Message as Msg import Yesod.Core import Yesod.Form import qualified Yesod.PasswordStore as PS import Control.Applicative ((<$>), (<*>)) import qualified Crypto.Hash.MD5 as H import qualified Crypto.Nonce as Nonce import Data.ByteString.Base16 as B16 import Data.Text (Text) import qualified Data.Text as TS import qualified Data.Text as T import Data.Text.Encoding (decodeUtf8With, encodeUtf8) import qualified Data.Text.Encoding as TE import Data.Text.Encoding.Error (lenientDecode) import Data.Time (addUTCTime, getCurrentTime) import Safe (readMay) import System.IO.Unsafe (unsafePerformIO) import qualified Text.Email.Validate loginR, registerR, forgotPasswordR, setpassR :: AuthRoute loginR = PluginR "email" ["login"] registerR = PluginR "email" ["register"] forgotPasswordR = PluginR "email" ["forgot-password"] setpassR = PluginR "email" ["set-password"] -- | -- -- Since 1.4.5 verifyR :: Text -> Text -> AuthRoute -- FIXME verifyR eid verkey = PluginR "email" ["verify", eid, verkey] type Email = Text type VerKey = Text type VerUrl = Text type SaltedPass = Text type VerStatus = Bool -- | An Identifier generalizes an email address to allow users to log in with -- some other form of credentials (e.g., username). -- -- Note that any of these other identifiers must not be valid email addresses. -- -- Since 1.2.0 type Identifier = Text -- | Data stored in a database for each e-mail address. data EmailCreds site = EmailCreds { emailCredsId :: AuthEmailId site , emailCredsAuthId :: Maybe (AuthId site) , emailCredsStatus :: VerStatus , emailCredsVerkey :: Maybe VerKey , emailCredsEmail :: Email } class ( YesodAuth site , PathPiece (AuthEmailId site) , (RenderMessage site Msg.AuthMessage) ) => YesodAuthEmail site where type AuthEmailId site -- | Add a new email address to the database, but indicate that the address -- has not yet been verified. -- -- Since 1.1.0 addUnverified :: Email -> VerKey -> HandlerT site IO (AuthEmailId site) -- | Send an email to the given address to verify ownership. -- -- Since 1.1.0 sendVerifyEmail :: Email -> VerKey -> VerUrl -> HandlerT site IO () -- | Get the verification key for the given email ID. -- -- Since 1.1.0 getVerifyKey :: AuthEmailId site -> HandlerT site IO (Maybe VerKey) -- | Set the verification key for the given email ID. -- -- Since 1.1.0 setVerifyKey :: AuthEmailId site -> VerKey -> HandlerT site IO () -- | Verify the email address on the given account. -- -- Since 1.1.0 verifyAccount :: AuthEmailId site -> HandlerT site IO (Maybe (AuthId site)) -- | Get the salted password for the given account. -- -- Since 1.1.0 getPassword :: AuthId site -> HandlerT site IO (Maybe SaltedPass) -- | Set the salted password for the given account. -- -- Since 1.1.0 setPassword :: AuthId site -> SaltedPass -> HandlerT site IO () -- | Get the credentials for the given @Identifier@, which may be either an -- email address or some other identification (e.g., username). -- -- Since 1.2.0 getEmailCreds :: Identifier -> HandlerT site IO (Maybe (EmailCreds site)) -- | Get the email address for the given email ID. -- -- Since 1.1.0 getEmail :: AuthEmailId site -> HandlerT site IO (Maybe Email) -- | Generate a random alphanumeric string. -- -- Since 1.1.0 randomKey :: site -> IO Text randomKey _ = Nonce.nonce128urlT defaultNonceGen -- | Route to send user to after password has been set correctly. -- -- Since 1.2.0 afterPasswordRoute :: site -> Route site -- | Does the user need to provide the current password in order to set a -- new password? -- -- Default: if the user logged in via an email link do not require a password. -- -- Since 1.2.1 needOldPassword :: AuthId site -> HandlerT site IO Bool needOldPassword aid' = do mkey <- lookupSession loginLinkKey case mkey >>= readMay . TS.unpack of Just (aidT, time) | Just aid <- fromPathPiece aidT, toPathPiece (aid `asTypeOf` aid') == toPathPiece aid' -> do now <- liftIO getCurrentTime return $ addUTCTime (60 * 30) time <= now _ -> return True -- | Check that the given plain-text password meets minimum security standards. -- -- Default: password is at least three characters. checkPasswordSecurity :: AuthId site -> Text -> HandlerT site IO (Either Text ()) checkPasswordSecurity _ x | TS.length x >= 3 = return $ Right () | otherwise = return $ Left "Password must be at least three characters" -- | Response after sending a confirmation email. -- -- Since 1.2.2 confirmationEmailSentResponse :: Text -> HandlerT site IO TypedContent confirmationEmailSentResponse identifier = do mr <- getMessageRender selectRep $ do provideJsonMessage (mr msg) provideRep $ authLayout $ do setTitleI Msg.ConfirmationEmailSentTitle [whamlet|

_{msg}|] where msg = Msg.ConfirmationEmailSent identifier -- | Additional normalization of email addresses, besides standard canonicalization. -- -- Default: Lower case the email address. -- -- Since 1.2.3 normalizeEmailAddress :: site -> Text -> Text normalizeEmailAddress _ = TS.toLower -- | Handler called to render the registration page. The -- default works fine, but you may want to override it in -- order to have a different DOM. -- -- Default: 'defaultRegisterHandler'. -- -- Since: 1.2.6. registerHandler :: AuthHandler site Html registerHandler = defaultRegisterHandler -- | Handler called to render the \"forgot password\" page. -- The default works fine, but you may want to override it in -- order to have a different DOM. -- -- Default: 'defaultForgotPasswordHandler'. -- -- Since: 1.2.6. forgotPasswordHandler :: AuthHandler site Html forgotPasswordHandler = defaultForgotPasswordHandler -- | Handler called to render the \"set password\" page. The -- default works fine, but you may want to override it in -- order to have a different DOM. -- -- Default: 'defaultSetPasswordHandler'. -- -- Since: 1.2.6. setPasswordHandler :: Bool -- ^ Whether the old password is needed. If @True@, a -- field for the old password should be presented. -- Otherwise, just two fields for the new password are -- needed. -> AuthHandler site TypedContent setPasswordHandler = defaultSetPasswordHandler authEmail :: YesodAuthEmail m => AuthPlugin m authEmail = AuthPlugin "email" dispatch $ \tm -> [whamlet| $newline never
_{Msg.Email}
_{Msg.Password}