servant-auth-token-api 0.4.2.2 → 0.5.4.0
raw patch · 3 files changed
Files
- CHANGELOG.md +25/−0
- servant-auth-token-api.cabal +9/−7
- src/Servant/API/Auth/Token.hs +59/−1
CHANGELOG.md view
@@ -1,3 +1,28 @@+0.5.4.0+=======++* Bump versions for `servant-0.16` and `swagger-2.4`.++0.5.3.0+=======++* Bump versions to `lts-12.9`.++0.5.2.0+=======++* Push version bounds.++0.5.1.0+=======++* Push version bounds.++0.5.0.0+=======++* Add `AuthSigninPostMethod` to substitute security weak `AuthSigninMethod`.+ 0.4.2.1 =======
servant-auth-token-api.cabal view
@@ -1,7 +1,8 @@ name: servant-auth-token-api-version: 0.4.2.2+version: 0.5.4.0 synopsis: Servant based API for token based authorisation-description: Please see README.md+description: The package provides cross compiler API (for GHC and GHCJS) for+ <http://hackage.haskell.org/package/servant-auth-token servant-auth-token>. Please see README.md homepage: https://github.com/ncrashed/servant-auth-token-api#readme license: BSD3 license-file: LICENSE@@ -14,6 +15,7 @@ README.md CHANGELOG.md cabal-version: >=1.10+tested-with: GHC ==8.6.5, GHC ==8.4.4 Flag flat-perm-symbols Description: Use flat Symbols for token tags, improve compilation time.@@ -28,14 +30,14 @@ Servant.API.Auth.Token.Internal.Schema build-depends: base >= 4.7 && < 5- , aeson >= 0.11 && < 1.3- , aeson-injector >= 1.0.4 && < 1.1+ , aeson >= 0.11 && < 1.5+ , aeson-injector >= 1.0.4 && < 1.2 , lens >= 4.13 && < 5 , raw-strings-qq >= 1.1 && < 1.2- , servant >= 0.9 && < 0.13- , servant-docs >= 0.9 && < 0.13+ , servant >= 0.9 && < 0.17+ , servant-docs >= 0.9 && < 0.15 , servant-swagger >= 1.1 && < 1.2- , swagger2 >= 2.1 && < 2.2+ , swagger2 >= 2.4 && < 2.5 , text >= 1.2 && < 2 default-language: Haskell2010
src/Servant/API/Auth/Token.hs view
@@ -22,6 +22,7 @@ -- * API specs AuthAPI , AuthSigninMethod+ , AuthSigninPostMethod , AuthSigninGetCodeMethod , AuthSigninPostCodeMethod , AuthTouchMethod@@ -77,6 +78,7 @@ , RespUserInfo(..) , PatchUser(..) , RespUsersInfo(..)+ , AuthSigninPostBody(..) -- ** User groups , UserGroupId , UserGroup(..)@@ -173,7 +175,7 @@ type Token' (perms :: [Symbol]) = Token (PlainPerms perms) instance ToParamSchema (Token perms) where- toParamSchema _ = mempty { _paramSchemaType = SwaggerString }+ toParamSchema _ = mempty { _paramSchemaType = Just SwaggerString } instance FromHttpApiData (Token perms) where parseUrlPiece = fmap Token . parseUrlPiece@@ -406,6 +408,37 @@ , patchUserGroupNoParent = Just True } +-- | Body for 'AuthSigninPostMethod'+data AuthSigninPostBody = AuthSigninPostBody {+ authSigninBodyLogin :: !Login+, authSigninBodyPassword :: !Password+, authSigninBodySeconds :: !(Maybe Seconds) -- ^ Nothing is default server value+} deriving (Generic, Show)+$(deriveJSON (derivePrefix "authSigninBody") ''AuthSigninPostBody)++instance ToSchema AuthSigninPostBody where+ declareNamedSchema = genericDeclareNamedSchema $+ schemaOptionsDropPrefix "authSigninBody"++instance ToSample AuthSigninPostBody where+ toSamples _ = samples [s1, s2, s3]+ where+ s1 = AuthSigninPostBody {+ authSigninBodyLogin = "admin"+ , authSigninBodyPassword = "123456"+ , authSigninBodySeconds = Nothing+ }+ s2 = AuthSigninPostBody {+ authSigninBodyLogin = "sviborg"+ , authSigninBodyPassword = "qwerty"+ , authSigninBodySeconds = Just 360+ }+ s3 = AuthSigninPostBody {+ authSigninBodyLogin = "schoolgirl"+ , authSigninBodyPassword = "ilovepony"+ , authSigninBodySeconds = Just 42+ }+ instance ToParam (QueryParam "login" Login) where toParam _ = DocQueryParam "login" ["ncrashed", "buddy"] "Any valid login for user" Normal instance ToParam (QueryParam "password" Password) where@@ -425,6 +458,7 @@ -- | Generic authorization API type AuthAPI = AuthSigninMethod+ :<|> AuthSigninPostMethod :<|> AuthSigninGetCodeMethod :<|> AuthSigninPostCodeMethod :<|> AuthTouchMethod@@ -472,6 +506,30 @@ :> QueryParam "password" Password :> QueryParam "expire" Seconds :> Get '[JSON] (OnlyField "token" SimpleToken)+{-# DEPRECATED AuthSigninMethod "AuthSigninPostMethod is more secure" #-}++-- | How to get a token, expire of 'Nothing' means+-- some default value (server config).+--+-- Logic of authorisation via this method is:+--+-- * Client sends POST request to the endpoint with+-- user specified login and password and optional expire+--+-- * Server responds with token or error+--+-- * Client uses the token with other requests as authorisation+-- header+--+-- * Client can extend lifetime of token by periodically pinging+-- of 'AuthTouchMethod' endpoint+--+-- * Client can invalidate token instantly by 'AuthSignoutMethod'+--+-- * Client can get info about user with 'AuthTokenInfoMethod' endpoint.+type AuthSigninPostMethod = "auth" :> "signin"+ :> ReqBody '[JSON] AuthSigninPostBody+ :> Post '[JSON] (OnlyField "token" SimpleToken) -- | Authorisation via code of single usage. --