packages feed

simple-session (empty) → 0.6.0

raw patch · 4 files changed

+417/−0 lines, 4 filesdep +basedep +base64-bytestringdep +blaze-buildersetup-changed

Dependencies added: base, base64-bytestring, blaze-builder, byteable, bytestring, containers, cookie, cryptohash, http-types, simple, transformers, wai

Files

+ LICENSE view
@@ -0,0 +1,165 @@+                  GNU LESSER GENERAL PUBLIC LICENSE+                       Version 3, 29 June 2007++ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>+ Everyone is permitted to copy and distribute verbatim copies+ of this license document, but changing it is not allowed.+++  This version of the GNU Lesser General Public License incorporates+the terms and conditions of version 3 of the GNU General Public+License, supplemented by the additional permissions listed below.++  0. Additional Definitions. ++  As used herein, "this License" refers to version 3 of the GNU Lesser+General Public License, and the "GNU GPL" refers to version 3 of the GNU+General Public License.++  "The Library" refers to a covered work governed by this License,+other than an Application or a Combined Work as defined below.++  An "Application" is any work that makes use of an interface provided+by the Library, but which is not otherwise based on the Library.+Defining a subclass of a class defined by the Library is deemed a mode+of using an interface provided by the Library.++  A "Combined Work" is a work produced by combining or linking an+Application with the Library.  The particular version of the Library+with which the Combined Work was made is also called the "Linked+Version".++  The "Minimal Corresponding Source" for a Combined Work means the+Corresponding Source for the Combined Work, excluding any source code+for portions of the Combined Work that, considered in isolation, are+based on the Application, and not on the Linked Version.++  The "Corresponding Application Code" for a Combined Work means the+object code and/or source code for the Application, including any data+and utility programs needed for reproducing the Combined Work from the+Application, but excluding the System Libraries of the Combined Work.++  1. Exception to Section 3 of the GNU GPL.++  You may convey a covered work under sections 3 and 4 of this License+without being bound by section 3 of the GNU GPL.++  2. Conveying Modified Versions.++  If you modify a copy of the Library, and, in your modifications, a+facility refers to a function or data to be supplied by an Application+that uses the facility (other than as an argument passed when the+facility is invoked), then you may convey a copy of the modified+version:++   a) under this License, provided that you make a good faith effort to+   ensure that, in the event an Application does not supply the+   function or data, the facility still operates, and performs+   whatever part of its purpose remains meaningful, or++   b) under the GNU GPL, with none of the additional permissions of+   this License applicable to that copy.++  3. Object Code Incorporating Material from Library Header Files.++  The object code form of an Application may incorporate material from+a header file that is part of the Library.  You may convey such object+code under terms of your choice, provided that, if the incorporated+material is not limited to numerical parameters, data structure+layouts and accessors, or small macros, inline functions and templates+(ten or fewer lines in length), you do both of the following:++   a) Give prominent notice with each copy of the object code that the+   Library is used in it and that the Library and its use are+   covered by this License.++   b) Accompany the object code with a copy of the GNU GPL and this license+   document.++  4. Combined Works.++  You may convey a Combined Work under terms of your choice that,+taken together, effectively do not restrict modification of the+portions of the Library contained in the Combined Work and reverse+engineering for debugging such modifications, if you also do each of+the following:++   a) Give prominent notice with each copy of the Combined Work that+   the Library is used in it and that the Library and its use are+   covered by this License.++   b) Accompany the Combined Work with a copy of the GNU GPL and this license+   document.++   c) For a Combined Work that displays copyright notices during+   execution, include the copyright notice for the Library among+   these notices, as well as a reference directing the user to the+   copies of the GNU GPL and this license document.++   d) Do one of the following:++       0) Convey the Minimal Corresponding Source under the terms of this+       License, and the Corresponding Application Code in a form+       suitable for, and under terms that permit, the user to+       recombine or relink the Application with a modified version of+       the Linked Version to produce a modified Combined Work, in the+       manner specified by section 6 of the GNU GPL for conveying+       Corresponding Source.++       1) Use a suitable shared library mechanism for linking with the+       Library.  A suitable mechanism is one that (a) uses at run time+       a copy of the Library already present on the user's computer+       system, and (b) will operate properly with a modified version+       of the Library that is interface-compatible with the Linked+       Version. ++   e) Provide Installation Information, but only if you would otherwise+   be required to provide such information under section 6 of the+   GNU GPL, and only to the extent that such information is+   necessary to install and execute a modified version of the+   Combined Work produced by recombining or relinking the+   Application with a modified version of the Linked Version. (If+   you use option 4d0, the Installation Information must accompany+   the Minimal Corresponding Source and Corresponding Application+   Code. If you use option 4d1, you must provide the Installation+   Information in the manner specified by section 6 of the GNU GPL+   for conveying Corresponding Source.)++  5. Combined Libraries.++  You may place library facilities that are a work based on the+Library side by side in a single library together with other library+facilities that are not Applications and are not covered by this+License, and convey such a combined library under terms of your+choice, if you do both of the following:++   a) Accompany the combined library with a copy of the same work based+   on the Library, uncombined with any other library facilities,+   conveyed under the terms of this License.++   b) Give prominent notice with the combined library that part of it+   is a work based on the Library, and explaining where to find the+   accompanying uncombined form of the same work.++  6. Revised Versions of the GNU Lesser General Public License.++  The Free Software Foundation may publish revised and/or new versions+of the GNU Lesser General Public License from time to time. Such new+versions will be similar in spirit to the present version, but may+differ in detail to address new problems or concerns.++  Each version is given a distinguishing version number. If the+Library as you received it specifies that a certain numbered version+of the GNU Lesser General Public License "or any later version"+applies to it, you have the option of following the terms and+conditions either of that published version or of any later version+published by the Free Software Foundation. If the Library as you+received it does not specify a version number of the GNU Lesser+General Public License, you may choose any version of the GNU Lesser+General Public License ever published by the Free Software Foundation.++  If the Library as you received it specifies that a proxy can decide+whether future versions of the GNU Lesser General Public License shall+apply, that proxy's public statement of acceptance of any version is+permanent authorization for you to choose that version for the+Library.
+ Setup.hs view
@@ -0,0 +1,2 @@+import Distribution.Simple+main = defaultMain
+ simple-session.cabal view
@@ -0,0 +1,59 @@+name:                simple-session+version:             0.6.0+synopsis:            Cookie-based session management for the Simple web framework+description:++  Adds cookie-based session management to simple 'Controller's. To add to an+  application, declare the Controller setting\'s type an instance of+  'HasSession', and wrap routes with 'withSession'. For example:+  .+  > data AppSettings = ...+  >+  > instance HasSession AppSettings where+  >   ...+  .+  > controllerApp settings $ withSessions $ do+  >   routeName \"posts\" $ ...+  .+  Then, in your controllers you can seemlessly get and set keys from the+  session:+  .+  > get "/profile" $ do+  >   muserId <- sessionLookup "current_user_id"+  >   case muserIf of+  >     Nothing -> respond $ redirectTo "/login"+  >     Just userId -> [handle request]+      +homepage:            http://simple.cx+license:             LGPL-3+license-file:        LICENSE+author:              Amit Aryeh Levy+maintainer:          amit@amitlevy.com+category:            Web+build-type:          Simple+cabal-version:       >=1.10++library+  hs-source-dirs: src+  ghc-options: -Wall+  exposed-modules:+    Web.Simple.Session+  build-depends:+      base < 6+    , blaze-builder+    , cookie+    , cryptohash+    , byteable+    , base64-bytestring+    , bytestring+    , containers+    , http-types+    , simple >= 0.6+    , transformers+    , wai+  default-language:    Haskell2010++source-repository head+  type: git+  location: anonymous@gitstar.com:alevy/simple.git+
+ src/Web/Simple/Session.hs view
@@ -0,0 +1,191 @@+{-# LANGUAGE FlexibleInstances, OverloadedStrings #-}++{- | Adds cookie-based session management to simple 'Controller's. To add to an+  application, declare the Controller setting\'s type an instance of+  'HasSession', and wrap routes with 'withSession'. For example:++  > data AppSettings = ...+  >+  > instance HasSession AppSettings where+  >   ...++  > controllerApp settings $ withSessions $ do+  >   routeName \"posts\" $ ...++ -}+module Web.Simple.Session+  ( Session+  -- * Class and Middleware+  , HasSession(..), withSession+  -- * Accessors+  , sessionLookup, sessionInsert, sessionDelete, sessionClear++  -- * Utilities+  , session, parseSession, dumpSession, addCookie+  ) where++import Control.Monad.IO.Class+import Blaze.ByteString.Builder+import Crypto.Hash+import Data.Byteable+import Data.ByteString.Base64+import qualified Data.ByteString as S+import qualified Data.ByteString.Char8 as S8+import Data.Map (Map)+import qualified Data.Map as M+import Network.HTTP.Types.Header+import Network.HTTP.Types.URI+import Web.Cookie+import Web.Simple+import System.Environment++-- | Plaintext mapping of the session map. Both keys and values are+-- 'S.ByteString's.+type Session = Map S.ByteString S.ByteString++-- | Instances of this class can be used as states by a 'Controller' states+-- to manage cookie-based user sessions. Instances must minimally implement+-- 'getSession' and 'setSession'. By default, the secret session key is taken+-- from the environment variable \"SESSION_KEY\", or a default dummy key is+-- used if the environment variable \"ENV\" is set to \"development\". You can+-- override this behaviour by implementing the 'sessionKey' method.+-- If the controller state contains a dedicated field of type 'Maybe Session',+-- a reasonable implementation would be:+--+-- > data MyAppSettings = MyAppSettings { myAppSess :: Maybe Session, ...}+-- >+-- > instance HasSession MyAppSettings where+-- >    getSession = myAppSess <$> controllerState+-- >    setSession sess = do+-- >      cs <- controllerState+-- >      putState $ cs { myAppSess = sess }+--+class HasSession hs where+  -- | Returns the secret session key. The default implementation uses the+  -- \"SESSION_KEY\" environment variable. If it is not present, and the+  -- \"ENV\" environment variable is set to \"development\", a dummy, hardcoded+  -- key is used.+  sessionKey :: Controller hs S.ByteString+  sessionKey = liftIO $ do+    env <- getEnvironment+    case lookup "SESSION_KEY" env of+      Just key -> return $ S8.pack key+      Nothing ->+        case lookup "ENV" env of+          Just e | e == "development" -> return "test-session-key"+          _ -> (error "SESSION_KEY environment variable not set")++  -- | Returns the cached session for the current request, or nothing if the+  -- session has not been set yet for this request. +  getSession :: hs -> Maybe Session++  -- | Stores a parsed or changed session for the remainder of the request.This+  -- is used both for cached a parsed session cookie as well as for serializing+  -- to the \"Set-Cookie\" header when responding.+  setSession :: Session -> Controller hs ()++-- | A trivial implementation if the 'Controller' settings is just a Session+-- store.+instance HasSession (Maybe Session) where+  getSession = id+  setSession = putState . Just++-- | A middleware wrapper around a 'Controller' that sets the \"Set-Cookie\"+-- header in the HTTP response if the Session is present, i.e. if it was+-- accessed/modified by the 'Controller'.+withSession :: HasSession hs => Controller hs a -> Controller hs a+withSession (Controller act) = do+  sk <- sessionKey+  Controller $ \st0 -> do+    (eres, st@(r, _)) <- act st0+    case eres of+      Left resp0 -> do+        let resp = case getSession r of+                     Just sess -> addCookie+                                   ("session", dumpSession sk sess)+                                   resp0+                     Nothing -> resp0+        return (Left resp, st)+      Right _ -> return (eres, st)++-- | Adds a \"Set-Cookie\" with the given key-value tuple to the 'Response'.+-- The path set on the cookie is \"/\", meaning it applies to all routes on the+-- domain, and no expiration is set.+addCookie :: (S.ByteString, S.ByteString) -> Response -> Response+addCookie (key, value) resp =+  let (stat, hdrs, src) = responseSource resp+  in ResponseSource stat (("Set-Cookie", cookie):hdrs) src+  where cookie = toByteString . renderSetCookie $+                  def { setCookieName = key+                      , setCookieValue = value+                      , setCookiePath = Just "/" }++-- | Returns the current 'Session', either from the 'getSession' cache or by+-- parsing the cookie from the 'Request' using 'sessionFromCookie'.+session :: HasSession hs => Controller hs Session+session = do+  msession <- getSession `fmap` controllerState+  case msession of+    Just sess -> return sess+    Nothing -> do+      sess <- sessionFromCookie+      setSession =<< sessionFromCookie+      return sess++-- | Get and parse a 'Session' from the current 'Request'.+sessionFromCookie :: HasSession hs => Controller hs Session+sessionFromCookie = do+  cookies <- (maybe [] parseCookies) `fmap` requestHeader hCookie+  sess <- case lookup "session" cookies of+            Just sessionCookie -> do+              sk <- sessionKey+              return $ parseSession sk sessionCookie+            Nothing -> return M.empty+  return sess++-- | Parses and validates a serialized 'Session' given the secret. If the+-- 'Session' is invalid (i.e. the hmac does not match), an empty 'Session' is+-- returned.+parseSession :: S.ByteString -> S.ByteString -> Session+parseSession secret sessionCookie =+  let (b64, serial) = S.splitAt 44 sessionCookie+      mdigest = digestFromByteString $ either (const S.empty) id $ decode b64+  in case mdigest of+       Nothing -> M.empty+       Just digest ->+         if hmacGetDigest (hmacAlg SHA256 secret serial) == digest then+           M.fromList $ parseSimpleQuery serial+           else M.empty++-- | Serializes a 'Session' by applying a sha256 hmac with the given secret+-- key to the serialized 'Session' (using 'renderSimpleQuery'), base64 encoding+-- the result, and prepending it to the serialized 'Session'.+dumpSession :: S.ByteString -> Session -> S.ByteString+dumpSession secret sess =+  let serial = renderSimpleQuery False $ M.toList sess+      digest = hmacGetDigest $ hmacAlg SHA256 secret serial+      b64 = encode $ toBytes digest+  in b64 `S.append` serial++-- | Lookup a key from the current 'Request's session.+sessionLookup :: HasSession hs+              => S.ByteString -> Controller hs (Maybe S.ByteString)+sessionLookup key = M.lookup key `fmap` session++-- | Insert or replace a key in the current 'Request's session.+sessionInsert :: HasSession hs+              => S.ByteString -> S.ByteString -> Controller hs ()+sessionInsert key value = do+  sess <- session+  setSession (M.insert key value sess)++-- | Remove a key from the current 'Request's session.+sessionDelete :: HasSession hs => S.ByteString -> Controller hs ()+sessionDelete key = do+  sess <- session+  setSession $ M.delete key sess++-- | Clear the entire 'Session'.+sessionClear :: HasSession hs => Controller hs ()+sessionClear = setSession M.empty+