simple-session (empty) → 0.6.0
raw patch · 4 files changed
+417/−0 lines, 4 filesdep +basedep +base64-bytestringdep +blaze-buildersetup-changed
Dependencies added: base, base64-bytestring, blaze-builder, byteable, bytestring, containers, cookie, cryptohash, http-types, simple, transformers, wai
Files
- LICENSE +165/−0
- Setup.hs +2/−0
- simple-session.cabal +59/−0
- src/Web/Simple/Session.hs +191/−0
+ LICENSE view
@@ -0,0 +1,165 @@+ GNU LESSER GENERAL PUBLIC LICENSE+ Version 3, 29 June 2007++ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>+ Everyone is permitted to copy and distribute verbatim copies+ of this license document, but changing it is not allowed.+++ This version of the GNU Lesser General Public License incorporates+the terms and conditions of version 3 of the GNU General Public+License, supplemented by the additional permissions listed below.++ 0. Additional Definitions. ++ As used herein, "this License" refers to version 3 of the GNU Lesser+General Public License, and the "GNU GPL" refers to version 3 of the GNU+General Public License.++ "The Library" refers to a covered work governed by this License,+other than an Application or a Combined Work as defined below.++ An "Application" is any work that makes use of an interface provided+by the Library, but which is not otherwise based on the Library.+Defining a subclass of a class defined by the Library is deemed a mode+of using an interface provided by the Library.++ A "Combined Work" is a work produced by combining or linking an+Application with the Library. The particular version of the Library+with which the Combined Work was made is also called the "Linked+Version".++ The "Minimal Corresponding Source" for a Combined Work means the+Corresponding Source for the Combined Work, excluding any source code+for portions of the Combined Work that, considered in isolation, are+based on the Application, and not on the Linked Version.++ The "Corresponding Application Code" for a Combined Work means the+object code and/or source code for the Application, including any data+and utility programs needed for reproducing the Combined Work from the+Application, but excluding the System Libraries of the Combined Work.++ 1. Exception to Section 3 of the GNU GPL.++ You may convey a covered work under sections 3 and 4 of this License+without being bound by section 3 of the GNU GPL.++ 2. Conveying Modified Versions.++ If you modify a copy of the Library, and, in your modifications, a+facility refers to a function or data to be supplied by an Application+that uses the facility (other than as an argument passed when the+facility is invoked), then you may convey a copy of the modified+version:++ a) under this License, provided that you make a good faith effort to+ ensure that, in the event an Application does not supply the+ function or data, the facility still operates, and performs+ whatever part of its purpose remains meaningful, or++ b) under the GNU GPL, with none of the additional permissions of+ this License applicable to that copy.++ 3. Object Code Incorporating Material from Library Header Files.++ The object code form of an Application may incorporate material from+a header file that is part of the Library. You may convey such object+code under terms of your choice, provided that, if the incorporated+material is not limited to numerical parameters, data structure+layouts and accessors, or small macros, inline functions and templates+(ten or fewer lines in length), you do both of the following:++ a) Give prominent notice with each copy of the object code that the+ Library is used in it and that the Library and its use are+ covered by this License.++ b) Accompany the object code with a copy of the GNU GPL and this license+ document.++ 4. Combined Works.++ You may convey a Combined Work under terms of your choice that,+taken together, effectively do not restrict modification of the+portions of the Library contained in the Combined Work and reverse+engineering for debugging such modifications, if you also do each of+the following:++ a) Give prominent notice with each copy of the Combined Work that+ the Library is used in it and that the Library and its use are+ covered by this License.++ b) Accompany the Combined Work with a copy of the GNU GPL and this license+ document.++ c) For a Combined Work that displays copyright notices during+ execution, include the copyright notice for the Library among+ these notices, as well as a reference directing the user to the+ copies of the GNU GPL and this license document.++ d) Do one of the following:++ 0) Convey the Minimal Corresponding Source under the terms of this+ License, and the Corresponding Application Code in a form+ suitable for, and under terms that permit, the user to+ recombine or relink the Application with a modified version of+ the Linked Version to produce a modified Combined Work, in the+ manner specified by section 6 of the GNU GPL for conveying+ Corresponding Source.++ 1) Use a suitable shared library mechanism for linking with the+ Library. A suitable mechanism is one that (a) uses at run time+ a copy of the Library already present on the user's computer+ system, and (b) will operate properly with a modified version+ of the Library that is interface-compatible with the Linked+ Version. ++ e) Provide Installation Information, but only if you would otherwise+ be required to provide such information under section 6 of the+ GNU GPL, and only to the extent that such information is+ necessary to install and execute a modified version of the+ Combined Work produced by recombining or relinking the+ Application with a modified version of the Linked Version. (If+ you use option 4d0, the Installation Information must accompany+ the Minimal Corresponding Source and Corresponding Application+ Code. If you use option 4d1, you must provide the Installation+ Information in the manner specified by section 6 of the GNU GPL+ for conveying Corresponding Source.)++ 5. Combined Libraries.++ You may place library facilities that are a work based on the+Library side by side in a single library together with other library+facilities that are not Applications and are not covered by this+License, and convey such a combined library under terms of your+choice, if you do both of the following:++ a) Accompany the combined library with a copy of the same work based+ on the Library, uncombined with any other library facilities,+ conveyed under the terms of this License.++ b) Give prominent notice with the combined library that part of it+ is a work based on the Library, and explaining where to find the+ accompanying uncombined form of the same work.++ 6. Revised Versions of the GNU Lesser General Public License.++ The Free Software Foundation may publish revised and/or new versions+of the GNU Lesser General Public License from time to time. Such new+versions will be similar in spirit to the present version, but may+differ in detail to address new problems or concerns.++ Each version is given a distinguishing version number. If the+Library as you received it specifies that a certain numbered version+of the GNU Lesser General Public License "or any later version"+applies to it, you have the option of following the terms and+conditions either of that published version or of any later version+published by the Free Software Foundation. If the Library as you+received it does not specify a version number of the GNU Lesser+General Public License, you may choose any version of the GNU Lesser+General Public License ever published by the Free Software Foundation.++ If the Library as you received it specifies that a proxy can decide+whether future versions of the GNU Lesser General Public License shall+apply, that proxy's public statement of acceptance of any version is+permanent authorization for you to choose that version for the+Library.
+ Setup.hs view
@@ -0,0 +1,2 @@+import Distribution.Simple+main = defaultMain
+ simple-session.cabal view
@@ -0,0 +1,59 @@+name: simple-session+version: 0.6.0+synopsis: Cookie-based session management for the Simple web framework+description:++ Adds cookie-based session management to simple 'Controller's. To add to an+ application, declare the Controller setting\'s type an instance of+ 'HasSession', and wrap routes with 'withSession'. For example:+ .+ > data AppSettings = ...+ >+ > instance HasSession AppSettings where+ > ...+ .+ > controllerApp settings $ withSessions $ do+ > routeName \"posts\" $ ...+ .+ Then, in your controllers you can seemlessly get and set keys from the+ session:+ .+ > get "/profile" $ do+ > muserId <- sessionLookup "current_user_id"+ > case muserIf of+ > Nothing -> respond $ redirectTo "/login"+ > Just userId -> [handle request]+ +homepage: http://simple.cx+license: LGPL-3+license-file: LICENSE+author: Amit Aryeh Levy+maintainer: amit@amitlevy.com+category: Web+build-type: Simple+cabal-version: >=1.10++library+ hs-source-dirs: src+ ghc-options: -Wall+ exposed-modules:+ Web.Simple.Session+ build-depends:+ base < 6+ , blaze-builder+ , cookie+ , cryptohash+ , byteable+ , base64-bytestring+ , bytestring+ , containers+ , http-types+ , simple >= 0.6+ , transformers+ , wai+ default-language: Haskell2010++source-repository head+ type: git+ location: anonymous@gitstar.com:alevy/simple.git+
+ src/Web/Simple/Session.hs view
@@ -0,0 +1,191 @@+{-# LANGUAGE FlexibleInstances, OverloadedStrings #-}++{- | Adds cookie-based session management to simple 'Controller's. To add to an+ application, declare the Controller setting\'s type an instance of+ 'HasSession', and wrap routes with 'withSession'. For example:++ > data AppSettings = ...+ >+ > instance HasSession AppSettings where+ > ...++ > controllerApp settings $ withSessions $ do+ > routeName \"posts\" $ ...++ -}+module Web.Simple.Session+ ( Session+ -- * Class and Middleware+ , HasSession(..), withSession+ -- * Accessors+ , sessionLookup, sessionInsert, sessionDelete, sessionClear++ -- * Utilities+ , session, parseSession, dumpSession, addCookie+ ) where++import Control.Monad.IO.Class+import Blaze.ByteString.Builder+import Crypto.Hash+import Data.Byteable+import Data.ByteString.Base64+import qualified Data.ByteString as S+import qualified Data.ByteString.Char8 as S8+import Data.Map (Map)+import qualified Data.Map as M+import Network.HTTP.Types.Header+import Network.HTTP.Types.URI+import Web.Cookie+import Web.Simple+import System.Environment++-- | Plaintext mapping of the session map. Both keys and values are+-- 'S.ByteString's.+type Session = Map S.ByteString S.ByteString++-- | Instances of this class can be used as states by a 'Controller' states+-- to manage cookie-based user sessions. Instances must minimally implement+-- 'getSession' and 'setSession'. By default, the secret session key is taken+-- from the environment variable \"SESSION_KEY\", or a default dummy key is+-- used if the environment variable \"ENV\" is set to \"development\". You can+-- override this behaviour by implementing the 'sessionKey' method.+-- If the controller state contains a dedicated field of type 'Maybe Session',+-- a reasonable implementation would be:+--+-- > data MyAppSettings = MyAppSettings { myAppSess :: Maybe Session, ...}+-- >+-- > instance HasSession MyAppSettings where+-- > getSession = myAppSess <$> controllerState+-- > setSession sess = do+-- > cs <- controllerState+-- > putState $ cs { myAppSess = sess }+--+class HasSession hs where+ -- | Returns the secret session key. The default implementation uses the+ -- \"SESSION_KEY\" environment variable. If it is not present, and the+ -- \"ENV\" environment variable is set to \"development\", a dummy, hardcoded+ -- key is used.+ sessionKey :: Controller hs S.ByteString+ sessionKey = liftIO $ do+ env <- getEnvironment+ case lookup "SESSION_KEY" env of+ Just key -> return $ S8.pack key+ Nothing ->+ case lookup "ENV" env of+ Just e | e == "development" -> return "test-session-key"+ _ -> (error "SESSION_KEY environment variable not set")++ -- | Returns the cached session for the current request, or nothing if the+ -- session has not been set yet for this request. + getSession :: hs -> Maybe Session++ -- | Stores a parsed or changed session for the remainder of the request.This+ -- is used both for cached a parsed session cookie as well as for serializing+ -- to the \"Set-Cookie\" header when responding.+ setSession :: Session -> Controller hs ()++-- | A trivial implementation if the 'Controller' settings is just a Session+-- store.+instance HasSession (Maybe Session) where+ getSession = id+ setSession = putState . Just++-- | A middleware wrapper around a 'Controller' that sets the \"Set-Cookie\"+-- header in the HTTP response if the Session is present, i.e. if it was+-- accessed/modified by the 'Controller'.+withSession :: HasSession hs => Controller hs a -> Controller hs a+withSession (Controller act) = do+ sk <- sessionKey+ Controller $ \st0 -> do+ (eres, st@(r, _)) <- act st0+ case eres of+ Left resp0 -> do+ let resp = case getSession r of+ Just sess -> addCookie+ ("session", dumpSession sk sess)+ resp0+ Nothing -> resp0+ return (Left resp, st)+ Right _ -> return (eres, st)++-- | Adds a \"Set-Cookie\" with the given key-value tuple to the 'Response'.+-- The path set on the cookie is \"/\", meaning it applies to all routes on the+-- domain, and no expiration is set.+addCookie :: (S.ByteString, S.ByteString) -> Response -> Response+addCookie (key, value) resp =+ let (stat, hdrs, src) = responseSource resp+ in ResponseSource stat (("Set-Cookie", cookie):hdrs) src+ where cookie = toByteString . renderSetCookie $+ def { setCookieName = key+ , setCookieValue = value+ , setCookiePath = Just "/" }++-- | Returns the current 'Session', either from the 'getSession' cache or by+-- parsing the cookie from the 'Request' using 'sessionFromCookie'.+session :: HasSession hs => Controller hs Session+session = do+ msession <- getSession `fmap` controllerState+ case msession of+ Just sess -> return sess+ Nothing -> do+ sess <- sessionFromCookie+ setSession =<< sessionFromCookie+ return sess++-- | Get and parse a 'Session' from the current 'Request'.+sessionFromCookie :: HasSession hs => Controller hs Session+sessionFromCookie = do+ cookies <- (maybe [] parseCookies) `fmap` requestHeader hCookie+ sess <- case lookup "session" cookies of+ Just sessionCookie -> do+ sk <- sessionKey+ return $ parseSession sk sessionCookie+ Nothing -> return M.empty+ return sess++-- | Parses and validates a serialized 'Session' given the secret. If the+-- 'Session' is invalid (i.e. the hmac does not match), an empty 'Session' is+-- returned.+parseSession :: S.ByteString -> S.ByteString -> Session+parseSession secret sessionCookie =+ let (b64, serial) = S.splitAt 44 sessionCookie+ mdigest = digestFromByteString $ either (const S.empty) id $ decode b64+ in case mdigest of+ Nothing -> M.empty+ Just digest ->+ if hmacGetDigest (hmacAlg SHA256 secret serial) == digest then+ M.fromList $ parseSimpleQuery serial+ else M.empty++-- | Serializes a 'Session' by applying a sha256 hmac with the given secret+-- key to the serialized 'Session' (using 'renderSimpleQuery'), base64 encoding+-- the result, and prepending it to the serialized 'Session'.+dumpSession :: S.ByteString -> Session -> S.ByteString+dumpSession secret sess =+ let serial = renderSimpleQuery False $ M.toList sess+ digest = hmacGetDigest $ hmacAlg SHA256 secret serial+ b64 = encode $ toBytes digest+ in b64 `S.append` serial++-- | Lookup a key from the current 'Request's session.+sessionLookup :: HasSession hs+ => S.ByteString -> Controller hs (Maybe S.ByteString)+sessionLookup key = M.lookup key `fmap` session++-- | Insert or replace a key in the current 'Request's session.+sessionInsert :: HasSession hs+ => S.ByteString -> S.ByteString -> Controller hs ()+sessionInsert key value = do+ sess <- session+ setSession (M.insert key value sess)++-- | Remove a key from the current 'Request's session.+sessionDelete :: HasSession hs => S.ByteString -> Controller hs ()+sessionDelete key = do+ sess <- session+ setSession $ M.delete key sess++-- | Clear the entire 'Session'.+sessionClear :: HasSession hs => Controller hs ()+sessionClear = setSession M.empty+