yesod-auth-oidc 0.1.1 → 0.1.3
raw patch · 2 files changed
+121/−110 lines, 2 filesdep ~aesondep ~basedep ~base64-bytestring
Dependency ranges changed: aeson, base, base64-bytestring, blaze-html, broch, bytestring, classy-prelude, classy-prelude-yesod, containers, cryptonite, directory, email-validate, http-client, http-conduit, http-types, jose-jwt, lens-regex-pcre, monad-logger, oidc-client, postgresql-simple, reroute, resource-pool, shakespeare, sqlite-simple, text, time, unordered-containers, wai-app-static, wai-extra, warp, yesod, yesod-auth, yesod-core, yesod-form, yesod-persistent, yesod-test
Files
- src/Yesod/Auth/OIDC.hs +29/−7
- yesod-auth-oidc.cabal +92/−103
src/Yesod/Auth/OIDC.hs view
@@ -1,4 +1,5 @@ {-# LANGUAGE AllowAmbiguousTypes #-}+{-# LANGUAGE CPP #-} {-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE FlexibleContexts #-} {-# LANGUAGE LambdaCase #-}@@ -335,9 +336,10 @@ (Right issuerLoc, clientId) -> do unless ("https:" `T.isPrefixOf` issuerLoc || "http://localhost" `T.isPrefixOf` issuerLoc) $- throwIO $ TLSNotUsedException- $ "The issuer location doesn't start with 'https:'. \- \OIDC requires all communication with the IdP to use TLS."+ throwIO $ TLSNotUsedException $ unwords+ [ "The issuer location doesn't start with 'https:'. "+ , "OIDC requires all communication with the IdP to use TLS."+ ] provider <- getHttpManagerForOidc >>= \case Left mock -> pure $ (mopDiscover mock) issuerLoc Right mgr -> liftIO $ discover issuerLoc mgr@@ -384,9 +386,19 @@ , sessionStoreSave = \state nonce -> unlift $ do setSessionBS stateSessionKey state setSessionBS nonceSessionKey nonce+#if MIN_VERSION_oidc_client(0,7,0)+ , sessionStoreGet = \untrustedState -> unlift $ do+ (mState, mNonce) <-+ (,) <$> lookupSessionBS stateSessionKey+ <*> lookupSessionBS nonceSessionKey+ if mState /= Just untrustedState+ then pure Nothing+ else pure mNonce+#else , sessionStoreGet = unlift $ (,) <$> lookupSessionBS stateSessionKey <*> lookupSessionBS nonceSessionKey+#endif , sessionStoreDelete = unlift $ do deleteSession stateSessionKey deleteSession nonceSessionKey@@ -429,9 +441,10 @@ -- but the oidc-client haskell library still asks for it inside the -- 'OIDC' type. We purposefully throw a 500 error if the value is used. oidc <- makeOIDC provider clientId (ClientSecret "DUMMY") <&> \oidc' -> oidc'- { oidcClientSecret =- error "client_secret should never be used in the authentication \- \request as it would undesirably expose the secret to the user"+ { oidcClientSecret = error $ unwords+ [ "client_secret should never be used in the authentication "+ , "request as it would undesirably expose the secret to the user"+ ] } let extraParams = [("login_hint", Just $ urlEncode False $ encodeUtf8 loginHint)]@@ -458,10 +471,19 @@ => SessionStore IO -> [Text] -> m Text asTrustedState sessionStore = \case [untrustedState] -> do- (mState, _) <- liftIO $ sessionStoreGet sessionStore+#if MIN_VERSION_oidc_client(0,7,0)+ -- In this case, there's no point in validating the state - we+ -- need to thread this value through to the code later, and when+ -- the code reads the nonce, the state will be validated+ --+ -- We're using 'const' to avoid an unuse warning in the function arg+ pure $ const untrustedState sessionStore+#else+ (mState, _) <- liftIO $ sessionStoreGet sessionStore untrustedState if fmap decodeUtf8 mState /= Just untrustedState then onBadCallbackRequest Nothing else pure untrustedState+#endif _ -> onBadCallbackRequest Nothing processCallbackInput :: (YesodAuthOIDC site, MonadAuthHandler site m)
yesod-auth-oidc.cabal view
@@ -1,115 +1,108 @@-cabal-version: 2.2-name: yesod-auth-oidc-version: 0.1.1-build-type: Simple-category: Web, Yesod+cabal-version: 2.2+name: yesod-auth-oidc+version: 0.1.3+build-type: Simple+category: Web, Yesod extra-source-files: README.md-license: BSD-3-Clause-license-file: LICENSE-author: Supercede Technology Ltd-maintainer: Supercede Technology Ltd <support@supercede.com>-homepage: https://github.com/SupercedeTech/yesod-auth-oidc-synopsis: A yesod-auth plugin for multi-tenant SSO via OpenID Connect+license: BSD-3-Clause+license-file: LICENSE+author: Supercede Technology Ltd+maintainer: Supercede Technology Ltd <support@supercede.com>+homepage: https://github.com/SupercedeTech/yesod-auth-oidc+synopsis: A yesod-auth plugin for multi-tenant SSO via OpenID Connect description: A yesod-auth plugin for multi-tenant SSO via OpenID Connect, using Authorization Code flow (AKA server flow).- Please see the README.md file for more documentation. -tested-with: GHC == 8.10.4+tested-with: GHC ==8.10.4 source-repository head- type: git+ type: git location: git@github.com:SupercedeTech/yesod-auth-oidc.git common common-options- default-language: Haskell2010+ default-language: Haskell2010 default-extensions: NoImplicitPrelude- hs-source-dirs: src+ hs-source-dirs: src ghc-options:- -Wall -Wincomplete-uni-patterns- -Wincomplete-record-updates -Widentities -Wredundant-constraints- -Wcpp-undef -Wimplicit-prelude -fwarn-tabs- build-depends:- base >=4.9.1.0 && <5,- aeson >= 2.0.0.0 && < 3.0,- text >= 1.2.4 && < 1.3,- time >= 1.9.3 && < 1.10,- unordered-containers >= 0.2.13 && < 0.3,- base64-bytestring >= 1.1.0 && < 1.3,- classy-prelude-yesod >= 1.5.0 && < 1.6,-- cryptonite >= 0.28 && < 1,-- http-client >= 0.6.4 && < 1,- jose-jwt >= 0.9.2 && < 0.10,-- oidc-client >= 0.6.0 && < 0.7,-- shakespeare >= 2.0.25 && < 2.1,-- yesod-core >= 1.6.19 && < 1.7,- yesod-form >= 1.6.7 && < 2.0,- yesod-auth >= 1.6.10 && < 1.7,- containers+ -Wall -Wincomplete-uni-patterns -Wincomplete-record-updates+ -Widentities -Wredundant-constraints -Wcpp-undef -Wimplicit-prelude+ -fwarn-tabs + build-depends:+ , aeson >=2.0.0.0 && <3.0+ , base >=4.9.1.0 && <5+ , base64-bytestring >=1.1.0 && <1.3+ , classy-prelude-yesod ^>=1.5.0+ , containers+ , cryptonite >=0.28 && <1+ , http-client >=0.6.4 && <1+ , jose-jwt ^>=0.9.2+ , oidc-client >=0.6.0 && <0.8+ , shakespeare >=2.0.25 && <2.2+ , text >=1.2.4 && <3.0+ , time >=1.9.3 && <2.0+ , unordered-containers ^>=0.2.13+ , yesod-auth ^>=1.6.10+ , yesod-core ^>=1.6.19+ , yesod-form >=1.6.7 && <2.0 library- import: common-options- hs-source-dirs: src- exposed-modules:- Yesod.Auth.OIDC+ import: common-options+ hs-source-dirs: src+ exposed-modules: Yesod.Auth.OIDC -Common test-properties- Default-Language: Haskell2010- Hs-Source-Dirs: src, test- Ghc-Options: -Wall- Default-Extensions: NoImplicitPrelude- Build-Depends:- base,- aeson,- bytestring >= 0.10.10 && < 0.11,- containers >= 0.6.2 && < 0.7,- text,- time,- unordered-containers,- base64-bytestring,- classy-prelude-yesod,- classy-prelude >= 1.5.0 && < 1.6,- directory >= 1.3.6 && < 1.4,- http-conduit >= 2.3.8 && < 2.4,- http-client,- http-types >= 0.12.3 && < 0.13,- memory >= 0.15.0 && < 1,- cryptonite,- persistent >= 2.11.0 && <= 3.0.0,- blaze-html >= 0.9.1 && < 0.10,- fast-logger >= 3.0.5 && < 4.0,- monad-logger >= 0.3.36 && < 0.4,- resource-pool >= 0.2.3 && < 0.3,- yesod >= 1.6.1 && < 1.7,- shakespeare,- wai-extra >= 3.1.6 && < 3.2,- warp >= 3.3.15 && < 3.4,- yesod-core,- yesod-form,- email-validate >= 2.3.2 && < 2.4,- yesod-persistent >= 1.6.0 && < 1.7,- wai-app-static >= 3.1.7 && < 3.2,- jose-jwt,- oidc-client,- yesod-auth,- broch >= 0.1 && < 0.2,- postgresql-simple >= 0.6.4 && < 0.7,- reroute >= 0.6.0 && < 0.7,- sqlite-simple >= 0.4.18 && < 0.5,- hspec >= 2.7.10 && < 3.0,- lens >= 4.19.2 && < 6.0,- lens-regex-pcre >= 1.1.0 && < 1.2,- persistent-sqlite >= 2.11.1 && <= 3.0,- yesod-test >= 1.6.12 && < 1.7+common test-properties+ default-language: Haskell2010+ hs-source-dirs: src test+ ghc-options: -Wall+ default-extensions: NoImplicitPrelude+ build-depends:+ , aeson+ , base+ , base64-bytestring+ , blaze-html ^>=0.9.1+ , broch ^>=0.1+ , bytestring ^>=0.10.10+ , classy-prelude ^>=1.5.0+ , classy-prelude-yesod+ , containers ^>=0.6.2+ , cryptonite+ , directory ^>=1.3.6+ , email-validate ^>=2.3.2+ , fast-logger >=3.0.5 && <4.0+ , hspec >=2.7.10 && <3.0+ , http-client+ , http-conduit ^>=2.3.8+ , http-types ^>=0.12.3+ , jose-jwt+ , lens >=4.19.2 && <6.0+ , lens-regex-pcre ^>=1.1.0+ , memory >=0.15.0 && <1+ , monad-logger ^>=0.3.36+ , oidc-client+ , persistent >=2.11.0 && <=3.0.0+ , persistent-sqlite >=2.11.1 && <=3.0+ , postgresql-simple ^>=0.6.4+ , reroute >=0.6.0 && <0.8+ , resource-pool ^>=0.2.3+ , shakespeare+ , sqlite-simple ^>=0.4.18+ , text+ , time+ , unordered-containers+ , wai-app-static ^>=3.1.7+ , wai-extra ^>=3.1.6+ , warp ^>=3.3.15+ , yesod ^>=1.6.1+ , yesod-auth+ , yesod-core+ , yesod-form+ , yesod-persistent ^>=1.6.0+ , yesod-test ^>=1.6.12 - Other-Modules:+ other-modules: ExampleApp ExampleProvider ExampleProviderOpts@@ -117,12 +110,8 @@ Yesod.Auth.OIDC Yesod.Auth.OIDCSpec -Test-Suite spec- Import: test-properties- Type: exitcode-stdio-1.0- Main-Is: Spec.hs- Build-Tool-Depends: hspec-discover:hspec-discover--Executable yesod-auth-oidc-test- Import: test-properties- Main-Is: Spec.hs+test-suite spec+ import: test-properties+ type: exitcode-stdio-1.0+ main-is: Spec.hs+ build-tool-depends: hspec-discover:hspec-discover