-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | Server implementation of the Avers API
--   
--   See README.md
@package avers-server
@version 0.0.5

module Avers.Server
serveAversCoreAPI :: Handle -> Authorizations -> Server AversCoreAPI
serveAversSessionAPI :: Handle -> Server AversSessionAPI

-- | Convert the <a>Credentials</a> into an <a>ObjId</a> to which the
--   ceredentials refer. That's the object the client is authenticated as.
credentialsObjId :: Handle -> Credentials -> ExceptT ServantErr IO ObjId

-- | Defines all the authorization points which are used in the server. For
--   each you can supply your own logic. The default is to allow
--   everything.
data Authorizations
Authorizations :: (Credentials -> Text -> Authz) -> (Credentials -> ObjId -> Authz) -> Authorizations
[createObjectAuthz] :: Authorizations -> Credentials -> Text -> Authz
[lookupObjectAuthz] :: Authorizations -> Credentials -> ObjId -> Authz

-- | Authorization logic is implemented as a list of <a>Avers</a> actions,
--   each of which we call a <tt>module</tt> and returns a result
--   (<a>AuthzR</a>), which determines what happens next.
type Authz = [Avers AuthzR]

-- | The result of a single module is either <a>ContinueR</a>, which means
--   we continue executing following modules, <a>AllowR</a> which means
--   that the action is allowed and any following modules are skipped, or
--   <tt>RejcetR</tt> which means that the action is rejected and following
--   modules are skipped as well.
data AuthzR
ContinueR :: AuthzR
AllowR :: AuthzR
RejectR :: AuthzR
defaultAuthorizations :: Authorizations

-- | Run the authorization logic inside of the Servant monad.
runAuthorization :: Handle -> Authz -> ExceptT ServantErr IO ()

-- | This doesn't change the result, but allows you to run arbitrary
--   <a>Avers</a> actions. This is useful for debugging.
trace :: Avers () -> Avers AuthzR

-- | If the given <a>Avers</a> action returns <a>True</a>, it is sufficient
--   to pass the authorization check.
sufficient :: Avers Bool -> Avers AuthzR

-- | The given <a>Avers</a> action must return <a>True</a> for this
--   authorization check to pass.
requisite :: Avers Bool -> Avers AuthzR