hails- Multi-app web platform framework

Safe Haskell: Trustworthy




This module exports generic definitions for Wai-authentication pipelines in Hails. requireLoginMiddleware looks for the X-Hails-Login header in an Application's Response and, if present, responds to the user with an authentication request instead of the Application response (e.g., a redirect to a login page or an HTTP response with status 401).

Additionally, this module exports authentication Middlewares for basic HTTP authentication (devBasicAuth, useful in development environments) and federated (OpenID) authentication (openIdAuth). In general, authentication Middlewares are expected to set the X-Hails-User header on the request if it is from an authenticated user.



requireLoginMiddleware :: IO Response -> Middleware

Executes the app and, if the app Response has the header X-Hails-Login and the user is not logged in, responds with an authentication response (Basic Auth, redirect, etc.).


Persona (BrowserID)

personaAuth :: ByteString -> Text -> Middleware

Authenticate a user with Mozilla's Persona. If the X-Hails-Persona-Login header is set, this intercepts the request and verifies the identity assertion supplied in the request body.

If the authentication is successful, this sets the _hails_user and _hails_user_hmac cookies to identify the user. The former contains the user's email address; the latter contains the MAC that is used for verification in later requests.

If the X-Hails-Persona-Logout header is set, this intercepts the request and deletes the aforementioned cookies.

If the app wishes the user to authenticate (by setting X-Hails-Login), this redirects to audience/login, where the app can call navigator.request().


openIdAuth
  :: Text -- ^ OpenID Provider
  -> Middleware

Perform OpenID authentication.

Authenticate with external app

externalAuth :: ByteString -> String -> Middleware

Use an external authentication service that sets cookies. The cookie names are _hails_user, which contains the user-name, and _hails_user_hmac, which contains HMAC-SHA1(user-name). This function simply checks that the cookie exists and the MAC'd user name is correct. If this is the case, it returns a request with the cookie removed and the x-hails-user header set. Otherwise the original request is returned. The login service returns a redirect (to the provided url). Additionally, the cookie _hails_refer is set to the current URL (scheme://domain:port/path).
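
The cookie check described for externalAuth (and the cookie pair personaAuth sets), modelled from both sides as an added example; this is not Hails code. Python is used because the external login service need not be written in Haskell. Assumptions: the MAC is hex-encoded, the helper names are hypothetical, and dropping a client-supplied x-hails-user header is a precaution of this sketch rather than behaviour the page documents.

```python
import hashlib
import hmac

USER, MAC, HEADER = "_hails_user", "_hails_user_hmac", "x-hails-user"


def _mac(key: bytes, user: str) -> str:
    # HMAC-SHA1(user-name) as on the page; hex encoding is an assumption.
    return hmac.new(key, user.encode(), hashlib.sha1).hexdigest()


def issue_cookies(key: bytes, user: str) -> dict:
    """External login service side: cookies set after a successful login."""
    return {USER: user, MAC: _mac(key, user)}


def parse_cookies(header: str) -> dict:
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}


def authenticate(key: bytes, headers: dict) -> dict:
    """Middleware side: return the request headers the application will see."""
    # Precaution added in this sketch: a client-supplied x-hails-user is never
    # passed through, so only a verified cookie pair can set it.
    out = {k.lower(): v for k, v in headers.items() if k.lower() != HEADER}
    cookies = parse_cookies(out.get("cookie", ""))
    user, mac = cookies.get(USER), cookies.get(MAC)
    if user is None or mac is None:
        return out
    # Constant-time comparison: timing must not reveal a partial MAC match.
    if not hmac.compare_digest(_mac(key, user).encode(), mac.encode()):
        return out
    # Verified: strip both auth cookies and identify the user via the header.
    rest = "; ".join(f"{n}={v}" for n, v in cookies.items() if n not in (USER, MAC))
    out.pop("cookie")
    if rest:
        out["cookie"] = rest
    out[HEADER] = user
    return out


# Constructed sample data: key, user names and the unrelated "theme" cookie.
KEY = b"constructed-demo-key"
good = issue_cookies(KEY, "alice@example.org")
GOOD_REQ = {"Cookie": f"theme=dark; {USER}={good[USER]}; {MAC}={good[MAC]}"}
FORGED_REQ = {"Cookie": f"{USER}=bob@example.org; {MAC}={good[MAC]}",
              "X-Hails-User": "bob@example.org"}
```

Because the MAC covers only the user-name, a cookie pair stays valid for as long as the key does; expiry or revocation has to come from rotating the key or from the login service.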

Development: basic authentication

devBasicAuth :: Middleware

Basic HTTP authentication middleware for development. Accepts any username and password.