Safe Haskell | None |
---|---|
Language | Haskell2010 |
Extensions |
|
Validation of JWT claims
Synopsis
- data ValidationSettings = Settings {}
- defaultValidationSettings :: ValidationSettings
- runValidation :: MonadTime m => ValidationSettings -> JwtValidation pc any -> Payload pc any -> m (ValidationNEL ValidationFailure Valid)
- type ValidationNEL a b = Validation (NonEmpty a) b
- data Valid
- type Check pc ns = Payload pc ns -> ValidationNEL ValidationFailure Valid
- data JwtValidation pc any
- validation :: Check pc any -> JwtValidation pc any
- invalid :: ValidationFailure -> ValidationNEL ValidationFailure Valid
- valid :: ValidationNEL ValidationFailure Valid
- checkIssuer :: String -> JwtValidation any1 any2
- checkSubject :: String -> JwtValidation any1 any2
- checkAge :: NominalDiffTime -> JwtValidation any1 any2
- checkIssuedAfter :: UTCTime -> JwtValidation any1 any2
- checkJwtId :: UUID -> JwtValidation any1 any2
- checkClaim :: (CanGet n pc, a ~ LookupClaimType n pc) => (a -> Bool) -> ClaimName n -> JwtValidation pc any
- check :: String -> (a -> Bool) -> (Payload pc any -> a) -> JwtValidation pc any
- data ValidationFailure
Documentation
data ValidationSettings Source #
User-defined parameters of a validation
Instances
Show ValidationSettings Source # | |
Defined in Libjwt.JwtValidation showsPrec :: Int -> ValidationSettings -> ShowS # show :: ValidationSettings -> String # showList :: [ValidationSettings] -> ShowS # |
defaultValidationSettings :: ValidationSettings Source #
ValidationSettings with leeway set to 0 and appName set to Nothing
runValidation
:: MonadTime m | |
=> ValidationSettings | leeway and appName |
-> JwtValidation pc any | v |
-> Payload pc any | payload |
-> m (ValidationNEL ValidationFailure Valid) |
Run checks against the payload.
The exact set of checks is: defaultValidationRules <> v, where v is passed to this function and defaultValidationRules is:
- check exp claim against the current time (minus possible leeway),
- check nbf claim against the current time (plus possible leeway),
- check aud claim against appName
The default rules do not look at iss, sub, iat or jti; those claims are checked only when the corresponding checks (checkIssuer, checkSubject, checkAge, checkIssuedAfter, checkJwtId) are included in v.
See the docs of ValidationFailure for a list of possible errors.
type ValidationNEL a b = Validation (NonEmpty a) b Source #
type Check pc ns = Payload pc ns -> ValidationNEL ValidationFailure Valid Source #
data JwtValidation pc any Source #
Instances
Semigroup (JwtValidation pc any) Source # | |
Defined in Libjwt.JwtValidation (<>) :: JwtValidation pc any -> JwtValidation pc any -> JwtValidation pc any # sconcat :: NonEmpty (JwtValidation pc any) -> JwtValidation pc any # stimes :: Integral b => b -> JwtValidation pc any -> JwtValidation pc any # | |
Monoid (JwtValidation any1 any2) Source # | |
Defined in Libjwt.JwtValidation mempty :: JwtValidation any1 any2 # mappend :: JwtValidation any1 any2 -> JwtValidation any1 any2 -> JwtValidation any1 any2 # mconcat :: [JwtValidation any1 any2] -> JwtValidation any1 any2 # |
validation :: Check pc any -> JwtValidation pc any Source #
Construct validation from function
invalid
:: ValidationFailure | reason |
-> ValidationNEL ValidationFailure Valid |
Validation that always fails and signals reason
valid :: ValidationNEL ValidationFailure Valid Source #
Validation that is always valid
checkIssuer
:: String | issuer |
-> JwtValidation any1 any2 |
Check that iss is present and equal to issuer. If not, then signal InvalidClaim "iss"
checkSubject
:: String | subject |
-> JwtValidation any1 any2 |
Check that sub is present and equal to subject. If not, then signal InvalidClaim "sub"
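checkAge
:: NominalDiffTime | maxAge |
-> JwtValidation any1 any2 |
Check that iat (if present) is not further than maxAge from currentTime (minus possible leeway). Otherwise signal TokenTooOld.
Because the check applies only when iat is present, a token that carries no iat claim passes it.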
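checkIssuedAfter
:: UTCTime | time |
-> JwtValidation any1 any2 |
Check that iat (if present) is after time. If false, signal InvalidClaim "iat".
Because the check applies only when iat is present, a token that carries no iat claim passes it.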
checkJwtId
:: UUID | jwtId |
-> JwtValidation any1 any2 |
Check that jti is present and equal to jwtId. If not, then signal InvalidClaim "jti"
checkClaim
:: (CanGet n pc, a ~ LookupClaimType n pc) | |
=> (a -> Bool) | p |
-> ClaimName n | n |
-> JwtValidation pc any |
Check that p a == True, where a is a value of private claim n. If not, signal InvalidClaim n
Example:
checkClaim not #is_root
check
:: String | claim |
-> (a -> Bool) | p |
-> (Payload pc any -> a) | prop |
-> JwtValidation pc any |
Check the property prop of a payload with the predicate p. If p is False, then signal InvalidClaim claim
data ValidationFailure Source #
Reasons for rejecting a JWT token
InvalidClaim String | User check failed |
TokenExpired NominalDiffTime | exp check failed: the current time was after or equal to the expiration time (plus possible leeway) |
TokenNotReady NominalDiffTime | nbf check failed: the current time was before the not-before time (minus possible leeway) |
WrongRecipient | aud check failed: the application processing this claim did not identify itself (appName) with a value in the aud claim |
TokenTooOld NominalDiffTime | iat check failed: the current time minus the time the JWT was issued (plus possible leeway) was greater than the allowed maximum age |
Instances
Eq ValidationFailure Source # | |
Defined in Libjwt.JwtValidation (==) :: ValidationFailure -> ValidationFailure -> Bool # (/=) :: ValidationFailure -> ValidationFailure -> Bool # | |
Show ValidationFailure Source # | |
Defined in Libjwt.JwtValidation showsPrec :: Int -> ValidationFailure -> ShowS # show :: ValidationFailure -> String # showList :: [ValidationFailure] -> ShowS # |