Each user is uniquely identified by a username.

Route for the default new account page.

See the New Account section below for customizing the new account process.

Route for the reset password page.

This page allows the user to reset their password by requesting an email with a reset URL be sent to them. See the Password Reset section below for customization.

The account authentication plugin. Here is a complete example using persistent 2.1 and yesod 1.4.

{-# LANGUAGE QuasiQuotes, TypeFamilies, GeneralizedNewtypeDeriving #-}
{-# LANGUAGE FlexibleContexts, FlexibleInstances, TemplateHaskell, OverloadedStrings #-}
{-# LANGUAGE GADTs, MultiParamTypeClasses, TypeSynonymInstances #-}

import Data.Text (Text)
import Data.ByteString (ByteString)
import Database.Persist.Sqlite
import Control.Monad.Logger (runStderrLoggingT)
import Yesod
import Yesod.Auth
import Yesod.Auth.Account

share [mkPersist sqlSettings, mkMigrate "migrateAll"] [persistUpperCase|
User
    username Text
    UniqueUsername username
    password ByteString
    emailAddress Text
    UniqueEmailAddress emailAddress
    verified Bool
    verifyKey Text
    resetPasswordKey Text
    deriving Show
|]

instance PersistUserCredentials User where
    userUsernameF = UserUsername
    userPasswordHashF = UserPassword
    userEmailF = UserEmailAddress
    userEmailVerifiedF = UserVerified
    userEmailVerifyKeyF = UserVerifyKey
    userResetPwdKeyF = UserResetPasswordKey
    uniqueUsername = UniqueUsername
    uniqueEmailaddress = UniqueEmailAddress

    userCreate name email key pwd = User name pwd email False key ""

data MyApp = MyApp ConnectionPool

mkYesod "MyApp" [parseRoutes|
/ HomeR GET
/auth AuthR Auth getAuth
|]

instance Yesod MyApp

instance RenderMessage MyApp FormMessage where
    renderMessage _ _ = defaultFormMessage

instance YesodPersist MyApp where
    type YesodPersistBackend MyApp = SqlBackend
    runDB action = do
        MyApp pool <- getYesod
        runSqlPool action pool

instance YesodAuth MyApp where
    type AuthId MyApp = Username
    getAuthId = return . Just . credsIdent
    loginDest _ = HomeR
    logoutDest _ = HomeR
    authPlugins _ = [accountPlugin]
    authHttpManager _ = error "No manager needed"
    onLogin = return ()
    maybeAuthId = lookupSession credsKey

instance AccountSendEmail MyApp

instance YesodAuthAccount (AccountPersistDB MyApp User) MyApp where
    runAccountDB = runAccountPersistDB
    getTextId _ = return

getHomeR :: Handler Html
getHomeR = do
    maid <- maybeAuthId
    case maid of
        Nothing -> defaultLayout $ [whamlet|
<p>Please visit the <a href="@{AuthR LoginR}">Login page</a>
|]
        Just u -> defaultLayout $ [whamlet|
<p>You are logged in as #{u}
<p><a href="@{AuthR LogoutR}">Logout</a>
|]

main :: IO ()
main = runStderrLoggingT $ withSqlitePool "test.db3" 10 $ \pool -> do
    runSqlPool (runMigration migrateAll) pool
    liftIO $ warp 3000 $ MyApp pool

The data collected in the login form.

The login form.

You can embed this form into your own pages if you want a custom rendering of this form or to include a login form on your own pages. The form submission should be posted to loginFormPostTargetR.

The POST target for the loginForm.

A default rendering of loginForm using renderDivs.

This is the widget used in the default implementation of loginHandler. The widget also includes links to the new account and reset password pages.

The URL sent in an email for email verification

The data collected in the new account form.

The new account form.

You can embed this form into your own pages or into getNewAccountR. The form submission should be posted to newAccountR. Alternatively, you could embed this form into a larger form where you prompt for more information during account creation. In this case, the NewAccountData should be passed to createNewAccount from inside postNewAccountR.

A default rendering of the newAccountForm using renderDivs.

An action to create a new account.

You can use this action inside your own implementation of postNewAccountR if you add additional fields to the new account creation. This action assumes the user has not yet been created in the database and will create the user, so this action should be run first in your handler. Note that this action does not check if the passwords are equal. If an error occurs (username exists, etc.) this will set a message and redirect to newAccountR.

A form to allow the user to request the email validation be resent.

Intended for use in unregisteredLogin. The result should be posted to resendVerifyR.

The POST target for resending a verification email

A default rendering of resendVerifyEmailForm

The URL sent in an email when the user requests to reset their password

Choose a new password while logged in

A form for the user to request that an email be sent to them to allow them to reset their password. This form contains a field for the username (plus the CSRF token). The form should be posted to resetPasswordR.

A default rendering of resetPasswordForm.

The data for setting a new password.

The form for setting a new password. It contains hidden fields for the username and key, and optionally a field for the user to input its current password, besides the new passwords. This form should be posted to setPasswordR.

The POST target for reseting the password

A default rendering of newPasswordForm.

Interface for the data type which stores the user info when not using persistent.

You must make a data type that is either an instance of this class or of PersistUserCredentials, depending on if you are using persistent or not.

Users are uniquely identified by their username or their email, and for each user we must store the email, the verify status, a hashed user password, and a reset password key. The format for the hashed password is the format from Crypto.PasswordStore. If the email has been verified and no password reset is in progress, the relevent keys should be the empty string.

Interface for the data type which stores the user info when using persistent.

You must make a data type that is either an instance of this class or of UserCredentials, depending on if you are using persistent or not.

These are the database operations to load and update user data.

Persistent users can use AccountPersistDB and don't need to create their own instance. If you are not using persistent or are using persistent but want to customize the database activity, you must manually make a monad an instance of this class. You can use any monad for which you can write runAccountDB, but typically the monad will be a newtype of HandlerT. For example,

newtype MyAccountDB a = MyAccountDB {runMyAccountDB :: HandlerT MyApp IO a}
   deriving (Monad, MonadIO)
instance AccountDB MyAccountDB where
    ....

A class to send email.

Both of the methods are implemented by default to just log a message, so during development there are no required methods. For production, I recommend http://hackage.haskell.org/package/mime-mail.

A newtype which when using persistent is an instance of AccountDB.

Use this for runAccountDB if you are using AccountPersistDB as your database type.

The main class controlling the account plugin.

You must make your database instance of AccountDB and your master site an instance of this class. The only required method is runAccountDB, although this class contains many other methods to customize the behavior of the account plugin.

Continuing the example from the manual creation of AccountDB, a minimal instance is

instance YesodAuthAccount MyAccountDB MyApp where
    runAccountDB = runMyAccountDB

If instead you are using persistent and have made an instance of PersistUserCredentials, a minimal instance is

instance YesodAuthAccount (AccountPersistDB MyApp User) MyApp where
   runAccountDB = runAccountPersistDB

Salt and hash a password.

Verify a password

Randomly create a new verification key.