Authentication and Authorization

Authentication and authorization are two very related, and yet separate, concepts. While the former deals with identifying a user, the latter determines what a user is allowed to do. Unfortunately, since both terms are often abbreviated as “auth,” the concepts are often conflated.

Yesod provides built-in support for a number of third-party authentication systems, such as OpenID, BrowserID and OAuth. These are systems where your application trusts some external system for validating a user’s credentials. Additionally, there is support for more commonly used username/password and email/password systems. The former route ensures simplicity for users (no new passwords to remember) and implementors (no need to deal with an entire security architecture), while the latter gives the developer more control.

On the authorization side, we are able to take advantage of REST and type-safe URLs to create simple, declarative systems. Additionally, since all authorization code is written in Haskell, you have the full flexibility of the language at your disposal.

This chapter will cover how to set up an “auth” solution in Yesod and discuss some trade-offs in the different authentication options.

Overview

The yesod-auth package provides a unified interface for a number of different authentication plugins. The only real requirement for these backends is that they identify a user based on some unique string. In OpenID, for instance, this would be the actual OpenID value. In BrowserID, it’s the email address. For HashDB (which uses a database of hashed passwords), it’s the username.

Each authentication plugin provides its own system for logging in, whether it be via passing tokens with an external site or an email/password form. After a successful login, the plugin sets a value in the user’s session to indicate his/her AuthId. This AuthId is usually a Persistent ID from a table used for keeping track of users.

There are a few functions available for querying a user’s AuthId, most commonly maybeAuthId, requireAuthId, maybeAuth and requireAuth. The “require” versions will redirect to a login page if the user is not logged in, while the second set of functions (the ones not ending in Id) give both the table ID and entity value.

Since all of the storage of AuthId is built on top of sessions, all of the rules from there apply. In particular, the data is stored in an encrypted, HMACed client cookie, which automatically times out after a certain configurable period of inactivity. Additionally, since there is no server-side component to sessions, logging out simply deletes the data from the session cookie; if a user reuses an older cookie value, the session will still be valid.

You can replace the default client-side sessions with server side sessions, to provide a forced logout capability, if this is desired. Also, if you wish to secure your sessions from man in the middle (MITM) attacks, you should serve your site over SSL and harden your sessions via sslOnlySessions and sslOnlyMiddleware, as described in the sessions chapter.

On the flip side, authorization is handled by a few methods inside the Yesod typeclass. For every request, these methods are run to determine if access should be allowed, denied, or if the user needs to be authenticated. By default, these methods allow access for every request. Alternatively, you can implement authorization in a more ad-hoc way by adding calls to requireAuth and the like within individual handler functions, though this undermines many of the benefits of a declarative authorization system.

Authenticate Me

Let’s jump right in with an example of authentication. For the Google oAuth authentication to work you should follow these steps:

  1. Read on Google Developers Help how to obtain OAuth 2.0 credentials such as a client ID and client secret that are known to both Google and your application.

  2. Set Authorized redirect URIs to http://localhost:3000/auth/page/googleemail2/complete.

  3. Enable Google+ API and Contacts API.

  4. Once you have the clientId and secretId, replace them in the code below.

  1. {-# LANGUAGE MultiParamTypeClasses #-}
  2. {-# LANGUAGE OverloadedStrings #-}
  3. {-# LANGUAGE QuasiQuotes #-}
  4. {-# LANGUAGE TemplateHaskell #-}
  5. {-# LANGUAGE TypeFamilies #-}
  6. import Data.Default (def)
  7. import Data.Text (Text)
  8. import Network.HTTP.Client.Conduit (Manager, newManager)
  9. import Yesod
  10. import Yesod.Auth
  11. import Yesod.Auth.BrowserId
  12. import Yesod.Auth.GoogleEmail2
  13. -- Replace with Google client ID.
  14. clientId :: Text
  15. clientId = ""
  16. -- Replace with Google secret ID.
  17. clientSecret :: Text
  18. clientSecret = ""
  19. data App = App
  20. { httpManager :: Manager
  21. }
  22. mkYesod "App" [parseRoutes|
  23. / HomeR GET
  24. /auth AuthR Auth getAuth
  25. |]
  26. instance Yesod App where
  27. -- Note: In order to log in with BrowserID, you must correctly
  28. -- set your hostname here.
  29. approot = ApprootStatic "http://localhost:3000"
  30. instance YesodAuth App where
  31. type AuthId App = Text
  32. getAuthId = return . Just . credsIdent
  33. loginDest _ = HomeR
  34. logoutDest _ = HomeR
  35. authPlugins _ =
  36. [ authBrowserId def
  37. , authGoogleEmail clientId clientSecret
  38. ]
  39. authHttpManager = httpManager
  40. -- The default maybeAuthId assumes a Persistent database. We're going for a
  41. -- simpler AuthId, so we'll just do a direct lookup in the session.
  42. maybeAuthId = lookupSession "_ID"
  43. instance RenderMessage App FormMessage where
  44. renderMessage _ _ = defaultFormMessage
  45. getHomeR :: Handler Html
  46. getHomeR = do
  47. maid <- maybeAuthId
  48. defaultLayout
  49. [whamlet|
  50. <p>Your current auth ID: #{show maid}
  51. $maybe _ <- maid
  52. <p>
  53. <a href=@{AuthR LogoutR}>Logout
  54. $nothing
  55. <p>
  56. <a href=@{AuthR LoginR}>Go to the login page
  57. |]
  58. main :: IO ()
  59. main = do
  60. man <- newManager
  61. warp 3000 $ App man

We’ll start with the route declarations. First, we declare our standard HomeR route, and then we set up the authentication subsite. Remember that a subsite needs four parameters: the path to the subsite, the route name, the subsite name, and a function to get the subsite value. In other words, based on the line:

  1. /auth AuthR Auth getAuth

We need to have getAuth :: MyAuthSite → Auth. While we haven’t written that function ourselves, yesod-auth provides it automatically. With other subsites (like static files), we provide configuration settings in the subsite value, and therefore need to specify the get function. In the auth subsite, we specify these settings in a separate typeclass, YesodAuth.

Why not use the subsite value? There are a number of settings we would like to give for an auth subsite, and doing so from a record type would be inconvenient. Also, since we want to have an AuthId associated type, a typeclass is more natural. And why not use a typeclass for all subsites? It comes with a downside: you can then only have a single instance per site, disallowing serving different sets of static files from different routes. Also, the subsite value works better when we want to load data at app initialization.

So what exactly goes in this YesodAuth instance? There are six required declarations:

  • AuthId is an associated type. This is the value yesod-auth will give you when you ask if a user is logged in (via maybeAuthId or requireAuthId). In our case, we’re simply using Text, to store the raw identifier- email address in our case, as we’ll soon see.

  • getAuthId gets the actual AuthId from the Creds (credentials) data type. This type has three pieces of information: the authentication backend used (browserid or googleemail in our case), the actual identifier, and an associated list of arbitrary extra information. Each backend provides different extra information; see their docs for more information.

  • loginDest gives the route to redirect to after a successful login.

  • Likewise, logoutDest gives the route to redirect to after a logout.

  • authPlugins is a list of individual authentication backends to use. In our example, we’re using BrowserID, which logs in via Mozilla’s BrowserID system, and Google oAuth, which authenticates a user using their Google account. The somewhat advantage of BrowserID backends is:

    • It requires no set up, as opposed to Facebook or OAuth, which require setting up credentials.

    • It uses email addresses as identifiers, which people are comfortable with, as opposed to OpenID, which uses a URL.

  • authHttpManager gets an HTTP connection manager from the foundation type. This allows authentication backends which use HTTP connections (i.e., almost all third-party login systems) to share connections, avoiding the cost of restarting a TCP connection for each request.

In addition to these six methods, there are other methods available to control other behavior of the authentication system, such as what the login page looks like. For more information, please see the API documentation.

In our HomeR handler, we have some simple links to the login and logout pages, depending on whether or not the user is logged in. Notice how we construct these subsite links: first we give the subsite route name (AuthR), followed by the route within the subsite (LoginR and LogoutR).

The figures below show what the login process looks like from a user perspective.

Initial page load

Authentication and Authorization - 图1

BrowserID login screen

Authentication and Authorization - 图2

Homepage after logging in

Authentication and Authorization - 图3

Email

For many use cases, third-party authentication of email will be sufficient. Occasionally, you’ll want users to create passwords on your site. The scaffolded site does not include this setup, because:

  • In order to securely accept passwords, you need to be running over SSL. Many users are not serving their sites over SSL.

  • While the email backend properly salts and hashes passwords, a compromised database could still be problematic. Again, we make no assumptions that Yesod users are following secure deployment practices.

  • You need to have a working system for sending email. Many web servers these days are not equipped to deal with all of the spam protection measures used by mail servers.

The example below will use the system’s built-in sendmail executable. If you would like to avoid the hassle of dealing with an email server yourself, you can use Amazon SES. There is a package called mime-mail-ses which provides a drop-in replacement for the sendmail code used below. This is the approach I generally recommend, and what I use on most of my sites, including FP Haskell Center and Haskellers.com.

But assuming you are able to meet these demands, and you want to have a separate password login specifically for your site, Yesod offers a built-in backend. It requires quite a bit of code to set up, since it needs to store passwords securely in the database and send a number of different emails to users (verify account, password retrieval, etc.).

Let’s have a look at a site that provides email authentication, storing passwords in a Persistent SQLite database.

Even if you don’t have an email server, for debugging purposes the verification link is printed in the console.

  1. {-# LANGUAGE DeriveDataTypeable #-}
  2. {-# LANGUAGE FlexibleContexts #-}
  3. {-# LANGUAGE GADTs #-}
  4. {-# LANGUAGE GeneralizedNewtypeDeriving #-}
  5. {-# LANGUAGE MultiParamTypeClasses #-}
  6. {-# LANGUAGE OverloadedStrings #-}
  7. {-# LANGUAGE QuasiQuotes #-}
  8. {-# LANGUAGE TemplateHaskell #-}
  9. {-# LANGUAGE TypeFamilies #-}
  10. import Control.Monad (join)
  11. import Control.Monad.Logger (runNoLoggingT)
  12. import Data.Maybe (isJust)
  13. import Data.Text (Text, unpack)
  14. import qualified Data.Text.Lazy.Encoding
  15. import Data.Typeable (Typeable)
  16. import Database.Persist.Sqlite
  17. import Database.Persist.TH
  18. import Network.Mail.Mime
  19. import Text.Blaze.Html.Renderer.Utf8 (renderHtml)
  20. import Text.Hamlet (shamlet)
  21. import Text.Shakespeare.Text (stext)
  22. import Yesod
  23. import Yesod.Auth
  24. import Yesod.Auth.Email
  25. share [mkPersist sqlSettings { mpsGeneric = False }, mkMigrate "migrateAll"] [persistLowerCase|
  26. User
  27. email Text
  28. password Text Maybe -- Password may not be set yet
  29. verkey Text Maybe -- Used for resetting passwords
  30. verified Bool
  31. UniqueUser email
  32. deriving Typeable
  33. |]
  34. data App = App SqlBackend
  35. mkYesod "App" [parseRoutes|
  36. / HomeR GET
  37. /auth AuthR Auth getAuth
  38. |]
  39. instance Yesod App where
  40. -- Emails will include links, so be sure to include an approot so that
  41. -- the links are valid!
  42. approot = ApprootStatic "http://localhost:3000"
  43. yesodMiddleware = defaultCsrfMiddleware . defaultYesodMiddleware
  44. instance RenderMessage App FormMessage where
  45. renderMessage _ _ = defaultFormMessage
  46. -- Set up Persistent
  47. instance YesodPersist App where
  48. type YesodPersistBackend App = SqlBackend
  49. runDB f = do
  50. App conn <- getYesod
  51. runSqlConn f conn
  52. instance YesodAuth App where
  53. type AuthId App = UserId
  54. loginDest _ = HomeR
  55. logoutDest _ = HomeR
  56. authPlugins _ = [authEmail]
  57. -- Need to find the UserId for the given email address.
  58. getAuthId creds = runDB $ do
  59. x <- insertBy $ User (credsIdent creds) Nothing Nothing False
  60. return $ Just $
  61. case x of
  62. Left (Entity userid _) -> userid -- newly added user
  63. Right userid -> userid -- existing user
  64. authHttpManager = error "Email doesn't need an HTTP manager"
  65. instance YesodAuthPersist App
  66. -- Here's all of the email-specific code
  67. instance YesodAuthEmail App where
  68. type AuthEmailId App = UserId
  69. afterPasswordRoute _ = HomeR
  70. addUnverified email verkey =
  71. runDB $ insert $ User email Nothing (Just verkey) False
  72. sendVerifyEmail email _ verurl = do
  73. -- Print out to the console the verification email, for easier
  74. -- debugging.
  75. liftIO $ putStrLn $ "Copy/ Paste this URL in your browser:" ++ unpack verurl
  76. -- Send email.
  77. liftIO $ renderSendMail (emptyMail $ Address Nothing "noreply")
  78. { mailTo = [Address Nothing email]
  79. , mailHeaders =
  80. [ ("Subject", "Verify your email address")
  81. ]
  82. , mailParts = [[textPart, htmlPart]]
  83. }
  84. where
  85. textPart = Part
  86. { partType = "text/plain; charset=utf-8"
  87. , partEncoding = None
  88. , partFilename = Nothing
  89. , partContent = Data.Text.Lazy.Encoding.encodeUtf8
  90. [stext|
  91. Please confirm your email address by clicking on the link below.
  92. #{verurl}
  93. Thank you
  94. |]
  95. , partHeaders = []
  96. }
  97. htmlPart = Part
  98. { partType = "text/html; charset=utf-8"
  99. , partEncoding = None
  100. , partFilename = Nothing
  101. , partContent = renderHtml
  102. [shamlet|
  103. <p>Please confirm your email address by clicking on the link below.
  104. <p>
  105. <a href=#{verurl}>#{verurl}
  106. <p>Thank you
  107. |]
  108. , partHeaders = []
  109. }
  110. getVerifyKey = runDB . fmap (join . fmap userVerkey) . get
  111. setVerifyKey uid key = runDB $ update uid [UserVerkey =. Just key]
  112. verifyAccount uid = runDB $ do
  113. mu <- get uid
  114. case mu of
  115. Nothing -> return Nothing
  116. Just u -> do
  117. update uid [UserVerified =. True]
  118. return $ Just uid
  119. getPassword = runDB . fmap (join . fmap userPassword) . get
  120. setPassword uid pass = runDB $ update uid [UserPassword =. Just pass]
  121. getEmailCreds email = runDB $ do
  122. mu <- getBy $ UniqueUser email
  123. case mu of
  124. Nothing -> return Nothing
  125. Just (Entity uid u) -> return $ Just EmailCreds
  126. { emailCredsId = uid
  127. , emailCredsAuthId = Just uid
  128. , emailCredsStatus = isJust $ userPassword u
  129. , emailCredsVerkey = userVerkey u
  130. , emailCredsEmail = email
  131. }
  132. getEmail = runDB . fmap (fmap userEmail) . get
  133. getHomeR :: Handler Html
  134. getHomeR = do
  135. maid <- maybeAuthId
  136. defaultLayout
  137. [whamlet|
  138. <p>Your current auth ID: #{show maid}
  139. $maybe _ <- maid
  140. <p>
  141. <a href=@{AuthR LogoutR}>Logout
  142. $nothing
  143. <p>
  144. <a href=@{AuthR LoginR}>Go to the login page
  145. |]
  146. main :: IO ()
  147. main = runNoLoggingT $ withSqliteConn "email.db3" $ \conn -> liftIO $ do
  148. runSqlConn (runMigration migrateAll) conn
  149. warp 3000 $ App conn

Authorization

Once you can authenticate your users, you can use their credentials to authorize requests. Authorization in Yesod is simple and declarative: most of the time, you just need to add the authRoute and isAuthorized methods to your Yesod typeclass instance. Let’s see an example.

  1. {-# LANGUAGE MultiParamTypeClasses #-}
  2. {-# LANGUAGE OverloadedStrings #-}
  3. {-# LANGUAGE QuasiQuotes #-}
  4. {-# LANGUAGE TemplateHaskell #-}
  5. {-# LANGUAGE TypeFamilies #-}
  6. import Data.Default (def)
  7. import Data.Text (Text)
  8. import Network.HTTP.Conduit (Manager, newManager, tlsManagerSettings)
  9. import Yesod
  10. import Yesod.Auth
  11. import Yesod.Auth.Dummy -- just for testing, don't use in real life!!!
  12. data App = App
  13. { httpManager :: Manager
  14. }
  15. mkYesod "App" [parseRoutes|
  16. / HomeR GET POST
  17. /admin AdminR GET
  18. /auth AuthR Auth getAuth
  19. |]
  20. instance Yesod App where
  21. authRoute _ = Just $ AuthR LoginR
  22. -- route name, then a boolean indicating if it's a write request
  23. isAuthorized HomeR True = isAdmin
  24. isAuthorized AdminR _ = isAdmin
  25. -- anyone can access other pages
  26. isAuthorized _ _ = return Authorized
  27. isAdmin = do
  28. mu <- maybeAuthId
  29. return $ case mu of
  30. Nothing -> AuthenticationRequired
  31. Just "admin" -> Authorized
  32. Just _ -> Unauthorized "You must be an admin"
  33. instance YesodAuth App where
  34. type AuthId App = Text
  35. getAuthId = return . Just . credsIdent
  36. loginDest _ = HomeR
  37. logoutDest _ = HomeR
  38. authPlugins _ = [authDummy]
  39. authHttpManager = httpManager
  40. maybeAuthId = lookupSession "_ID"
  41. instance RenderMessage App FormMessage where
  42. renderMessage _ _ = defaultFormMessage
  43. getHomeR :: Handler Html
  44. getHomeR = do
  45. maid <- maybeAuthId
  46. defaultLayout
  47. [whamlet|
  48. <p>Note: Log in as "admin" to be an administrator.
  49. <p>Your current auth ID: #{show maid}
  50. $maybe _ <- maid
  51. <p>
  52. <a href=@{AuthR LogoutR}>Logout
  53. <p>
  54. <a href=@{AdminR}>Go to admin page
  55. <form method=post>
  56. Make a change (admins only)
  57. \ #
  58. <input type=submit>
  59. |]
  60. postHomeR :: Handler ()
  61. postHomeR = do
  62. setMessage "You made some change to the page"
  63. redirect HomeR
  64. getAdminR :: Handler Html
  65. getAdminR = defaultLayout
  66. [whamlet|
  67. <p>I guess you're an admin!
  68. <p>
  69. <a href=@{HomeR}>Return to homepage
  70. |]
  71. main :: IO ()
  72. main = do
  73. manager <- newManager tlsManagerSettings
  74. warp 3000 $ App manager

authRoute should be your login page, almost always AuthR LoginR. isAuthorized is a function that takes two parameters: the requested route, and whether or not the request was a “write” request. You can actually change the meaning of what a write request is using the isWriteRequest method, but the out-of-the-box version follows RESTful principles: anything but a GET, HEAD, OPTIONS or TRACE request is a write request.

What’s convenient about the body of isAuthorized is that you can run any Handler code you want. This means you can:

  • Access the filesystem (normal IO)

  • Lookup values in the database

  • Pull any session or request values you want

Using these techniques, you can develop as sophisticated an authorization system as you like, or even tie into existing systems used by your organization.

Conclusion

This chapter covered the basics of setting up user authentication, as well as how the built-in authorization functions provide a simple, declarative approach for users. While these are complicated concepts, with many approaches, Yesod should provide you with the building blocks you need to create your own customized auth solution.