Assignee: Pavan Rikhi
Target version: v0.9.0 - Admin
Storing the API key in localStorage isn't too safe since other scripts can inspect the values. We should store it in cookies instead. We'll have to show the cookie warning for EU countries, but we'd have to anyway since Google Analytics is storing cookies for us already.
There is a servant-auth-cookie package we can use, along with a short guide on setting everything up:
[#1399] Add Initial Cookie Authentication Architecture
Modify the server's Auth module, adding new functions & type instances
for using Cookie Authentication for routes via the servant-auth-cookie
package. Session settings are available for permanent & temporary
logins. The `addSessionCookie` function sets the cookie value and the
`withCookie` function pulls the `AuthToken` from an existing cookie or
throws a 403 error.
The Config type has new fields for the secret key used to encrypt
cookies, as well as the entropy generator for cookie generation.
The server executable initializes the entropy generator & pulls the
cookie secret from the `COOKIE_SECRET` environment variable.
[#1399] Add Additional Authorization Helpers
Add withValidatedCookie & validateCookieAndParameters functions to the
server's Auth module for checking the AuthToken in a Cookie against the
database, and for checking both the AuthToken using the validateToken
function and route parameters using the Validation typeclass.
[#1399] Migrate API Routes to Cookie Authentication
Change the route declarations in the Customers, Carts, & Checkout route
modules to take a WrappedAuthToken instead of an AuthToken, using either
the withValidatedCookie or validateCookieAndParameters functions to pull
out the AuthToken from the request cookies.
Have the Register, Login, Reset Password, & Anonymous Place Order routes set a
temporary session cookie when the route processing is successful.
Remove the AuthToken from the Authorize route's parameters, pulling it
from the Cookie instead.
In a future commit, the login route will be changed to pick between a
temporary session & permanent session if the user has checked the
"remember me" checkbox. We also need to add a Logout route that removes
the session cookie.
[#1399] Remove Auth Token From Client API Requests
Remove all traces of the authToken from the client code, since that is
now transparently stored in the browser cookies. This includes startup
flags, ports, API requests, & the User type.
indicate authorization changes from other tabs.
#7 Updated by Pavan Rikhi about 2 months ago
Template that uses cookie auth: https://github.com/sboehler/servant-starter-app
Another tutorial: https://sigrlami.eu/en/content/notes/servant-cookie-auth.html
Haddock docs: https://hackage.haskell.org/package/servant-auth-cookie-0.5.0.5/docs/Servant-Server-Experimental-Auth-Cookie.html
Session expiration type value to handle #1158 (or set a max age of 0?)