eeva/servant
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Include note about basic auth timing attacks

Browse source
This commit is contained in:
aaron levin 2016-01-26 23:50:26 +01:00
parent 459e82a8e0
commit ee04fbbe3a
1 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
servant/src/Servant/API/Auth.hs
View file

@ -13,7 +13,9 @@ import GHC.TypeLits (Symbol)
-- --
-- *IMPORTANT*: Only use Basic Auth over HTTPS! Credentials are not hashed or -- *IMPORTANT*: Only use Basic Auth over HTTPS! Credentials are not hashed or
-- encrypted. Note also that because the same credentials are sent on every -- encrypted. Note also that because the same credentials are sent on every
-- request, Basic Auth is not as secure as some alternatives. -- request, Basic Auth is not as secure as some alternatives. Further, the
-- implementation in servant-server does not protect against some types of
-- timing attacks.
-- --
-- In Basic Auth, username and password are base64-encoded and transmitted via -- In Basic Auth, username and password are base64-encoded and transmitted via
-- the @Authorization@ header. Handshakes are not required, making it -- the @Authorization@ header. Handshakes are not required, making it
@ -26,6 +28,7 @@ data BasicAuthData = BasicAuthData { basicAuthUsername :: !ByteString
, basicAuthPassword :: !ByteString , basicAuthPassword :: !ByteString
} }
-- | A generalized Authentication combinator. -- | A generalized Authentication combinator. Use this if you have a
-- non-standard authentication technique.
data AuthProtect (tag :: k) data AuthProtect (tag :: k)
deriving (Typeable) deriving (Typeable)