439 lines
18 KiB
Text
439 lines
18 KiB
Text
# Authentication in Servant
|
|
|
|
Once you've established the basic routes and semantics of your API, it's time
|
|
to consider protecting parts of it. Authentication and authorization are broad
|
|
and nuanced topics; as servant began to explore this space we started small
|
|
with one of HTTP's earliest authentication schemes: [Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
|
|
|
|
Servant `0.5` shipped with out-of-the-box support for Basic Authentication.
|
|
However, we recognize that every web application is its own beautiful snowflake
|
|
and are offering experimental support for generalized or ad-hoc authentication.
|
|
|
|
In this tutorial we'll build two APIs. One protecting certain routes with Basic
|
|
Authentication and another protecting the same routes with a custom, in-house
|
|
authentication scheme.
|
|
|
|
## Basic Authentication
|
|
|
|
When protecting endpoints with basic authentication, we need to specify two
|
|
items:
|
|
|
|
1. The **realm** of authentication as per the Basic Authentication spec.
|
|
2. The datatype returned by the server after authentication is verified. This
|
|
is usually a `User` or `Customer` datatype.
|
|
|
|
With those two items in mind, *servant* provides the following combinator:
|
|
|
|
``` haskell ignore
|
|
data BasicAuth (realm :: Symbol) (userData :: *)
|
|
```
|
|
|
|
You can use this combinator to protect an API as follows:
|
|
|
|
```haskell
|
|
{-# LANGUAGE DataKinds #-}
|
|
{-# LANGUAGE DeriveGeneric #-}
|
|
{-# LANGUAGE FlexibleContexts #-}
|
|
{-# LANGUAGE FlexibleInstances #-}
|
|
{-# LANGUAGE MultiParamTypeClasses #-}
|
|
{-# LANGUAGE OverloadedStrings #-}
|
|
{-# LANGUAGE ScopedTypeVariables #-}
|
|
{-# LANGUAGE TypeFamilies #-}
|
|
{-# LANGUAGE TypeOperators #-}
|
|
{-# LANGUAGE UndecidableInstances #-}
|
|
|
|
module Authentication where
|
|
|
|
import Data.Aeson (ToJSON)
|
|
import Data.ByteString (ByteString)
|
|
import Data.Map (Map, fromList)
|
|
import qualified Data.Map as Map
|
|
import Data.Proxy (Proxy (Proxy))
|
|
import Data.Text (Text)
|
|
import GHC.Generics (Generic)
|
|
import Network.Wai (Request, requestHeaders)
|
|
import Network.Wai.Handler.Warp (run)
|
|
import Servant.API ((:<|>) ((:<|>)), (:>), BasicAuth,
|
|
Get, JSON)
|
|
import Servant.API.BasicAuth (BasicAuthData (BasicAuthData))
|
|
import Servant.API.Experimental.Auth (AuthProtect)
|
|
import Servant (throwError)
|
|
import Servant.Server (BasicAuthCheck (BasicAuthCheck),
|
|
BasicAuthResult( Authorized
|
|
, Unauthorized
|
|
),
|
|
Context ((:.), EmptyContext),
|
|
err401, err403, errBody, Server,
|
|
serveWithContext, Handler)
|
|
import Servant.Server.Experimental.Auth (AuthHandler, AuthServerData,
|
|
mkAuthHandler)
|
|
import Servant.Server.Experimental.Auth()
|
|
import Web.Cookie (parseCookies)
|
|
|
|
-- | private data that needs protection
|
|
newtype PrivateData = PrivateData { ssshhh :: Text }
|
|
deriving (Eq, Show, Generic)
|
|
|
|
instance ToJSON PrivateData
|
|
|
|
-- | public data that anyone can use.
|
|
newtype PublicData = PublicData { somedata :: Text }
|
|
deriving (Eq, Show, Generic)
|
|
|
|
instance ToJSON PublicData
|
|
|
|
-- | A user we'll grab from the database when we authenticate someone
|
|
newtype User = User { userName :: Text }
|
|
deriving (Eq, Show)
|
|
|
|
-- | a type to wrap our public api
|
|
type PublicAPI = Get '[JSON] [PublicData]
|
|
|
|
-- | a type to wrap our private api
|
|
type PrivateAPI = Get '[JSON] PrivateData
|
|
|
|
-- | our API
|
|
type BasicAPI = "public" :> PublicAPI
|
|
:<|> "private" :> BasicAuth "foo-realm" User :> PrivateAPI
|
|
|
|
-- | a value holding a proxy of our API type
|
|
basicAuthApi :: Proxy BasicAPI
|
|
basicAuthApi = Proxy
|
|
```
|
|
|
|
You can see that we've prefixed our public API with "public" and our private
|
|
API with "private." Additionally, the private parts of our API use the
|
|
`BasicAuth` combinator to protect them under a Basic Authentication scheme (the
|
|
realm for this authentication is `"foo-realm"`).
|
|
|
|
Unfortunately we're not done. When someone makes a request to our `"private"`
|
|
API, we're going to need to provide to servant the logic for validating
|
|
usernames and passwords. This adds a certain conceptual wrinkle in servant's
|
|
design that we'll briefly discuss. If you want the **TL;DR**: we supply a lookup
|
|
function to servant's new `Context` primitive.
|
|
|
|
Until now, all of servant's API combinators extracted information from a request
|
|
or dictated the structure of a response (e.g. a `Capture` param is pulled from
|
|
the request path). Now consider an API resource protected by basic
|
|
authentication. Once the required `WWW-Authenticate` header is checked, we need
|
|
to verify the username and password. But how? One solution would be to force an
|
|
API author to provide a function of type `BasicAuthData -> Handler User`
|
|
and servant should use this function to authenticate a request. Unfortunately
|
|
this didn't work prior to `0.5` because all of servant's machinery was
|
|
engineered around the idea that each combinator can extract information from
|
|
only the request. We cannot extract the function
|
|
`BasicAuthData -> Handler User` from a request! Are we doomed?
|
|
|
|
Servant `0.5` introduced `Context` to handle this. The type machinery is beyond
|
|
the scope of this tutorial, but the idea is simple: provide some data to the
|
|
`serve` function, and that data is propagated to the functions that handle each
|
|
combinator. Using `Context`, we can supply a function of type
|
|
`BasicAuthData -> Handler User` to the `BasicAuth` combinator
|
|
handler. This will allow the handler to check authentication and return a `User`
|
|
to downstream handlers if successful.
|
|
|
|
In practice we wrap `BasicAuthData -> Handler` into a slightly
|
|
different function to better capture the semantics of basic authentication:
|
|
|
|
``` haskell ignore
|
|
-- | The result of authentication/authorization
|
|
data BasicAuthResult usr
|
|
= Unauthorized
|
|
| BadPassword
|
|
| NoSuchUser
|
|
| Authorized usr
|
|
deriving (Eq, Show, Read, Generic, Typeable, Functor)
|
|
|
|
-- | Datatype wrapping a function used to check authentication.
|
|
newtype BasicAuthCheck usr = BasicAuthCheck
|
|
{ unBasicAuthCheck :: BasicAuthData
|
|
-> IO (BasicAuthResult usr)
|
|
}
|
|
deriving (Generic, Typeable, Functor)
|
|
```
|
|
|
|
We now use this datatype to supply servant with a method to authenticate
|
|
requests. In this simple example the only valid username and password is
|
|
`"servant"` and `"server"`, respectively, but in a real, production application
|
|
you might do some database lookup here.
|
|
|
|
```haskell
|
|
-- | 'BasicAuthCheck' holds the handler we'll use to verify a username and password.
|
|
authCheck :: BasicAuthCheck User
|
|
authCheck =
|
|
let check (BasicAuthData username password) =
|
|
if username == "servant" && password == "server"
|
|
then return (Authorized (User "servant"))
|
|
else return Unauthorized
|
|
in BasicAuthCheck check
|
|
```
|
|
|
|
And now we create the `Context` used by servant to find `BasicAuthCheck`:
|
|
|
|
```haskell
|
|
-- | We need to supply our handlers with the right Context. In this case,
|
|
-- Basic Authentication requires a Context Entry with the 'BasicAuthCheck' value
|
|
-- tagged with "foo-tag" This context is then supplied to 'server' and threaded
|
|
-- to the BasicAuth HasServer handlers.
|
|
basicAuthServerContext :: Context (BasicAuthCheck User ': '[])
|
|
basicAuthServerContext = authCheck :. EmptyContext
|
|
```
|
|
|
|
We're now ready to write our `server` method that will tie everything together:
|
|
|
|
```haskell
|
|
-- | an implementation of our server. Here is where we pass all the handlers to our endpoints.
|
|
-- In particular, for the BasicAuth protected handler, we need to supply a function
|
|
-- that takes 'User' as an argument.
|
|
basicAuthServer :: Server BasicAPI
|
|
basicAuthServer =
|
|
let publicAPIHandler = return [PublicData "foo", PublicData "bar"]
|
|
privateAPIHandler (user :: User) = return (PrivateData (userName user))
|
|
in publicAPIHandler :<|> privateAPIHandler
|
|
```
|
|
|
|
Finally, our main method and a sample session working with our server:
|
|
|
|
```haskell
|
|
-- | hello, server!
|
|
basicAuthMain :: IO ()
|
|
basicAuthMain = run 8080 (serveWithContext basicAuthApi
|
|
basicAuthServerContext
|
|
basicAuthServer
|
|
)
|
|
|
|
{- Sample session
|
|
|
|
$ curl -XGET localhost:8080/public
|
|
[{"somedata":"foo"},{"somedata":"bar"}
|
|
|
|
$ curl -iXGET localhost:8080/private
|
|
HTTP/1.1 401 Unauthorized
|
|
transfer-encoding: chunked
|
|
Date: Thu, 07 Jan 2016 22:36:38 GMT
|
|
Server: Warp/3.1.8
|
|
WWW-Authenticate: Basic realm="foo-realm"
|
|
|
|
$ curl -iXGET localhost:8080/private -H "Authorization: Basic c2VydmFudDpzZXJ2ZXI="
|
|
HTTP/1.1 200 OK
|
|
transfer-encoding: chunked
|
|
Date: Thu, 07 Jan 2016 22:37:58 GMT
|
|
Server: Warp/3.1.8
|
|
Content-Type: application/json
|
|
{"ssshhh":"servant"}
|
|
-}
|
|
```
|
|
|
|
## Generalized Authentication
|
|
|
|
Sometimes your server's authentication scheme doesn't quite fit with the
|
|
standards (or perhaps servant hasn't rolled-out support for that new, fancy
|
|
authentication scheme). For such a scenario, servant `0.5` provides easy and
|
|
simple experimental support to roll your own authentication.
|
|
|
|
Why experimental? We worked on the design for authentication for a long time. We
|
|
really struggled to find a nice, type-safe niche in the design space. In fact,
|
|
`Context` came out of this work, and while it really fit for schemes like Basic
|
|
and JWT, it wasn't enough to fully support something like OAuth or HMAC, which
|
|
have flows, roles, and other fancy ceremonies. Further, we weren't sure *how*
|
|
people will use auth.
|
|
|
|
So, in typical startup fashion, we developed an MVP of 'generalized auth' and
|
|
released it in an experimental module, with the hope of getting feedback from you!
|
|
So, if you're reading this or using generalized auth support, please give us
|
|
your feedback!
|
|
|
|
### What is Generalized Authentication?
|
|
|
|
**TL;DR**: you throw a tagged `AuthProtect` combinator in front of the
|
|
endpoints you want protected and then supply a function `Request -> Handler a`,
|
|
where `a` is the type of your choice representing the data returned by
|
|
successful authentication - e.g., a `User` or, in our example below, `Account`.
|
|
This function is run anytime a request matches a protected endpoint. It
|
|
precisely solves the "I just need to protect these endpoints with a function
|
|
that does some complicated business logic" and nothing more. Behind the scenes
|
|
we use a type family instance (`AuthServerData`) and `Context` to accomplish
|
|
this.
|
|
|
|
### Generalized Authentication in Action
|
|
|
|
Let's implement a trivial authentication scheme. We will protect our API by
|
|
looking for a cookie named `"servant-auth-cookie"`. This cookie's value will
|
|
contain a key from which we can lookup an `Account`.
|
|
|
|
```haskell
|
|
-- | An account type that we "fetch from the database" after
|
|
-- performing authentication
|
|
newtype Account = Account { unAccount :: Text }
|
|
|
|
-- | A (pure) database mapping keys to accounts.
|
|
database :: Map ByteString Account
|
|
database = fromList [ ("key1", Account "Anne Briggs")
|
|
, ("key2", Account "Bruce Cockburn")
|
|
, ("key3", Account "Ghédalia Tazartès")
|
|
]
|
|
|
|
-- | A method that, when given a password, will return an Account.
|
|
-- This is our bespoke (and bad) authentication logic.
|
|
lookupAccount :: ByteString -> Handler Account
|
|
lookupAccount key = case Map.lookup key database of
|
|
Nothing -> throwError (err403 { errBody = "Invalid Cookie" })
|
|
Just usr -> return usr
|
|
```
|
|
|
|
For generalized authentication, servant exposes the `AuthHandler` type,
|
|
which is used to wrap the `Request -> Handler Account` logic. Let's
|
|
create a value of type `AuthHandler Request Account` using the above `lookupAccount`
|
|
method (note: we depend upon [`cookie`](https://hackage.haskell.org/package/cookie)'s
|
|
`parseCookies` for this):
|
|
|
|
```haskell
|
|
|
|
--- | The auth handler wraps a function from Request -> Handler Account.
|
|
--- We look for a token in the request headers that we expect to be in the cookie.
|
|
--- The token is then passed to our `lookupAccount` function.
|
|
authHandler :: AuthHandler Request Account
|
|
authHandler = mkAuthHandler handler
|
|
where
|
|
maybeToEither e = maybe (Left e) Right
|
|
throw401 msg = throwError $ err401 { errBody = msg }
|
|
handler req = either throw401 lookupAccount $ do
|
|
cookie <- maybeToEither "Missing cookie header" $ lookup "cookie" $ requestHeaders req
|
|
maybeToEither "Missing token in cookie" $ lookup "servant-auth-cookie" $ parseCookies cookie
|
|
```
|
|
|
|
Let's now protect our API with our new, bespoke authentication scheme. We'll
|
|
re-use the endpoints from our Basic Authentication example.
|
|
|
|
```haskell
|
|
-- | Our API, with auth-protection
|
|
type AuthGenAPI = "private" :> AuthProtect "cookie-auth" :> PrivateAPI
|
|
:<|> "public" :> PublicAPI
|
|
|
|
-- | A value holding our type-level API
|
|
genAuthAPI :: Proxy AuthGenAPI
|
|
genAuthAPI = Proxy
|
|
```
|
|
|
|
Now we need to bring everything together for the server. We have the
|
|
`AuthHandler Request Account` value and an `AuthProtected` endpoint. To bind these
|
|
together, we need to provide a [Type Family](https://downloads.haskell.org/~ghc/8.8.1/docs/html/users_guide/glasgow_exts.html#type-families)
|
|
instance that tells the `HasServer` instance that our `Context` will supply a
|
|
`Account` (via `AuthHandler Request Account`) and that downstream combinators will
|
|
have access to this `Account` value (or an error will be thrown if authentication
|
|
fails).
|
|
|
|
```haskell
|
|
|
|
-- | We need to specify the data returned after authentication
|
|
type instance AuthServerData (AuthProtect "cookie-auth") = Account
|
|
```
|
|
|
|
Note that we specify the type-level tag `"cookie-auth"` when defining the type
|
|
family instance. This allows us to have multiple authentication schemes
|
|
protecting a single API.
|
|
|
|
We now construct the `Context` for our server, allowing us to instantiate a
|
|
value of type `Server AuthGenAPI`, in addition to the server value:
|
|
|
|
```haskell
|
|
-- | The context that will be made available to request handlers. We supply the
|
|
-- "cookie-auth"-tagged request handler defined above, so that the 'HasServer' instance
|
|
-- of 'AuthProtect' can extract the handler and run it on the request.
|
|
genAuthServerContext :: Context (AuthHandler Request Account ': '[])
|
|
genAuthServerContext = authHandler :. EmptyContext
|
|
|
|
-- | Our API, where we provide all the author-supplied handlers for each end
|
|
-- point. Note that 'privateDataFunc' is a function that takes 'Account' as an
|
|
-- argument. We don't worry about the authentication instrumentation here,
|
|
-- that is taken care of by supplying context
|
|
genAuthServer :: Server AuthGenAPI
|
|
genAuthServer =
|
|
let privateDataFunc (Account name) =
|
|
return (PrivateData ("this is a secret: " <> name))
|
|
publicData = return [PublicData "this is a public piece of data"]
|
|
in privateDataFunc :<|> publicData
|
|
```
|
|
|
|
We're now ready to start our server (and provide a sample session)!
|
|
|
|
```haskell
|
|
-- | run our server
|
|
genAuthMain :: IO ()
|
|
genAuthMain = run 8080 (serveWithContext genAuthAPI genAuthServerContext genAuthServer)
|
|
|
|
{- Sample Session:
|
|
|
|
$ curl -XGET localhost:8080/private
|
|
Missing auth header
|
|
|
|
$ curl -XGET localhost:8080/private -H "Cookie: servant-auth-cookie=key3"
|
|
[{"ssshhh":"this is a secret: Ghédalia Tazartès"}]
|
|
|
|
$ curl -XGET localhost:8080/private -H "Cookie: servant-auth-cookie=bad-key"
|
|
Invalid Cookie
|
|
|
|
$ curl -XGET localhost:8080/public
|
|
[{"somedata":"this is a public piece of data"}]
|
|
-}
|
|
```
|
|
|
|
### Recap
|
|
|
|
Creating a generalized, ad-hoc authentication scheme was fairly straight
|
|
forward:
|
|
|
|
1. use the `AuthProtect` combinator to protect your API.
|
|
2. choose an application-specific data type used by your server when
|
|
authentication is successful (in our case this was `Account`).
|
|
3. Create a value of `AuthHandler Request Account` which encapsulates the
|
|
authentication logic (`Request -> Handler Account`). This function
|
|
will be executed every time a request matches a protected route.
|
|
4. Provide an instance of the `AuthServerData` type family, specifying your
|
|
application-specific data type returned when authentication is successful (in
|
|
our case this was `Account`).
|
|
|
|
Caveats:
|
|
|
|
1. The module `Servant.Server.Experimental.Auth` contains an orphan `HasServer`
|
|
instance for the `AuthProtect` combinator. You may be get orphan instance
|
|
warnings when using this.
|
|
2. Generalized authentication requires the `UndecidableInstances` extension.
|
|
|
|
## Client-side Authentication
|
|
|
|
### Basic Authentication
|
|
|
|
As of `0.5`, *servant-client* comes with support for basic authentication!
|
|
Endpoints protected by Basic Authentication will require a value of type
|
|
`BasicAuthData` to complete the request.
|
|
|
|
You can find more comprehensive Basic Authentication example in the [Cookbook](../cookbook/basic-auth/BasicAuth.html).
|
|
|
|
### Generalized Authentication
|
|
|
|
Servant `0.5` also shipped with support for generalized authentication. Similar
|
|
to the server-side support, clients need to supply an instance of the
|
|
`AuthClientData` type family specifying the datatype the client will use to
|
|
marshal an unauthenticated request into an authenticated request. Generally,
|
|
this will look like:
|
|
|
|
```haskell ignore
|
|
import Servant.Common.Req (Req, addHeader)
|
|
|
|
-- | The datatype we'll use to authenticate a request. If we were wrapping
|
|
-- something like OAuth, this might be a Bearer token.
|
|
type instance AuthClientData (AuthProtect "cookie-auth") = String
|
|
|
|
-- | A method to authenticate a request
|
|
authenticateReq :: String -> Req -> Req
|
|
authenticateReq s req = addHeader "my-bespoke-header" s req
|
|
```
|
|
|
|
Now, if the client method for our protected endpoint was `getProtected`, then
|
|
we could perform authenticated requests as follows:
|
|
|
|
```haskell ignore
|
|
-- | one could curry this to make it simpler to work with.
|
|
result = runExceptT (getProtected (mkAuthenticateReq "secret" authenticateReq))
|
|
```
|