From 51d1ff2273315ad1270794499d0c49e8fb99aba5 Mon Sep 17 00:00:00 2001 From: Joris Date: Sun, 1 Nov 2015 19:47:24 +0100 Subject: Store the sign in token instead of the login in the session cookie --- src/server/Secure.hs | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) (limited to 'src/server/Secure.hs') diff --git a/src/server/Secure.hs b/src/server/Secure.hs index 1fef713..8565098 100644 --- a/src/server/Secure.hs +++ b/src/server/Secure.hs @@ -8,13 +8,15 @@ import Web.Scotty import Network.HTTP.Types.Status (forbidden403) -import Database.Persist (Entity) +import Database.Persist (Entity, entityVal) -import Model.Database (User, runDb) import Model.User (getUser) +import Model.SignIn (getSignInToken, isLastValidToken) +import Model.Database import Control.Monad.IO.Class (liftIO) +import Data.Text (Text) import qualified Data.Text as T import qualified Data.Text.IO as TIO @@ -22,17 +24,28 @@ import qualified LoginSession loggedAction :: (Entity User -> ActionM ()) -> ActionM () loggedAction action = do - maybeLogin <- LoginSession.get - case maybeLogin of - Just login -> do - maybeUser <- liftIO . runDb $ getUser login + maybeToken <- LoginSession.get + case maybeToken of + Just token -> do + maybeUser <- liftIO . runDb . getUserFromToken $ token case maybeUser of Just user -> action user Nothing -> do status forbidden403 - liftIO . TIO.putStrLn . T.concat $ ["Could not find the user which login is ", login] - html "Could not find a user from your login" + html "You are not authorized to logged in" Nothing -> do status forbidden403 html "You need to be logged in to perform this action" + +getUserFromToken :: Text -> Persist (Maybe (Entity User)) +getUserFromToken token = do + mbSignIn <- fmap entityVal <$> getSignInToken token + case mbSignIn of + Just signIn -> do + isValid <- isLastValidToken signIn + if isValid + then getUser (signInEmail signIn) + else return Nothing + Nothing -> + return Nothing -- cgit v1.2.3