diff options
author | Joris | 2015-11-01 19:47:24 +0100 |
---|---|---|
committer | Joris | 2015-11-01 19:47:24 +0100 |
commit | 51d1ff2273315ad1270794499d0c49e8fb99aba5 (patch) | |
tree | 8a3027d9fe2865731e0111989bc84eaea1591270 /src/server/Secure.hs | |
parent | f76aaedd794f15d9f049f53a081710b9565fb8b1 (diff) |
Store the sign in token instead of the login in the session cookie
Diffstat (limited to 'src/server/Secure.hs')
-rw-r--r-- | src/server/Secure.hs | 29 |
1 files changed, 21 insertions, 8 deletions
diff --git a/src/server/Secure.hs b/src/server/Secure.hs index 1fef713..8565098 100644 --- a/src/server/Secure.hs +++ b/src/server/Secure.hs @@ -8,13 +8,15 @@ import Web.Scotty import Network.HTTP.Types.Status (forbidden403) -import Database.Persist (Entity) +import Database.Persist (Entity, entityVal) -import Model.Database (User, runDb) import Model.User (getUser) +import Model.SignIn (getSignInToken, isLastValidToken) +import Model.Database import Control.Monad.IO.Class (liftIO) +import Data.Text (Text) import qualified Data.Text as T import qualified Data.Text.IO as TIO @@ -22,17 +24,28 @@ import qualified LoginSession loggedAction :: (Entity User -> ActionM ()) -> ActionM () loggedAction action = do - maybeLogin <- LoginSession.get - case maybeLogin of - Just login -> do - maybeUser <- liftIO . runDb $ getUser login + maybeToken <- LoginSession.get + case maybeToken of + Just token -> do + maybeUser <- liftIO . runDb . getUserFromToken $ token case maybeUser of Just user -> action user Nothing -> do status forbidden403 - liftIO . TIO.putStrLn . T.concat $ ["Could not find the user which login is ", login] - html "Could not find a user from your login" + html "You are not authorized to logged in" Nothing -> do status forbidden403 html "You need to be logged in to perform this action" + +getUserFromToken :: Text -> Persist (Maybe (Entity User)) +getUserFromToken token = do + mbSignIn <- fmap entityVal <$> getSignInToken token + case mbSignIn of + Just signIn -> do + isValid <- isLastValidToken signIn + if isValid + then getUser (signInEmail signIn) + else return Nothing + Nothing -> + return Nothing |