{-# LANGUAGE CPP                        #-}
{-# LANGUAGE DataKinds                  #-}
{-# LANGUAGE GeneralizedNewtypeDeriving #-}
{-# LANGUAGE TypeFamilies               #-}
{-# LANGUAGE TypeOperators              #-}
module Servant.Auth where

import           Data.Proxy          (Proxy(..))
import           Servant.API         ((:>))
import           Servant.Links       (HasLink (..))

-- * Authentication

-- | @Auth [auth1, auth2] val :> api@ represents an API protected *either* by
-- @auth1@ or @auth2@
data Auth (auths :: [*]) val

-- | A @HasLink@ instance for @Auth@
instance HasLink sub => HasLink (Auth (tag :: [*]) value :> sub) where
#if MIN_VERSION_servant(0,14,0)
  type MkLink (Auth (tag :: [*]) value :> sub) a = MkLink sub a
  toLink toA _ = toLink toA (Proxy :: Proxy sub)
#else
  type MkLink (Auth (tag :: [*]) value :> sub) = MkLink sub
  toLink _ = toLink (Proxy :: Proxy sub)
#endif

-- ** Combinators

-- | A JSON Web Token (JWT) in the the Authorization header:
--
--    @Authorization: Bearer <token>@
--
-- Note that while the token is signed, it is not encrypted. Therefore do not
-- keep in it any information you would not like the client to know.
--
-- JWTs are described in IETF's <https://tools.ietf.org/html/rfc7519 RFC 7519>
data JWT

-- | A cookie. The content cookie itself is a JWT. Another cookie is also used,
-- the contents of which are expected to be send back to the server in a
-- header, for XSRF protection.
data Cookie


-- We could use 'servant''s BasicAuth, but then we don't get control over the
-- documentation, and we'd have to polykind everything. (Also, we don't
-- currently depend on servant!)
--
-- | Basic Auth.
data BasicAuth

-- | Login via a form.
data FormLogin form