| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
Core functions for Orizentic
The most conceptually confusing part of this is the relationship between a Token, an unverified JWT, a verified JWT, and a claims set.

A Token is a broad concept, and there is no particular data structure in this system that corresponds to it.

Colloquially, however, a Token is synonymous with a JWT. JWTs can be either unverified or verified. An unverified JWT is anything that has been received from any outside source but whose signature has not yet been checked. A verified JWT has had the signature checked, at least as JWT implements it. In this application, however, the process of checking the JWT signature also involves checking that the JWT is known to the application and that it has not expired.

A ClaimsSet is an attribute of a JWT that is available for reading whether or not the JWT has been signed and whether or not the signature is valid. This describes all of the interesting parts of what the token is good for and who it should belong to.

JWTs and their signatures typically get encoded into a Base64 format for transmission across the internet. JWT provides the encodeSigned and decode functions to handle this process. This library provides encodeToken to do the conversion with a somewhat nicer API.

Many operations in this library involve creating and managing claims sets. Additional functions are utilities for converting those claims sets both to and from JWT and fully encoded formats.
- newtype ResourceName = ResourceName Text
- newtype Permissions = Permissions [Text]
- newtype Issuer = Issuer Text
- newtype TTL = TTL NominalDiffTime
- newtype Username = Username Text
- data OrizenticCtx = OrizenticCtx Secret ClaimsStore
- class HasOrizenticCtx ctx where
- newOrizenticCtx :: MonadIO m => Secret -> [JWTClaimsSet] -> m OrizenticCtx
- validateToken :: OrizenticM m r => JWT UnverifiedJWT -> m (Maybe (JWT VerifiedJWT))
- checkAuthorizations :: (ResourceName -> Permissions -> Bool) -> JWT VerifiedJWT -> Bool
- createClaims :: OrizenticM m r => Issuer -> Maybe TTL -> ResourceName -> Username -> Permissions -> m JWTClaimsSet
- revokeClaims :: OrizenticM m r => JWTClaimsSet -> m ()
- revokeByUUID :: OrizenticM m r => Text -> m ()
- replaceClaims :: OrizenticM m r => [JWTClaimsSet] -> m ()
- listClaims :: OrizenticM m r => m [JWTClaimsSet]
- findClaims :: OrizenticM m r => Text -> m (Maybe JWTClaimsSet)
- encodeClaims :: OrizenticM m r => JWTClaimsSet -> m Text
- hasPermission :: Permissions -> Text -> Bool
- permissions :: JWTClaimsSet -> Permissions
Documentation
newtype ResourceName Source #
ResourceName is application-defined for however the resources in the application should be named.
newtype Permissions Source #
Permissions are application-defined descriptions of what can be done with the named resource.
newtype Issuer Source #
Issuers are typically informative, but should generally describe who or what created the token.
newtype TTL Source #
Time to live is the number of seconds until a token expires.
newtype Username Source #
Username, or Audience in JWT terms, should describe who or what is supposed to be using this token.
class HasOrizenticCtx ctx where Source #
hasOrizenticCtx :: ctx -> OrizenticCtx Source #
newOrizenticCtx :: MonadIO m => Secret -> [JWTClaimsSet] -> m OrizenticCtx Source #
Create a new OrizenticCtx that will use a particular JWT secret and set of claims.
validateToken :: OrizenticM m r => JWT UnverifiedJWT -> m (Maybe (JWT VerifiedJWT)) Source #
Validate a token by checking its signature, that it is not expired, and that it is still present in the database. Return Nothing if any check fails, but return a verified JWT if it all succeeds. This function requires IO because it checks both the current database state and the current time.
checkAuthorizations :: (ResourceName -> Permissions -> Bool) -> JWT VerifiedJWT -> Bool Source #
Given a verified JWT, pass the resource name and permissions to a user-defined function. The function should return True if the caller should be granted access to the resource and False otherwise. That result will be passed back to the caller.
createClaims :: OrizenticM m r => Issuer -> Maybe TTL -> ResourceName -> Username -> Permissions -> m JWTClaimsSet Source #
Create a new JWTClaimsSet. This will create the claims (a tedious process with JWT) and add it to the database. It will also calculate and set the expiration time if a TTL is provided.
revokeClaims :: OrizenticM m r => JWTClaimsSet -> m () Source #
Remove a claims set from the database so that all subsequent validation checks against it fail.
revokeByUUID :: OrizenticM m r => Text -> m () Source #
Revoke a ClaimsSet given its UUID, which is set in the jti claim.
replaceClaims :: OrizenticM m r => [JWTClaimsSet] -> m () Source #
Replace the entire list of claims currently in memory. This is typically used when reloading a claims set from disk.
listClaims :: OrizenticM m r => m [JWTClaimsSet] Source #
Return all of the ClaimsSets currently in the database.
findClaims :: OrizenticM m r => Text -> m (Maybe JWTClaimsSet) Source #
Find a ClaimsSet by its UUID (the jti claim).
encodeClaims :: OrizenticM m r => JWTClaimsSet -> m Text Source #
Encode a ClaimsSet using this context's secret.
hasPermission :: Permissions -> Text -> Bool Source #
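The token lifecycle described in the module header, carried through the functions above in one program: mint a claims set, encode it, treat the encoded text as an untrusted token, validate and authorize it, then revoke the claims and observe that the same token is rejected. This is an added example, not code from the Orizentic package or its documentation. It assumes the documented functions are exported from a module named `Orizentic.Core`, that the `OrizenticM m r` constraint is satisfied by `ReaderT r IO` for any `r` with a `HasOrizenticCtx` instance, and that `secret` and `decode` come from `Web.JWT` in the `jwt` package; `Env`, `App`, `canReadReports` and `authorizeEncoded` are names introduced here.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main where

import Control.Monad.IO.Class (liftIO)
import Control.Monad.Reader (ReaderT, runReaderT)
import Data.Text (Text)
import Web.JWT (decode, secret)

import Orizentic.Core  -- assumed module path for the functions documented above

-- Assumption: OrizenticM m r holds for ReaderT r IO whenever r has a HasOrizenticCtx
-- instance, so a small environment wrapping the context is enough to run the API.
newtype Env = Env OrizenticCtx

instance HasOrizenticCtx Env where
    hasOrizenticCtx (Env ctx) = ctx

type App = ReaderT Env IO

-- Authorization predicate handed to checkAuthorizations: grant access only when the
-- token names the "reports" resource and carries the "read" permission for it.
canReadReports :: ResourceName -> Permissions -> Bool
canReadReports (ResourceName res) perms = res == "reports" && hasPermission perms "read"

-- Treat encoded text as an untrusted token: decode it, validate it (signature, expiry,
-- and presence in the claims store), then authorize it against the resource.
authorizeEncoded :: Text -> App Bool
authorizeEncoded encoded =
    case decode encoded of                 -- Web.JWT.decode :: Text -> Maybe (JWT UnverifiedJWT)
        Nothing         -> pure False      -- not even a well-formed JWT
        Just unverified -> do
            verified <- validateToken unverified
            pure (maybe False (checkAuthorizations canReadReports) verified)

main :: IO ()
main = do
    -- Constructed demo secret; a deployment loads its signing key from configuration.
    ctx <- newOrizenticCtx (secret "demo-secret-not-for-production") []
    flip runReaderT (Env ctx) $ do
        cs  <- createClaims (Issuer "example-app") (Just (TTL 3600))
                            (ResourceName "reports") (Username "alice") (Permissions ["read"])
        tok <- encodeClaims cs
        okBefore <- authorizeEncoded tok
        liftIO (putStrLn ("valid and authorized before revocation: " ++ show okBefore))
        -- Revocation removes the claims from the store, so the same token now fails
        -- validateToken even though its signature is still cryptographically valid.
        revokeClaims cs
        okAfter <- authorizeEncoded tok
        liftIO (putStrLn ("valid and authorized after revocation:  " ++ show okAfter))
```

The second check is the point of the claims store: revocation takes effect immediately for an otherwise well-signed, unexpired token, which a stateless JWT check alone cannot provide.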
Orphan instances
Eq (JWT VerifiedJWT) Source #