Define settings for a Yesod applications. All methods have intelligent defaults, and therefore no implementation is required.

This class is automatically instantiated when you use the template haskell mkYesod function. You should never need to deal with it directly.

A type-safe, concise method of creating breadcrumbs for pages. For each resource, you declare the title of the page and the parent resource (if present).

Gets the title of the current page and the hierarchy of parent pages, along with their respective titles.

How to determine the root of the application for constructing URLs.

Note that future versions of Yesod may add new constructors without bumping the major version number. As a result, you should not pattern match on Approot values.

Responses to indicate some form of an error occurred.

Return the same URL if the user is authorized to see it.

Built on top of isAuthorized. This is useful for building page that only contain links to pages the user is allowed to see.

Convert a widget to a PageContent.

The default error handler for errorHandler.

Default implementation of yesodMiddleware. Adds the response header "Vary: Accept, Accept-Language", "X-XSS-Protection: 1; mode=block", and performs authorization checks.

Since 1.2.0

Check if a given request is authorized via isAuthorized and isWriteRequest.

Since 1.2.0

Return an Unauthorized value, with the given i18n message.

Default implementation of makeLogger. Sends to stdout and automatically flushes on each write.

Since 1.4.10

Default implementation of messageLoggerSource. Checks if the message should be logged using the provided function, and if so, formats using formatLogMessage. You can use defaultShouldLogIO as the provided function.

Since 1.4.10

Default implementation of shouldLog. Logs everything at or above LevelInfo.

Since 1.4.10

Default formatting for log messages. When you use the template haskell logging functions for to log with information about the source location, that information will be appended to the end of the log. When you use the non-TH logging functions, like logDebugN, this function does not include source information. This currently works by checking to see if the package name is the string "<unknown>". This is a hack, but it removes some of the visual clutter from non-TH logs.

Since 1.4.10

Generates a function that takes a Text and logs a LevelDebug message. Usage:

$(logDebug) "This is a debug log message"

See logDebug

See logDebug

See logDebug

Generates a function that takes a Text and logs a LevelOther message. Usage:

$(logOther "My new level") "This is a log message"

Generates a function that takes a LogSource and Text and logs a LevelDebug message. Usage:

$logDebugS "SomeSource" "This is a debug log message"

See logDebugS

See logDebugS

See logDebugS

Generates a function that takes a LogSource, a level name and a Text and logs a LevelOther message. Usage:

$logOtherS "SomeSource" "My new level" "This is a log message"

Customize the cookies used by the session backend. You may use this function on your definition of makeSessionBackend.

For example, you could set the cookie domain so that it would work across many subdomains:

makeSessionBackend site =
    (fmap . fmap) (customizeSessionCookies addDomain) ...
  where
    addDomain cookie = cookie { setCookieDomain = Just ".example.com" }

Default: Do not customize anything (id).

Create a SessionBackend which reads the session key from the named environment variable.

This can be useful if:

1. You can't rely on a persistent file system (e.g. Heroku)
2. Your application is open source (e.g. you can't commit the key)

By keeping a consistent value in the environment variable, your users will have consistent sessions without relying on the file system.

Note: A suitable value should only be obtained in one of two ways:

1. Run this code without the variable set, a value will be generated and printed on devstdout/
2. Use clientsession-generate

Since 1.4.5

Defends against session hijacking by setting the secure bit on session cookies so that browsers will not transmit them over http. With this setting on, it follows that the server will regard requests made over http as sessionless, because the session cookie will not be included in the request. Use this as part of a total security measure which also includes disabling HTTP traffic to the site or issuing redirects from HTTP urls, and composing sslOnlyMiddleware with the site's yesodMiddleware.

Since 1.4.7

Helps defend against CSRF attacks by setting the SameSite attribute on session cookies to Lax. With the Lax setting, the cookie will be sent with same-site requests, and with cross-site top-level navigations.

This option is liable to change in future versions of Yesod as the spec evolves. View more information here.

Since: 1.4.23

Helps defend against CSRF attacks by setting the SameSite attribute on session cookies to Strict. With the Strict setting, the cookie will only be sent with same-site requests.

This option is liable to change in future versions of Yesod as the spec evolves. View more information here.

Since: 1.4.23

Apply a Strict-Transport-Security header with the specified timeout to all responses so that browsers will rewrite all http links to https until the timeout expires. For security, the max-age of the STS header should always equal or exceed the client sessions timeout. This defends against SSL-stripping man-in-the-middle attacks. It is only effective if a secure connection has already been made; Strict-Transport-Security headers are ignored over HTTP.

Since 1.4.7

Headers to be added to a Result.

Calls defaultCsrfSetCookieMiddleware and defaultCsrfCheckMiddleware.

For details, see the "AJAX CSRF protection" section of Yesod.Core.Handler.

You can chain this middleware together with other middleware like so:

yesodMiddleware = defaultYesodMiddleware . defaultCsrfMiddleware

or:

yesodMiddleware app = defaultYesodMiddleware $ defaultCsrfMiddleware $ app

Since 1.4.14

Calls csrfSetCookieMiddleware with the defaultCsrfCookieName.

The cookie's path is set to /, making it valid for your whole website.

Since 1.4.14

Takes a SetCookie and overrides its value with a CSRF token, then sets the cookie. See setCsrfCookieWithCookie.

For details, see the "AJAX CSRF protection" section of Yesod.Core.Handler.

Make sure to set the setCookiePath to the root path of your application, otherwise you'll generate a new CSRF token for every path of your app. If your app is run from from e.g. www.example.com/app1, use app1. The vast majority of sites will just use /.

Since 1.4.14

Calls csrfCheckMiddleware with isWriteRequest, defaultCsrfHeaderName, and defaultCsrfParamName as parameters.

Since 1.4.14

Looks up the CSRF token from the request headers or POST parameters. If the value doesn't match the token stored in the session, this function throws a PermissionDenied error.

For details, see the "AJAX CSRF protection" section of Yesod.Core.Handler.

Since 1.4.14

Guess the approot based on request headers. For more information, see Network.Wai.Middleware.Approot

In the case of headers being unavailable, it falls back to ApprootRelative

Since 1.4.16

Guess the approot based on request headers, with fall back to the specified AppRoot.

Since 1.4.16

Get the textual application root from an Approot value.

Since 1.4.17

Format a UTCTime in W3 format.

Format as per RFC 1123.

Format as per RFC 822.

Convert a value to Markup without escaping

The class of monad transformers. Instances should satisfy the following laws, which state that lift is a monad transformation:

• lift . return = return

• lift (m >>= f) = lift m >>= (lift . f)

Monads in which IO computations may be embedded. Any monad built by applying a sequence of monad transformers to the IO monad will be an instance of this class.

Instances should satisfy the following laws, which state that liftIO is a transformer of monads:

• liftIO . return = return

• liftIO (m >>= f) = liftIO m >>= (liftIO . f)

Monads which allow their actions to be run in IO.

While MonadIO allows an IO action to be lifted into another monad, this class captures the opposite concept: allowing you to capture the monadic context. Note that, in order to meet the laws given below, the intuition is that a monad must have no monadic state, but may have monadic context. This essentially limits MonadUnliftIO to ReaderT and IdentityT transformers on top of IO.

Laws. For any value u returned by askUnliftIO, it must meet the monad transformer laws as reformulated for MonadUnliftIO:

• unliftIO u . return = return

• unliftIO u (m >>= f) = unliftIO u m >>= unliftIO u . f

Instances of MonadUnliftIO must also satisfy the idempotency law:

• askUnliftIO >>= \u -> (liftIO . unliftIO u) m = m

This law showcases two properties. First, askUnliftIO doesn't change the monadic context, and second, liftIO . unliftIO u is equivalent to id IF called in the same monadic context as askUnliftIO.

Since: unliftio-core-0.1.0.0

A Monad which allows for safe resource allocation. In theory, any monad transformer stack which includes a ResourceT can be an instance of MonadResource.

Note: runResourceT has a requirement for a MonadUnliftIO m monad, which allows control operations to be lifted. A MonadResource does not have this requirement. This means that transformers such as ContT can be an instance of MonadResource. However, the ContT wrapper will need to be unwrapped before calling runResourceT.

Since 0.3.0

A Monad which has the ability to log messages in some manner.