Discussion: XSRF header for servant-auth clients #48
Comments
BTW this extra header can be added by using
Hi, we made this work using the Web.Cookie (`cookie`) library to parse the cookie text. The following example is based on a Servant authentication API derived from

```haskell
type Authenticated = Auth '[Cookie] User

type SetCookies = Headers '[ Header "Set-Cookie" SetCookie
                           , Header "Set-Cookie" SetCookie
                           ] NoContent

type AuthApi
  =    "login" :> ReqBody '[JSON] LoginInfo :> PostNoContent '[JSON] SetCookies
  :<|> Authenticated :> "user" :> Get '[JSON] User
```

This is the

```haskell
-- Read the XSRF-TOKEN cookie value from document.cookie, if it is set.
-- parseCookiesText comes from Web.Cookie; T is Data.Text.Encoding.
let getToken = lookup "XSRF-TOKEN" . parseCookiesText . T.encodeUtf8
xsrfToken <- liftJSM $ getToken <$> (currentDocumentUnchecked >>= getCookie)

-- API access functions: every request gets the X-XSRF-TOKEN header
-- (a Maybe, so no header is sent when the cookie is absent).
let tweakRequest = ClientOptions $ \r -> do
      return $ r & xhrRequest_config
                 . xhrRequestConfig_headers
                 . at "X-XSRF-TOKEN" .~ xsrfToken
    api = Proxy :: Proxy AuthApi
    pm  = Proxy :: Proxy m
    pn  = Proxy :: Proxy ()
    bp  = constDyn (BasePath "/")
    login :<|> user = clientWithOpts api pm pn bp tweakRequest
```
@finlay Thanks for the full example! Is it possible to put the

I think the issue is that the And the We could change the F

There is a way to get the JSM context and regain it again but I can't recall how. I'm sure @hamishmack knows.
`servant-auth-server` by default expects that the [browser] client will add an `X-XSRF-TOKEN` header with the contents of the `XSRF-TOKEN` cookie for authenticated requests. I have a PR for servant-auth to make this configurable, but regardless it would be nice if servant-reflex made this easier. Now that we have #47, we can actually do this manually. In fact, that may be the only way currently. The reason is that servant-auth doesn't "advertise" in the types the name of the XSRF cookie or the header it expects. The server and the client need to negotiate that out-of-band (so to speak).

Thoughts?