MIT licensed by Patrick Brisbin, later changes Paul Rouse
Maintained by Paul Rouse
This version can be pinned in stack with: yesod-auth-hashdb-,3550

This package is the Yesod.Auth.HashDB plugin, originally included as part of yesod-auth, but now modified to be more secure and placed in a separate package.

It provides authentication using hashed passwords stored in a database, and works best in situations where an administrator is involved in setting up a user with an initial password.

The complete login process, including a default form, is implemented by this plugin, but the application developer must design the interfaces for setting up users and allowing them to change their own passwords, since only the low-level password-setting functions are provided by this package. (Note that other authentication plugins may be more appropriate if you wish to use email verification to set up accounts.)


  • Fix test to allow use of persistent-template-2.8

  • Fix test and relax upper bound for persistent-2.10 / persistent-template-2.7
  • Replace use of deprecated requireJsonBody


  • Relax upper bounds to allow persistent-2.9 (for GHC 8.6 versions of Stackage nightly)
  • Remove testing of GHC below 8.0.2, and lts below 9


  • Update for changes in yesod version 1.6, but retain compatibility with previous versions
  • Remove support for GHC below 7.10, and lts below 6


  • Use PasswordStore from yesod-auth instead of pwstore-fast (uses cryptonite instead of cryptohash)


  • Relax upper bound on persistent

  • Fix serious documentation layout problem caused by typo


This release completes the breaking changes started in 1.5. For details of upgrading, please see

  • Complete removal of compatibility with old databases designed for versions before 1.3
  • Add JSON support

  • Fix test failure with basic-prelude >= 0.6 (#6)

  • Relax upper bound to allow persistent-2.6

  • Minor documentation improvement
  • Reduce external-library dependencies for tests


  • Include CSRF token in default form


This release can break both old code and old database entries. For details of upgrading, please see

  • First phase of removing compatibility with old databases designed for versions before 1.3
  • Remove deprecated utilities (getAuthIdHashDB and pre-defined User data type)


  • Changes to work with persistent-2.5

  • Relax upper bound to allow persistent-2.2.*

  • Add ChangeLog


  • Deprecate getAuthIdHashDB (see #5)

  • Use internationalized messages
  • Increase defaultStrength

  • Minor documentation change


  • Expose additional validation function which does not need to read the database
  • Deprecate compatibility with old data which includes a salt field


  • Changes for Yesod 1.4


  • Documentation improvement


  • Optional custom login form
  • Deprecate predefined User data type
  • Changes for Persistent 2

  • Version bounds
  • Minor documentation changes


  • First release as a separate package, not part of yesod-auth