wai-middleware-auth

Authentication middleware that secures WAI application

Version on this page: 0.2.5.1
LTS Haskell 18.28: 0.2.5.1
Stackage Nightly 2022-02-05: 0.2.5.1
Latest on Hackage: 0.2.6.0@rev:1


MIT licensed by Alexey Kuleshevich
Maintained by [email protected]
This version can be pinned in stack with: wai-middleware-auth-0.2.5.1@sha256:c35a2cfac87629dc021f241354dfea9fbf72020fbc6f75c3ad7e3008b591da87,4412

wai-middleware-auth


Middleware that secures WAI application

Installation

$ stack install wai-middleware-auth

OR

$ cabal install wai-middleware-auth

wai-auth

Along with the middleware, this package ships with an executable, wai-auth, which can function as a protected file server or a reverse proxy. Out of the box it supports generic OAuth2 authentication as well as custom implementations for Google and GitHub.

Configuration is done using a YAML config file. Here is a sample file that configures wai-auth to run a file server with Google, GitHub, and GitLab authentication on http://localhost:3000:

app_root: "_env:APPROOT:http://localhost:3000"
app_port: 3000
cookie_age: 3600
secret_key: "...+vwscbKR4DyPT"
file_server:
  root_folder: "/path/to/html/files"
  redirect_to_index: true
  add_trailing_slash: true
providers:
  github:
    client_id: "...94cc"
    client_secret: "...166f"
    app_name: "Dev App for wai-middleware-auth"
    email_white_list:
      - "^[a-zA-Z0-9._%+-]+@example.com$"
  google:
    client_id: "...qlj.apps.googleusercontent.com"
    client_secret: "...oxW"
    email_white_list:
      - "^[a-zA-Z0-9._%+-]+@example.com$"
  gitlab:
    client_id: "...9cfc"
    client_secret: "...f0d0"
    app_name: "Dev App for wai-middleware-auth"
    email_white_list:
      - "^[a-zA-Z0-9._%+-]+@example.com$"

The above configuration will also block access to users who don't have an email address in the example.com domain. There is also a secret_key field, which is used to encrypt the session cookie. To generate a new random key, run this command:

$ echo $(wai-auth key --base64)
azuCFq0zEBkLSXhQrhliZzZD8Kblo...

Make sure you have the proper callback/redirect URLs registered with your Google/GitHub/GitLab apps, e.g. http://localhost:3000/_auth_middleware/google/complete.

Once the configuration file is ready, running the application is easy:

$ wai-auth --config-file=/path/to/config.yaml
Listening on port 3000

Reverse proxy

To use a reverse proxy instead of a file server, replace file_server with reverse_proxy, e.g.:

reverse_proxy:
  host: myapp.example.com
  port: 80

Self-hosted GitLab

The GitLab provider also supports using a self-hosted GitLab instance by setting the gitlab_host field. In this case you may also want to override the provider_info to change the title, logo, and description. For example:

providers:
  gitlab:
    gitlab_host: gitlab.mycompany.com
    client_id: "...9cfc"
    client_secret: "...f0d0"
    app_name: "Dev App for wai-middleware-auth"
    email_white_list:
      - "^[a-zA-Z0-9._%+-]+@example.com$"
    provider_info:
      title: My Company's GitLab
      logo_url: https://mycompany.com/logo.png
      descr: Use your My Company GitLab account to access this page.
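The following is an added example (my own code, not part of wai-middleware-auth or wai-auth) that sanity-checks a config like the ones above before it is deployed. It follows the conventions the README shows: `_env:NAME:default` values, the per-provider `email_white_list` regexes, the callback URL form `<app_root>/_auth_middleware/<provider>/complete`, and the `gitlab_host` override for a self-hosted GitLab. Python is used because the checks concern the YAML configuration rather than the Haskell API; the config is embedded as the dict a YAML loader would produce, the probe e-mail addresses are constructed, and it is assumed that Python's `re` agrees with the library's regex engine for these simple anchored patterns.

```python
import base64
import binascii
import os
import re

# Constructed sample: the README's YAML as the dict a YAML loader would return.
# Secrets are the README's "..." placeholders, which the linter should flag.
SAMPLE_CONFIG = {
    "app_root": "_env:APPROOT:http://localhost:3000",
    "app_port": 3000,
    "cookie_age": 3600,
    "secret_key": "...+vwscbKR4DyPT",
    "file_server": {"root_folder": "/path/to/html/files",
                    "redirect_to_index": True, "add_trailing_slash": True},
    "providers": {
        "github": {"client_id": "...94cc", "client_secret": "...166f",
                   "email_white_list": [r"^[a-zA-Z0-9._%+-]+@example.com$"]},
        "google": {"client_id": "...qlj.apps.googleusercontent.com",
                   "client_secret": "...oxW",
                   "email_white_list": [r"^[a-zA-Z0-9._%+-]+@example.com$"]},
        # Self-hosted GitLab variant; the dot is escaped here for contrast.
        "gitlab": {"gitlab_host": "gitlab.mycompany.com",
                   "client_id": "...9cfc", "client_secret": "...f0d0",
                   "email_white_list": [r"^[a-zA-Z0-9._%+-]+@example\.com$"]},
    },
}


def resolve_env(value, env):
    """Expand `_env:NAME:default`: the NAME variable if set, else the default."""
    if not (isinstance(value, str) and value.startswith("_env:")):
        return value
    parts = value.split(":", 2)          # the default may itself contain ':'
    name = parts[1]
    default = parts[2] if len(parts) == 3 else None
    if name in env:
        return env[name]
    if default is None:
        raise KeyError(f"{name} is not set and has no default")
    return default


def callback_urls(config, env):
    """Redirect URIs to register with each provider (README convention)."""
    app_root = resolve_env(config["app_root"], env).rstrip("/")
    return {name: f"{app_root}/_auth_middleware/{name}/complete"
            for name in config.get("providers", {})}


def whitelist_verdicts(patterns, emails):
    """Map each e-mail to whether any pattern in email_white_list admits it."""
    compiled = [re.compile(p) for p in patterns]
    return {e: any(r.search(e) for r in compiled) for e in emails}


def lint_config(config, env):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "file_server" in config and "reverse_proxy" in config:
        findings.append("both file_server and reverse_proxy are set; choose one")
    key = resolve_env(config.get("secret_key", ""), env)
    if not key:
        findings.append("secret_key is empty")
    elif "..." in key:
        findings.append("secret_key is a placeholder; generate one with "
                        "`wai-auth key --base64`")
    else:
        try:
            base64.b64decode(key, validate=True)
        except (binascii.Error, ValueError):
            findings.append("secret_key is not valid base64")
    for name, prov in config.get("providers", {}).items():
        for field in ("client_id", "client_secret"):
            if "..." in str(resolve_env(prov.get(field, "..."), env)):
                findings.append(f"{name}: {field} is missing or a placeholder")
        for pat in prov.get("email_white_list", []):
            try:
                re.compile(pat)
            except re.error as exc:
                findings.append(f"{name}: pattern {pat!r} does not compile: {exc}")
                continue
            if not (pat.startswith("^") and pat.endswith("$")):
                findings.append(f"{name}: pattern {pat!r} is not anchored, so a "
                                "longer address containing the domain passes")
            # An unescaped '.' right before the TLD matches any character.
            if re.search(r"[^\\]\.[a-zA-Z]+\$$", pat):
                findings.append(f"{name}: unescaped '.' in {pat!r} lets "
                                "lookalike domains pass")
    return findings


if __name__ == "__main__":
    env = dict(os.environ)
    for line in lint_config(SAMPLE_CONFIG, env):
        print("finding:", line)
    for name, url in callback_urls(SAMPLE_CONFIG, env).items():
        print(f"register for {name}: {url}")
    probes = ["alice@example.com", "alice@example.com.evil.test",
              "alice@examplexcom", "bob@other.example"]   # constructed
    for name, prov in SAMPLE_CONFIG["providers"].items():
        print(name, whitelist_verdicts(prov["email_white_list"], probes))
```

Run it with `APPROOT` exported to see the callback URLs change with the environment; the point of the whitelist probes is that `^` and `$` anchors and an escaped dot are what keep `alice@example.com.evil.test` and `alice@examplexcom` out, so a regex copied from the sample is worth testing against such addresses before it guards a real deployment.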

Changes

0.2.5.1

  • Add support for GHC 9.0.

0.2.5.0

  • Add getAuthUserFromVault for Servant.Api.Vault user.

0.2.4.0

  • Add GitLab provider.

0.2.3.1

  • Expose discoverURI in Network.Wai.Middleware.Auth.OIDC

  • Fix bug with OAuth2 and OpenID Connect authentication where scopes were separated using commas instead of spaces.

0.2.3.0

  • Support hoauth2-1.11.0

  • Drop support for jose versions < 0.8

  • Expose decodeKey

  • OAuth2 provider removes a session when an access token expires. It will use a refresh token if one is available to create a new session. If no refresh token is available it will redirect the user to re-authenticate.

  • Providers can define logic for refreshing a session without user intervention.

  • Add an OpenID Connect provider.

0.2.2.0

  • Add request logging to executable

  • Newer multistage Docker build system

0.2.1.0

  • Fix a bug in deserialization of UserIdentity

0.2.0.0

  • Drop compatibility with hoauth2 versions <= 1.0.0.

  • Add a function for getting the oauth2 token from an authenticated request.

  • Modify encoding of oauth2 session cookies. As a consequence existing cookies will be invalid.

0.1.2.1

  • Compatibility with hoauth2-1.3.0 - fixed: #4

0.1.2.0

  • Implemented compatibility with hoauth2 >= 1.0.0 - fixed: #3

0.1.1.2

  • Fixed: wai-middleware-auth-0.1.1.1 does not compile on 32-bit Linux

0.1.1.1

  • Disallow an empty userIdentity from producing a successful login.

  • Produce a 404 on /favicon.ico if not logged in: workaround for an issue with Chrome requesting it first and messing up the redirect URL.

  • Added jQuery to the template, since it is Bootstrap's requirement.

0.1.1.0

  • Fixed whitelist email regex matching for GitHub and Google auth.

0.1.0.0

  • Initial implementation.