Servant based API and server for token based authorisation

This package is not currently in any snapshots. If you're interested in using it, we recommend adding it to Stackage Nightly. Doing so will make builds more reliable and allow us to host the generated Haddocks.


The repo contains the server implementation of servant-auth-token-api.

How to add to your server

At the moment you have two options for backend storage:

  • persistent backend - a persistent-based backend, simple to integrate with your app.

  • acid-state backend - an acid-state-based backend, a lightweight solution for in-memory storage, but more difficult to integrate with your app.

  • Possible candidates for other storage backends: VCache, leveldb, JSON files. To see how to implement one, look at the HasStorage type class.

Now you can use 'guardAuthToken' to check the authorization header in the endpoints of your server:

-- | Read a single customer from DB
customerGet :: CustomerId -- ^ Customer unique id
  -> MToken '["customer-read"] -- ^ Required permissions for auth token
  -> ServerM Customer -- ^ Customer data
customerGet i token = do
  guardAuthToken token
  runDB404 "customer" $ getCustomer i
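As an added example (not code from this package's README), the same guard applied across a small API: the required permission list sits in the API type through TokenHeader from servant-auth-token-api, and each handler calls guardAuthToken before touching storage. The module names, ServerM, Customer, CustomerId, getCustomer, insertCustomer and runDB404 are assumptions about the surrounding application.

```haskell
{-# LANGUAGE DataKinds, TypeOperators #-}
module CustomerApi where

import Servant
-- Assumed module names for the API and server packages.
import Servant.API.Auth.Token (MToken, TokenHeader)
import Servant.Server.Auth.Token (guardAuthToken)

-- Assumed application types: ServerM is the app monad providing the
-- storage and auth config instances the package requires; Customer,
-- CustomerId, getCustomer, insertCustomer and runDB404 are the app's
-- (hypothetical) DB layer.

-- The permission list is part of the route type, so a reader can see from
-- the API alone which permission each endpoint demands.
type CustomerAPI =
       "customer" :> Capture "id" CustomerId
                  :> TokenHeader '["customer-read"]
                  :> Get '[JSON] Customer
  :<|> "customer" :> ReqBody '[JSON] Customer
                  :> TokenHeader '["customer-write"]
                  :> Post '[JSON] CustomerId

-- Read a single customer; the token must carry "customer-read".
customerGet :: CustomerId -> MToken '["customer-read"] -> ServerM Customer
customerGet i token = do
  guardAuthToken token          -- rejects a missing, expired or
                                -- under-privileged token before any DB work
  runDB404 "customer" $ getCustomer i

-- Create a customer; a read-only token is refused here because the
-- permission list in the type differs.
customerPost :: Customer -> MToken '["customer-write"] -> ServerM CustomerId
customerPost c token = do
  guardAuthToken token
  insertCustomer c

-- Assemble the guarded handlers into a server for the API above.
customerServer :: ServerT CustomerAPI ServerM
customerServer = customerGet :<|> customerPost
```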


Changelog

  • Allow passing client-side hashed passwords for signup and restore.

  • Allow passing a client-side hashed password to the signin endpoint.

  • Bump versions for lts-12.9.

  • Support servant-0.13.

  • Support servant-0.12.

  • Version bounds are relaxed.

  • Fix typo in invalidatePermanentCodes.
  • Servant combinator.
  • Rename migration function.

  • Relax servant and servant-server versions.

  • Make withAuthToken work properly.

  • Add withAuthToken to guard groups of endpoints.

  • Auto deriving HasAuthConfig and HasStorage for transformers.

  • persistent-postgresql is not actually used.

  • Add signinByHashUnsafe for internal usage.

  • Implementation for AuthFindUserByLogin endpoint.
  • Feature to manipulate password hashes. For instance, you can now store a hashed admin password in the config.

  • Add implementation for AuthCheckPermissionsMethod and AuthGetUserIdMethod endpoints.

  • Relax aeson and opt-parse-applicative bounds.
  • Add monad-control instances.

  • Remove persistent dependencies from abstract package.

  • Abstract over storage: persistent and acid-state backends.

  • Support lts-7.1 (ghc 8 and persistent-0.6).

  • Add authorisation by single usage codes.

  • Relax boundaries for ghc 8.0.1.

  • Implement servant-auth-token- API.

  • Expose implementation of API for embedding in complex servers.

  • Added restoreCodeGenerator to configuration.

  • Initial publication.