fhartwig / thentos

This project forked from liqd/thentos


The swiss army knife of privacy-preserving identity management

License: GNU Affero General Public License v3.0

Haskell 99.48% Makefile 0.33% CSS 0.18%


Thentos: The swiss army knife of privacy-preserving identity management

Warning

This software is actively developed, but incomplete (many of the features promised here are missing) and highly unstable (the existing code will change in unexpected and possibly undocumented ways). If you are interested in using it, please contact us to negotiate a release plan.

Having that said: enjoy! (:

Overview

Thentos (/'tentɒs/) is the swiss army knife of web application user management. You can:

  • use it as a library to offer SSO (single-sign-on) via github or facebook to your users,

  • run it as a proxy in front of your web application that does all the user management for you (a bit like sproxy),

  • set up your own, federated SSO service hierarchy,

  • use a third-party SSO service to completely hide user information from your application and only work with pre-authenticated, anonymised sessions,

  • and many other things.

Thentos is based on acid-state for persistence (modules DB.*), servant for REST APIs (modules Backend.*), and snap for HTML-form-based user interfaces (modules Frontend.*). While DB.* provides mostly acidic transactions, Api.* offers higher-level access to the database; it sits between the frontend/backend and the persistence layer.

We use parts of lio for authorization management. Acid transactions are labelled with authorization expressions that are enforced against clearance expressions (almost) implicitly. (We do not use the 'LIO' monad so far, as this requires changes to both acid-state and servant, and is most relevant when running a mix of trusted and untrusted Haskell modules.)
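To make the labelling idea concrete, here is an added, self-contained Haskell sketch (not Thentos code and not lio's DCLabel API; the types Authz, Clearance, Transaction and runLabelled are invented for illustration). Each transaction carries an authorization expression, and a single wrapper checks it against the caller's clearance before the transaction body ever touches the database, so individual transactions never have to remember to do the check themselves:

```haskell
-- Hypothetical model of "transactions labelled with an authorization
-- expression, enforced against a clearance expression". Not lio's API
-- and not Thentos code; all names here are made up for illustration.
module Main where

import qualified Data.Set as Set
import Data.Set (Set)

-- A principal is just a name in this sketch.
type Principal = String

-- Authorization expression in disjunctive normal form: each inner set is
-- a conjunction of principals that must all be held, the outer list is a
-- disjunction (any one clause is enough).
newtype Authz = Authz [Set Principal] deriving (Show, Eq)

-- A clearance is the set of principals the caller currently acts as.
newtype Clearance = Clearance (Set Principal) deriving (Show, Eq)

anyOf :: [Set Principal] -> Authz
anyOf = Authz

allOf :: [Principal] -> Set Principal
allOf = Set.fromList

-- Does the clearance satisfy the authorization expression?
satisfies :: Clearance -> Authz -> Bool
satisfies (Clearance held) (Authz clauses) =
  any (`Set.isSubsetOf` held) clauses

-- A transaction is a database action tagged with the label it requires.
data Transaction db a = Transaction
  { txLabel :: Authz
  , txRun   :: db -> Either String (db, a)
  }

data AuthError = PermissionDenied Authz | DbError String
  deriving (Show, Eq)

-- Run a labelled transaction under a clearance. The check happens once,
-- here, so every transaction gets it implicitly and a missing check in a
-- transaction body cannot happen.
runLabelled :: Clearance -> Transaction db a -> db -> Either AuthError (db, a)
runLabelled clr tx db
  | clr `satisfies` txLabel tx = either (Left . DbError) Right (txRun tx db)
  | otherwise                  = Left (PermissionDenied (txLabel tx))

-- Toy database: user id -> user name.
type UserDb = [(Int, String)]

-- Reading a user record is allowed to that user or to an admin.
lookupUser :: Int -> Transaction UserDb String
lookupUser uid = Transaction
  { txLabel = anyOf [allOf ["admin"], allOf ["user:" ++ show uid]]
  , txRun   = \db -> case lookup uid db of
      Nothing -> Left ("no such user " ++ show uid)
      Just n  -> Right (db, n)
  }

-- Deleting a user requires an admin acting together with the user.
deleteUser :: Int -> Transaction UserDb ()
deleteUser uid = Transaction
  { txLabel = anyOf [allOf ["admin", "user:" ++ show uid]]
  , txRun   = \db -> Right (filter ((/= uid) . fst) db, ())
  }

main :: IO ()
main = do
  let db    = [(1, "alice"), (2, "bob")]
      alice = Clearance (Set.fromList ["user:1"])
      admin = Clearance (Set.fromList ["admin"])
      both  = Clearance (Set.fromList ["admin", "user:2"])
  print (runLabelled alice (lookupUser 1) db)  -- allowed: own record
  print (runLabelled alice (lookupUser 2) db)  -- denied: someone else's record
  print (runLabelled admin (deleteUser 2) db)  -- denied: admin alone is not enough
  print (runLabelled both  (deleteUser 2) db)  -- allowed: admin and user together
```

The design point is that authorization lives on the transaction's type, not inside its body: a reviewer can audit every label in one place, and adding a new transaction without a label is a compile-time omission rather than a runtime gap.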

Thentos is designed as both a library and an out-of-the-box web application and service. You can use any of the parts that work for you and build something completely different from them:

  • implement your own rest api dialect on top of DB.* and Api;

  • write a new database schema derived from the old one and a lens into the old one, and reuse all existing transactions on the new schema;

  • use special-purpose blaze combinators and handlers from the default frontend to build your own.

Installation

Tested on ghc-7.8.4 with all versions pinned (see cabal.config). You should be able to build with other ghc versions since 7.8 and without pinning, but it may involve some tweaking (and hence some familiarity with ghc).

To build, make sure ghc is in your path and ghc --version says it is 7.8.4. Then:

$ cabal sandbox init
$ cabal install --enable-tests --enable-documentation

This will take a while, as it will pull and build a lot of library dependencies. --enable-tests and --enable-documentation are optional (but it will still take a while to build).

To run the tests:

$ cabal test
$ cabal run -- thentos run --runbackend --runfrontend

Benchmarks:

$ git clone https://github.com/fhartwig/pronk -b barely-working-state
$ cabal sandbox add-source ./pronk
$ cabal install --enable-bench
$ cabal bench  # requires thentos to be running in another shell

Demo

There is a helloworld service that you can use to test a simple oauth-like setup where browser and service connect to Thentos in order to perform user and session management. Once the session is established, the browser will talk directly to the service with the negotiated session token.

Keep Thentos running in a different terminal (see above).

$ cd services/helloworld/
$ cabal sandbox init
$ cabal install
$ cabal run

In order to obtain a service identity for helloworld to authenticate against Thentos, connect to the Thentos frontend, click on create_service, and on create_service again.

Add the information to services/helloworld/devel.config, stop the cabal run process, and start it again.

Create a user (use god/god as username/password if you want to skip this step): visit the Thentos frontend again and click on create_user. Email confirmation is configured to work if there is a mail system running that supports email to local users. Just use your unix user name as the email address and hope for the best. There should also be a line in ./log/thentos.log that contains the confirmation token (logging needs to be set to DEBUG, but that is currently the hard-wired default).

Visit the helloworld service. You should be able to log in and out now.
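The demo steps above involve three parties: the service obtains an identity from Thentos, the browser logs a user in and receives a session token, and the service then validates that token against Thentos before trusting the browser. The following added Haskell sketch models that exchange in memory; it is not Thentos's API or the helloworld service's code, and every type, function, endpoint-like step and sample value in it (Provider, registerService, loginUser, verifyToken, the "helloworld"/"s3cret" service identity, the "tok-…" tokens) is invented for illustration:

```haskell
-- Hypothetical in-memory model of the three-party session flow the
-- helloworld demo exercises. Not Thentos code; names and checks are
-- made up for illustration, and tokens are sequential here only so the
-- sketch is deterministic (a real provider draws them from a CSPRNG).
module Main where

import qualified Data.Map.Strict as Map
import Data.Map.Strict (Map)

type ServiceId  = String
type ServiceKey = String
type UserName   = String
type Token      = String

-- State held by the identity provider.
data Provider = Provider
  { services :: Map ServiceId ServiceKey  -- registered services and their secrets
  , users    :: Map UserName String       -- user -> password (plaintext in this sketch only)
  , sessions :: Map Token UserName        -- live session tokens
  , counter  :: Int                       -- toy token source
  } deriving Show

data AuthError
  = UnknownService | BadServiceKey | BadCredentials | InvalidToken
  deriving (Show, Eq)

emptyProvider :: Provider
emptyProvider = Provider Map.empty Map.empty Map.empty 0

-- Step 1: the service obtains an identity (id + key) from the provider.
registerService :: ServiceId -> ServiceKey -> Provider -> Provider
registerService sid key p = p { services = Map.insert sid key (services p) }

createUser :: UserName -> String -> Provider -> Provider
createUser u pw p = p { users = Map.insert u pw (users p) }

-- Step 2: the browser logs the user in at the provider and gets a token.
-- A wrong password fails closed rather than leaking which part was wrong.
loginUser :: UserName -> String -> Provider -> Either AuthError (Token, Provider)
loginUser u pw p =
  case Map.lookup u (users p) of
    Just stored | stored == pw ->
      let n   = counter p + 1
          tok = "tok-" ++ show n   -- constructed token, not random
      in Right (tok, p { sessions = Map.insert tok u (sessions p), counter = n })
    _ -> Left BadCredentials

-- Step 3: the browser presents the token to the service; the service asks
-- the provider, authenticating with its own key, whose session it is.
verifyToken :: ServiceId -> ServiceKey -> Token -> Provider -> Either AuthError UserName
verifyToken sid key tok p = do
  storedKey <- maybe (Left UnknownService) Right (Map.lookup sid (services p))
  if storedKey /= key then Left BadServiceKey else Right ()
  maybe (Left InvalidToken) Right (Map.lookup tok (sessions p))

-- The service's view: a request carrying a token is accepted only after
-- verification succeeds; the service never sees the user's password.
serviceHandle :: ServiceId -> ServiceKey -> Provider -> Token -> String
serviceHandle sid key p tok =
  case verifyToken sid key tok p of
    Right u -> "hello, " ++ u
    Left e  -> "rejected: " ++ show e

main :: IO ()
main = do
  let p0 = createUser "god" "god" (registerService "helloworld" "s3cret" emptyProvider)
  case loginUser "god" "god" p0 of
    Left e -> print e
    Right (tok, p1) -> do
      putStrLn (serviceHandle "helloworld" "s3cret" p1 tok)          -- accepted
      putStrLn (serviceHandle "helloworld" "s3cret" p1 "tok-unknown") -- InvalidToken
      putStrLn (serviceHandle "helloworld" "wrong-key" p1 tok)       -- BadServiceKey
  print (loginUser "god" "bad-password" p0)                          -- BadCredentials
```

The property worth noticing is the one the README's "privacy-preserving" claim rests on: the service only ever handles a service key and opaque session tokens, and learns about the user exactly what the provider chooses to return for a valid token.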

There is also a highly experimental (even more so than the rest of Thentos) alternative rest api that mimics the adhocracy3 backend:

cabal run -- runa3 --runbackend --runfrontend
curl -XPOST -d '{"name": "god", "password": "god"}' http://localhost:7001/login_username

(Try a bad password to run into one of the gaps in the implementation. :)

Further Reading

  • ./docs/related_work.md

    An incomplete list of related software projects.

  • Generated Thentos documentation (version 0.0.1):

Thanks!

(in alphanumerical order)

  • Christian Siefkes
  • Julian Arni
  • Sönke Hahn
