yesodweb / authenticate Goto Github PK

See here: GaloisInc/RSA#17 (comment). It should be < 2.5 now to build with GHC 8.8.1.

Hello, i'm getting Handshake Errors (presumably from TLS) when calling authenticate (getForwardUrl works fine apparently).

Below is code so you can reproduce, unfortunately this will require creating an account with the OpenID provider in question.

{-# LANGUAGE OverloadedStrings #-}

import qualified Data.Text.Encoding as T
import qualified Data.Text.Lazy as LT
import qualified Data.Text.Lazy.Encoding as LT

import Network.HTTP.Types
import Network.HTTP.Conduit (newManager)

import Network.Wai
import Network.Wai.Handler.Warp

import Web.Authenticate.OpenId

main = run 3000 $ \req -> do
  man <- newManager
  case pathInfo req of
    [] -> do
      url <- getForwardUrl "http://steamcommunity.com/openid" "http://localhost:3000/check"
                           Nothing [] man
      return $ responseLBS statusFound [("Location", T.encodeUtf8 url)] ""
    ["check"] -> do
      let query = map (\(k,v) -> (T.decodeUtf8 k, T.decodeUtf8 v))
                      (parseSimpleQuery $ rawQueryString req)
      id <- fmap (identifier . fst) $ authenticate query man
      return $ responseLBS statusOK [] . LT.encodeUtf8 . LT.fromChunks . (:[]) $ id
    _ -> return $ responseLBS statusNotFound [] ""

[7 of 9] Compiling OpenId2.Discovery ( OpenId2/Discovery.hs, dist/build/OpenId2/Discovery.o )

OpenId2/Discovery.hs:85:11: error: Not in scope: `checkStatus'

Related change:

snoyberg/http-client@b476183

https://dev.twitter.com/discussions/16443

Twitter OAuth keeps failing for me and I'm wondering if this is related.

The Cabal file at https://github.com/yesodweb/authenticate/blob/master/authenticate/authenticate.cabal#L3 says BSD3, but the license file at https://github.com/yesodweb/authenticate/blob/master/authenticate/LICENSE contains a BSD2 license.

Please adjust to build with RSA 2.0

hi,

i'd like to port it to http-client and remove the conduit dependency.

i would just use IO instead of MonadResource, MonadUnsafeIO, etc. what do you think?

(i have a proof of concept with MonadIO as well.)

Currently, checkAssertion in Web.Authenticate.BrowserID just does a POST to https://browserid.org/verify . Please consider implementing BrowserID assertion verification directly. See https://wiki.mozilla.org/Identity/BrowserID#Assertion_Verification (and the preceding bits on that page) for the specification, and https://github.com/mozilla/browserid/blob/dev/bin/verifier for the source of the reference validator (written with node.js). (For the latter, note that the real work happens in the libraries loaded from https://github.com/mozilla/browserid/tree/dev/lib/verifier .)

I'm not sure if this is in progress or not, but here's a ticket for myself and others to track :) I see there is https://gist.github.com/2351071, which may be of us.

Hello,

Most likely I'm missing something, but I think API lacks few helpers.

I'm trying to use it to authenticate via twitter, hence:

oauthTwitter :: OAuth
oauthTwitter = newOAuth
               { oauthServerName = "api.twitter.com"
               , oauthRequestUri      = "https://api.twitter.com/oauth/request_token"
               , oauthAccessTokenUri  = "https://api.twitter.com/oauth/access_token"
               , oauthAuthorizeUri    = "https://api.twitter.com/oauth/authorize"
               , oauthSignatureMethod = HMACSHA1
               , oauthConsumerKey = "<snip>" 
               , oauthConsumerSecret = "<snip!>"
               , oauthVersion         = OAuth10a }

main = do
  mgr <- newManager tlsManagerSettings
  cred <- getTemporaryCredential oauthTwitter mgr
  let token = lookup "oauth_token" $ unCredential cred
  -- and now, use this token to generate api/oauth/authenticate?oauth_token=.... URL for the browser

So, in last two lines I'm doing raw lookup to grab the token, and then raw concatenation to generate URL (I rather use a helper akin to that of authorizeUrl to generate it for me). Am I correct in thinking that something like this could be added to the API?

When trying to use this to authenticate with Twitter using the sample code here https://github.com/himura/twitter-conduit/blob/master/sample/simple.hs it fails.

The problem seems to be that the Credential returned by getAccessToken contains extra fields:

Credential {unCredential = [("oauth_token","XXX"),("oauth_token_secret","YYY"),("user_id","51459324"),("screen_name","nomeata")]}

and using these credentials later fails. I have to remove them using code like this

    let cred' = filter (\(k,v) -> k /= "user_id" && k /= "screen_name") cred

to make it work.

I am not sure if Twitter, authenticate-oauth or twitter-conduit is to blame, but somewhere something goes wrong…

Realted: himura/twitter-conduit#64

Web/Authenticate/Rpxnow.hs:41:22: error:
    Module ‘Data.Conduit’ does not export ‘MonadBaseControl’

Web/Authenticate/Rpxnow.hs:41:40: error:
    Module ‘Data.Conduit’ does not export ‘MonadResource’

As a Hackage trustee, I have pushed revisions that add bounds conduit < 1.1 for the problematic versions, e.g. https://hackage.haskell.org/package/authenticate-1.3.2.7/revisions/.

When I build authenticate-1.3.5 with aeson-2.0.1.0, I get the following errors:

Web/Authenticate/BrowserId.hs:36:35: error:
    • Couldn't match type ‘Data.Aeson.KeyMap.KeyMap Value’
                     with ‘Map.HashMap k0 Value’
      Expected type: Map.HashMap k0 Value
        Actual type: aeson-2.0.1.0:Data.Aeson.Types.Internal.Object
    • In the second argument of ‘Map.lookup’, namely ‘o’
      In the expression: Map.lookup "status" o
      In the expression: (Map.lookup "status" o, Map.lookup "email" o)
   |
36 |         case (Map.lookup "status" o, Map.lookup "email" o) of
   |                                   ^

Web/Authenticate/BrowserId.hs:36:57: error:
    • Couldn't match type ‘Data.Aeson.KeyMap.KeyMap Value’
                     with ‘Map.HashMap k1 Value’
      Expected type: Map.HashMap k1 Value
        Actual type: aeson-2.0.1.0:Data.Aeson.Types.Internal.Object
    • In the second argument of ‘Map.lookup’, namely ‘o’
      In the expression: Map.lookup "email" o
      In the expression: (Map.lookup "status" o, Map.lookup "email" o)
   |
36 |         case (Map.lookup "status" o, Map.lookup "email" o) of
   |                                                         ^

There is a DH Problem at the moment when using Yesod Platform
Yesod Platform 1.0.4.2 specifies base64-bytestring (0.1.1.1);
authenticate.oauth specifies base64-bytestring (0.1.*) which picks up base64-bytestring (0.1.2.0), so that the Yesod Platform is rejected
Perhaps it is for Yesod Platform to specify base64-bytestring (0.1.2.0).
I have worked around by removing the dependency on Yesod Platform.

Robert

There is a package on Hackage (crypto-totp) which seems to provide the crytpto part. Having an easy way to enable 2 steps authentication on a Yesod enabled app would be awsome.

Please update authenticate-oauth to build with resourcet 1.1.1

Currently, the BrowserID implementation expects to just add a script tag referencing browserid.org/include.js. Please consider providing an easy way for sites to host that script themselves, to avoid referencing third-party scripts. According to the BrowserID folks, the API between include.js and browserid.org has almost entirely stabilized, though they don't plan to declare it entirely stable until this summer.

authenticate-oauth compiles fine with recent versions of crypto-pubkey-types. Could you please lift the restrictions in the Cabal file?

The BrowserID plugin is hot-linking an old button that is likely to go away at any time.

There are new buttons available but they should be downloaded locally because hot-linking to an image on a wiki isn't very stable :)

Try logging in with Wordpress on Haskellers.com

It definitely compiles with later versions of http-conduit, I haven't tried the other two outdated dependencies (crypto-pubkey-types and SHA)

conduit-1.1 no longer includes Data.Conduit.Blaze - it looks like you need to depend on conduit-extra.

Hi,

authenticate-oauth currently wants crypto-pubkey-types (≥0.1 & <0.4). It would be nice if 0.4 were also supported.

Thanks,
Joachim