-rwxr-xr-xrun.sh2
-rw-r--r--src/Authentication.hs9
-rw-r--r--src/Main.hs6
3 files changed, 11 insertions, 6 deletions
diff --git a/run.sh b/run.sh
index 5a208e6..b4e03b5 100755
--- a/run.sh
+++ b/run.sh
@@ -1,2 +1,2 @@
#!/bin/bash
-stack exec photos -- --pending_path=/tmp --photos_path=/tmp --allowed_users=kjetil.orbekk@gmail.com
+stack exec photos -- --pending_path=/tmp --photos_path=/tmp --allowed_users=kjetil.orbekk@gmail.com --client_ids=962011751339-3gia1j74sqhu1ju40o0scbnfsf39llja.apps.googleusercontent.com
diff --git a/src/Authentication.hs b/src/Authentication.hs
index bc00863..a0d3d8c 100644
--- a/src/Authentication.hs
+++ b/src/Authentication.hs
@@ -23,8 +23,8 @@ type Token = String
data User = User
{ email :: String
, name :: String
+ , aud :: String
} deriving (Eq, Show, Generic)
-
instance FromJSON User
queryUser :: Token -> IO (Maybe User)
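Review bot: The new `aud` field is undocumented, and because `FromJSON User` is derived generically the field is mandatory: a tokeninfo response without an `aud` key now decodes to Nothing rather than a User, which the caller treats as a failed authentication. That fail-closed intent is worth stating on the field, e.g. `, aud :: String -- ^ client id the token was issued to (required: responses without it fail to decode)`. The blank line dropped after `deriving` also leaves `instance FromJSON User` butted against the data declaration; keeping the separator reads better.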
@@ -36,15 +36,18 @@ queryUser' token = do
response <- simpleHttp (makeUrl token)
return (decode response)
-isAuthenticated :: [String] -> MVar [Token] -> Token -> IO Bool
-isAuthenticated allowedUsers tokenCache token = runEitherT runner >>= return . fromEither
+isAuthenticated :: [String] -> [String] -> MVar [Token] -> Token -> IO Bool
+isAuthenticated clientIds allowedUsers tokenCache token = runEitherT runner >>= return . fromEither
where runner :: EitherT Bool IO Bool
runner = do
ts <- lift $ readMVar tokenCache
_ <- leftIf (token `elem` ts) True
user <- lift $ queryUser token
email' <- return $ fromMaybe "" (user >>= return . email)
+ aud' <- return $ fromMaybe "" (user >>= return . aud)
+ liftIO $ putStrLn $ "Trying to authenticate user: " ++ show user
_ <- leftIf (not (email' `elem` allowedUsers)) False
+ _ <- leftIf (not (aud' `elem` clientIds)) False
tokens <- lift $ takeMVar tokenCache
lift $ putMVar tokenCache (token:tokens)
return True
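Review bot: The `fromMaybe ""` fallback on the new `aud'` line gives a token for which `queryUser` returned Nothing an empty audience, and Main.hs hunk 2 builds `clientIds` with `splitOn "," flags_client_ids`, which is `[""]` when the flag keeps its default `""` — so with `--client_ids` unset an unverifiable token satisfies the new audience check (the pre-existing email line has the same shape against `allowed_users`). Failing closed before either field is read fixes both: insert `_ <- leftIf (isNothing user) False` after the `queryUser` line (assuming `isNothing` can be imported from Data.Maybe alongside the existing `fromMaybe`), and in Main.hs hunk 2 consider rejecting an empty `flags_client_ids` at startup instead of splitting it. Separately, the added `putStrLn` writes the whole decoded `User` (email and name) to stdout on every uncached request; logging only the outcome, or at most the email, keeps personal data out of process logs. As a point of style, the surrounding lines use `lift` while the new log line uses `liftIO`; one form within the block is enough.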
diff --git a/src/Main.hs b/src/Main.hs
index c091c8f..46b6108 100644
--- a/src/Main.hs
+++ b/src/Main.hs
@@ -32,6 +32,7 @@ defineFlag "host" ("*6" :: String) "Host to serve on (*6 for ipv6 mode)"
defineFlag "pending_path" ("" :: String) "Path to pending albums"
defineFlag "photos_path" ("" :: String) "Path to permanent albums"
defineFlag "allowed_users" ("" :: String) "Comma separated list of emails"
+defineFlag "client_ids" ("" :: String) "Comma separated list of client ids"
$(return []) -- Somehow forces the flags to be set.
instance ToJSON Album
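Review bot: The help string for `client_ids` does not say what the ids are matched against; the flag is consumed as the accepted token audience in Authentication.isAuthenticated, so `defineFlag "client_ids" ("" :: String) "Comma separated list of OAuth client ids accepted as the token audience (aud)"` tells an operator which value to supply. The empty default also deserves a word there, since Main.hs hunk 2 splits `""` into `[""]` rather than an empty list.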
@@ -56,8 +57,9 @@ type PhotoApi =
type Token = String
-isAuthenticated = Authentication.isAuthenticated users cache
- where users = splitOn "," flags_allowed_users
+isAuthenticated = Authentication.isAuthenticated clientIds users cache
+ where clientIds = splitOn "," flags_client_ids
+ users = splitOn "," flags_allowed_users
cache = unsafePerformIO (newMVar [])
config = Config