From a01051eaf66a263aebb3ff9e1d492b0d0c1c4429 Mon Sep 17 00:00:00 2001
From: Maximilian Tagher <feedback.tagher@gmail.com>
Date: Sun, 14 Feb 2016 17:10:07 -0800
Subject: [PATCH 01/67] Have the yesod-auth login form use a CSRF token

Closes #1159

Based on reading this [StackOverflow Post](http://stackoverflow.com/questions/6412813/do-login-forms-need-tokens-against-csrf-attacks) and skimming [this paper](http://seclab.stanford.edu/websec/csrf/csrf.pdf), using CSRF protection on login forms protects against a vulnerability where an attacker submits their own username/password in the login form. Later, the user uses the real site, but doesn't realize they're logged in as the attacker. This creates vulnerabilities like:

1. If the site logs the user's activity for them (e.g. recently watched videos on YouTube, previous searches on Google), the attacker can see this information by logging in.
2. The user adds sensitive information to the account, like credit card information, the attacker can login and potentially steal that information or use it on the site.

I don't think this vulnerability applies to the `Yesod.Auth.Hardcoded` plugin because the attacker couldn't create an account of their own.

However:

* If I understand the example in `Yesod.Auth.Hardcoded`, one use case is to share one login form that works for both the Hardcoded plugin as well as normal database-backed username/password login, in which case having a CSRF token makes sense
* I don't see a downside to having the CSRF token there
* It makes the Hardcoded plugin work with the CSRF middleware

Does this sound like the right solution?
---
 yesod-auth/Yesod/Auth/Hardcoded.hs | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Hardcoded.hs b/yesod-auth/Yesod/Auth/Hardcoded.hs
index 592c0cf2..bb4a24da 100644
--- a/yesod-auth/Yesod/Auth/Hardcoded.hs
+++ b/yesod-auth/Yesod/Auth/Hardcoded.hs
@@ -160,10 +160,14 @@ authHardcoded =
   where
     dispatch "POST" ["login"] = postLoginR >>= sendResponse
     dispatch _ _ = notFound
-    loginWidget toMaster =
+    loginWidget toMaster = do
+      request <- getRequest
+      let tokenKey = ("_token" :: Text) -- This value taken from yesod-form's postHelper. Not ideal that it's hard-coded in two places.
       [whamlet|
         $newline never
         <form method="post" action="@{toMaster loginR}">
+          $maybe t <- reqToken request
+            <input type=hidden name=#{tokenKey} value=#{t}>
           <table>
             <tr>
               <th>_{Msg.UserName}

From d39ce44c21d355cf522108a973d284e568611901 Mon Sep 17 00:00:00 2001
From: Maximilian Tagher <feedback.tagher@gmail.com>
Date: Mon, 15 Feb 2016 23:59:24 -0800
Subject: [PATCH 02/67] Use `defaultCsrfParamName` instead of hard-coding its
 value

* Up version bounds so that `defaultCsrfParamName` is available.
* I didn't bump the yesod-form version. It seemed unnecessary to do a new release just for this.
---
 yesod-auth/ChangeLog.md            | 4 ++++
 yesod-auth/Yesod/Auth/Hardcoded.hs | 3 +--
 yesod-auth/yesod-auth.cabal        | 4 ++--
 yesod-form/Yesod/Form/Functions.hs | 3 ++-
 yesod-form/yesod-form.cabal        | 2 +-
 5 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/yesod-auth/ChangeLog.md b/yesod-auth/ChangeLog.md
index 970cd994..46640af4 100644
--- a/yesod-auth/ChangeLog.md
+++ b/yesod-auth/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.13
+
+* Add a CSRF token to the login form from `Yesod.Auth.Hardcoded`, making it compatible with the CSRF middleware [#1161](https://github.com/yesodweb/yesod/pull/1161)
+
 ## 1.4.12
 
 * Deprecated Yesod.Auth.GoogleEmail
diff --git a/yesod-auth/Yesod/Auth/Hardcoded.hs b/yesod-auth/Yesod/Auth/Hardcoded.hs
index bb4a24da..0f7061ad 100644
--- a/yesod-auth/Yesod/Auth/Hardcoded.hs
+++ b/yesod-auth/Yesod/Auth/Hardcoded.hs
@@ -162,12 +162,11 @@ authHardcoded =
     dispatch _ _ = notFound
     loginWidget toMaster = do
       request <- getRequest
-      let tokenKey = ("_token" :: Text) -- This value taken from yesod-form's postHelper. Not ideal that it's hard-coded in two places.
       [whamlet|
         $newline never
         <form method="post" action="@{toMaster loginR}">
           $maybe t <- reqToken request
-            <input type=hidden name=#{tokenKey} value=#{t}>
+            <input type=hidden name=#{defaultCsrfParamName} value=#{t}>
           <table>
             <tr>
               <th>_{Msg.UserName}
diff --git a/yesod-auth/yesod-auth.cabal b/yesod-auth/yesod-auth.cabal
index 28468eff..69c13d9d 100644
--- a/yesod-auth/yesod-auth.cabal
+++ b/yesod-auth/yesod-auth.cabal
@@ -1,5 +1,5 @@
 name:            yesod-auth
-version:         1.4.12
+version:         1.4.13
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman, Patrick Brisbin
@@ -23,7 +23,7 @@ library
     build-depends:   base                    >= 4         && < 5
                    , authenticate            >= 1.3
                    , bytestring              >= 0.9.1.4
-                   , yesod-core              >= 1.4       && < 1.5
+                   , yesod-core              >= 1.4.14    && < 1.5
                    , wai                     >= 1.4
                    , template-haskell
                    , base16-bytestring
diff --git a/yesod-form/Yesod/Form/Functions.hs b/yesod-form/Yesod/Form/Functions.hs
index 6fe69b04..fc1e9903 100644
--- a/yesod-form/Yesod/Form/Functions.hs
+++ b/yesod-form/Yesod/Form/Functions.hs
@@ -59,6 +59,7 @@ import Text.Blaze (Markup, toMarkup)
 #define Html Markup
 #define toHtml toMarkup
 import Yesod.Core
+import Yesod.Core.Handler (defaultCsrfParamName)
 import Network.Wai (requestMethod)
 import Text.Hamlet (shamlet)
 import Data.Monoid (mempty)
@@ -213,7 +214,7 @@ postHelper  :: (MonadHandler m, RenderMessage (HandlerSite m) FormMessage)
             -> m ((FormResult a, xml), Enctype)
 postHelper form env = do
     req <- getRequest
-    let tokenKey = "_token"
+    let tokenKey = defaultCsrfParamName
     let token =
             case reqToken req of
                 Nothing -> mempty
diff --git a/yesod-form/yesod-form.cabal b/yesod-form/yesod-form.cabal
index a7f715d5..ebfd6fa3 100644
--- a/yesod-form/yesod-form.cabal
+++ b/yesod-form/yesod-form.cabal
@@ -20,7 +20,7 @@ flag network-uri
 
 library
     build-depends:   base                  >= 4        && < 5
-                   , yesod-core            >= 1.4      && < 1.5
+                   , yesod-core            >= 1.4.14   && < 1.5
                    , yesod-persistent      >= 1.4      && < 1.5
                    , time                  >= 1.1.4
                    , shakespeare           >= 2.0

From 76fc5887f96dc698295c744539678e025838502b Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Wed, 17 Feb 2016 20:39:09 -0700
Subject: [PATCH 03/67] Fixed registerHandler CSRF issue

The default register handler for email authentication didn't provide a
CSRF token. I provided one by using a monadic form helper.
---
 yesod-auth/Yesod/Auth/Email.hs | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 1b94c411..6a3663ff 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -107,6 +107,8 @@ data EmailCreds site = EmailCreds
     , emailCredsEmail  :: Email
     }
 
+data UserForm = UserForm { email :: Text }
+
 class ( YesodAuth site
       , PathPiece (AuthEmailId site)
       , (RenderMessage site Msg.AuthMessage)
@@ -299,18 +301,37 @@ getRegisterR = registerHandler
 -- Since: 1.2.6
 defaultRegisterHandler :: YesodAuthEmail master => AuthHandler master Html
 defaultRegisterHandler = do
-    email <- newIdent
-    tp <- getRouteToParent
+    ((f,widget),e) <- lift $ runFormPost registrationForm
+    toParentRoute <- getRouteToParent
     lift $ authLayout $ do
         setTitleI Msg.RegisterLong
         [whamlet|
             <p>_{Msg.EnterEmail}
-            <form method="post" action="@{tp registerR}">
+            <form method="post" action="@{toParentRoute registerR}">
                 <div id="registerForm">
-                    <label for=#{email}>_{Msg.Email}:
-                    <input ##{email} type="email" name="email" width="150" autofocus>
+                    ^{widget}
                 <button .btn>_{Msg.Register}
         |]
+    where
+        registrationForm extra = do
+            let emailSettings = FieldSettings {
+                fsLabel = "Email" ,
+                fsTooltip = Nothing ,
+                fsId = Just "email",
+                fsName = Just "email",
+                fsAttrs = []
+            }
+
+            (emailRes, emailView) <- mreq textField emailSettings Nothing
+
+            let userRes = UserForm <$> emailRes
+            let widget = do
+                [whamlet|
+                    #{extra}
+                    ^{fvInput emailView}
+                |]
+
+            return (userRes, widget)
 
 registerHelper :: YesodAuthEmail master
                => Bool -- ^ allow usernames?

From d87499deb5fa559d8d33b36c682312e9b2fe0afd Mon Sep 17 00:00:00 2001
From: Luigy Leon <luichi.19@gmail.com>
Date: Thu, 18 Feb 2016 17:57:31 -0500
Subject: [PATCH 04/67] [yesod-bin] improve stack detection for 'stack keter'

The following will now use stack:

* `stack query` succeeds from current directory instead of searching that a `stack.yaml` exists
* `STACK_YAML` or `STACK_EXE`(set by `stack exec`) environment variables are set
---
 yesod-bin/Keter.hs | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/yesod-bin/Keter.hs b/yesod-bin/Keter.hs
index 3cf021e1..12c1a5c9 100644
--- a/yesod-bin/Keter.hs
+++ b/yesod-bin/Keter.hs
@@ -6,11 +6,12 @@ module Keter
 import Data.Yaml
 import qualified Data.HashMap.Strict as Map
 import qualified Data.Text as T
+import System.Environment (getEnvironment)
 import System.Exit
 import System.Process
 import Control.Monad
 import System.Directory hiding (findFiles)
-import Data.Maybe (mapMaybe)
+import Data.Maybe (mapMaybe,isJust,maybeToList)
 import Data.Monoid
 import System.FilePath ((</>))
 import qualified Codec.Archive.Tar as Tar
@@ -48,6 +49,8 @@ keter cabal noBuild noCopyTo buildArgs = do
                             _ -> return value
             Just _ -> error $ ketercfg ++ " is not an object"
 
+    env' <- getEnvironment
+    cwd' <- getCurrentDirectory
     files <- getDirectoryContents "."
     project <-
         case mapMaybe (T.stripSuffix ".cabal" . T.pack) files of
@@ -74,11 +77,22 @@ keter cabal noBuild noCopyTo buildArgs = do
         collapse' (x:xs) = x : collapse' xs
         collapse' [] = []
 
-    unless noBuild $ if elem "stack.yaml" files
-        then do run "stack" ["clean"]
-                createDirectoryIfMissing True "./dist/bin"
+    stackQueryRunSuccess <- do
+      (ec,_,_) <- readProcessWithExitCode "stack" ["query"] ""
+      return (ec == ExitSuccess)
+
+    let inStackExec = isJust $ lookup "STACK_EXE" env'
+        mStackYaml = lookup "STACK_YAML" env'
+        useStack = inStackExec || isJust mStackYaml || stackQueryRunSuccess
+
+    unless noBuild $ if useStack
+        then do let stackYaml = maybeToList $ fmap ("--stack-yaml="<>) mStackYaml
+                    localBinPath = cwd' </> "dist/bin"
+                run "stack" $ stackYaml <> ["clean"]
+                createDirectoryIfMissing True localBinPath
                 run "stack"
-                    ((words "--local-bin-path ./dist/bin build --copy-bins")
+                    (stackYaml
+                     <> ["--local-bin-path",localBinPath,"build","--copy-bins"]
                      <> buildArgs)
         else do run cabal ["clean"]
                 run cabal ["configure"]

From f576a8a43506655c29767d9222a321fb7c508292 Mon Sep 17 00:00:00 2001
From: Luigy Leon <luichi.19@gmail.com>
Date: Fri, 19 Feb 2016 15:42:42 -0500
Subject: [PATCH 05/67] only perform checks when it needs to build

---
 yesod-bin/Keter.hs | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/yesod-bin/Keter.hs b/yesod-bin/Keter.hs
index 12c1a5c9..d5236e42 100644
--- a/yesod-bin/Keter.hs
+++ b/yesod-bin/Keter.hs
@@ -77,26 +77,27 @@ keter cabal noBuild noCopyTo buildArgs = do
         collapse' (x:xs) = x : collapse' xs
         collapse' [] = []
 
-    stackQueryRunSuccess <- do
-      (ec,_,_) <- readProcessWithExitCode "stack" ["query"] ""
-      return (ec == ExitSuccess)
+    unless noBuild $ do
+        stackQueryRunSuccess <- do
+            (ec,_,_) <- readProcessWithExitCode "stack" ["query"] ""
+            return (ec == ExitSuccess)
 
-    let inStackExec = isJust $ lookup "STACK_EXE" env'
-        mStackYaml = lookup "STACK_YAML" env'
-        useStack = inStackExec || isJust mStackYaml || stackQueryRunSuccess
+        let inStackExec = isJust $ lookup "STACK_EXE" env'
+            mStackYaml = lookup "STACK_YAML" env'
+            useStack = inStackExec || isJust mStackYaml || stackQueryRunSuccess
 
-    unless noBuild $ if useStack
-        then do let stackYaml = maybeToList $ fmap ("--stack-yaml="<>) mStackYaml
-                    localBinPath = cwd' </> "dist/bin"
-                run "stack" $ stackYaml <> ["clean"]
-                createDirectoryIfMissing True localBinPath
-                run "stack"
-                    (stackYaml
-                     <> ["--local-bin-path",localBinPath,"build","--copy-bins"]
-                     <> buildArgs)
-        else do run cabal ["clean"]
-                run cabal ["configure"]
-                run cabal ("build" : buildArgs)
+        if useStack
+            then do let stackYaml = maybeToList $ fmap ("--stack-yaml="<>) mStackYaml
+                        localBinPath = cwd' </> "dist/bin"
+                    run "stack" $ stackYaml <> ["clean"]
+                    createDirectoryIfMissing True localBinPath
+                    run "stack"
+                        (stackYaml
+                         <> ["--local-bin-path",localBinPath,"build","--copy-bins"]
+                         <> buildArgs)
+            else do run cabal ["clean"]
+                    run cabal ["configure"]
+                    run cabal ("build" : buildArgs)
 
     _ <- try' $ removeDirectoryRecursive "static/tmp"
 

From 3e37983f1cef39818362df9d95108107a09fd055 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sat, 20 Feb 2016 13:37:43 -0700
Subject: [PATCH 06/67] Added encoding type and removed unused variable

---
 yesod-auth/Yesod/Auth/Email.hs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 6a3663ff..1316c4be 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -301,13 +301,13 @@ getRegisterR = registerHandler
 -- Since: 1.2.6
 defaultRegisterHandler :: YesodAuthEmail master => AuthHandler master Html
 defaultRegisterHandler = do
-    ((f,widget),e) <- lift $ runFormPost registrationForm
+    ((_,widget),enctype) <- lift $ runFormPost registrationForm
     toParentRoute <- getRouteToParent
     lift $ authLayout $ do
         setTitleI Msg.RegisterLong
         [whamlet|
             <p>_{Msg.EnterEmail}
-            <form method="post" action="@{toParentRoute registerR}">
+            <form method="post" action="@{toParentRoute registerR}" enctype=#{enctype}>
                 <div id="registerForm">
                     ^{widget}
                 <button .btn>_{Msg.Register}

From ed5037fa749402de728bdcedc8b627171853d426 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sat, 20 Feb 2016 13:38:19 -0700
Subject: [PATCH 07/67] Used localized email label

---
 yesod-auth/Yesod/Auth/Email.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 1316c4be..7792413c 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -315,8 +315,8 @@ defaultRegisterHandler = do
     where
         registrationForm extra = do
             let emailSettings = FieldSettings {
-                fsLabel = "Email" ,
                 fsTooltip = Nothing ,
+                fsLabel = SomeMessage Msg.Email,
                 fsId = Just "email",
                 fsName = Just "email",
                 fsAttrs = []

From c376146231ee61b714d967fdbb9f7e254f1408a7 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sat, 20 Feb 2016 13:38:48 -0700
Subject: [PATCH 08/67] Removed whitespace

---
 yesod-auth/Yesod/Auth/Email.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 7792413c..8ca50394 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -315,8 +315,8 @@ defaultRegisterHandler = do
     where
         registrationForm extra = do
             let emailSettings = FieldSettings {
-                fsTooltip = Nothing ,
                 fsLabel = SomeMessage Msg.Email,
+                fsTooltip = Nothing,
                 fsId = Just "email",
                 fsName = Just "email",
                 fsAttrs = []

From 27e1ec3be3796444e2539d41e6d6f48c4735ee08 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sat, 20 Feb 2016 13:39:08 -0700
Subject: [PATCH 09/67] Used email field for input

---
 yesod-auth/Yesod/Auth/Email.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 8ca50394..a0c7b6d0 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -322,7 +322,7 @@ defaultRegisterHandler = do
                 fsAttrs = []
             }
 
-            (emailRes, emailView) <- mreq textField emailSettings Nothing
+            (emailRes, emailView) <- mreq emailField emailSettings Nothing
 
             let userRes = UserForm <$> emailRes
             let widget = do

From 456e93fb1008d66694fe416b564f6c8384bcab8b Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sat, 20 Feb 2016 13:47:42 -0700
Subject: [PATCH 10/67] Added autofocus attribute to email input

---
 yesod-auth/Yesod/Auth/Email.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index a0c7b6d0..025a788d 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -319,7 +319,7 @@ defaultRegisterHandler = do
                 fsTooltip = Nothing,
                 fsId = Just "email",
                 fsName = Just "email",
-                fsAttrs = []
+                fsAttrs = [("autofocus", "")]
             }
 
             (emailRes, emailView) <- mreq emailField emailSettings Nothing

From 1cae0e38ab7c07debdc5f621dde7e59f901bdb1f Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sat, 20 Feb 2016 21:26:58 -0700
Subject: [PATCH 11/67] Moved login logic into a function

This is more clear and looks like the other authorization plugins.
---
 yesod-auth/Yesod/Auth/Email.hs | 42 +++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 21 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 025a788d..416d4df2 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -258,28 +258,28 @@ class ( YesodAuth site
 
 authEmail :: YesodAuthEmail m => AuthPlugin m
 authEmail =
-    AuthPlugin "email" dispatch $ \tm ->
-        [whamlet|
-$newline never
-<form method="post" action="@{tm loginR}">
-    <table>
-        <tr>
-            <th>_{Msg.Email}
-            <td>
-                <input type="email" name="email" required>
-        <tr>
-            <th>_{Msg.Password}
-            <td>
-                <input type="password" name="password" required>
-        <tr>
-            <td colspan="2">
-                <button type=submit .btn .btn-success>
-                    _{Msg.LoginViaEmail}
-                &nbsp;
-                <a href="@{tm registerR}" .btn .btn-default>
-                    _{Msg.RegisterLong}
-|]
+    AuthPlugin "email" dispatch login
   where
+    login tm =
+        [whamlet|
+            <form method="post" action="@{tm loginR}">
+                <table>
+                    <tr>
+                        <th>_{Msg.Email}
+                        <td>
+                            <input type="email" name="email" required>
+                    <tr>
+                        <th>_{Msg.Password}
+                        <td>
+                            <input type="password" name="password" required>
+                    <tr>
+                        <td colspan="2">
+                            <button type=submit .btn .btn-success>
+                                _{Msg.LoginViaEmail}
+                            &nbsp;
+                            <a href="@{tm registerR}" .btn .btn-default>
+                                _{Msg.RegisterLong}
+        |]
     dispatch "GET" ["register"] = getRegisterR >>= sendResponse
     dispatch "POST" ["register"] = postRegisterR >>= sendResponse
     dispatch "GET" ["forgot-password"] = getForgotPasswordR >>= sendResponse

From 5a25e5e53b7a4dc1d3782cd6d021ee458c88a17b Mon Sep 17 00:00:00 2001
From: Kazuki Okamoto <kakkun61@gmail.com>
Date: Sun, 28 Feb 2016 16:48:56 +0900
Subject: [PATCH 12/67] =?UTF-8?q?change=20Twitter=20ID=20screen=5Fname=20?=
 =?UTF-8?q?=E2=86=92=20user=5Fid?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 yesod-auth-oauth/Yesod/Auth/OAuth.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth-oauth/Yesod/Auth/OAuth.hs b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
index 79ab12ac..e78ae311 100644
--- a/yesod-auth-oauth/Yesod/Auth/OAuth.hs
+++ b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
@@ -103,7 +103,7 @@ authTwitter key secret = authOAuth
                           , oauthConsumerSecret  = secret
                           , oauthVersion         = OAuth10a
                           })
-                (mkExtractCreds "twitter" "screen_name")
+                (mkExtractCreds "twitter" "user_id")
 
 twitterUrl :: AuthRoute
 twitterUrl = oauthUrl "twitter"

From d46d75455503a30cdac45c88fffab55c1825f83f Mon Sep 17 00:00:00 2001
From: Kazuki Okamoto <kazuki.okamoto@kakkun61.com>
Date: Mon, 29 Feb 2016 00:00:42 +0900
Subject: [PATCH 13/67] =?UTF-8?q?Revert=20"change=20Twitter=20ID=20screen?=
 =?UTF-8?q?=5Fname=20=E2=86=92=20user=5Fid"?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This reverts commit 5a25e5e53b7a4dc1d3782cd6d021ee458c88a17b.
---
 yesod-auth-oauth/Yesod/Auth/OAuth.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth-oauth/Yesod/Auth/OAuth.hs b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
index e78ae311..79ab12ac 100644
--- a/yesod-auth-oauth/Yesod/Auth/OAuth.hs
+++ b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
@@ -103,7 +103,7 @@ authTwitter key secret = authOAuth
                           , oauthConsumerSecret  = secret
                           , oauthVersion         = OAuth10a
                           })
-                (mkExtractCreds "twitter" "user_id")
+                (mkExtractCreds "twitter" "screen_name")
 
 twitterUrl :: AuthRoute
 twitterUrl = oauthUrl "twitter"

From 074b0c68e73a8441e60053b1c726590d6ac5f2a9 Mon Sep 17 00:00:00 2001
From: Kazuki Okamoto <kazuki.okamoto@kakkun61.com>
Date: Mon, 29 Feb 2016 04:07:42 +0900
Subject: [PATCH 14/67] add twitterId function

---
 yesod-auth-oauth/Yesod/Auth/OAuth.hs | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/yesod-auth-oauth/Yesod/Auth/OAuth.hs b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
index 79ab12ac..7a6c2268 100644
--- a/yesod-auth-oauth/Yesod/Auth/OAuth.hs
+++ b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
@@ -5,6 +5,7 @@ module Yesod.Auth.OAuth
     , oauthUrl
     , authTwitter
     , twitterUrl
+    , twitterId
     , authTumblr
     , tumblrUrl
     , module Web.Authenticate.OAuth
@@ -108,6 +109,25 @@ authTwitter key secret = authOAuth
 twitterUrl :: AuthRoute
 twitterUrl = oauthUrl "twitter"
 
+-- | Gets Twitter ID (/user_id/) from @Creds@.
+--
+-- Never use @credsIdent@ for Twitter OAuth. @credsIdent@ returns /screen_name/, which shouldn't be used for authentication.
+-- /screen_name/ is text like /foo/ of /\@foo/ which is unique but __mutable__. So /screen_name/ cannot authenticate users.
+-- /user_id/ is integer which is unique and __immutable__. So you should use this for authentication.
+--
+-- Because of compatibility, @credsIdent@ returns /screen_name/ yet.
+--
+-- Since 1.4.x.x
+twitterId :: Yesod m => Creds m -> Text
+twitterId creds =
+    let
+        key   = "user_id"
+        extra = credsExtra creds
+    in
+        case lookup key extra of
+            Just uId -> uId
+            Nothing  -> throw $ CredentialError ("key not found: " ++ (T.unpack key)) (Credential $ map (encodeUtf8 *** encodeUtf8) extra)
+
 authTumblr :: YesodAuth m
             => ByteString -- ^ Consumer Key
             -> ByteString -- ^ Consumer Secret

From 8a66da1f24432d50289ad6f80a75e56d78cb1ddf Mon Sep 17 00:00:00 2001
From: Kazuki Okamoto <kazuki.okamoto@kakkun61.com>
Date: Tue, 1 Mar 2016 23:21:17 +0900
Subject: [PATCH 15/67] Revert "add twitterId function"

This reverts commit 074b0c68e73a8441e60053b1c726590d6ac5f2a9.
---
 yesod-auth-oauth/Yesod/Auth/OAuth.hs | 20 --------------------
 1 file changed, 20 deletions(-)

diff --git a/yesod-auth-oauth/Yesod/Auth/OAuth.hs b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
index 7a6c2268..79ab12ac 100644
--- a/yesod-auth-oauth/Yesod/Auth/OAuth.hs
+++ b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
@@ -5,7 +5,6 @@ module Yesod.Auth.OAuth
     , oauthUrl
     , authTwitter
     , twitterUrl
-    , twitterId
     , authTumblr
     , tumblrUrl
     , module Web.Authenticate.OAuth
@@ -109,25 +108,6 @@ authTwitter key secret = authOAuth
 twitterUrl :: AuthRoute
 twitterUrl = oauthUrl "twitter"
 
--- | Gets Twitter ID (/user_id/) from @Creds@.
---
--- Never use @credsIdent@ for Twitter OAuth. @credsIdent@ returns /screen_name/, which shouldn't be used for authentication.
--- /screen_name/ is text like /foo/ of /\@foo/ which is unique but __mutable__. So /screen_name/ cannot authenticate users.
--- /user_id/ is integer which is unique and __immutable__. So you should use this for authentication.
---
--- Because of compatibility, @credsIdent@ returns /screen_name/ yet.
---
--- Since 1.4.x.x
-twitterId :: Yesod m => Creds m -> Text
-twitterId creds =
-    let
-        key   = "user_id"
-        extra = credsExtra creds
-    in
-        case lookup key extra of
-            Just uId -> uId
-            Nothing  -> throw $ CredentialError ("key not found: " ++ (T.unpack key)) (Credential $ map (encodeUtf8 *** encodeUtf8) extra)
-
 authTumblr :: YesodAuth m
             => ByteString -- ^ Consumer Key
             -> ByteString -- ^ Consumer Secret

From 7123b025006e01a39da08100a5c01779dbaa01f7 Mon Sep 17 00:00:00 2001
From: Chris Allen <cma@bitemyapp.com>
Date: Tue, 1 Mar 2016 15:13:34 -0600
Subject: [PATCH 16/67] typo

---
 yesod-core/Yesod/Core/Internal/Session.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-core/Yesod/Core/Internal/Session.hs b/yesod-core/Yesod/Core/Internal/Session.hs
index d255f7ae..f8bc5f4d 100644
--- a/yesod-core/Yesod/Core/Internal/Session.hs
+++ b/yesod-core/Yesod/Core/Internal/Session.hs
@@ -55,7 +55,7 @@ decodeClientSession key date rhost encrypted = do
 -- to preserve the type.
 
 clientSessionDateCacher ::
-     NominalDiffTime -- ^ Inactive session valitity.
+     NominalDiffTime -- ^ Inactive session validity.
   -> IO (IO ClientSessionDateCache, IO ())
 clientSessionDateCacher validity = do
     getClientSessionDateCache <- mkAutoUpdate defaultUpdateSettings

From e1b70eb0f8c5b5d8d960f157a788c07f2b1ff18f Mon Sep 17 00:00:00 2001
From: Kazuki Okamoto <kazuki.okamoto@kakkun61.com>
Date: Wed, 2 Mar 2016 10:56:40 +0900
Subject: [PATCH 17/67] new twitter plugin

---
 yesod-auth-oauth/Yesod/Auth/OAuth.hs | 31 ++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/yesod-auth-oauth/Yesod/Auth/OAuth.hs b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
index 79ab12ac..13b2c9cf 100644
--- a/yesod-auth-oauth/Yesod/Auth/OAuth.hs
+++ b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
@@ -4,6 +4,7 @@ module Yesod.Auth.OAuth
     ( authOAuth
     , oauthUrl
     , authTwitter
+    , authTwitterUsingUserId
     , twitterUrl
     , authTumblr
     , tumblrUrl
@@ -89,11 +90,12 @@ mkExtractCreds name idName (Credential dic) = do
     Just crId -> return $ Creds name crId $ map (bsToText *** bsToText) dic
     Nothing -> throwIO $ CredentialError ("key not found: " ++ idName) (Credential dic)
 
-authTwitter :: YesodAuth m
-            => ByteString -- ^ Consumer Key
-            -> ByteString -- ^ Consumer Secret
-            -> AuthPlugin m
-authTwitter key secret = authOAuth
+authTwitter' :: YesodAuth m
+             => ByteString -- ^ Consumer Key
+             -> ByteString -- ^ Consumer Secret
+             -> String
+             -> AuthPlugin m
+authTwitter' key secret idName = authOAuth
                 (newOAuth { oauthServerName      = "twitter"
                           , oauthRequestUri      = "https://api.twitter.com/oauth/request_token"
                           , oauthAccessTokenUri  = "https://api.twitter.com/oauth/access_token"
@@ -103,7 +105,24 @@ authTwitter key secret = authOAuth
                           , oauthConsumerSecret  = secret
                           , oauthVersion         = OAuth10a
                           })
-                (mkExtractCreds "twitter" "screen_name")
+                (mkExtractCreds "twitter" idName)
+
+-- | This plugin uses Twitter's /screen_name/ as ID, which shouldn't be used for authentication because it is mutable.
+authTwitter :: YesodAuth m
+            => ByteString -- ^ Consumer Key
+            -> ByteString -- ^ Consumer Secret
+            -> AuthPlugin m
+authTwitter key secret = authTwitter' key secret "screen_name"
+{-# DEPRECATED authTwitter "Use authTwitterUsingUserID instead" #-}
+
+-- | Twitter plugin which uses Twitter's /user_id/ as ID.
+--
+-- Since 1.4.x.x TODO fix version
+authTwitterUsingUserId :: YesodAuth m
+                  => ByteString -- ^ Consumer Key
+                  -> ByteString -- ^ Consumer Secret
+                  -> AuthPlugin m
+authTwitterUsingUserId key secret = authTwitter' key secret "user_id"
 
 twitterUrl :: AuthRoute
 twitterUrl = oauthUrl "twitter"

From 5709040dcd50f527761fcf8921cdf377c1620180 Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Mon, 1 Feb 2016 11:31:10 +0200
Subject: [PATCH 18/67] Add some docs for MassInput

---
 yesod-form/Yesod/Form/MassInput.hs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/yesod-form/Yesod/Form/MassInput.hs b/yesod-form/Yesod/Form/MassInput.hs
index a2b434d4..24a0602d 100644
--- a/yesod-form/Yesod/Form/MassInput.hs
+++ b/yesod-form/Yesod/Form/MassInput.hs
@@ -3,6 +3,8 @@
 {-# LANGUAGE TypeFamilies #-}
 {-# LANGUAGE FlexibleContexts #-}
 {-# LANGUAGE CPP#-}
+-- | A module providing a means of creating multiple input forms, such as a
+-- list of 0 or more recipients.
 module Yesod.Form.MassInput
     ( inputList
     , massDivs
@@ -40,11 +42,19 @@ up i = do
         IntCons _ is' -> put is' >> newFormIdent >> return ()
     up $ i - 1
 
+-- | Generate a form that accepts 0 or more values from the user, allowing the
+-- user to specify that a new row is necessary.
 inputList :: (m ~ HandlerT site IO, xml ~ WidgetT site IO (), RenderMessage site FormMessage)
           => Html
+          -- ^ label for the form
           -> ([[FieldView site]] -> xml)
+          -- ^ how to display the rows, usually either 'massDivs' or 'massTable'
           -> (Maybe a -> AForm (HandlerT site IO) a)
-          -> (Maybe [a] -> AForm (HandlerT site IO) [a])
+          -- ^ display a single row of the form, where @Maybe a@ gives the
+          -- previously submitted value
+          -> Maybe [a]
+          -- ^ default initial values for the form
+          -> AForm (HandlerT site IO) [a]
 inputList label fixXml single mdef = formToAForm $ do
     theId <- lift newIdent
     down 1

From 64cb8980db750da1fb46ba537ebf13e5827ea830 Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Wed, 2 Mar 2016 11:08:15 +0200
Subject: [PATCH 19/67] Version bump

---
 yesod-auth-oauth/ChangeLog.md           | 4 ++++
 yesod-auth-oauth/Yesod/Auth/OAuth.hs    | 4 +++-
 yesod-auth-oauth/yesod-auth-oauth.cabal | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/yesod-auth-oauth/ChangeLog.md b/yesod-auth-oauth/ChangeLog.md
index db27428f..8dd1ceac 100644
--- a/yesod-auth-oauth/ChangeLog.md
+++ b/yesod-auth-oauth/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.1
+
+* change OAuth Twitter ID, screen_name → user_id [#1168](https://github.com/yesodweb/yesod/pull/1168)
+
 ## 1.4.0.2
 
 * Compile with GHC 7.10
diff --git a/yesod-auth-oauth/Yesod/Auth/OAuth.hs b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
index 13b2c9cf..5a8eb79b 100644
--- a/yesod-auth-oauth/Yesod/Auth/OAuth.hs
+++ b/yesod-auth-oauth/Yesod/Auth/OAuth.hs
@@ -117,7 +117,9 @@ authTwitter key secret = authTwitter' key secret "screen_name"
 
 -- | Twitter plugin which uses Twitter's /user_id/ as ID.
 --
--- Since 1.4.x.x TODO fix version
+-- For more information, see: https://github.com/yesodweb/yesod/pull/1168
+--
+-- @since 1.4.1
 authTwitterUsingUserId :: YesodAuth m
                   => ByteString -- ^ Consumer Key
                   -> ByteString -- ^ Consumer Secret
diff --git a/yesod-auth-oauth/yesod-auth-oauth.cabal b/yesod-auth-oauth/yesod-auth-oauth.cabal
index be3659ef..6a952db6 100644
--- a/yesod-auth-oauth/yesod-auth-oauth.cabal
+++ b/yesod-auth-oauth/yesod-auth-oauth.cabal
@@ -1,5 +1,5 @@
 name:            yesod-auth-oauth
-version:         1.4.0.2
+version:         1.4.1
 license:         BSD3
 license-file:    LICENSE
 author:          Hiromi Ishii

From 4963f562fef4f9a941aebb7a1f77ea457397bfd0 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Thu, 3 Mar 2016 20:47:13 -0700
Subject: [PATCH 20/67] Converted yesod login screen to monadic form

The form helpers weren't being used which caused the CSRF tokens to not
be present. This also allows for a bit more flexability and
cleans up the code as well.
---
 yesod-auth/Yesod/Auth/Email.hs | 72 ++++++++++++++++++++++++----------
 1 file changed, 52 insertions(+), 20 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 416d4df2..67b45bab 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -108,6 +108,7 @@ data EmailCreds site = EmailCreds
     }
 
 data UserForm = UserForm { email :: Text }
+data UserLoginForm = UserLoginForm { loginEmail :: Text, loginPassword :: Text }
 
 class ( YesodAuth site
       , PathPiece (AuthEmailId site)
@@ -255,31 +256,62 @@ class ( YesodAuth site
       -> AuthHandler site TypedContent
     setPasswordHandler = defaultSetPasswordHandler
 
-
-authEmail :: YesodAuthEmail m => AuthPlugin m
+authEmail :: (YesodAuthEmail m) => AuthPlugin m
 authEmail =
     AuthPlugin "email" dispatch login
   where
-    login tm =
+    login toParent = do
+        ((_,widget),enctype) <- liftWidgetT $ runFormPost loginForm
+
         [whamlet|
-            <form method="post" action="@{tm loginR}">
-                <table>
-                    <tr>
-                        <th>_{Msg.Email}
-                        <td>
-                            <input type="email" name="email" required>
-                    <tr>
-                        <th>_{Msg.Password}
-                        <td>
-                            <input type="password" name="password" required>
-                    <tr>
-                        <td colspan="2">
-                            <button type=submit .btn .btn-success>
-                                _{Msg.LoginViaEmail}
-                            &nbsp;
-                            <a href="@{tm registerR}" .btn .btn-default>
-                                _{Msg.RegisterLong}
+            <form method="post" action="@{toParent loginR}">
+                ^{widget}
+                <div>
+                    <button type=submit .btn .btn-success>
+                        _{Msg.LoginViaEmail}
+                    &nbsp;
+                    <a href="@{toParent registerR}" .btn .btn-default>
+                        _{Msg.RegisterLong}
         |]
+
+    loginForm extra = do
+        emailMsg <- renderMessage' Msg.Email
+        let emailSettings = FieldSettings {
+            fsLabel = SomeMessage Msg.Email,
+            fsTooltip = Nothing,
+            fsId = Just "email",
+            fsName = Just "email",
+            fsAttrs = [("autofocus", ""), ("placeholder", emailMsg)]
+        }
+
+        (emailRes, emailView) <- mreq emailField emailSettings Nothing
+
+        passwordMsg <- renderMessage' Msg.Password
+        let passwordSettings = FieldSettings {
+            fsLabel = SomeMessage Msg.Password,
+            fsTooltip = Nothing,
+            fsId = Just "password",
+            fsName = Just "password",
+            fsAttrs = [("placeholder", passwordMsg)]
+        }
+
+        (passwordRes, passwordView) <- mreq passwordField passwordSettings Nothing
+
+        let userRes = UserLoginForm <$> emailRes <*> passwordRes
+        let widget = do
+            [whamlet|
+                #{extra}
+                <div>
+                    ^{fvInput emailView}
+                <div>
+                    ^{fvInput passwordView}
+            |]
+
+        return (userRes, widget)
+    renderMessage' msg = do
+        langs <- languages
+        master <- getYesod
+        return $ renderAuthMessage master langs msg
     dispatch "GET" ["register"] = getRegisterR >>= sendResponse
     dispatch "POST" ["register"] = postRegisterR >>= sendResponse
     dispatch "GET" ["forgot-password"] = getForgotPasswordR >>= sendResponse

From fe2b6844b669cf8094eedf9362cffe76332b40d8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arthur=20Fayzrakhmanov=20=28=D0=90=D1=80=D1=82=D1=83=D1=80?=
 =?UTF-8?q?=20=D0=A4=D0=B0=D0=B9=D0=B7=D1=80=D0=B0=D1=85=D0=BC=D0=B0=D0=BD?=
 =?UTF-8?q?=D0=BE=D0=B2=29?= <heraldhoi@gmail.com>
Date: Fri, 4 Mar 2016 07:07:53 +0500
Subject: [PATCH 21/67] Add notice about Summernote

---
 yesod-form/README.md         | 11 +++++++++++
 yesod-form/Yesod/Form/Nic.hs |  7 +++++++
 yesod-form/yesod-form.cabal  |  2 +-
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/yesod-form/README.md b/yesod-form/README.md
index b3d9c8d8..097995c4 100644
--- a/yesod-form/README.md
+++ b/yesod-form/README.md
@@ -2,3 +2,14 @@
 
 Form handling for Yesod, in the same style as formlets. See [the forms
 chapter](http://www.yesodweb.com/book/forms) of the Yesod book.
+
+This package provies a set of basic form inputs such as text, number, time,
+checkbox, select, textarea, and etc. via `Yesod.Form.Fields` module.  Also,
+there is `Yesod.Form.Nic` module providing richtext field using Nic editor.
+However, this module is grandfathered now and Nic editor is not actively
+maintained since June 2012.  You can find additional richtext editor fields in
+[`yesod-form-richtext`][yesod-form-richtext] package (currently in provides
+support of [Summernote][summernote] editor only).
+
+[yesod-form-richtext]:http://hackage.haskell.org/package/yesod-form-richtext
+[summernote]:http://summernote.org/
diff --git a/yesod-form/Yesod/Form/Nic.hs b/yesod-form/Yesod/Form/Nic.hs
index 28626789..c291520c 100644
--- a/yesod-form/Yesod/Form/Nic.hs
+++ b/yesod-form/Yesod/Form/Nic.hs
@@ -4,6 +4,13 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE CPP #-}
 -- | Provide the user with a rich text editor.
+--
+-- According to NIC editor homepage it is not actively maintained since June
+-- 2012.  There is another better alternative — open sourced Summernote editor
+-- released under MIT licence.  You can use Summernote in your Yesod forms via
+-- separately distributed
+-- <http://hackage.haskell.org/package/yesod-form-richtext yesod-form-richtext>
+-- package.
 module Yesod.Form.Nic
     ( YesodNic (..)
     , nicHtmlField
diff --git a/yesod-form/yesod-form.cabal b/yesod-form/yesod-form.cabal
index a7f715d5..b4fe88c2 100644
--- a/yesod-form/yesod-form.cabal
+++ b/yesod-form/yesod-form.cabal
@@ -10,7 +10,7 @@ stability:       Stable
 cabal-version:   >= 1.8
 build-type:      Simple
 homepage:        http://www.yesodweb.com/
-description:     API docs and the README are available at <http://www.stackage.org/package/yesod-form>
+description:     API docs and the README are available at <http://www.stackage.org/package/yesod-form>.  Third-party packages which you can find useful: <http://hackage.haskell.org/package/yesod-form-richtext yesod-form-richtext> - richtext form fields (currntly it provides only Summernote support).
 extra-source-files: ChangeLog.md
                     README.md
 

From a38564df431de8d38fa6e9ff91aed41a1c54350a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arthur=20Fayzrakhmanov=20=28=D0=90=D1=80=D1=82=D1=83=D1=80?=
 =?UTF-8?q?=20=D0=A4=D0=B0=D0=B9=D0=B7=D1=80=D0=B0=D1=85=D0=BC=D0=B0=D0=BD?=
 =?UTF-8?q?=D0=BE=D0=B2=29?= <heraldhoi@gmail.com>
Date: Fri, 4 Mar 2016 22:07:18 +0500
Subject: [PATCH 22/67] Fix line ending

---
 yesod-form/yesod-form.cabal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-form/yesod-form.cabal b/yesod-form/yesod-form.cabal
index b4fe88c2..117f6afb 100644
--- a/yesod-form/yesod-form.cabal
+++ b/yesod-form/yesod-form.cabal
@@ -63,7 +63,7 @@ library
                      Yesod.Form.I18n.German
                      Yesod.Form.I18n.French
                      Yesod.Form.I18n.Norwegian
-                     Yesod.Form.I18n.Japanese
+                     Yesod.Form.I18n.Japanese
                      Yesod.Form.I18n.Czech
                      Yesod.Form.I18n.Russian
                      Yesod.Form.I18n.Dutch

From d42d38990d3501f93d1526a1eb82cfe9b208f30b Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sat, 5 Mar 2016 16:58:34 -0700
Subject: [PATCH 23/67] Added translated label to default register handler

This was removed on accident.
---
 yesod-auth/Yesod/Auth/Email.hs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 67b45bab..c705c0e1 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -360,6 +360,7 @@ defaultRegisterHandler = do
             let widget = do
                 [whamlet|
                     #{extra}
+                    ^{fvLabel emailView}
                     ^{fvInput emailView}
                 |]
 

From 4b78c4d60a4b5e4290cf34cee31a1630e98c3c11 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Thu, 3 Mar 2016 21:16:18 -0700
Subject: [PATCH 24/67] Moved emailLoginHandler out of authEmail

The authEmail function was getting large so I moved the
emailLoginHandler out into its own function.
---
 yesod-auth/Yesod/Auth/Email.hs | 39 +++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index c705c0e1..0e5580e4 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -258,9 +258,26 @@ class ( YesodAuth site
 
 authEmail :: (YesodAuthEmail m) => AuthPlugin m
 authEmail =
-    AuthPlugin "email" dispatch login
+    AuthPlugin "email" dispatch emailLoginHandler
   where
-    login toParent = do
+    dispatch "GET" ["register"] = getRegisterR >>= sendResponse
+    dispatch "POST" ["register"] = postRegisterR >>= sendResponse
+    dispatch "GET" ["forgot-password"] = getForgotPasswordR >>= sendResponse
+    dispatch "POST" ["forgot-password"] = postForgotPasswordR >>= sendResponse
+    dispatch "GET" ["verify", eid, verkey] =
+        case fromPathPiece eid of
+            Nothing -> notFound
+            Just eid' -> getVerifyR eid' verkey >>= sendResponse
+    dispatch "POST" ["login"] = postLoginR >>= sendResponse
+    dispatch "GET" ["set-password"] = getPasswordR >>= sendResponse
+    dispatch "POST" ["set-password"] = postPasswordR >>= sendResponse
+    dispatch _ _ = notFound
+
+getRegisterR :: YesodAuthEmail master => HandlerT Auth (HandlerT master IO) Html
+getRegisterR = registerHandler
+
+emailLoginHandler :: YesodAuthEmail master => (Route Auth -> Route master) -> WidgetT master IO ()
+emailLoginHandler toParent = do
         ((_,widget),enctype) <- liftWidgetT $ runFormPost loginForm
 
         [whamlet|
@@ -273,7 +290,7 @@ authEmail =
                     <a href="@{toParent registerR}" .btn .btn-default>
                         _{Msg.RegisterLong}
         |]
-
+  where
     loginForm extra = do
         emailMsg <- renderMessage' Msg.Email
         let emailSettings = FieldSettings {
@@ -312,22 +329,6 @@ authEmail =
         langs <- languages
         master <- getYesod
         return $ renderAuthMessage master langs msg
-    dispatch "GET" ["register"] = getRegisterR >>= sendResponse
-    dispatch "POST" ["register"] = postRegisterR >>= sendResponse
-    dispatch "GET" ["forgot-password"] = getForgotPasswordR >>= sendResponse
-    dispatch "POST" ["forgot-password"] = postForgotPasswordR >>= sendResponse
-    dispatch "GET" ["verify", eid, verkey] =
-        case fromPathPiece eid of
-            Nothing -> notFound
-            Just eid' -> getVerifyR eid' verkey >>= sendResponse
-    dispatch "POST" ["login"] = postLoginR >>= sendResponse
-    dispatch "GET" ["set-password"] = getPasswordR >>= sendResponse
-    dispatch "POST" ["set-password"] = postPasswordR >>= sendResponse
-    dispatch _ _ = notFound
-
-getRegisterR :: YesodAuthEmail master => HandlerT Auth (HandlerT master IO) Html
-getRegisterR = registerHandler
-
 -- | Default implementation of 'registerHandler'.
 --
 -- Since: 1.2.6

From 93da4f060e3b2e0c5f34f7a5c7e4f4b964e39304 Mon Sep 17 00:00:00 2001
From: Sajith Sasidharan <sajith@gmail.com>
Date: Sun, 6 Mar 2016 18:22:51 -0500
Subject: [PATCH 25/67] Minor doc patch - sendStatusJSON is since 1.4.18

I'm sure this is trivially obvious. :-)

Commit 6a60dac introduced `sendStatusJSON` on Nov 25, 2015; yesod-core 1.4.18 was uploaded to hackage on Dec 17.
---
 yesod-core/Yesod/Core/Handler.hs | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/yesod-core/Yesod/Core/Handler.hs b/yesod-core/Yesod/Core/Handler.hs
index 7d9e6da7..7f908c80 100644
--- a/yesod-core/Yesod/Core/Handler.hs
+++ b/yesod-core/Yesod/Core/Handler.hs
@@ -580,6 +580,8 @@ sendResponseStatus s = handlerError . HCContent s . toTypedContent
 
 -- | Bypass remaining handler code and output the given JSON with the given
 -- status code.
+-- 
+-- Since 1.4.18
 sendStatusJSON :: (MonadHandler m, ToJSON c) => H.Status -> c -> m a
 sendStatusJSON s v = sendResponseStatus s (toJSON v)
 

From e3aa310c84009fe4b86d14335b997491ce478d70 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Sun, 6 Mar 2016 19:53:03 -0700
Subject: [PATCH 26/67] Used monadic form helper for password handler

This needed to happen in order to automatically get CSRF protection

Several changes happened while switching over:
* Relied on built in names for inputs
* Cleaned up naming
* Created password helpers for each field
* Added a translation for current password
---
 yesod-auth/Yesod/Auth/Email.hs   | 104 +++++++++++++++++++++----------
 yesod-auth/Yesod/Auth/Message.hs |   2 +
 2 files changed, 73 insertions(+), 33 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 0e5580e4..b9dba026 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -107,6 +107,7 @@ data EmailCreds site = EmailCreds
     , emailCredsEmail  :: Email
     }
 
+data PasswordForm = PasswordForm { passwordCurrent :: Text, passwordNew :: Text, passwordConfirm :: Text }
 data UserForm = UserForm { email :: Text }
 data UserLoginForm = UserLoginForm { loginEmail :: Text, loginPassword :: Text }
 
@@ -516,40 +517,77 @@ getPasswordR = do
 -- Since: 1.2.6
 defaultSetPasswordHandler :: YesodAuthEmail master => Bool -> AuthHandler master TypedContent
 defaultSetPasswordHandler needOld = do
-    tp <- getRouteToParent
-    pass0 <- newIdent
-    pass1 <- newIdent
-    pass2 <- newIdent
-    mr <- lift getMessageRender
+    messageRender <- lift getMessageRender
+    toParent <- getRouteToParent
     selectRep $ do
-      provideJsonMessage $ mr Msg.SetPass
-      provideRep $ lift $ authLayout $ do
-          setTitleI Msg.SetPassTitle
-          [whamlet|
-$newline never
-<h3>_{Msg.SetPass}
-<form method="post" action="@{tp setpassR}">
-    <table>
-        $if needOld
-            <tr>
-                <th>
-                    <label for=#{pass0}>Current Password
-                <td>
-                    <input ##{pass0} type="password" name="current" autofocus>
-        <tr>
-            <th>
-                <label for=#{pass1}>_{Msg.NewPass}
-            <td>
-                <input ##{pass1} type="password" name="new" :not needOld:autofocus>
-        <tr>
-            <th>
-                <label for=#{pass2}>_{Msg.ConfirmPass}
-            <td>
-                <input ##{pass2} type="password" name="confirm">
-        <tr>
-            <td colspan="2">
-                <input type="submit" value=_{Msg.SetPassTitle}>
-|]
+        provideJsonMessage $ messageRender Msg.SetPass
+        provideRep $ lift $ authLayout $ do
+            ((_,widget),enctype) <- liftWidgetT $ runFormPost $ setPasswordForm needOld
+            setTitleI Msg.SetPassTitle
+            [whamlet|
+                <h3>_{Msg.SetPass}
+                <form method="post" action="@{toParent setpassR}">
+                    ^{widget}
+            |]
+  where
+    setPasswordForm needOld extra = do
+        (currentPasswordRes, currentPasswordView) <- mreq passwordField currentPasswordSettings Nothing
+        (newPasswordRes, newPasswordView) <- mreq passwordField newPasswordSettings Nothing
+        (confirmPasswordRes, confirmPasswordView) <- mreq passwordField confirmPasswordSettings Nothing
+
+        let passwordFormRes = PasswordForm <$> currentPasswordRes <*> newPasswordRes <*> confirmPasswordRes
+        let widget = do
+            [whamlet|
+                #{extra}
+                <table>
+                    $if needOld
+                        <tr>
+                            <th>
+                                ^{fvLabel currentPasswordView}
+                            <td>
+                                ^{fvInput currentPasswordView}
+                    <tr>
+                        <th>
+                            ^{fvLabel newPasswordView}
+                        <td>
+                            ^{fvInput newPasswordView}
+                    <tr>
+                        <th>
+                            ^{fvLabel confirmPasswordView}
+                        <td>
+                            ^{fvInput confirmPasswordView}
+                    <tr>
+                        <td colspan="2">
+                            <input type=submit value=_{Msg.SetPassTitle}>
+            |]
+
+        return (passwordFormRes, widget)
+    currentPasswordSettings =
+         FieldSettings {
+             fsLabel = SomeMessage Msg.CurrentPassword,
+             fsTooltip = Nothing,
+             fsId = Just "currentPassword",
+             fsName = Just "current",
+             fsAttrs = [("autofocus", "")]
+         }
+    newPasswordSettings =
+        FieldSettings {
+            fsLabel = SomeMessage Msg.NewPass,
+            fsTooltip = Nothing,
+            fsId = Just "newPassword",
+            fsName = Just "new",
+            fsAttrs = [("autofocus", ""), (":not", ""), ("needOld:autofocus", "")]
+        }
+    confirmPasswordSettings =
+        FieldSettings {
+            fsLabel = SomeMessage Msg.ConfirmPass,
+            fsTooltip = Nothing,
+            fsId = Just "confirmPassword",
+            fsName = Just "confirm",
+            fsAttrs = [("autofocus", "")]
+        }
+
+
 
 postPasswordR :: YesodAuthEmail master => HandlerT Auth (HandlerT master IO) TypedContent
 postPasswordR = do
diff --git a/yesod-auth/Yesod/Auth/Message.hs b/yesod-auth/Yesod/Auth/Message.hs
index 8459bb7f..0ef811ba 100644
--- a/yesod-auth/Yesod/Auth/Message.hs
+++ b/yesod-auth/Yesod/Auth/Message.hs
@@ -60,6 +60,7 @@ data AuthMessage =
     | ProvideIdentifier
     | SendPasswordResetEmail
     | PasswordResetPrompt
+    | CurrentPassword
     | InvalidUsernamePass
     | Logout
     | LogoutTitle
@@ -78,6 +79,7 @@ englishMessage LoginYahoo = "Login via Yahoo"
 englishMessage Email = "Email"
 englishMessage UserName = "User name"
 englishMessage Password = "Password"
+englishMessage CurrentPassword = "Current Password"
 englishMessage Register = "Register"
 englishMessage RegisterLong = "Register a new account"
 englishMessage EnterEmail = "Enter your e-mail address below, and a confirmation e-mail will be sent to you."

From 936fe84cdd6510e0b499791b4a069df6b20bc9e3 Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Tue, 8 Mar 2016 16:27:21 +0200
Subject: [PATCH 27/67] Deprecate BrowserId #1173

---
 yesod-auth/Yesod/Auth/BrowserId.hs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/yesod-auth/Yesod/Auth/BrowserId.hs b/yesod-auth/Yesod/Auth/BrowserId.hs
index 61e558ea..a63ed0e1 100644
--- a/yesod-auth/Yesod/Auth/BrowserId.hs
+++ b/yesod-auth/Yesod/Auth/BrowserId.hs
@@ -2,7 +2,10 @@
 {-# LANGUAGE OverloadedStrings #-}
 {-# LANGUAGE TemplateHaskell #-}
 {-# LANGUAGE RecordWildCards #-}
+-- | NOTE: Mozilla Persona will be shut down by the end of 2016, therefore this
+-- module is no longer recommended for use.
 module Yesod.Auth.BrowserId
+    {-# DEPRECATED "Mozilla Persona will be shut down by the end of 2016" #-}
     ( authBrowserId
     , createOnClick, createOnClickOverride
     , def

From 7faecc89526285e023f09503fedef2247228b208 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Wed, 9 Mar 2016 18:24:42 -0700
Subject: [PATCH 28/67] Added translations and dummy data for current password

German and Spanish provided by Erin Eichenberger.
---
 yesod-auth/Yesod/Auth/Message.hs | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/yesod-auth/Yesod/Auth/Message.hs b/yesod-auth/Yesod/Auth/Message.hs
index 0ef811ba..8fecd446 100644
--- a/yesod-auth/Yesod/Auth/Message.hs
+++ b/yesod-auth/Yesod/Auth/Message.hs
@@ -126,6 +126,7 @@ portugueseMessage LoginYahoo = "Entrar via Yahoo"
 portugueseMessage Email = "E-mail"
 portugueseMessage UserName = "Nome de usuário" -- FIXME by Google Translate "user name"
 portugueseMessage Password = "Senha"
+portugueseMessage CurrentPassword = "Palavra de passe"
 portugueseMessage Register = "Registrar"
 portugueseMessage RegisterLong = "Registrar uma nova conta"
 portugueseMessage EnterEmail = "Por favor digite seu endereço de e-mail abaixo e um e-mail de confirmação será enviado para você."
@@ -173,6 +174,7 @@ spanishMessage LoginYahoo = "Entrar utilizando Yahoo"
 spanishMessage Email = "Correo electrónico"
 spanishMessage UserName = "Nombre de Usuario" -- FIXME by Google Translate "user name"
 spanishMessage Password = "Contraseña"
+spanishMessage CurrentPassword = "Contraseña actual"
 spanishMessage Register = "Registrarse"
 spanishMessage RegisterLong = "Registrar una nueva cuenta"
 spanishMessage EnterEmail = "Coloque su dirección de correo electrónico, y un correo de confirmación le será enviado a su cuenta."
@@ -220,6 +222,7 @@ swedishMessage LoginYahoo = "Logga in via Yahoo"
 swedishMessage Email = "Epost"
 swedishMessage UserName = "Användarnamn"  -- FIXME by Google Translate "user name"
 swedishMessage Password = "Lösenord"
+swedishMessage CurrentPassword = "Current password"
 swedishMessage Register = "Registrera"
 swedishMessage RegisterLong = "Registrera ett nytt konto"
 swedishMessage EnterEmail = "Skriv in din epost nedan så kommer ett konfirmationsmail skickas till adressen."
@@ -268,6 +271,7 @@ germanMessage LoginYahoo = "Login via Yahoo"
 germanMessage Email = "Email"
 germanMessage UserName = "Benutzername" -- FIXME by Google Translate "user name"
 germanMessage Password = "Passwort"
+germanMessage CurrentPassword = "Aktuelles Passwort"
 germanMessage Register = "Registrieren"
 germanMessage RegisterLong = "Neuen Account registrieren"
 germanMessage EnterEmail = "Bitte die e-Mail Adresse angeben, eine Bestätigungsmail wird verschickt."
@@ -315,6 +319,7 @@ frenchMessage LoginYahoo = "Se connecter avec Yahoo"
 frenchMessage Email = "Adresse électronique"
 frenchMessage UserName = "Nom d'utilisateur" -- FIXME by Google Translate "user name"
 frenchMessage Password = "Mot de passe"
+frenchMessage CurrentPassword = "Current password"
 frenchMessage Register = "S'inscrire"
 frenchMessage RegisterLong = "Créer un compte"
 frenchMessage EnterEmail = "Entrez ci-dessous votre adresse électronique, et un message de confirmation vous sera envoyé"
@@ -361,6 +366,7 @@ norwegianBokmålMessage LoginYahoo = "Logg inn med Yahoo"
 norwegianBokmålMessage Email = "E-post"
 norwegianBokmålMessage UserName = "Brukernavn" -- FIXME by Google Translate "user name"
 norwegianBokmålMessage Password = "Passord"
+norwegianBokmålMessage CurrentPassword = "Current password"
 norwegianBokmålMessage Register = "Registrer"
 norwegianBokmålMessage RegisterLong = "Registrer en ny konto"
 norwegianBokmålMessage EnterEmail = "Skriv inn e-postadressen din nedenfor og en e-postkonfirmasjon vil bli sendt."
@@ -408,6 +414,7 @@ japaneseMessage LoginYahoo = "Yahooでログイン"
 japaneseMessage Email = "Eメール"
 japaneseMessage UserName = "ユーザー名" -- FIXME by Google Translate "user name"
 japaneseMessage Password = "パスワード"
+japaneseMessage CurrentPassword = "Current password"
 japaneseMessage Register = "登録"
 japaneseMessage RegisterLong = "新規アカウント登録"
 japaneseMessage EnterEmail = "メールアドレスを入力してください。確認メールが送られます"
@@ -455,6 +462,7 @@ finnishMessage LoginYahoo = "Kirjaudu Yahoo-tilillä"
 finnishMessage Email = "Sähköposti"
 finnishMessage UserName = "Käyttäjätunnus" -- FIXME by Google Translate "user name"
 finnishMessage Password = "Salasana"
+finnishMessage Password = "Current password"
 finnishMessage Register = "Luo uusi"
 finnishMessage RegisterLong = "Luo uusi tili"
 finnishMessage EnterEmail = "Kirjoita alle sähköpostiosoitteesi, johon vahvistussähköposti lähetetään."
@@ -503,6 +511,7 @@ chineseMessage LoginYahoo = "用Yahoo帐户登录"
 chineseMessage Email = "邮箱"
 chineseMessage UserName = "用户名" -- FIXME by Google Translate "user name"
 chineseMessage Password = "密码"
+chineseMessage CurrentPassword = "Current password"
 chineseMessage Register = "注册"
 chineseMessage RegisterLong = "注册新帐户"
 chineseMessage EnterEmail = "输入你的邮箱地址，你将收到一封确认邮件。"
@@ -550,6 +559,7 @@ czechMessage LoginYahoo = "Přihlásit přes Yahoo"
 czechMessage Email = "E-mail"
 czechMessage UserName = "Uživatelské jméno"
 czechMessage Password = "Heslo"
+czechMessage CurrentPassword = "Current password"
 czechMessage Register = "Registrovat"
 czechMessage RegisterLong = "Zaregistrovat nový účet"
 czechMessage EnterEmail = "Níže zadejte svou e-mailovou adresu a bude vám poslán potvrzovací e-mail."
@@ -597,6 +607,7 @@ russianMessage LoginYahoo = "Вход с помощью Yahoo"
 russianMessage Email = "Эл.почта"
 russianMessage UserName = "Имя пользователя"
 russianMessage Password = "Пароль"
+russianMessage CurrentPassword = "Current password"
 russianMessage Register = "Регистрация"
 russianMessage RegisterLong = "Создать учётную запись"
 russianMessage EnterEmail = "Введите свой адрес эл.почты ниже, вам будет отправлено письмо для подтверждения."
@@ -643,6 +654,7 @@ dutchMessage LoginYahoo = "Inloggen via Yahoo"
 dutchMessage Email = "E-mail"
 dutchMessage UserName = "Gebruikersnaam" -- FIXME by Google Translate "user name"
 dutchMessage Password = "Wachtwoord"
+dutchMessage CurrentPassword = "Current password"
 dutchMessage Register = "Registreren"
 dutchMessage RegisterLong = "Registreer een nieuw account"
 dutchMessage EnterEmail = "Voer uw e-mailadres hieronder in, er zal een bevestigings-e-mail naar u worden verzonden."
@@ -691,6 +703,7 @@ croatianMessage LoginViaEmail = "Prijava putem e-pošte"
 croatianMessage Email         = "E-pošta"
 croatianMessage UserName      = "Korisničko ime"
 croatianMessage Password      = "Lozinka"
+croatianMessage CurrentPassword = "Current Password"
 croatianMessage Register      = "Registracija"
 croatianMessage RegisterLong  = "Registracija novog računa"
 croatianMessage EnterEmail          = "Dolje unesite adresu e-pošte, pa ćemo vam poslati e-poruku za potvrdu."

From dee130ac9f4ae58718f58d8167e49f6256d5991b Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Wed, 9 Mar 2016 19:47:52 -0700
Subject: [PATCH 29/67] Made spacing consistent with the rest of the file

---
 yesod-auth/Yesod/Auth/Message.hs | 76 ++++++++++++++++----------------
 1 file changed, 38 insertions(+), 38 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Message.hs b/yesod-auth/Yesod/Auth/Message.hs
index 8fecd446..5705aa3c 100644
--- a/yesod-auth/Yesod/Auth/Message.hs
+++ b/yesod-auth/Yesod/Auth/Message.hs
@@ -694,45 +694,45 @@ dutchMessage LogoutTitle = "Log Out" -- FIXME NOT TRANSLATED
 dutchMessage AuthError = "Verificatiefout" -- FIXME by Google Translate
 
 croatianMessage :: AuthMessage -> Text
-croatianMessage NoOpenID      = "Nije pronađen OpenID identifikator"
-croatianMessage LoginOpenID   = "Prijava uz OpenID"
-croatianMessage LoginGoogle   = "Prijava uz Google"
-croatianMessage LoginYahoo    = "Prijava uz Yahoo"
-croatianMessage Facebook      = "Prijava uz Facebook"
+croatianMessage NoOpenID = "Nije pronađen OpenID identifikator"
+croatianMessage LoginOpenID = "Prijava uz OpenID"
+croatianMessage LoginGoogle = "Prijava uz Google"
+croatianMessage LoginYahoo = "Prijava uz Yahoo"
+croatianMessage Facebook = "Prijava uz Facebook"
 croatianMessage LoginViaEmail = "Prijava putem e-pošte"
-croatianMessage Email         = "E-pošta"
-croatianMessage UserName      = "Korisničko ime"
-croatianMessage Password      = "Lozinka"
+croatianMessage Email = "E-pošta"
+croatianMessage UserName = "Korisničko ime"
+croatianMessage Password = "Lozinka"
 croatianMessage CurrentPassword = "Current Password"
-croatianMessage Register      = "Registracija"
-croatianMessage RegisterLong  = "Registracija novog računa"
-croatianMessage EnterEmail          = "Dolje unesite adresu e-pošte, pa ćemo vam poslati e-poruku za potvrdu."
+croatianMessage Register = "Registracija"
+croatianMessage RegisterLong = "Registracija novog računa"
+croatianMessage EnterEmail = "Dolje unesite adresu e-pošte, pa ćemo vam poslati e-poruku za potvrdu."
 croatianMessage PasswordResetPrompt = "Dolje unesite adresu e-pošte ili korisničko ime, pa ćemo vam poslati e-poruku za potvrdu."
-croatianMessage ConfirmationEmailSentTitle    = "E-poruka za potvrdu"
+croatianMessage ConfirmationEmailSentTitle = "E-poruka za potvrdu"
 croatianMessage (ConfirmationEmailSent email) = "E-poruka za potvrdu poslana je na adresu " <> email <> "."
-croatianMessage AddressVerified               = "Adresa ovjerena, postavite novu lozinku"
-croatianMessage InvalidKeyTitle               = "Ključ za ovjeru nije valjan"
-croatianMessage InvalidKey                    = "Nažalost, taj ključ za ovjeru nije valjan."
-croatianMessage InvalidEmailPass              = "Kombinacija e-pošte i lozinke nije valjana"
-croatianMessage InvalidUsernamePass           = "Kombinacija korisničkog imena i lozinke nije valjana"
-croatianMessage BadSetPass                    = "Za postavljanje lozinke morate biti prijavljeni"
-croatianMessage SetPassTitle                  = "Postavi lozinku"
-croatianMessage SetPass                       = "Postavite novu lozinku"
-croatianMessage NewPass                       = "Nova lozinka"
-croatianMessage ConfirmPass                   = "Potvrda lozinke"
-croatianMessage PassMismatch                  = "Lozinke se ne podudaraju, pokušajte ponovo"
-croatianMessage PassUpdated                   = "Lozinka ažurirana"
-croatianMessage InvalidLogin                  = "Prijava nije valjana"
-croatianMessage NowLoggedIn                   = "Sada ste prijavljeni u"
-croatianMessage LoginTitle                    = "Prijava"
-croatianMessage PleaseProvideUsername         = "Unesite korisničko ime"
-croatianMessage PleaseProvidePassword         = "Unesite lozinku"
-croatianMessage NoIdentifierProvided          = "Nisu dani e-pošta/korisničko ime"
-croatianMessage InvalidEmailAddress           = "Dana adresa e-pošte nije valjana"
-croatianMessage PasswordResetTitle            = "Poništavanje lozinke"
-croatianMessage ProvideIdentifier             = "E-pošta ili korisničko ime"
-croatianMessage SendPasswordResetEmail        = "Pošalji e-poruku za poništavanje lozinke"
-croatianMessage (IdentifierNotFound ident)    = "Korisničko ime/e-pošta nisu pronađeni: " <> ident
-croatianMessage Logout                        = "Odjava"
-croatianMessage LogoutTitle                   = "Odjava"
-croatianMessage AuthError                     = "Pogreška provjere autentičnosti"
+croatianMessage AddressVerified = "Adresa ovjerena, postavite novu lozinku"
+croatianMessage InvalidKeyTitle = "Ključ za ovjeru nije valjan"
+croatianMessage InvalidKey = "Nažalost, taj ključ za ovjeru nije valjan."
+croatianMessage InvalidEmailPass = "Kombinacija e-pošte i lozinke nije valjana"
+croatianMessage InvalidUsernamePass = "Kombinacija korisničkog imena i lozinke nije valjana"
+croatianMessage BadSetPass = "Za postavljanje lozinke morate biti prijavljeni"
+croatianMessage SetPassTitle = "Postavi lozinku"
+croatianMessage SetPass = "Postavite novu lozinku"
+croatianMessage NewPass = "Nova lozinka"
+croatianMessage ConfirmPass = "Potvrda lozinke"
+croatianMessage PassMismatch = "Lozinke se ne podudaraju, pokušajte ponovo"
+croatianMessage PassUpdated = "Lozinka ažurirana"
+croatianMessage InvalidLogin = "Prijava nije valjana"
+croatianMessage NowLoggedIn = "Sada ste prijavljeni u"
+croatianMessage LoginTitle = "Prijava"
+croatianMessage PleaseProvideUsername = "Unesite korisničko ime"
+croatianMessage PleaseProvidePassword = "Unesite lozinku"
+croatianMessage NoIdentifierProvided = "Nisu dani e-pošta/korisničko ime"
+croatianMessage InvalidEmailAddress = "Dana adresa e-pošte nije valjana"
+croatianMessage PasswordResetTitle = "Poništavanje lozinke"
+croatianMessage ProvideIdentifier = "E-pošta ili korisničko ime"
+croatianMessage SendPasswordResetEmail = "Pošalji e-poruku za poništavanje lozinke"
+croatianMessage (IdentifierNotFound ident) = "Korisničko ime/e-pošta nisu pronađeni: " <> ident
+croatianMessage Logout = "Odjava"
+croatianMessage LogoutTitle = "Odjava"
+croatianMessage AuthError = "Pogreška provjere autentičnosti"

From 3640d75c994b34e47601d65a1ecbfe0762b7a15c Mon Sep 17 00:00:00 2001
From: mrkkrp <markkarpov@opmbx.org>
Date: Fri, 11 Mar 2016 14:09:57 +0600
Subject: [PATCH 30/67] Allow lines of dashes in route files

See #1180.
---
 yesod-core/Yesod/Routes/Parse.hs | 4 ++--
 yesod-core/test/Hierarchy.hs     | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/yesod-core/Yesod/Routes/Parse.hs b/yesod-core/Yesod/Routes/Parse.hs
index c1491b84..ba0466e1 100644
--- a/yesod-core/Yesod/Routes/Parse.hs
+++ b/yesod-core/Yesod/Routes/Parse.hs
@@ -18,7 +18,7 @@ import Language.Haskell.TH.Quote
 import qualified System.IO as SIO
 import Yesod.Routes.TH
 import Yesod.Routes.Overlap (findOverlapNames)
-import Data.List (foldl')
+import Data.List (foldl', isPrefixOf)
 import Data.Maybe (mapMaybe)
 import qualified Data.Set as Set
 
@@ -86,7 +86,7 @@ resourcesFromString =
         spaces = takeWhile (== ' ') thisLine
         (others, remainder) = parse indent otherLines'
         (this, otherLines') =
-            case takeWhile (/= "--") $ words thisLine of
+            case takeWhile (not . isPrefixOf "--") $ words thisLine of
                 (pattern:rest0)
                     | Just (constr:rest) <- stripColonLast rest0
                     , Just attrs <- mapM parseAttr rest ->
diff --git a/yesod-core/test/Hierarchy.hs b/yesod-core/test/Hierarchy.hs
index 6c746014..b1d56ccd 100644
--- a/yesod-core/test/Hierarchy.hs
+++ b/yesod-core/test/Hierarchy.hs
@@ -78,6 +78,8 @@ do
     let resources = [parseRoutes|
 / HomeR GET
 
+----------------------------------------
+
 /!#Int BackwardsR GET
 
 /admin/#Int AdminR:

From 0c0cb12a10eb4d356ad9e826d4beb8b2c212adfc Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Wed, 9 Mar 2016 19:40:47 -0700
Subject: [PATCH 31/67] Used form helper for forgot password form

* Removed unused idents
* Isolated form logic
* Added an id around forgot password for styling purposes
---
 yesod-auth/Yesod/Auth/Email.hs | 35 +++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index b9dba026..afcd1b1d 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -107,6 +107,7 @@ data EmailCreds site = EmailCreds
     , emailCredsEmail  :: Email
     }
 
+data ForgotPasswordForm = ForgotPasswordForm { forgotEmail :: Text }
 data PasswordForm = PasswordForm { passwordCurrent :: Text, passwordNew :: Text, passwordConfirm :: Text }
 data UserForm = UserForm { email :: Text }
 data UserLoginForm = UserLoginForm { loginEmail :: Text, loginPassword :: Text }
@@ -421,18 +422,38 @@ getForgotPasswordR = forgotPasswordHandler
 -- Since: 1.2.6
 defaultForgotPasswordHandler :: YesodAuthEmail master => AuthHandler master Html
 defaultForgotPasswordHandler = do
-    tp <- getRouteToParent
-    email <- newIdent
+    ((_,widget),enctype) <- lift $ runFormPost forgotPasswordForm 
+    toParent <- getRouteToParent
     lift $ authLayout $ do
         setTitleI Msg.PasswordResetTitle
         [whamlet|
             <p>_{Msg.PasswordResetPrompt}
-            <form method="post" action="@{tp forgotPasswordR}">
-                <div id="registerForm">
-                    <label for=#{email}>_{Msg.ProvideIdentifier}
-                    <input ##{email} type=text name="email" width="150" autofocus>
-                <button .btn>_{Msg.SendPasswordResetEmail}
+            <form method=post action=@{toParent forgotPasswordR} enctype=#{enctype}>
+                <div id="forgotPasswordForm">
+                    ^{widget}
+                    <button .btn>_{Msg.SendPasswordResetEmail}
         |]
+  where
+    forgotPasswordForm extra = do
+         (emailRes, emailView) <- mreq emailField emailSettings Nothing
+    
+         let forgotPasswordRes = ForgotPasswordForm <$> emailRes
+         let widget = do
+             [whamlet|
+                 #{extra}
+                 ^{fvLabel emailView}
+                 ^{fvInput emailView}
+             |]
+
+	 return (forgotPasswordRes, widget)
+    emailSettings =
+        FieldSettings {
+            fsLabel = SomeMessage Msg.ProvideIdentifier,
+            fsTooltip = Nothing,
+            fsId = Just "forgotPassword",
+            fsName = Just "email",
+            fsAttrs = [("autofocus", "")]
+        }
 
 postForgotPasswordR :: YesodAuthEmail master => HandlerT Auth (HandlerT master IO) TypedContent
 postForgotPasswordR = registerHelper True forgotPasswordR

From 2f0a7fbcc580188a03a19d8be1f63038aca66391 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Wed, 9 Mar 2016 20:04:39 -0700
Subject: [PATCH 32/67] Wrapped email login form with an id

---
 yesod-auth/Yesod/Auth/Email.hs | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index afcd1b1d..a260b708 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -284,13 +284,14 @@ emailLoginHandler toParent = do
 
         [whamlet|
             <form method="post" action="@{toParent loginR}">
-                ^{widget}
-                <div>
-                    <button type=submit .btn .btn-success>
-                        _{Msg.LoginViaEmail}
-                    &nbsp;
-                    <a href="@{toParent registerR}" .btn .btn-default>
-                        _{Msg.RegisterLong}
+                <div id="emailLoginForm">
+                    ^{widget}
+                    <div>
+                        <button type=submit .btn .btn-success>
+                            _{Msg.LoginViaEmail}
+                        &nbsp;
+                        <a href="@{toParent registerR}" .btn .btn-default>
+                            _{Msg.RegisterLong}
         |]
   where
     loginForm extra = do

From 9fb3f61ac8c370a8ba8e678806ab731166654a90 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Thu, 10 Mar 2016 17:23:23 -0700
Subject: [PATCH 33/67] Moved settings to functions to clean up the form

---
 yesod-auth/Yesod/Auth/Email.hs | 37 +++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index a260b708..7659ae6e 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -295,27 +295,12 @@ emailLoginHandler toParent = do
         |]
   where
     loginForm extra = do
-        emailMsg <- renderMessage' Msg.Email
-        let emailSettings = FieldSettings {
-            fsLabel = SomeMessage Msg.Email,
-            fsTooltip = Nothing,
-            fsId = Just "email",
-            fsName = Just "email",
-            fsAttrs = [("autofocus", ""), ("placeholder", emailMsg)]
-        }
 
-        (emailRes, emailView) <- mreq emailField emailSettings Nothing
+        emailMsg <- renderMessage' Msg.Email
+        (emailRes, emailView) <- mreq emailField (emailSettings emailMsg) Nothing
 
         passwordMsg <- renderMessage' Msg.Password
-        let passwordSettings = FieldSettings {
-            fsLabel = SomeMessage Msg.Password,
-            fsTooltip = Nothing,
-            fsId = Just "password",
-            fsName = Just "password",
-            fsAttrs = [("placeholder", passwordMsg)]
-        }
-
-        (passwordRes, passwordView) <- mreq passwordField passwordSettings Nothing
+        (passwordRes, passwordView) <- mreq passwordField (passwordSettings passwordMsg) Nothing
 
         let userRes = UserLoginForm <$> emailRes <*> passwordRes
         let widget = do
@@ -328,6 +313,22 @@ emailLoginHandler toParent = do
             |]
 
         return (userRes, widget)
+    emailSettings emailMsg = do
+        FieldSettings {
+            fsLabel = SomeMessage Msg.Email,
+            fsTooltip = Nothing,
+            fsId = Just "email",
+            fsName = Just "email",
+            fsAttrs = [("autofocus", ""), ("placeholder", emailMsg)]
+        }
+    passwordSettings passwordMsg =
+         FieldSettings {
+            fsLabel = SomeMessage Msg.Password,
+            fsTooltip = Nothing,
+            fsId = Just "password",
+            fsName = Just "password",
+            fsAttrs = [("placeholder", passwordMsg)]
+        }
     renderMessage' msg = do
         langs <- languages
         master <- getYesod

From d76aa1a16e3d5c691b8e0a71731def1514020034 Mon Sep 17 00:00:00 2001
From: Alex Kardos <alexander.kardos@gmail.com>
Date: Thu, 10 Mar 2016 17:24:03 -0700
Subject: [PATCH 34/67] Converted runFormPosts to generateFormPost

This is a cleaner way to generate forms without ignoring one of the
variables.
---
 yesod-auth/Yesod/Auth/Email.hs | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 7659ae6e..2e0edd4b 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -280,7 +280,7 @@ getRegisterR = registerHandler
 
 emailLoginHandler :: YesodAuthEmail master => (Route Auth -> Route master) -> WidgetT master IO ()
 emailLoginHandler toParent = do
-        ((_,widget),enctype) <- liftWidgetT $ runFormPost loginForm
+        (widget, enctype) <- liftWidgetT $ generateFormPost loginForm
 
         [whamlet|
             <form method="post" action="@{toParent loginR}">
@@ -338,7 +338,7 @@ emailLoginHandler toParent = do
 -- Since: 1.2.6
 defaultRegisterHandler :: YesodAuthEmail master => AuthHandler master Html
 defaultRegisterHandler = do
-    ((_,widget),enctype) <- lift $ runFormPost registrationForm
+    (widget, enctype) <- lift $ generateFormPost registrationForm
     toParentRoute <- getRouteToParent
     lift $ authLayout $ do
         setTitleI Msg.RegisterLong
@@ -424,7 +424,7 @@ getForgotPasswordR = forgotPasswordHandler
 -- Since: 1.2.6
 defaultForgotPasswordHandler :: YesodAuthEmail master => AuthHandler master Html
 defaultForgotPasswordHandler = do
-    ((_,widget),enctype) <- lift $ runFormPost forgotPasswordForm 
+    (widget, enctype) <- lift $ generateFormPost forgotPasswordForm
     toParent <- getRouteToParent
     lift $ authLayout $ do
         setTitleI Msg.PasswordResetTitle
@@ -545,7 +545,7 @@ defaultSetPasswordHandler needOld = do
     selectRep $ do
         provideJsonMessage $ messageRender Msg.SetPass
         provideRep $ lift $ authLayout $ do
-            ((_,widget),enctype) <- liftWidgetT $ runFormPost $ setPasswordForm needOld
+            (widget, enctype) <- liftWidgetT $ generateFormPost $ setPasswordForm needOld
             setTitleI Msg.SetPassTitle
             [whamlet|
                 <h3>_{Msg.SetPass}

From 406694cd29e5ca12446cd095d709fee085aedb72 Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Sun, 13 Mar 2016 08:26:24 +0200
Subject: [PATCH 35/67] Version bump for #1182

---
 yesod-core/ChangeLog.md     | 4 ++++
 yesod-core/yesod-core.cabal | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md
index 35ce9b77..c4844683 100644
--- a/yesod-core/ChangeLog.md
+++ b/yesod-core/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.19.1
+
+* Allow lines of dashes in route files [#1182](https://github.com/yesodweb/yesod/pull/1182)
+
 ## 1.4.19
 
 * Auth logout not working with defaultCsrfMiddleware [#1151](https://github.com/yesodweb/yesod/issues/1151)
diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal
index 4a871e2a..31a20e35 100644
--- a/yesod-core/yesod-core.cabal
+++ b/yesod-core/yesod-core.cabal
@@ -1,5 +1,5 @@
 name:            yesod-core
-version:         1.4.19
+version:         1.4.19.1
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>

From e7c6d06d3dca7710b6bad2caa074162170b82a78 Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Sun, 13 Mar 2016 08:26:31 +0200
Subject: [PATCH 36/67] Newer LTS release

---
 stack.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stack.yaml b/stack.yaml
index 3c1e5bb0..ec7cb30b 100644
--- a/stack.yaml
+++ b/stack.yaml
@@ -1,4 +1,4 @@
-resolver: lts-3.7
+resolver: lts-5.6
 packages:
   - ./yesod-core
   - ./yesod-static

From a15070709de5b9bced8fdac73a1fced3378e648f Mon Sep 17 00:00:00 2001
From: Murray <murray.calavera@gmail.com>
Date: Wed, 16 Mar 2016 18:14:40 +0000
Subject: [PATCH 37/67] allow more than one session message and add statuses

---
 yesod-auth/Yesod/Auth.hs              |  8 +--
 yesod-auth/Yesod/Auth/Email.hs        | 22 ++++----
 yesod-auth/Yesod/Auth/GoogleEmail2.hs |  4 +-
 yesod-core/Yesod/Core/Class/Yesod.hs  |  6 +--
 yesod-core/Yesod/Core/Handler.hs      | 74 ++++++++++++++++++++-------
 5 files changed, 75 insertions(+), 39 deletions(-)

diff --git a/yesod-auth/Yesod/Auth.hs b/yesod-auth/Yesod/Auth.hs
index db9e7331..86de266f 100644
--- a/yesod-auth/Yesod/Auth.hs
+++ b/yesod-auth/Yesod/Auth.hs
@@ -189,9 +189,9 @@ class (Yesod master, PathPiece (AuthId master), RenderMessage master FormMessage
     authHttpManager :: master -> Manager
 
     -- | Called on a successful login. By default, calls
-    -- @setMessageI NowLoggedIn@.
+    -- @addMessageI "success" NowLoggedIn@.
     onLogin :: HandlerT master IO ()
-    onLogin = setMessageI Msg.NowLoggedIn
+    onLogin = addMessageI "success" Msg.NowLoggedIn
 
     -- | Called on logout. By default, does nothing
     onLogout :: HandlerT master IO ()
@@ -214,10 +214,10 @@ class (Yesod master, PathPiece (AuthId master), RenderMessage master FormMessage
     maybeAuthId = defaultMaybeAuthId
 
     -- | Called on login error for HTTP requests. By default, calls
-    -- @setMessage@ and redirects to @dest@.
+    -- @addMessage@ with "error" as status and redirects to @dest@.
     onErrorHtml :: (MonadResourceBase m) => Route master -> Text -> HandlerT master m Html
     onErrorHtml dest msg = do
-        setMessage $ toHtml msg
+        addMessage "error" $ toHtml msg
         fmap asHtml $ redirect dest
 
     -- | runHttpRequest gives you a chance to handle an HttpException and retry
diff --git a/yesod-auth/Yesod/Auth/Email.hs b/yesod-auth/Yesod/Auth/Email.hs
index 2e0edd4b..88bba70f 100644
--- a/yesod-auth/Yesod/Auth/Email.hs
+++ b/yesod-auth/Yesod/Auth/Email.hs
@@ -437,17 +437,17 @@ defaultForgotPasswordHandler = do
         |]
   where
     forgotPasswordForm extra = do
-         (emailRes, emailView) <- mreq emailField emailSettings Nothing
+        (emailRes, emailView) <- mreq emailField emailSettings Nothing
     
-         let forgotPasswordRes = ForgotPasswordForm <$> emailRes
-         let widget = do
-             [whamlet|
-                 #{extra}
-                 ^{fvLabel emailView}
-                 ^{fvInput emailView}
-             |]
+        let forgotPasswordRes = ForgotPasswordForm <$> emailRes
+        let widget = do
+            [whamlet|
+                #{extra}
+                ^{fvLabel emailView}
+                ^{fvInput emailView}
+            |]
+        return (forgotPasswordRes, widget)
 
-	 return (forgotPasswordRes, widget)
     emailSettings =
         FieldSettings {
             fsLabel = SomeMessage Msg.ProvideIdentifier,
@@ -479,7 +479,7 @@ getVerifyR lid key = do
                     let msgAv = Msg.AddressVerified
                     selectRep $ do
                       provideRep $ do
-                        lift $ setMessageI msgAv
+                        lift $ addMessageI "success" msgAv
                         fmap asHtml $ redirect setpassR
                       provideJsonMessage $ mr msgAv
         _ -> invalidKey mr
@@ -650,7 +650,7 @@ postPasswordR = do
                       y <- lift $ do
                           setPassword aid salted
                           deleteSession loginLinkKey
-                          setMessageI msgOk
+                          addMessageI "success" msgOk
                           getYesod
 
                       mr <- lift getMessageRender
diff --git a/yesod-auth/Yesod/Auth/GoogleEmail2.hs b/yesod-auth/Yesod/Auth/GoogleEmail2.hs
index d7097f95..82a80a77 100644
--- a/yesod-auth/Yesod/Auth/GoogleEmail2.hs
+++ b/yesod-auth/Yesod/Auth/GoogleEmail2.hs
@@ -59,7 +59,7 @@ import           Yesod.Core               (HandlerSite, HandlerT, MonadHandler,
                                            lift, liftIO, lookupGetParam,
                                            lookupSession, notFound, redirect,
                                            setSession, whamlet, (.:),
-                                           setMessage, getYesod, authRoute,
+                                           addMessage, getYesod, authRoute,
                                            toHtml)
 
 
@@ -200,7 +200,7 @@ authPlugin storeToken clientID clientSecret =
                                     case err of
                                         "access_denied" -> "Access denied"
                                         _ -> "Unknown error occurred: " `T.append` err
-                            setMessage $ toHtml msg
+                            addMessage "error" $ toHtml msg
                             lift $ redirect $ logoutDest master
                 Just c -> return c
 
diff --git a/yesod-core/Yesod/Core/Class/Yesod.hs b/yesod-core/Yesod/Core/Class/Yesod.hs
index b8ee2abe..5147fed7 100644
--- a/yesod-core/Yesod/Core/Class/Yesod.hs
+++ b/yesod-core/Yesod/Core/Class/Yesod.hs
@@ -87,7 +87,7 @@ class RenderRoute site => Yesod site where
     defaultLayout :: WidgetT site IO () -> HandlerT site IO Html
     defaultLayout w = do
         p <- widgetToPageContent w
-        mmsg <- getMessage
+        msgs <- getMessages
         withUrlRenderer [hamlet|
             $newline never
             $doctype 5
@@ -96,8 +96,8 @@ class RenderRoute site => Yesod site where
                     <title>#{pageTitle p}
                     ^{pageHead p}
                 <body>
-                    $maybe msg <- mmsg
-                        <p .message>#{msg}
+                    $forall (status, msg) <- msgs
+                        <p class="message #{status}">#{msg}
                     ^{pageBody p}
             |]
 
diff --git a/yesod-core/Yesod/Core/Handler.hs b/yesod-core/Yesod/Core/Handler.hs
index 7f908c80..d9c0e173 100644
--- a/yesod-core/Yesod/Core/Handler.hs
+++ b/yesod-core/Yesod/Core/Handler.hs
@@ -136,6 +136,9 @@ module Yesod.Core.Handler
     , redirectUltDest
     , clearUltDest
       -- ** Messages
+    , addMessage
+    , addMessageI
+    , getMessages
     , setMessage
     , setMessageI
     , getMessage
@@ -205,7 +208,7 @@ import qualified Data.Text                     as T
 import           Data.Text.Encoding            (decodeUtf8With, encodeUtf8)
 import           Data.Text.Encoding.Error      (lenientDecode)
 import qualified Data.Text.Lazy                as TL
-import qualified Text.Blaze.Html.Renderer.Text as RenderText
+import           Text.Blaze.Html.Renderer.Utf8 (renderHtml)
 import           Text.Hamlet                   (Html, HtmlUrl, hamlet)
 
 import qualified Data.ByteString               as S
@@ -223,7 +226,7 @@ import           Text.Shakespeare.I18N         (RenderMessage (..))
 import           Web.Cookie                    (SetCookie (..))
 import           Yesod.Core.Content            (ToTypedContent (..), simpleContentType, contentTypeTypes, HasContentType (..), ToContent (..), ToFlushBuilder (..))
 import           Yesod.Core.Internal.Util      (formatRFC1123)
-import           Text.Blaze.Html               (preEscapedToMarkup, toHtml)
+import           Text.Blaze.Html               (preEscapedToHtml, toHtml)
 
 import qualified Data.IORef.Lifted             as I
 import           Data.Maybe                    (listToMaybe, mapMaybe)
@@ -521,30 +524,63 @@ clearUltDest = deleteSession ultDestKey
 msgKey :: Text
 msgKey = "_MSG"
 
--- | Sets a message in the user's session.
+-- | Adds a status and message in the user's session.
 --
--- See 'getMessage'.
-setMessage :: MonadHandler m => Html -> m ()
-setMessage = setSession msgKey . T.concat . TL.toChunks . RenderText.renderHtml
+-- See 'getMessages'.
+addMessage :: MonadHandler m
+           => Text -- ^ status
+           -> Html -- ^ message
+           -> m ()
+addMessage status msg = do
+    val <- lookupSessionBS msgKey
+    setSessionBS msgKey $ addMsg val
+  where
+    addMsg = maybe msg' (S.append msg' . S.cons W8._nul)
+    msg' = S.append
+        (encodeUtf8 status)
+        (W8._nul `S.cons` (L.toStrict $ renderHtml msg))
 
--- | Sets a message in the user's session.
+-- | Adds a message in the user's session but uses RenderMessage to allow for i18n
 --
--- See 'getMessage'.
+-- See 'getMessages'.
+addMessageI :: (MonadHandler m, RenderMessage (HandlerSite m) msg)
+            => Text -> msg -> m ()
+addMessageI status msg = do
+    mr <- getMessageRender
+    addMessage status $ toHtml $ mr msg
+
+-- | Gets all messages in the user's session, and then clears the variable.
+--
+-- See 'addMessage'.
+getMessages :: MonadHandler m => m [(Text, Html)]
+getMessages = do
+    bs <- lookupSessionBS msgKey
+    let ms = maybe [] enlist bs
+    deleteSession msgKey
+    return ms
+  where
+    enlist = pairup . S.split W8._nul
+    pairup [] = []
+    pairup [x] = []
+    pairup (s:v:xs) = (decode s, preEscapedToHtml (decode v)) : pairup xs
+    decode = decodeUtf8With lenientDecode
+
+-- | Calls 'addMessage' with an empty status
+setMessage :: MonadHandler m => Html -> m ()
+setMessage = addMessage ""
+{-# DEPRECATED setMessage "Please use addMessage instead" #-}
+
+-- | Calls 'addMessageI' with an empty status
 setMessageI :: (MonadHandler m, RenderMessage (HandlerSite m) msg)
             => msg -> m ()
-setMessageI msg = do
-    mr <- getMessageRender
-    setMessage $ toHtml $ mr msg
+setMessageI = addMessageI ""
+{-# DEPRECATED setMessageI "Please use addMessageI instead" #-}
 
--- | Gets the message in the user's session, if available, and then clears the
--- variable.
---
--- See 'setMessage'.
+-- | Gets just the last message in the user's session,
+-- discards the rest and the status
 getMessage :: MonadHandler m => m (Maybe Html)
-getMessage = do
-    mmsg <- liftM (fmap preEscapedToMarkup) $ lookupSession msgKey
-    deleteSession msgKey
-    return mmsg
+getMessage = (return . fmap snd . headMay) =<< getMessages
+{-# DEPRECATED getMessage "Please use getMessages instead" #-}
 
 -- | Bypass remaining handler code and output the given file.
 --

From 57b7ad8eda16dc140464e5ffae7d659a25c52600 Mon Sep 17 00:00:00 2001
From: Chris Allen <cma@bitemyapp.com>
Date: Thu, 17 Mar 2016 14:18:38 -0500
Subject: [PATCH 38/67] better error provenance for stuff invoking
 withResponse'

---
 yesod-test/Yesod/Test.hs | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 51912397..86e48933 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -277,15 +277,21 @@ yit label example = tell [YesodSpecItem label example]
 -- response-level assertions
 withResponse' :: MonadIO m
               => (state -> Maybe SResponse)
+              -> [T.Text]
               -> (SResponse -> ST.StateT state m a)
               -> ST.StateT state m a
-withResponse' getter f = maybe err f . getter =<< ST.get
- where err = failure "There was no response, you should make a request"
+withResponse' getter errTrace f = maybe err f . getter =<< ST.get
+ where err = failure msg
+       msg = if null errTrace
+             then "There was no response, you should make a request."
+             else
+               "There was no response, you should make a request. A request was requested because: "
+               <> T.intercalate "\n-" errTrace
 
 -- | Performs a given action using the last response. Use this to create
 -- response-level assertions
 withResponse :: (SResponse -> YesodExample site a) -> YesodExample site a
-withResponse = withResponse' yedResponse
+withResponse = withResponse' yedResponse []
 
 -- | Use HXT to parse a value from an HTML tag.
 -- Check for usage examples in this module's source.
@@ -295,16 +301,17 @@ parseHTML html = fromDocument $ HD.parseLBS html
 -- | Query the last response using CSS selectors, returns a list of matched fragments
 htmlQuery' :: MonadIO m
            => (state -> Maybe SResponse)
+           -> [T.Text]
            -> Query
            -> ST.StateT state m [HtmlLBS]
-htmlQuery' getter query = withResponse' getter $ \ res ->
+htmlQuery' getter errTrace query = withResponse' getter ("Tried to invoke htmlQuery' in order to read HTML of a previous response." : errTrace) $ \ res ->
   case findBySelector (simpleBody res) query of
     Left err -> failure $ query <> " did not parse: " <> T.pack (show err)
     Right matches -> return $ map (encodeUtf8 . TL.pack) matches
 
 -- | Query the last response using CSS selectors, returns a list of matched fragments
 htmlQuery :: Query -> YesodExample site [HtmlLBS]
-htmlQuery = htmlQuery' yedResponse
+htmlQuery = htmlQuery' yedResponse []
 
 -- | Asserts that the two given values are equal.
 assertEqual :: (Eq a) => String -> a -> a -> YesodExample site ()
@@ -569,7 +576,7 @@ fileByLabel label path mime = do
 -- >   addToken_ "#formID"
 addToken_ :: Query -> RequestBuilder site ()
 addToken_ scope = do
-  matches <- htmlQuery' rbdResponse $ scope <> "input[name=_token][type=hidden][value]"
+  matches <- htmlQuery' rbdResponse ["Tried to get CSRF token with addToken'"] $ scope <> "input[name=_token][type=hidden][value]"
   case matches of
     [] -> failure $ "No CSRF token found in the current page"
     element:[] -> addPostParam "_token" $ head $ attribute "value" $ parseHTML element

From 7e10d874923c57849decde4d6605e45ac5923f64 Mon Sep 17 00:00:00 2001
From: Chris Allen <cma@bitemyapp.com>
Date: Thu, 17 Mar 2016 14:33:15 -0500
Subject: [PATCH 39/67] better error formatting, bumping version

---
 yesod-test/Yesod/Test.hs    | 4 ++--
 yesod-test/yesod-test.cabal | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 86e48933..0ec0d5d3 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -285,8 +285,8 @@ withResponse' getter errTrace f = maybe err f . getter =<< ST.get
        msg = if null errTrace
              then "There was no response, you should make a request."
              else
-               "There was no response, you should make a request. A request was requested because: "
-               <> T.intercalate "\n-" errTrace
+               "There was no response, you should make a request. A request was requested because: \n - "
+               <> T.intercalate "\n - " errTrace
 
 -- | Performs a given action using the last response. Use this to create
 -- response-level assertions
diff --git a/yesod-test/yesod-test.cabal b/yesod-test/yesod-test.cabal
index a10d3a6d..ede0f998 100644
--- a/yesod-test/yesod-test.cabal
+++ b/yesod-test/yesod-test.cabal
@@ -1,5 +1,5 @@
 name:               yesod-test
-version:            1.5.0.1
+version:            1.6.0.0
 license:            MIT
 license-file:       LICENSE
 author:             Nubis <nubis@woobiz.com.ar>

From 776007ffa37fc3185ead6143556ca75d17e53df9 Mon Sep 17 00:00:00 2001
From: Chris Allen <cma@bitemyapp.com>
Date: Thu, 17 Mar 2016 14:35:15 -0500
Subject: [PATCH 40/67] better wording

---
 yesod-test/Yesod/Test.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 0ec0d5d3..33d60364 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -285,7 +285,7 @@ withResponse' getter errTrace f = maybe err f . getter =<< ST.get
        msg = if null errTrace
              then "There was no response, you should make a request."
              else
-               "There was no response, you should make a request. A request was requested because: \n - "
+               "There was no response, you should make a request. A response was needed because: \n - "
                <> T.intercalate "\n - " errTrace
 
 -- | Performs a given action using the last response. Use this to create

From 9dbcc95c3f50281d1aa17fe419061b7ccd4667a0 Mon Sep 17 00:00:00 2001
From: Murray <murray.calavera@gmail.com>
Date: Fri, 18 Mar 2016 09:17:57 +0000
Subject: [PATCH 41/67] remove single message deprecated directives

---
 yesod-core/Yesod/Core/Handler.hs | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/yesod-core/Yesod/Core/Handler.hs b/yesod-core/Yesod/Core/Handler.hs
index d9c0e173..35e767c0 100644
--- a/yesod-core/Yesod/Core/Handler.hs
+++ b/yesod-core/Yesod/Core/Handler.hs
@@ -568,19 +568,16 @@ getMessages = do
 -- | Calls 'addMessage' with an empty status
 setMessage :: MonadHandler m => Html -> m ()
 setMessage = addMessage ""
-{-# DEPRECATED setMessage "Please use addMessage instead" #-}
 
 -- | Calls 'addMessageI' with an empty status
 setMessageI :: (MonadHandler m, RenderMessage (HandlerSite m) msg)
             => msg -> m ()
 setMessageI = addMessageI ""
-{-# DEPRECATED setMessageI "Please use addMessageI instead" #-}
 
 -- | Gets just the last message in the user's session,
 -- discards the rest and the status
 getMessage :: MonadHandler m => m (Maybe Html)
 getMessage = (return . fmap snd . headMay) =<< getMessages
-{-# DEPRECATED getMessage "Please use getMessages instead" #-}
 
 -- | Bypass remaining handler code and output the given file.
 --

From 289471d1221de4d4e3377b10e03ca9bf2e6319cc Mon Sep 17 00:00:00 2001
From: Chris Allen <cma@bitemyapp.com>
Date: Sun, 20 Mar 2016 12:50:17 -0500
Subject: [PATCH 42/67] appropriate version bump

---
 yesod-test/yesod-test.cabal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-test/yesod-test.cabal b/yesod-test/yesod-test.cabal
index ede0f998..907624e5 100644
--- a/yesod-test/yesod-test.cabal
+++ b/yesod-test/yesod-test.cabal
@@ -1,5 +1,5 @@
 name:               yesod-test
-version:            1.6.0.0
+version:            1.5.1.0
 license:            MIT
 license-file:       LICENSE
 author:             Nubis <nubis@woobiz.com.ar>

From 04a7c12b65d4bf3ea32aa20fa178db928acbc1f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adam=20Sj=C3=B8gren?= <asjo@koldfront.dk>
Date: Sun, 20 Mar 2016 21:16:14 +0100
Subject: [PATCH 43/67] Add translation to Danish.

---
 yesod-auth/Yesod/Auth/Message.hs | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/yesod-auth/Yesod/Auth/Message.hs b/yesod-auth/Yesod/Auth/Message.hs
index 5705aa3c..dcc5cb43 100644
--- a/yesod-auth/Yesod/Auth/Message.hs
+++ b/yesod-auth/Yesod/Auth/Message.hs
@@ -17,6 +17,7 @@ module Yesod.Auth.Message
     , czechMessage
     , russianMessage
     , dutchMessage
+    , danishMessage
     ) where
 
 import           Data.Monoid (mappend,(<>))
@@ -736,3 +737,50 @@ croatianMessage (IdentifierNotFound ident) = "Korisničko ime/e-pošta nisu pron
 croatianMessage Logout = "Odjava"
 croatianMessage LogoutTitle = "Odjava"
 croatianMessage AuthError = "Pogreška provjere autentičnosti"
+
+danishMessage :: AuthMessage -> Text
+danishMessage NoOpenID = "Mangler OpenID identifier"
+danishMessage LoginOpenID = "Login med OpenID"
+danishMessage LoginGoogle = "Login med Google"
+danishMessage LoginYahoo = "Login med Yahoo"
+danishMessage Email = "E-mail"
+danishMessage UserName = "Brugernavn"
+danishMessage Password = "Kodeord"
+danishMessage CurrentPassword = "Nuværende kodeord"
+danishMessage Register = "Opret"
+danishMessage RegisterLong = "Opret en ny konto"
+danishMessage EnterEmail = "Indtast din e-mailadresse nedenfor og en bekræftelsesmail vil blive sendt til dig."
+danishMessage ConfirmationEmailSentTitle = "Bekræftelsesmail sendt"
+danishMessage (ConfirmationEmailSent email) =
+    "En bekræftelsesmail er sendt til " `mappend`
+    email `mappend`
+    "."
+danishMessage AddressVerified = "Adresse bekræftet, sæt venligst et nyt kodeord"
+danishMessage InvalidKeyTitle = "Ugyldig verifikationsnøgle"
+danishMessage InvalidKey = "Beklager, det var en ugyldigt verifikationsnøgle."
+danishMessage InvalidEmailPass = "Ugyldigt e-mail/kodeord"
+danishMessage BadSetPass = "Du skal være logget ind for at sætte et kodeord"
+danishMessage SetPassTitle = "Sæt kodeord"
+danishMessage SetPass = "Sæt et nyt kodeord"
+danishMessage NewPass = "Nyt kodeord"
+danishMessage ConfirmPass = "Bekræft"
+danishMessage PassMismatch = "Kodeordne var forskellige, prøv venligst igen"
+danishMessage PassUpdated = "Kodeord opdateret"
+danishMessage Facebook = "Login med Facebook"
+danishMessage LoginViaEmail = "Login med e-mail"
+danishMessage InvalidLogin = "Ugyldigt login"
+danishMessage NowLoggedIn = "Du er nu logget ind"
+danishMessage LoginTitle = "Log ind"
+danishMessage PleaseProvideUsername = "Indtast venligst dit brugernavn"
+danishMessage PleaseProvidePassword = "Indtasy venligst dit kodeord"
+danishMessage NoIdentifierProvided = "Mangler e-mail/username"
+danishMessage InvalidEmailAddress = "Ugyldig e-mailadresse indtastet"
+danishMessage PasswordResetTitle = "Nulstilning af kodeord"
+danishMessage ProvideIdentifier = "E-mail eller brugernavn"
+danishMessage SendPasswordResetEmail = "Send kodeordsnulstillingsmail"
+danishMessage PasswordResetPrompt = "Indtast din e-mailadresse eller dit brugernavn nedenfor, så bliver en kodeordsnulstilningsmail sendt til dig."
+danishMessage InvalidUsernamePass = "Ugyldigt brugernavn/kodeord"
+danishMessage (IdentifierNotFound ident) = "Brugernavn findes ikke: " `mappend` ident
+danishMessage Logout = "Log ud"
+danishMessage LogoutTitle = "Log ud"
+danishMessage AuthError = "Fejl ved bekræftelse af identitet"

From 89e39464a177c44999f0e7bd9dc5b13555da4fab Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Mon, 21 Mar 2016 12:57:52 +0200
Subject: [PATCH 44/67] Changelog for #1191

---
 yesod-test/ChangeLog.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/yesod-test/ChangeLog.md b/yesod-test/ChangeLog.md
index b678c292..f3b2b3a6 100644
--- a/yesod-test/ChangeLog.md
+++ b/yesod-test/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.5.1.0
+
+* Better error provenance for stuff invoking withResponse' [#1191](https://github.com/yesodweb/yesod/pull/1191)
+
 ## 1.5.0.1
 
 * Fixed the `application/x-www-form-urlencoded` header being added to all requests, even those sending a binary POST body [#1064](https://github.com/yesodweb/yesod/pull/1064/files)

From df6834a335b124d5aa014b35bd3b5ec00dadd9e2 Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 12:13:23 -0400
Subject: [PATCH 45/67] add followRedirect

---
 yesod-test/Yesod/Test.hs    | 20 ++++++++++++++++++++
 yesod-test/test/main.hs     | 29 +++++++++++++++++++++++++++--
 yesod-test/yesod-test.cabal |  3 ++-
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 33d60364..32b6b0b1 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -50,6 +50,7 @@ module Yesod.Test
     , get
     , post
     , postBody
+    , followRedirect
     , request
     , addRequestHeader
     , setMethod
@@ -693,6 +694,25 @@ get url = request $ do
     setMethod "GET"
     setUrl url
 
+-- | Follow a redirect, if the last response was a redirect.
+-- ==== __Examples__
+-- > get HomeR
+--
+-- > followRedirect
+followRedirect :: Yesod site
+               =>  YesodExample site ()
+followRedirect = do
+  mr <- getResponse
+  case mr of
+   Nothing ->  failure "no response, so no redirect to follow"
+   Just r -> do
+     if not ((H.statusCode $ simpleStatus r) `elem` [301,303])
+       then failure "followRedirect called, but previous request was not a redirect"
+       else do
+         case lookup "Location" (simpleHeaders r) of
+          Nothing -> failure "No location header set"
+          Just h -> get (TE.decodeUtf8 h)
+
 -- | Sets the HTTP method used by the request.
 --
 -- ==== __Examples__
diff --git a/yesod-test/test/main.hs b/yesod-test/test/main.hs
index 5461e8bd..f7808bc0 100644
--- a/yesod-test/test/main.hs
+++ b/yesod-test/test/main.hs
@@ -20,11 +20,13 @@ import Data.Monoid ((<>))
 import Control.Applicative
 import Network.Wai (pathInfo, requestHeaders)
 import Data.Maybe (fromMaybe)
+import Data.Either (isLeft)
+import Control.Monad.Catch (try)
 
 import Data.ByteString.Lazy.Char8 ()
 import qualified Data.Map as Map
 import qualified Text.HTML.DOM as HD
-import Network.HTTP.Types.Status (unsupportedMediaType415)
+import Network.HTTP.Types.Status (status301, status303, unsupportedMediaType415)
 
 parseQuery_ = either error id . parseQuery
 findBySelector_ x = either error id . findBySelector x
@@ -213,8 +215,28 @@ main = hspec $ do
                 setMethod "POST"
                 setUrl ("/" :: Text)
             statusIs 403
+    describe "test redirects" $ yesodSpec app $ do
+        yit "follows 303 redirects when requested" $ do
+            get ("/redirect303" :: Text)
+            statusIs 303
+            followRedirect
+            statusIs 200
+            bodyContains "we have been successfully redirected"
+
+        yit "follows 301 redirects when requested" $ do
+            get ("/redirect301" :: Text)
+            statusIs 301
+            followRedirect
+            statusIs 200
+            bodyContains "we have been successfully redirected"
 
 
+        yit "throws an exception when no redirect was returned" $ do
+            get ("/" :: Text)
+            statusIs 200
+            r <- followRedirect
+            statusIs 200
+            -- assertBool "expected exception" $ isLeft r
 
 instance RenderMessage LiteApp FormMessage where
     renderMessage _ _ = defaultFormMessage
@@ -235,6 +257,9 @@ app = liteApp $ do
         case mfoo of
             Nothing -> error "No foo"
             Just foo -> return foo
+    onStatic "redirect301" $ dispatchTo $ redirectWith status301 ("/redirectTarget" :: Text) >> return ()
+    onStatic "redirect303" $ dispatchTo $ redirectWith status303 ("/redirectTarget" :: Text) >> return ()
+    onStatic "redirectTarget" $ dispatchTo $ return ("we have been successfully redirected" :: Text)
     onStatic "form" $ dispatchTo $ do
         ((mfoo, widget), _) <- runFormPost
                         $ renderDivs
@@ -290,4 +315,4 @@ postHomeR = defaultLayout
     [whamlet|
         <p>
             Welcome to my test application.
-    |]
\ No newline at end of file
+    |]
diff --git a/yesod-test/yesod-test.cabal b/yesod-test/yesod-test.cabal
index 907624e5..f0c607f6 100644
--- a/yesod-test/yesod-test.cabal
+++ b/yesod-test/yesod-test.cabal
@@ -4,7 +4,7 @@ license:            MIT
 license-file:       LICENSE
 author:             Nubis <nubis@woobiz.com.ar>
 maintainer:         Michael Snoyman, Greg Weber, Nubis <nubis@woobiz.com.ar>
-synopsis:           integration testing for WAI/Yesod Applications 
+synopsis:           integration testing for WAI/Yesod Applications
 category:           Web, Yesod, Testing
 stability:          Experimental
 cabal-version:      >= 1.8
@@ -60,6 +60,7 @@ test-suite test
                           , yesod-form
                           , text
                           , wai
+                          , exceptions
                           , http-types
 
 source-repository head

From 62961ef9313747547220502d7bdeb385ea49729a Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 12:34:38 -0400
Subject: [PATCH 46/67] fix exception test

---
 yesod-test/test/main.hs     | 8 +++++---
 yesod-test/yesod-test.cabal | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/yesod-test/test/main.hs b/yesod-test/test/main.hs
index f7808bc0..c9271df7 100644
--- a/yesod-test/test/main.hs
+++ b/yesod-test/test/main.hs
@@ -21,7 +21,7 @@ import Control.Applicative
 import Network.Wai (pathInfo, requestHeaders)
 import Data.Maybe (fromMaybe)
 import Data.Either (isLeft)
-import Control.Monad.Catch (try)
+import Control.Exception.Lifted(try, SomeException)
 
 import Data.ByteString.Lazy.Char8 ()
 import qualified Data.Map as Map
@@ -234,9 +234,11 @@ main = hspec $ do
         yit "throws an exception when no redirect was returned" $ do
             get ("/" :: Text)
             statusIs 200
-            r <- followRedirect
+            -- This appears to be an HUnitFailure, which is not
+            -- exported, so I'm catching SomeException instead.
+            (r :: Either SomeException ()) <- try followRedirect
             statusIs 200
-            -- assertBool "expected exception" $ isLeft r
+            liftIO $ assertBool "expected exception" $ isLeft r
 
 instance RenderMessage LiteApp FormMessage where
     renderMessage _ _ = defaultFormMessage
diff --git a/yesod-test/yesod-test.cabal b/yesod-test/yesod-test.cabal
index f0c607f6..9f2ee0da 100644
--- a/yesod-test/yesod-test.cabal
+++ b/yesod-test/yesod-test.cabal
@@ -60,7 +60,7 @@ test-suite test
                           , yesod-form
                           , text
                           , wai
-                          , exceptions
+                          , lifted-base
                           , http-types
 
 source-repository head

From 29c335af563799f4ae3df66ee9b131463452700a Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 13:39:49 -0400
Subject: [PATCH 47/67] use Either rather than throwing an exception

---
 yesod-test/Yesod/Test.hs | 10 +++++-----
 yesod-test/test/main.hs  |  7 ++-----
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 32b6b0b1..4e7afe0e 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -700,18 +700,18 @@ get url = request $ do
 --
 -- > followRedirect
 followRedirect :: Yesod site
-               =>  YesodExample site ()
+               =>  YesodExample site (Either T.Text ())
 followRedirect = do
   mr <- getResponse
   case mr of
-   Nothing ->  failure "no response, so no redirect to follow"
+   Nothing ->  return $ Left "no response, so no redirect to follow"
    Just r -> do
      if not ((H.statusCode $ simpleStatus r) `elem` [301,303])
-       then failure "followRedirect called, but previous request was not a redirect"
+       then return $ Left  "followRedirect called, but previous request was not a redirect"
        else do
          case lookup "Location" (simpleHeaders r) of
-          Nothing -> failure "No location header set"
-          Just h -> get (TE.decodeUtf8 h)
+          Nothing -> return $ Left "No location header set"
+          Just h -> get (TE.decodeUtf8 h) >> return (Right ())
 
 -- | Sets the HTTP method used by the request.
 --
diff --git a/yesod-test/test/main.hs b/yesod-test/test/main.hs
index c9271df7..3cee06be 100644
--- a/yesod-test/test/main.hs
+++ b/yesod-test/test/main.hs
@@ -231,13 +231,10 @@ main = hspec $ do
             bodyContains "we have been successfully redirected"
 
 
-        yit "throws an exception when no redirect was returned" $ do
+        yit "returns a Left when no redirect was returned" $ do
             get ("/" :: Text)
             statusIs 200
-            -- This appears to be an HUnitFailure, which is not
-            -- exported, so I'm catching SomeException instead.
-            (r :: Either SomeException ()) <- try followRedirect
-            statusIs 200
+            r <- followRedirect
             liftIO $ assertBool "expected exception" $ isLeft r
 
 instance RenderMessage LiteApp FormMessage where

From f381c69449fdf6ab8086f0aa49b813bcc7a60e0d Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 13:43:36 -0400
Subject: [PATCH 48/67] expand range of acceptable redirection codes

---
 yesod-test/Yesod/Test.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 4e7afe0e..dea2a6a3 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -706,7 +706,7 @@ followRedirect = do
   case mr of
    Nothing ->  return $ Left "no response, so no redirect to follow"
    Just r -> do
-     if not ((H.statusCode $ simpleStatus r) `elem` [301,303])
+     if not ((H.statusCode $ simpleStatus r) `elem` [301, 302, 303, 307, 308])
        then return $ Left  "followRedirect called, but previous request was not a redirect"
        else do
          case lookup "Location" (simpleHeaders r) of

From 92f24a73dc0302b160ee612744d36ef935fd93d2 Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 13:44:26 -0400
Subject: [PATCH 49/67] better error messages for followRedirect

---
 yesod-test/Yesod/Test.hs | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index dea2a6a3..f886b399 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -704,13 +704,13 @@ followRedirect :: Yesod site
 followRedirect = do
   mr <- getResponse
   case mr of
-   Nothing ->  return $ Left "no response, so no redirect to follow"
+   Nothing ->  return $ Left "followRedirect called, but there was no previous response, so no redirect to follow"
    Just r -> do
      if not ((H.statusCode $ simpleStatus r) `elem` [301, 302, 303, 307, 308])
        then return $ Left  "followRedirect called, but previous request was not a redirect"
        else do
          case lookup "Location" (simpleHeaders r) of
-          Nothing -> return $ Left "No location header set"
+          Nothing -> return $ Left "followRedirect called, but no location header set"
           Just h -> get (TE.decodeUtf8 h) >> return (Right ())
 
 -- | Sets the HTTP method used by the request.

From ef00ddd80bd12de6082823542603a291b48c1248 Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 17:16:28 -0400
Subject: [PATCH 50/67] test result value, return URL in Right branch, document
 meaning in haddocks

---
 yesod-test/Yesod/Test.hs |  8 ++++++--
 yesod-test/test/main.hs  | 10 ++++++----
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index f886b399..cac92a6a 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -695,12 +695,15 @@ get url = request $ do
     setUrl url
 
 -- | Follow a redirect, if the last response was a redirect.
+-- | Return Left with an error message if not a redirect
+-- | Return Right with the redirected URL if it was.
+--
 -- ==== __Examples__
 -- > get HomeR
 --
 -- > followRedirect
 followRedirect :: Yesod site
-               =>  YesodExample site (Either T.Text ())
+               =>  YesodExample site (Either T.Text T.Text)
 followRedirect = do
   mr <- getResponse
   case mr of
@@ -711,7 +714,8 @@ followRedirect = do
        else do
          case lookup "Location" (simpleHeaders r) of
           Nothing -> return $ Left "followRedirect called, but no location header set"
-          Just h -> get (TE.decodeUtf8 h) >> return (Right ())
+          Just h -> let url = TE.decodeUtf8 h in
+                     get url  >> return (Right url)
 
 -- | Sets the HTTP method used by the request.
 --
diff --git a/yesod-test/test/main.hs b/yesod-test/test/main.hs
index 3cee06be..0ef4354c 100644
--- a/yesod-test/test/main.hs
+++ b/yesod-test/test/main.hs
@@ -20,7 +20,7 @@ import Data.Monoid ((<>))
 import Control.Applicative
 import Network.Wai (pathInfo, requestHeaders)
 import Data.Maybe (fromMaybe)
-import Data.Either (isLeft)
+import Data.Either (isLeft, isRight)
 import Control.Exception.Lifted(try, SomeException)
 
 import Data.ByteString.Lazy.Char8 ()
@@ -219,14 +219,16 @@ main = hspec $ do
         yit "follows 303 redirects when requested" $ do
             get ("/redirect303" :: Text)
             statusIs 303
-            followRedirect
+            r <- followRedirect
+            liftIO $ assertBool "expected a Right from a 303 redirect" $ isRight r
             statusIs 200
             bodyContains "we have been successfully redirected"
 
         yit "follows 301 redirects when requested" $ do
             get ("/redirect301" :: Text)
             statusIs 301
-            followRedirect
+            r <- followRedirect
+            liftIO $ assertBool "expected a Right from a 301 redirect" $ isRight r
             statusIs 200
             bodyContains "we have been successfully redirected"
 
@@ -235,7 +237,7 @@ main = hspec $ do
             get ("/" :: Text)
             statusIs 200
             r <- followRedirect
-            liftIO $ assertBool "expected exception" $ isLeft r
+            liftIO $ assertBool "expected a Left when not a redirect" $ isLeft r
 
 instance RenderMessage LiteApp FormMessage where
     renderMessage _ _ = defaultFormMessage

From f2341355c1846c1a7ce27cb7963427acf01869aa Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 17:20:02 -0400
Subject: [PATCH 51/67] documentation fixes

---
 yesod-test/Yesod/Test.hs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index cac92a6a..928320cf 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -695,12 +695,13 @@ get url = request $ do
     setUrl url
 
 -- | Follow a redirect, if the last response was a redirect.
+-- | (We consider 301, 302, 303, 307 and 308 as redirects.)
 -- | Return Left with an error message if not a redirect
 -- | Return Right with the redirected URL if it was.
 --
 -- ==== __Examples__
--- > get HomeR
 --
+-- > get HomeR
 -- > followRedirect
 followRedirect :: Yesod site
                =>  YesodExample site (Either T.Text T.Text)

From b21e64637f814b92680f230051d4c7b4ead3b7f4 Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 17:21:14 -0400
Subject: [PATCH 52/67] documentation fixes #2

---
 yesod-test/Yesod/Test.hs | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 928320cf..9a689349 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -695,7 +695,9 @@ get url = request $ do
     setUrl url
 
 -- | Follow a redirect, if the last response was a redirect.
--- | (We consider 301, 302, 303, 307 and 308 as redirects.)
+-- | (We consider a request a redirect if the status is
+-- | 301, 302, 303, 307 or 308, and the Location header is set.)
+-- |
 -- | Return Left with an error message if not a redirect
 -- | Return Right with the redirected URL if it was.
 --

From 23278d651e4fc2119d4ef55b4469e39a51b66ae4 Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 17:41:25 -0400
Subject: [PATCH 53/67] documentation fixes & formatting #3

---
 yesod-test/Yesod/Test.hs | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 9a689349..7da770ab 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -695,16 +695,15 @@ get url = request $ do
     setUrl url
 
 -- | Follow a redirect, if the last response was a redirect.
--- | (We consider a request a redirect if the status is
--- | 301, 302, 303, 307 or 308, and the Location header is set.)
--- |
--- | Return Left with an error message if not a redirect
--- | Return Right with the redirected URL if it was.
+-- (We consider a request a redirect if the status is
+-- 301, 302, 303, 307 or 308, and the Location header is set.)
 --
 -- ==== __Examples__
 --
 -- > get HomeR
 -- > followRedirect
+followRedirect :: Yesod site
+               =>  YesodExample site (Either T.Text T.Text) -- ^ 'Left' with an error message if not a redirect, 'Right' with the redirected URL if it was
 followRedirect :: Yesod site
                =>  YesodExample site (Either T.Text T.Text)
 followRedirect = do
@@ -713,7 +712,7 @@ followRedirect = do
    Nothing ->  return $ Left "followRedirect called, but there was no previous response, so no redirect to follow"
    Just r -> do
      if not ((H.statusCode $ simpleStatus r) `elem` [301, 302, 303, 307, 308])
-       then return $ Left  "followRedirect called, but previous request was not a redirect"
+       then return $ Left "followRedirect called, but previous request was not a redirect"
        else do
          case lookup "Location" (simpleHeaders r) of
           Nothing -> return $ Left "followRedirect called, but no location header set"

From 94109d9406e69739393383379cd8cbb0e33cb384 Mon Sep 17 00:00:00 2001
From: Mark Wotton <mwotton@gmail.com>
Date: Mon, 21 Mar 2016 17:46:28 -0400
Subject: [PATCH 54/67] duplicated typesig

---
 yesod-test/Yesod/Test.hs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/yesod-test/Yesod/Test.hs b/yesod-test/Yesod/Test.hs
index 7da770ab..36bbb582 100644
--- a/yesod-test/Yesod/Test.hs
+++ b/yesod-test/Yesod/Test.hs
@@ -704,8 +704,6 @@ get url = request $ do
 -- > followRedirect
 followRedirect :: Yesod site
                =>  YesodExample site (Either T.Text T.Text) -- ^ 'Left' with an error message if not a redirect, 'Right' with the redirected URL if it was
-followRedirect :: Yesod site
-               =>  YesodExample site (Either T.Text T.Text)
 followRedirect = do
   mr <- getResponse
   case mr of

From 36bc175f509d8a4a5aa3a2358ef8cd6304468cda Mon Sep 17 00:00:00 2001
From: Sebastien Canart <kokotchy@gmail.com>
Date: Wed, 23 Mar 2016 08:26:44 +0100
Subject: [PATCH 55/67] Add French translation for CurrentPassword

---
 yesod-auth/Yesod/Auth/Message.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Message.hs b/yesod-auth/Yesod/Auth/Message.hs
index dcc5cb43..4bda1e6c 100644
--- a/yesod-auth/Yesod/Auth/Message.hs
+++ b/yesod-auth/Yesod/Auth/Message.hs
@@ -320,7 +320,7 @@ frenchMessage LoginYahoo = "Se connecter avec Yahoo"
 frenchMessage Email = "Adresse électronique"
 frenchMessage UserName = "Nom d'utilisateur" -- FIXME by Google Translate "user name"
 frenchMessage Password = "Mot de passe"
-frenchMessage CurrentPassword = "Current password"
+frenchMessage CurrentPassword = "Mot de passe actuel"
 frenchMessage Register = "S'inscrire"
 frenchMessage RegisterLong = "Créer un compte"
 frenchMessage EnterEmail = "Entrez ci-dessous votre adresse électronique, et un message de confirmation vous sera envoyé"

From 814ad379b616fde7e85c8917c0ae85aead0f05ef Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Mon, 28 Mar 2016 20:26:42 +0300
Subject: [PATCH 56/67] Disable yesod test for Stack (fixes #1198)

---
 yesod-bin/ChangeLog.md    |  4 ++++
 yesod-bin/main.hs         | 19 ++++++++++++++-----
 yesod-bin/yesod-bin.cabal |  2 +-
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/yesod-bin/ChangeLog.md b/yesod-bin/ChangeLog.md
index d7837a79..71df0ba6 100644
--- a/yesod-bin/ChangeLog.md
+++ b/yesod-bin/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.18
+
+* Disable `yesod test` when using Stack [#1198](https://github.com/yesodweb/yesod/issues/1198)
+
 ## 1.4.17
 
 * Fully remove the `yesod init` command
diff --git a/yesod-bin/main.hs b/yesod-bin/main.hs
index 94b0cd80..07cca4e1 100755
--- a/yesod-bin/main.hs
+++ b/yesod-bin/main.hs
@@ -6,7 +6,7 @@ import           Data.Monoid
 import           Data.Version           (showVersion)
 import           Options.Applicative
 import           System.Environment     (getEnvironment)
-import           System.Exit            (ExitCode (ExitSuccess), exitWith)
+import           System.Exit            (ExitCode (ExitSuccess), exitWith, exitFailure)
 import           System.FilePath        (splitSearchPath)
 import           System.Process         (rawSystem)
 
@@ -15,6 +15,7 @@ import           Devel                  (DevelOpts (..), devel, DevelTermOpt(..)
 import           Keter                  (keter)
 import           Options                (injectDefaults)
 import qualified Paths_yesod_bin
+import           System.IO              (hPutStrLn, stderr)
 
 import           HsFile                 (mkHsFile)
 #ifndef WINDOWS
@@ -130,10 +131,18 @@ main = do
                              }
                        devel develOpts develExtraArgs
   where
-    cabalTest cabal = do touch'
-                         _ <- cabal ["configure", "--enable-tests", "-flibrary-only"]
-                         _ <- cabal ["build"]
-                         cabal ["test"]
+    cabalTest cabal = do
+        env <- getEnvironment
+        case lookup "STACK_EXE" env of
+            Nothing -> do
+                touch'
+                _ <- cabal ["configure", "--enable-tests", "-flibrary-only"]
+                _ <- cabal ["build"]
+                cabal ["test"]
+            Just _ -> do
+                hPutStrLn stderr "'yesod test' is no longer needed with Stack"
+                hPutStrLn stderr "Instead, please just run 'stack test'"
+                exitFailure
 
 handleGhcPackagePath :: IO ([String], Maybe [(String, String)])
 handleGhcPackagePath = do
diff --git a/yesod-bin/yesod-bin.cabal b/yesod-bin/yesod-bin.cabal
index b9357197..e1f8d8fe 100644
--- a/yesod-bin/yesod-bin.cabal
+++ b/yesod-bin/yesod-bin.cabal
@@ -1,5 +1,5 @@
 name:            yesod-bin
-version:         1.4.17.1
+version:         1.4.18
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>

From fd1681d2cea7378d19729bef5342f5abcdbd8ad2 Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Mon, 28 Mar 2016 20:40:11 +0300
Subject: [PATCH 57/67] Version bump

---
 yesod/yesod.cabal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod/yesod.cabal b/yesod/yesod.cabal
index a9149f9a..d42af4b1 100644
--- a/yesod/yesod.cabal
+++ b/yesod/yesod.cabal
@@ -1,5 +1,5 @@
 name:            yesod
-version:         1.4.2
+version:         1.4.2.1
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>

From 3b9e7829882754a2219332ccebb9f7d8f66b851d Mon Sep 17 00:00:00 2001
From: Maximilian Tagher <feedback.tagher@gmail.com>
Date: Mon, 28 Mar 2016 12:33:25 -0700
Subject: [PATCH 58/67] Fix W3 multiple attribute link

---
 yesod-form/Yesod/Form/Fields.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-form/Yesod/Form/Fields.hs b/yesod-form/Yesod/Form/Fields.hs
index 5ccbe208..81daa7cf 100644
--- a/yesod-form/Yesod/Form/Fields.hs
+++ b/yesod-form/Yesod/Form/Fields.hs
@@ -349,7 +349,7 @@ $newline never
     , fieldEnctype = UrlEncoded
     }
 
--- | Creates an input with @type="email"@ with the <http://www.w3.org/html/wg/drafts/html/master/forms.html#the-multiple-attribute multiple> attribute; browsers might implement this as taking a comma separated list of emails. Each email address is validated as described in 'emailField'.
+-- | Creates an input with @type="email"@ with the <http://w3c.github.io/html/sec-forms.html#the-multiple-attribute multiple> attribute; browsers might implement this as taking a comma separated list of emails. Each email address is validated as described in 'emailField'.
 --
 -- Since 1.3.7
 multiEmailField :: Monad m => RenderMessage (HandlerSite m) FormMessage => Field m [Text]

From da4948592db9d49de0dab9ae1fc7b5d16d2f529f Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Tue, 29 Mar 2016 09:13:38 +0300
Subject: [PATCH 59/67] Version bump

---
 yesod-core/ChangeLog.md          | 4 ++++
 yesod-core/Yesod/Core/Handler.hs | 6 ++++++
 yesod-core/yesod-core.cabal      | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md
index c4844683..b8aec9c8 100644
--- a/yesod-core/ChangeLog.md
+++ b/yesod-core/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.20
+
+* `addMessage`, `addMessageI`, and `getMessages` functions
+
 ## 1.4.19.1
 
 * Allow lines of dashes in route files [#1182](https://github.com/yesodweb/yesod/pull/1182)
diff --git a/yesod-core/Yesod/Core/Handler.hs b/yesod-core/Yesod/Core/Handler.hs
index 35e767c0..6dc1dd3c 100644
--- a/yesod-core/Yesod/Core/Handler.hs
+++ b/yesod-core/Yesod/Core/Handler.hs
@@ -527,6 +527,8 @@ msgKey = "_MSG"
 -- | Adds a status and message in the user's session.
 --
 -- See 'getMessages'.
+--
+-- @since 1.4.20
 addMessage :: MonadHandler m
            => Text -- ^ status
            -> Html -- ^ message
@@ -543,6 +545,8 @@ addMessage status msg = do
 -- | Adds a message in the user's session but uses RenderMessage to allow for i18n
 --
 -- See 'getMessages'.
+--
+-- @since 1.4.20
 addMessageI :: (MonadHandler m, RenderMessage (HandlerSite m) msg)
             => Text -> msg -> m ()
 addMessageI status msg = do
@@ -552,6 +556,8 @@ addMessageI status msg = do
 -- | Gets all messages in the user's session, and then clears the variable.
 --
 -- See 'addMessage'.
+--
+-- @since 1.4.20
 getMessages :: MonadHandler m => m [(Text, Html)]
 getMessages = do
     bs <- lookupSessionBS msgKey
diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal
index 31a20e35..efd9aa03 100644
--- a/yesod-core/yesod-core.cabal
+++ b/yesod-core/yesod-core.cabal
@@ -1,5 +1,5 @@
 name:            yesod-core
-version:         1.4.19.1
+version:         1.4.20
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>

From 31d07481f19051a2b75f3f0272c4bb1086f91bae Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Tue, 29 Mar 2016 09:15:57 +0300
Subject: [PATCH 60/67] Version bump

---
 yesod-auth/ChangeLog.md     | 4 ++++
 yesod-auth/yesod-auth.cabal | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/yesod-auth/ChangeLog.md b/yesod-auth/ChangeLog.md
index 46640af4..c8ff6e2a 100644
--- a/yesod-auth/ChangeLog.md
+++ b/yesod-auth/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.14
+
+* Multiple session messages. [#1187](https://github.com/yesodweb/yesod/pull/1187)
+
 ## 1.4.13
 
 * Add a CSRF token to the login form from `Yesod.Auth.Hardcoded`, making it compatible with the CSRF middleware [#1161](https://github.com/yesodweb/yesod/pull/1161)
diff --git a/yesod-auth/yesod-auth.cabal b/yesod-auth/yesod-auth.cabal
index 69c13d9d..e254aadf 100644
--- a/yesod-auth/yesod-auth.cabal
+++ b/yesod-auth/yesod-auth.cabal
@@ -1,5 +1,5 @@
 name:            yesod-auth
-version:         1.4.13
+version:         1.4.14
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman, Patrick Brisbin
@@ -23,7 +23,7 @@ library
     build-depends:   base                    >= 4         && < 5
                    , authenticate            >= 1.3
                    , bytestring              >= 0.9.1.4
-                   , yesod-core              >= 1.4.14    && < 1.5
+                   , yesod-core              >= 1.4.20    && < 1.5
                    , wai                     >= 1.4
                    , template-haskell
                    , base16-bytestring

From aa6714e4b05d3274987abd33920f44b2dac21d15 Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Tue, 29 Mar 2016 09:16:33 +0300
Subject: [PATCH 61/67] Undo minor bump that was not needed

---
 yesod-auth/ChangeLog.md     | 5 +----
 yesod-auth/yesod-auth.cabal | 2 +-
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/yesod-auth/ChangeLog.md b/yesod-auth/ChangeLog.md
index c8ff6e2a..aa6b0669 100644
--- a/yesod-auth/ChangeLog.md
+++ b/yesod-auth/ChangeLog.md
@@ -1,10 +1,7 @@
-## 1.4.14
-
-* Multiple session messages. [#1187](https://github.com/yesodweb/yesod/pull/1187)
-
 ## 1.4.13
 
 * Add a CSRF token to the login form from `Yesod.Auth.Hardcoded`, making it compatible with the CSRF middleware [#1161](https://github.com/yesodweb/yesod/pull/1161)
+* Multiple session messages. [#1187](https://github.com/yesodweb/yesod/pull/1187)
 
 ## 1.4.12
 
diff --git a/yesod-auth/yesod-auth.cabal b/yesod-auth/yesod-auth.cabal
index e254aadf..cc7e72d8 100644
--- a/yesod-auth/yesod-auth.cabal
+++ b/yesod-auth/yesod-auth.cabal
@@ -1,5 +1,5 @@
 name:            yesod-auth
-version:         1.4.14
+version:         1.4.13
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman, Patrick Brisbin

From 88a77f88b396801ff927d666d22d4f16feca009e Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Tue, 29 Mar 2016 09:20:11 +0300
Subject: [PATCH 62/67] Version bump

---
 yesod-persistent/yesod-persistent.cabal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-persistent/yesod-persistent.cabal b/yesod-persistent/yesod-persistent.cabal
index f777d692..a12ca073 100644
--- a/yesod-persistent/yesod-persistent.cabal
+++ b/yesod-persistent/yesod-persistent.cabal
@@ -1,5 +1,5 @@
 name:            yesod-persistent
-version:         1.4.0.3
+version:         1.4.0.4
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>

From 063cef70ee9fbf7a24e74ec00ad0db9c885cd58f Mon Sep 17 00:00:00 2001
From: Michael Snoyman <michael@snoyman.com>
Date: Tue, 29 Mar 2016 09:21:03 +0300
Subject: [PATCH 63/67] Version bump

---
 yesod-form/yesod-form.cabal | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-form/yesod-form.cabal b/yesod-form/yesod-form.cabal
index 04be2974..2d3b9e71 100644
--- a/yesod-form/yesod-form.cabal
+++ b/yesod-form/yesod-form.cabal
@@ -1,5 +1,5 @@
 name:            yesod-form
-version:         1.4.6
+version:         1.4.7
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>

From 28fbaae268b8fb12dd9467bcb11c739b961d26be Mon Sep 17 00:00:00 2001
From: Maximilian Tagher <feedback.tagher@gmail.com>
Date: Mon, 28 Mar 2016 12:21:50 -0700
Subject: [PATCH 64/67] Log a warning when a CSRF error occurs

* Closes #1192
---
 yesod-core/Yesod/Core/Handler.hs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/yesod-core/Yesod/Core/Handler.hs b/yesod-core/Yesod/Core/Handler.hs
index 6dc1dd3c..f8baa37d 100644
--- a/yesod-core/Yesod/Core/Handler.hs
+++ b/yesod-core/Yesod/Core/Handler.hs
@@ -252,6 +252,7 @@ import qualified Yesod.Core.TypeCache as Cache
 import qualified Data.Word8 as W8
 import qualified Data.Foldable as Fold
 import Data.Default
+import Control.Monad.Logger (MonadLogger, logWarnS)
 
 get :: MonadHandler m => m GHState
 get = liftHandlerT $ HandlerT $ I.readIORef . handlerState
@@ -1439,14 +1440,16 @@ hasValidCsrfParamNamed paramName = do
 -- If the value doesn't match the token stored in the session, this function throws a 'PermissionDenied' error.
 --
 -- Since 1.4.14
-checkCsrfHeaderOrParam :: MonadHandler m
+checkCsrfHeaderOrParam :: (MonadHandler m, MonadLogger m)
                        => CI S8.ByteString -- ^ The header name to lookup the CSRF token
                        -> Text -- ^ The POST parameter name to lookup the CSRF token
                        -> m ()
 checkCsrfHeaderOrParam headerName paramName = do
   validHeader <- hasValidCsrfHeaderNamed headerName
   validParam <- hasValidCsrfParamNamed paramName
-  unless (validHeader || validParam) (permissionDenied csrfErrorMessage)
+  unless (validHeader || validParam) $ do
+    $logWarnS "yesod-core" csrfErrorMessage
+    permissionDenied csrfErrorMessage
 
 validCsrf :: Maybe Text -> Maybe S.ByteString -> Bool
 -- It's important to use constant-time comparison (constEqBytes) in order to avoid timing attacks.

From 5a5cfd6c7a6284b6912dc3247ced6d8a7202efcc Mon Sep 17 00:00:00 2001
From: Maximilian Tagher <feedback.tagher@gmail.com>
Date: Mon, 28 Mar 2016 23:33:32 -0700
Subject: [PATCH 65/67] Bump version for CSRF logging changes, and improve
 error message.

---
 yesod-core/ChangeLog.md          | 4 ++++
 yesod-core/Yesod/Core/Handler.hs | 2 +-
 yesod-core/yesod-core.cabal      | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/yesod-core/ChangeLog.md b/yesod-core/ChangeLog.md
index b8aec9c8..4bdfe7bd 100644
--- a/yesod-core/ChangeLog.md
+++ b/yesod-core/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.20.1
+
+* Log a warning when a CSRF error occurs [#1200](https://github.com/yesodweb/yesod/pull/1200)
+
 ## 1.4.20
 
 * `addMessage`, `addMessageI`, and `getMessages` functions
diff --git a/yesod-core/Yesod/Core/Handler.hs b/yesod-core/Yesod/Core/Handler.hs
index f8baa37d..a0230e18 100644
--- a/yesod-core/Yesod/Core/Handler.hs
+++ b/yesod-core/Yesod/Core/Handler.hs
@@ -1458,4 +1458,4 @@ validCsrf Nothing            _param = True
 validCsrf (Just _token)     Nothing = False
 
 csrfErrorMessage :: Text
-csrfErrorMessage = "A valid CSRF token wasn't present in HTTP headers or POST parameters. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection."
+csrfErrorMessage = "A valid CSRF token wasn't present in HTTP headers or POST parameters. Because the request could have been forged, it's been rejected altogether. Check the Yesod.Core.Handler docs of the yesod-core package for details on CSRF protection."
diff --git a/yesod-core/yesod-core.cabal b/yesod-core/yesod-core.cabal
index efd9aa03..1ed8b27b 100644
--- a/yesod-core/yesod-core.cabal
+++ b/yesod-core/yesod-core.cabal
@@ -1,5 +1,5 @@
 name:            yesod-core
-version:         1.4.20
+version:         1.4.20.1
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman <michael@snoyman.com>

From 5febecf8122aceab7ec3b427d8153b5e95c015ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arthur=20Fayzrakhmanov=20=28=D0=90=D1=80=D1=82=D1=83=D1=80?=
 =?UTF-8?q?=20=D0=A4=D0=B0=D0=B9=D0=B7=D1=80=D0=B0=D1=85=D0=BC=D0=B0=D0=BD?=
 =?UTF-8?q?=D0=BE=D0=B2=29?= <heraldhoi@gmail.com>
Date: Tue, 29 Mar 2016 19:07:04 +0500
Subject: [PATCH 66/67] Improve Russian translation for ConfirmPass message

---
 yesod-auth/Yesod/Auth/Message.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Message.hs b/yesod-auth/Yesod/Auth/Message.hs
index 4bda1e6c..bfb3226e 100644
--- a/yesod-auth/Yesod/Auth/Message.hs
+++ b/yesod-auth/Yesod/Auth/Message.hs
@@ -625,7 +625,7 @@ russianMessage BadSetPass = "Чтобы изменить пароль, необ
 russianMessage SetPassTitle = "Установить пароль"
 russianMessage SetPass = "Установить новый пароль"
 russianMessage NewPass = "Новый пароль"
-russianMessage ConfirmPass = "Подтверждение"
+russianMessage ConfirmPass = "Подтверждение пароля"
 russianMessage PassMismatch = "Пароли не совпадают, повторите снова"
 russianMessage PassUpdated = "Пароль обновлён"
 russianMessage Facebook = "Войти с помощью Facebook"

From ecdee7f51a06c022ba6b93440b64a7534f212b0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arthur=20Fayzrakhmanov=20=28=D0=90=D1=80=D1=82=D1=83=D1=80?=
 =?UTF-8?q?=20=D0=A4=D0=B0=D0=B9=D0=B7=D1=80=D0=B0=D1=85=D0=BC=D0=B0=D0=BD?=
 =?UTF-8?q?=D0=BE=D0=B2=29?= <heraldhoi@gmail.com>
Date: Tue, 29 Mar 2016 19:07:36 +0500
Subject: [PATCH 67/67] Tidy up imports

---
 yesod-auth/Yesod/Auth/Message.hs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yesod-auth/Yesod/Auth/Message.hs b/yesod-auth/Yesod/Auth/Message.hs
index bfb3226e..525b2af3 100644
--- a/yesod-auth/Yesod/Auth/Message.hs
+++ b/yesod-auth/Yesod/Auth/Message.hs
@@ -20,7 +20,7 @@ module Yesod.Auth.Message
     , danishMessage
     ) where
 
-import           Data.Monoid (mappend,(<>))
+import           Data.Monoid (mappend, (<>))
 import           Data.Text   (Text)
 
 data AuthMessage =