This change introduces `hashAndSaltPassword` and `verifyPassword` to the
`YesodAuthEmail` type class, allowing users to implement their own hashing
schemes (i.e. to provide compatibility with an existing database). It also
updates the default handlers to use these new functions when appropriate. The
functions have default implementations, so that behavior for legacy applications
should not change.
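As an added illustration of the hook described above (example code, not part of the commit or of yesod-auth itself), here is what an instance might do to stay compatible with a hypothetical legacy table that stores `salt:hex(sha256(salt ++ password))`. It assumes the method signatures `hashAndSaltPassword :: Text -> AuthHandler site SaltedPass` and `verifyPassword :: Text -> SaltedPass -> AuthHandler site Bool`, that `SaltedPass` is a synonym for `Text`, that the application type is called `App`, and that the `cryptonite` and `memory` packages are available; the legacy scheme and the helper names are constructed for the example.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example, not yesod-auth project code. The legacy hashing scheme here is
-- hypothetical; the point is the shape of the two overridable class methods.
import           Control.Monad.IO.Class    (liftIO)
import           Crypto.Hash               (SHA256 (..), hashWith)
import           Crypto.Random             (getRandomBytes)
import           Data.ByteArray            (constEq)
import           Data.ByteArray.Encoding   (Base (Base16), convertToBase)
import           Data.ByteString           (ByteString)
import           Data.Text                 (Text)
import qualified Data.Text                 as T
import qualified Data.Text.Encoding        as TE
import           Yesod.Auth.Email

-- Hex-encoded SHA-256 of (salt ++ password): the assumed legacy format.
legacyDigest :: Text -> Text -> ByteString
legacyDigest salt plain =
  convertToBase Base16 (hashWith SHA256 (TE.encodeUtf8 (salt <> plain)))

-- Build a fresh "salt:digest" record for a newly registered user.
legacyHashAndSalt :: Text -> IO Text
legacyHashAndSalt plain = do
  saltBytes <- getRandomBytes 16 :: IO ByteString
  let salt = TE.decodeUtf8 (convertToBase Base16 saltBytes)
  return (salt <> ":" <> TE.decodeUtf8 (legacyDigest salt plain))

-- Check a candidate password against a stored "salt:digest" record.
-- constEq avoids a timing side channel on the digest comparison.
legacyVerify :: Text -> Text -> Bool
legacyVerify plain stored =
  case T.splitOn ":" stored of
    [salt, digest] -> constEq (legacyDigest salt plain) (TE.encodeUtf8 digest)
    _              -> False

instance YesodAuthEmail App where
  -- The remaining YesodAuthEmail methods (addUnverified, getPassword,
  -- setPassword, ...) are unchanged by this commit and are defined as usual.
  hashAndSaltPassword plain = liftIO (legacyHashAndSalt plain)
  verifyPassword plain stored = return (legacyVerify plain stored)
```

Because both methods run in the handler monad, an instance can also use them to migrate stored hashes lazily: verify with the legacy scheme, and on success re-hash with the default `saltPass` and update the row.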
Since the other type signatures of the typeclass have VerKey instead of
Text, it would be better to use VerKey here also to maintain
consistency. Also, IMO this signature is easier to follow (I had to
look at the source to see how the verification key was generated).
Return a 403 status code if the CSRF tokens are matched. This currently
affects two endpoints: the registration form and the password reset
form.
This curl request demonstrates how this can be exploited to register a new
email:
curl -i --header "Accept: application/json" --request POST -F "email=sibi@psibi.in" http://localhost:3005/auth/page/email/register
With the patch applied, it will respond with this:
{"message":"Permission Denied. A valid CSRF token wasn't present in HTTP
headers or POST parameters. Because the request could have been forged,
it's been rejected altogether. Check the Yesod.Core.Handler docs of the
yesod-core package for details on CSRF protection."}
This needed to happen in order to automatically get CSRF protection.
Several changes happened while switching over:
* Relied on built in names for inputs
* Cleaned up naming
* Created password helpers for each field
* Added a translation for current password
The form helpers weren't being used, which caused the CSRF tokens to not
be present. This also allows for a bit more flexibility and
cleans up the code as well.
This allows users of the library to easily render VerUrl to use in
verification emails to new users, if the user was created outside
of the regular register functionality.