-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | servant-server/servant-auth compatibility
--   
--   This package provides the required instances for using the
--   <tt>Auth</tt> combinator in your <a>servant</a> server.
--   
--   Both cookie- and token- (REST API) based authentication are provided.
--   
--   For a quick overview of the usage, see the <a>README</a>.
@package servant-auth-server
@version 0.4.4.0

module Servant.Auth.Server.Internal.AddSetCookie
data Nat
Z :: Nat
S :: Nat -> Nat
type family AddSetCookiesApi (n :: Nat) a
type family AddSetCookieApiVerb a
type family AddSetCookieApi a :: *
data SetCookieList (n :: Nat) :: *
[SetCookieNil] :: SetCookieList  'Z
[SetCookieCons] :: Maybe SetCookie -> SetCookieList n -> SetCookieList ( 'S n)
class AddSetCookies (n :: Nat) orig new
addSetCookies :: AddSetCookies n orig new => SetCookieList n -> orig -> new
mkHeaders :: SetCookieList x -> [Header]
instance Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) oldb newb => Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) (a -> oldb) (a -> newb)
instance Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies 'Servant.Auth.Server.Internal.AddSetCookie.Z orig orig
instance (GHC.Base.Functor m, Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies n (m old) (m cookied), Servant.API.ResponseHeaders.AddHeader "Set-Cookie" Web.Cookie.SetCookie cookied new) => Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) (m old) (m new)
instance (Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) a a', Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) b b') => Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) (a Servant.API.Alternative.:<|> b) (a' Servant.API.Alternative.:<|> b')
instance Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) Network.Wai.Application Network.Wai.Application
instance forall k (n :: Servant.Auth.Server.Internal.AddSetCookie.Nat) (m :: k). Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies ('Servant.Auth.Server.Internal.AddSetCookie.S n) (Data.Tagged.Tagged m Network.Wai.Application) (Data.Tagged.Tagged m Network.Wai.Application)

module Servant.Auth.Server.Internal.ConfigTypes

-- | The policies to use when generating and verifying XSRF cookies
data XsrfCookieSettings
XsrfCookieSettings :: !ByteString -> !Maybe ByteString -> !ByteString -> !Bool -> XsrfCookieSettings

-- | What name to use for the cookie used for XSRF protection.
[xsrfCookieName] :: XsrfCookieSettings -> !ByteString

-- | What path to use for the cookie used for XSRF protection. Default
--   <tt>Just "/"</tt>.
[xsrfCookiePath] :: XsrfCookieSettings -> !Maybe ByteString

-- | What name to use for the header used for XSRF protection.
[xsrfHeaderName] :: XsrfCookieSettings -> !ByteString

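-- | Exclude the GET request method from XSRF protection. When this is
--   <tt>True</tt>, GET requests are accepted without the XSRF check, so
--   GET handlers must not change server-side state.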
[xsrfExcludeGet] :: XsrfCookieSettings -> !Bool

-- | The policies to use when generating cookies.
--   
--   If *both* <a>cookieMaxAge</a> and <a>cookieExpires</a> are
--   <tt>Nothing</tt>, browsers will treat the cookie as a *session
--   cookie*. These will be deleted when the browser is closed.
--   
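--   Note that having the setting <tt>Secure</tt> may cause testing
--   failures if you are not testing over HTTPS. Relax it only for such
--   test setups; without <tt>Secure</tt> the browser may send the session
--   cookie over plain HTTP.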
data CookieSettings
CookieSettings :: !IsSecure -> !Maybe DiffTime -> !Maybe UTCTime -> !Maybe ByteString -> !Maybe ByteString -> !SameSite -> !ByteString -> !Maybe XsrfCookieSettings -> CookieSettings

-- | <a>Secure</a> means browsers will only send cookies over HTTPS.
--   Default: <tt>Secure</tt>.
[cookieIsSecure] :: CookieSettings -> !IsSecure

-- | How long from now until the cookie expires. Default: <tt>Nothing</tt>.
[cookieMaxAge] :: CookieSettings -> !Maybe DiffTime

-- | At what time the cookie expires. Default: <tt>Nothing</tt>.
[cookieExpires] :: CookieSettings -> !Maybe UTCTime

-- | The URL path and sub-paths for which this cookie is used. Default:
--   <tt>Just "/"</tt>.
[cookiePath] :: CookieSettings -> !Maybe ByteString

-- | Domain name for the cookie. If set, the cookie is also sent to
--   subdomains of that domain. Default: <tt>Nothing</tt>.
[cookieDomain] :: CookieSettings -> !Maybe ByteString

-- | <a>SameSite</a> settings. Default: <tt>SameSiteLax</tt>.
[cookieSameSite] :: CookieSettings -> !SameSite

-- | What name to use for the cookie used for the session.
[sessionCookieName] :: CookieSettings -> !ByteString

-- | The optional settings to use for XSRF protection. Default: <tt>Just
--   def</tt>. <tt>Nothing</tt> turns XSRF protection off for
--   cookie-based authentication.
[cookieXsrfSetting] :: CookieSettings -> !Maybe XsrfCookieSettings

-- | <tt>JWTSettings</tt> are used to generate cookies, and to verify JWTs.
data JWTSettings
JWTSettings :: JWK -> Maybe Alg -> JWKSet -> (StringOrURI -> IsMatch) -> JWTSettings

-- | Key used to sign JWT.
[signingKey] :: JWTSettings -> JWK

-- | Algorithm used to sign JWT.
[jwtAlg] :: JWTSettings -> Maybe Alg

-- | Keys used to validate JWT.
[validationKeys] :: JWTSettings -> JWKSet

-- | An <tt>aud</tt> predicate. The <tt>aud</tt> is a string or URI that
--   identifies the intended recipient of the JWT.
[audienceMatches] :: JWTSettings -> StringOrURI -> IsMatch
data SameSite
AnySite :: SameSite
SameSiteStrict :: SameSite
SameSiteLax :: SameSite
data IsPasswordCorrect
PasswordCorrect :: IsPasswordCorrect
PasswordIncorrect :: IsPasswordCorrect
data IsMatch
Matches :: IsMatch
DoesNotMatch :: IsMatch

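-- | A <tt>JWTSettings</tt> where the audience always matches, i.e. the
--   <tt>aud</tt> claim is not used to reject tokens. Override
--   <a>audienceMatches</a> when the signing key is shared with other
--   services, so that tokens issued for them are not accepted here.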
defaultJWTSettings :: JWK -> JWTSettings
defaultCookieSettings :: CookieSettings
defaultXsrfCookieSettings :: XsrfCookieSettings
jwtSettingsToJwtValidationSettings :: JWTSettings -> JWTValidationSettings

-- | Was this request made over an SSL connection?
--   
--   Note that this value will not tell you if the client originally made
--   this request over SSL, but rather whether the current connection is
--   SSL. The distinction lies with reverse proxies. In many cases, the
--   client will connect to a load balancer over SSL, but connect to the
--   WAI handler without SSL. In such a case, the handlers would get
--   <a>NotSecure</a>, but from a user perspective, there is a secure
--   connection.
data IsSecure

-- | the connection to the server is secure (HTTPS)
Secure :: IsSecure

-- | the connection to the server is not secure (HTTP)
NotSecure :: IsSecure
instance GHC.Generics.Generic Servant.Auth.Server.Internal.ConfigTypes.CookieSettings
instance GHC.Show.Show Servant.Auth.Server.Internal.ConfigTypes.CookieSettings
instance GHC.Classes.Eq Servant.Auth.Server.Internal.ConfigTypes.CookieSettings
instance GHC.Generics.Generic Servant.Auth.Server.Internal.ConfigTypes.XsrfCookieSettings
instance GHC.Show.Show Servant.Auth.Server.Internal.ConfigTypes.XsrfCookieSettings
instance GHC.Classes.Eq Servant.Auth.Server.Internal.ConfigTypes.XsrfCookieSettings
instance GHC.Generics.Generic Servant.Auth.Server.Internal.ConfigTypes.JWTSettings
instance GHC.Classes.Ord Servant.Auth.Server.Internal.ConfigTypes.SameSite
instance GHC.Generics.Generic Servant.Auth.Server.Internal.ConfigTypes.SameSite
instance GHC.Read.Read Servant.Auth.Server.Internal.ConfigTypes.SameSite
instance GHC.Show.Show Servant.Auth.Server.Internal.ConfigTypes.SameSite
instance GHC.Classes.Eq Servant.Auth.Server.Internal.ConfigTypes.SameSite
instance GHC.Classes.Ord Servant.Auth.Server.Internal.ConfigTypes.IsPasswordCorrect
instance GHC.Generics.Generic Servant.Auth.Server.Internal.ConfigTypes.IsPasswordCorrect
instance GHC.Read.Read Servant.Auth.Server.Internal.ConfigTypes.IsPasswordCorrect
instance GHC.Show.Show Servant.Auth.Server.Internal.ConfigTypes.IsPasswordCorrect
instance GHC.Classes.Eq Servant.Auth.Server.Internal.ConfigTypes.IsPasswordCorrect
instance GHC.Classes.Ord Servant.Auth.Server.Internal.ConfigTypes.IsMatch
instance GHC.Generics.Generic Servant.Auth.Server.Internal.ConfigTypes.IsMatch
instance GHC.Read.Read Servant.Auth.Server.Internal.ConfigTypes.IsMatch
instance GHC.Show.Show Servant.Auth.Server.Internal.ConfigTypes.IsMatch
instance GHC.Classes.Eq Servant.Auth.Server.Internal.ConfigTypes.IsMatch
instance Data.Default.Class.Default Servant.Auth.Server.Internal.ConfigTypes.CookieSettings
instance Data.Default.Class.Default Servant.Auth.Server.Internal.ConfigTypes.XsrfCookieSettings

module Servant.Auth.Server.Internal.FormLogin

module Servant.Auth.Server.Internal.ThrowAll
class ThrowAll a

-- | <a>throwAll</a> is a convenience function to throw errors across an
--   entire sub-API
--   
--   <pre>
--   throwAll err400 :: Handler a :&lt;|&gt; Handler b :&lt;|&gt; Handler c
--      == throwError err400 :&lt;|&gt; throwError err400 :&lt;|&gt; throwError err400
--   </pre>
throwAll :: ThrowAll a => ServantErr -> a
instance (Servant.Auth.Server.Internal.ThrowAll.ThrowAll a, Servant.Auth.Server.Internal.ThrowAll.ThrowAll b) => Servant.Auth.Server.Internal.ThrowAll.ThrowAll (a Servant.API.Alternative.:<|> b)
instance Servant.Auth.Server.Internal.ThrowAll.ThrowAll b => Servant.Auth.Server.Internal.ThrowAll.ThrowAll (a -> b)
instance Control.Monad.Error.Class.MonadError Servant.Server.Internal.ServantErr.ServantErr m => Servant.Auth.Server.Internal.ThrowAll.ThrowAll (m a)
instance Servant.Auth.Server.Internal.ThrowAll.ThrowAll Network.Wai.Application
instance Control.Monad.Error.Class.MonadError Servant.Server.Internal.ServantErr.ServantErr m => Servant.Auth.Server.Internal.ThrowAll.ThrowAll (Data.Tagged.Tagged m Network.Wai.Application)

module Servant.Auth.Server.Internal.Types

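-- | The result of an authentication attempt. When turning a failure into
--   an HTTP response, do not reveal whether it was <a>BadPassword</a> or
--   <a>NoSuchUser</a>, so that clients cannot probe which usernames exist.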
data AuthResult val
BadPassword :: AuthResult val
NoSuchUser :: AuthResult val

-- | Authentication succeeded.
Authenticated :: val -> AuthResult val

-- | If an authentication procedure cannot be carried out - if for example
--   it expects a password and username in a header that is not present -
--   <tt>Indefinite</tt> is returned. This indicates that other
--   authentication methods should be tried.
Indefinite :: AuthResult val

-- | An <tt>AuthCheck</tt> is the function used to decide the
--   authentication status (the <a>AuthResult</a>) of a request. Different
--   <tt>AuthCheck</tt>s may be combined as a Monoid or Alternative; the
--   semantics of this is that the *first* non-<a>Indefinite</a> result
--   from left to right is used and the rest are ignored.
newtype AuthCheck val
AuthCheck :: (Request -> IO (AuthResult val)) -> AuthCheck val
[runAuthCheck] :: AuthCheck val -> Request -> IO (AuthResult val)
instance GHC.Base.Functor Servant.Auth.Server.Internal.Types.AuthCheck
instance GHC.Generics.Generic (Servant.Auth.Server.Internal.Types.AuthCheck val)
instance Data.Foldable.Foldable Servant.Auth.Server.Internal.Types.AuthResult
instance Data.Traversable.Traversable Servant.Auth.Server.Internal.Types.AuthResult
instance GHC.Base.Functor Servant.Auth.Server.Internal.Types.AuthResult
instance GHC.Classes.Ord val => GHC.Classes.Ord (Servant.Auth.Server.Internal.Types.AuthResult val)
instance GHC.Generics.Generic (Servant.Auth.Server.Internal.Types.AuthResult val)
instance GHC.Read.Read val => GHC.Read.Read (Servant.Auth.Server.Internal.Types.AuthResult val)
instance GHC.Show.Show val => GHC.Show.Show (Servant.Auth.Server.Internal.Types.AuthResult val)
instance GHC.Classes.Eq val => GHC.Classes.Eq (Servant.Auth.Server.Internal.Types.AuthResult val)
instance GHC.Base.Semigroup (Servant.Auth.Server.Internal.Types.AuthCheck val)
instance GHC.Base.Monoid (Servant.Auth.Server.Internal.Types.AuthCheck val)
instance GHC.Base.Applicative Servant.Auth.Server.Internal.Types.AuthCheck
instance GHC.Base.Monad Servant.Auth.Server.Internal.Types.AuthCheck
instance Control.Monad.Reader.Class.MonadReader Network.Wai.Internal.Request Servant.Auth.Server.Internal.Types.AuthCheck
instance Control.Monad.IO.Class.MonadIO Servant.Auth.Server.Internal.Types.AuthCheck
instance Control.Monad.Time.MonadTime Servant.Auth.Server.Internal.Types.AuthCheck
instance GHC.Base.Alternative Servant.Auth.Server.Internal.Types.AuthCheck
instance GHC.Base.MonadPlus Servant.Auth.Server.Internal.Types.AuthCheck
instance GHC.Base.Semigroup (Servant.Auth.Server.Internal.Types.AuthResult val)
instance GHC.Base.Monoid (Servant.Auth.Server.Internal.Types.AuthResult val)
instance GHC.Base.Applicative Servant.Auth.Server.Internal.Types.AuthResult
instance GHC.Base.Monad Servant.Auth.Server.Internal.Types.AuthResult
instance GHC.Base.Alternative Servant.Auth.Server.Internal.Types.AuthResult
instance GHC.Base.MonadPlus Servant.Auth.Server.Internal.Types.AuthResult

module Servant.Auth.Server.Internal.JWT

-- | How to decode data from a JWT.
--   
--   The default implementation assumes the data is stored in the
--   unregistered <tt>dat</tt> claim, and uses the <tt>FromJSON</tt>
--   instance to decode value from there.
class FromJWT a
decodeJWT :: FromJWT a => ClaimsSet -> Either Text a
decodeJWT :: (FromJWT a, FromJSON a) => ClaimsSet -> Either Text a

-- | How to encode data into a JWT.
--   
--   The default implementation stores data in the unregistered
--   <tt>dat</tt> claim, and uses the type's <tt>ToJSON</tt> instance to
--   encode the data.
class ToJWT a
encodeJWT :: ToJWT a => a -> ClaimsSet
encodeJWT :: (ToJWT a, ToJSON a) => a -> ClaimsSet

-- | A JWT <tt>AuthCheck</tt>. You likely won't need to use this directly
--   unless you are protecting a <tt>Raw</tt> endpoint.
jwtAuthCheck :: FromJWT usr => JWTSettings -> AuthCheck usr

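-- | Creates a JWT containing the specified data. The data is stored in the
--   <tt>dat</tt> claim. The 'Maybe UTCTime' argument indicates the time at
--   which the token expires; with <tt>Nothing</tt> no expiry time is set,
--   so prefer passing an explicit expiry for tokens handed to clients.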
makeJWT :: ToJWT a => a -> JWTSettings -> Maybe UTCTime -> IO (Either Error ByteString)

module Servant.Auth.Server.Internal.Cookie
cookieAuthCheck :: FromJWT usr => CookieSettings -> JWTSettings -> AuthCheck usr
xsrfCheckRequired :: CookieSettings -> Request -> Maybe XsrfCookieSettings
xsrfCookieAuthCheck :: XsrfCookieSettings -> Request -> [(ByteString, ByteString)] -> Bool

-- | Makes a cookie to be used for XSRF.
makeXsrfCookie :: CookieSettings -> IO SetCookie

-- | Alias for <a>makeXsrfCookie</a>.

-- | <i>Deprecated: Use makeXsrfCookie instead</i>
makeCsrfCookie :: CookieSettings -> IO SetCookie

-- | Makes a cookie with session information.
makeSessionCookie :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe SetCookie)
noXsrfTokenCookie :: CookieSettings -> SetCookie
applyCookieSettings :: CookieSettings -> SetCookie -> SetCookie
applyXsrfCookieSettings :: XsrfCookieSettings -> SetCookie -> SetCookie
applySessionCookieSettings :: CookieSettings -> SetCookie -> SetCookie

-- | For a JWT-serializable session, returns a function that decorates a
--   provided response object with XSRF and session cookies. This should be
--   used when a user successfully authenticates with credentials.
acceptLogin :: (ToJWT session, AddHeader "Set-Cookie" SetCookie response withOneCookie, AddHeader "Set-Cookie" SetCookie withOneCookie withTwoCookies) => CookieSettings -> JWTSettings -> session -> IO (Maybe (response -> withTwoCookies))

-- | Arbitrary cookie expiry time set back in history after unix time 0
expireTime :: UTCTime

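-- | Adds headers to a response that clear all session cookies, using the
--   max-age and expires cookie attributes. This only tells the browser to
--   drop the cookies; it does not revoke a JWT that was already issued.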
clearSession :: (AddHeader "Set-Cookie" SetCookie response withOneCookie, AddHeader "Set-Cookie" SetCookie withOneCookie withTwoCookies) => CookieSettings -> response -> withTwoCookies
makeSessionCookieBS :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe ByteString)

-- | Alias for <a>makeSessionCookie</a>.

-- | <i>Deprecated: Use makeSessionCookie instead</i>
makeCookie :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe SetCookie)

-- | Alias for <a>makeSessionCookieBS</a>.

-- | <i>Deprecated: Use makeSessionCookieBS instead</i>
makeCookieBS :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe ByteString)

module Servant.Auth.Server.Internal.BasicAuth

-- | A <tt>ServerError</tt> that asks the client to authenticate via Basic
--   Authentication, should be invoked by an application whenever
--   appropriate. The argument is the realm.
wwwAuthenticatedErr :: ByteString -> ServantErr
type family BasicAuthCfg
class FromBasicAuthData a

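-- | Whether the username exists and the password is correct. Note that,
--   rather than passing a <tt>Pass</tt> to the function, we pass a
--   function that checks an <tt>EncryptedPass</tt>. This is to make sure
--   you don't accidentally do something untoward with the password, like
--   store it.
--   
--   NOTE(review): this description does not match the signature below,
--   which takes a <tt>BasicAuthData</tt>; that type carries the username
--   and password as plain <tt>ByteString</tt>s. Implementations should
--   compare against a stored password hash and never log or persist the
--   received password.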
fromBasicAuthData :: FromBasicAuthData a => BasicAuthData -> BasicAuthCfg -> IO (AuthResult a)
basicAuthCheck :: FromBasicAuthData usr => BasicAuthCfg -> AuthCheck usr

module Servant.Auth.Server.Internal.Class

-- | <tt>IsAuth a ctx v</tt> indicates that <tt>a</tt> is an auth type that
--   expects all elements of <tt>ctx</tt> to be in the Context and
--   whose authentication check returns an <tt>AuthCheck v</tt>.
class IsAuth a v where {
    type family AuthArgs a :: [*];
}
runAuth :: IsAuth a v => proxy a -> proxy v -> Unapp (AuthArgs a) (AuthCheck v)
class AreAuths (as :: [*]) (ctxs :: [*]) v
runAuths :: AreAuths as ctxs v => proxy as -> Context ctxs -> AuthCheck v
type family Unapp ls res
type family App ls res

-- | <tt>AppCtx</tt> applies the function <tt>res</tt> to the arguments in
--   <tt>ls</tt> by taking the values from the Context provided.
class AppCtx ctx ls res
appCtx :: AppCtx ctx ls res => proxy ls -> Context ctx -> res -> App ls res
instance (Servant.Auth.Server.Internal.Types.AuthCheck v Data.Type.Equality.~ Servant.Auth.Server.Internal.Class.App (Servant.Auth.Server.Internal.Class.AuthArgs a) (Servant.Auth.Server.Internal.Class.Unapp (Servant.Auth.Server.Internal.Class.AuthArgs a) (Servant.Auth.Server.Internal.Types.AuthCheck v)), Servant.Auth.Server.Internal.Class.IsAuth a v, Servant.Auth.Server.Internal.Class.AreAuths as ctxs v, Servant.Auth.Server.Internal.Class.AppCtx ctxs (Servant.Auth.Server.Internal.Class.AuthArgs a) (Servant.Auth.Server.Internal.Class.Unapp (Servant.Auth.Server.Internal.Class.AuthArgs a) (Servant.Auth.Server.Internal.Types.AuthCheck v))) => Servant.Auth.Server.Internal.Class.AreAuths (a : as) ctxs v
instance (Servant.Server.Internal.Context.HasContextEntry ctxs ctx, Servant.Auth.Server.Internal.Class.AppCtx ctxs rest res) => Servant.Auth.Server.Internal.Class.AppCtx ctxs (ctx : rest) (ctx -> res)
instance Servant.Auth.Server.Internal.Class.AppCtx ctx '[] res
instance Servant.Auth.Server.Internal.JWT.FromJWT usr => Servant.Auth.Server.Internal.Class.IsAuth Servant.Auth.Cookie usr
instance Servant.Auth.Server.Internal.JWT.FromJWT usr => Servant.Auth.Server.Internal.Class.IsAuth Servant.Auth.JWT usr
instance Servant.Auth.Server.Internal.BasicAuth.FromBasicAuthData usr => Servant.Auth.Server.Internal.Class.IsAuth Servant.Auth.BasicAuth usr
instance Servant.Auth.Server.Internal.Class.AreAuths '[] ctxs v

module Servant.Auth.Server.Internal
instance (n Data.Type.Equality.~ 'Servant.Auth.Server.Internal.AddSetCookie.S ('Servant.Auth.Server.Internal.AddSetCookie.S 'Servant.Auth.Server.Internal.AddSetCookie.Z), Servant.Server.Internal.HasServer (Servant.Auth.Server.Internal.AddSetCookie.AddSetCookiesApi n api) ctxs, Servant.Auth.Server.Internal.Class.AreAuths auths ctxs v, Servant.Server.Internal.HasServer api ctxs, Servant.Auth.Server.Internal.AddSetCookie.AddSetCookies n (Servant.Server.Internal.ServerT api Servant.Server.Internal.Handler.Handler) (Servant.Server.Internal.ServerT (Servant.Auth.Server.Internal.AddSetCookie.AddSetCookiesApi n api) Servant.Server.Internal.Handler.Handler), Servant.Auth.Server.Internal.JWT.ToJWT v, Servant.Server.Internal.Context.HasContextEntry ctxs Servant.Auth.Server.Internal.ConfigTypes.CookieSettings, Servant.Server.Internal.Context.HasContextEntry ctxs Servant.Auth.Server.Internal.ConfigTypes.JWTSettings) => Servant.Server.Internal.HasServer (Servant.Auth.Auth auths v Servant.API.Sub.:> api) ctxs

module Servant.Auth.Server

-- | <tt>Auth [auth1, auth2] val :&gt; api</tt> represents an API protected
--   *either* by <tt>auth1</tt> or <tt>auth2</tt>
data Auth (auths :: [Type]) val

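-- | The result of an authentication attempt. When turning a failure into
--   an HTTP response, do not reveal whether it was <a>BadPassword</a> or
--   <a>NoSuchUser</a>, so that clients cannot probe which usernames exist.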
data AuthResult val
BadPassword :: AuthResult val
NoSuchUser :: AuthResult val

-- | Authentication succeeded.
Authenticated :: val -> AuthResult val

-- | If an authentication procedure cannot be carried out - if for example
--   it expects a password and username in a header that is not present -
--   <tt>Indefinite</tt> is returned. This indicates that other
--   authentication methods should be tried.
Indefinite :: AuthResult val

-- | An <tt>AuthCheck</tt> is the function used to decide the
--   authentication status (the <a>AuthResult</a>) of a request. Different
--   <tt>AuthCheck</tt>s may be combined as a Monoid or Alternative; the
--   semantics of this is that the *first* non-<a>Indefinite</a> result
--   from left to right is used and the rest are ignored.
newtype AuthCheck val
AuthCheck :: (Request -> IO (AuthResult val)) -> AuthCheck val
[runAuthCheck] :: AuthCheck val -> Request -> IO (AuthResult val)

-- | A JSON Web Token (JWT) in the Authorization header:
--   
--   <pre>
--   Authorization: Bearer <a>token</a>
--   </pre>
--   
--   Note that while the token is signed, it is not encrypted. Therefore do
--   not keep in it any information you would not like the client to know.
--   
--   JWTs are described in IETF's <a>RFC 7519</a>
data JWT

-- | How to decode data from a JWT.
--   
--   The default implementation assumes the data is stored in the
--   unregistered <tt>dat</tt> claim, and uses the <tt>FromJSON</tt>
--   instance to decode value from there.
class FromJWT a
decodeJWT :: FromJWT a => ClaimsSet -> Either Text a
decodeJWT :: (FromJWT a, FromJSON a) => ClaimsSet -> Either Text a

-- | How to encode data into a JWT.
--   
--   The default implementation stores data in the unregistered
--   <tt>dat</tt> claim, and uses the type's <tt>ToJSON</tt> instance to
--   encode the data.
class ToJWT a
encodeJWT :: ToJWT a => a -> ClaimsSet
encodeJWT :: (ToJWT a, ToJSON a) => a -> ClaimsSet
data IsMatch
Matches :: IsMatch
DoesNotMatch :: IsMatch

-- | <tt>JWTSettings</tt> are used to generate cookies, and to verify JWTs.
data JWTSettings
JWTSettings :: JWK -> Maybe Alg -> JWKSet -> (StringOrURI -> IsMatch) -> JWTSettings

-- | Key used to sign JWT.
[signingKey] :: JWTSettings -> JWK

-- | Algorithm used to sign JWT.
[jwtAlg] :: JWTSettings -> Maybe Alg

-- | Keys used to validate JWT.
[validationKeys] :: JWTSettings -> JWKSet

-- | An <tt>aud</tt> predicate. The <tt>aud</tt> is a string or URI that
--   identifies the intended recipient of the JWT.
[audienceMatches] :: JWTSettings -> StringOrURI -> IsMatch

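-- | A <tt>JWTSettings</tt> where the audience always matches, i.e. the
--   <tt>aud</tt> claim is not used to reject tokens. Override
--   <a>audienceMatches</a> when the signing key is shared with other
--   services, so that tokens issued for them are not accepted here.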
defaultJWTSettings :: JWK -> JWTSettings

-- | A JWT <tt>AuthCheck</tt>. You likely won't need to use this directly
--   unless you are protecting a <tt>Raw</tt> endpoint.
jwtAuthCheck :: FromJWT usr => JWTSettings -> AuthCheck usr

-- | A cookie. The content of the cookie itself is a JWT. Another cookie is
--   also used, the contents of which are expected to be sent back to the
--   server in a header, for XSRF protection.
data Cookie

-- | The policies to use when generating cookies.
--   
--   If *both* <a>cookieMaxAge</a> and <a>cookieExpires</a> are
--   <tt>Nothing</tt>, browsers will treat the cookie as a *session
--   cookie*. These will be deleted when the browser is closed.
--   
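--   Note that having the setting <tt>Secure</tt> may cause testing
--   failures if you are not testing over HTTPS. Relax it only for such
--   test setups; without <tt>Secure</tt> the browser may send the session
--   cookie over plain HTTP.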
data CookieSettings
CookieSettings :: !IsSecure -> !Maybe DiffTime -> !Maybe UTCTime -> !Maybe ByteString -> !Maybe ByteString -> !SameSite -> !ByteString -> !Maybe XsrfCookieSettings -> CookieSettings

-- | <a>Secure</a> means browsers will only send cookies over HTTPS.
--   Default: <tt>Secure</tt>.
[cookieIsSecure] :: CookieSettings -> !IsSecure

-- | How long from now until the cookie expires. Default: <tt>Nothing</tt>.
[cookieMaxAge] :: CookieSettings -> !Maybe DiffTime

-- | At what time the cookie expires. Default: <tt>Nothing</tt>.
[cookieExpires] :: CookieSettings -> !Maybe UTCTime

-- | The URL path and sub-paths for which this cookie is used. Default:
--   <tt>Just "/"</tt>.
[cookiePath] :: CookieSettings -> !Maybe ByteString

-- | Domain name for the cookie. If set, the cookie is also sent to
--   subdomains of that domain. Default: <tt>Nothing</tt>.
[cookieDomain] :: CookieSettings -> !Maybe ByteString

-- | <a>SameSite</a> settings. Default: <tt>SameSiteLax</tt>.
[cookieSameSite] :: CookieSettings -> !SameSite

-- | What name to use for the cookie used for the session.
[sessionCookieName] :: CookieSettings -> !ByteString

-- | The optional settings to use for XSRF protection. Default: <tt>Just
--   def</tt>. <tt>Nothing</tt> turns XSRF protection off for
--   cookie-based authentication.
[cookieXsrfSetting] :: CookieSettings -> !Maybe XsrfCookieSettings

-- | The policies to use when generating and verifying XSRF cookies
data XsrfCookieSettings
XsrfCookieSettings :: !ByteString -> !Maybe ByteString -> !ByteString -> !Bool -> XsrfCookieSettings

-- | What name to use for the cookie used for XSRF protection.
[xsrfCookieName] :: XsrfCookieSettings -> !ByteString

-- | What path to use for the cookie used for XSRF protection. Default
--   <tt>Just "/"</tt>.
[xsrfCookiePath] :: XsrfCookieSettings -> !Maybe ByteString

-- | What name to use for the header used for XSRF protection.
[xsrfHeaderName] :: XsrfCookieSettings -> !ByteString

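-- | Exclude the GET request method from XSRF protection. When this is
--   <tt>True</tt>, GET requests are accepted without the XSRF check, so
--   GET handlers must not change server-side state.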
[xsrfExcludeGet] :: XsrfCookieSettings -> !Bool
defaultCookieSettings :: CookieSettings
defaultXsrfCookieSettings :: XsrfCookieSettings

-- | Makes a cookie with session information.
makeSessionCookie :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe SetCookie)
makeSessionCookieBS :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe ByteString)

-- | Makes a cookie to be used for XSRF.
makeXsrfCookie :: CookieSettings -> IO SetCookie

-- | Alias for <a>makeXsrfCookie</a>.

-- | <i>Deprecated: Use makeXsrfCookie instead</i>
makeCsrfCookie :: CookieSettings -> IO SetCookie

-- | Alias for <a>makeSessionCookie</a>.

-- | <i>Deprecated: Use makeSessionCookie instead</i>
makeCookie :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe SetCookie)

-- | Alias for <a>makeSessionCookieBS</a>.

-- | <i>Deprecated: Use makeSessionCookieBS instead</i>
makeCookieBS :: ToJWT v => CookieSettings -> JWTSettings -> v -> IO (Maybe ByteString)

-- | For a JWT-serializable session, returns a function that decorates a
--   provided response object with XSRF and session cookies. This should be
--   used when a user successfully authenticates with credentials.
acceptLogin :: (ToJWT session, AddHeader "Set-Cookie" SetCookie response withOneCookie, AddHeader "Set-Cookie" SetCookie withOneCookie withTwoCookies) => CookieSettings -> JWTSettings -> session -> IO (Maybe (response -> withTwoCookies))

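-- | Adds headers to a response that clear all session cookies, using the
--   max-age and expires cookie attributes. This only tells the browser to
--   drop the cookies; it does not revoke a JWT that was already issued.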
clearSession :: (AddHeader "Set-Cookie" SetCookie response withOneCookie, AddHeader "Set-Cookie" SetCookie withOneCookie withTwoCookies) => CookieSettings -> response -> withTwoCookies

-- | Was this request made over an SSL connection?
--   
--   Note that this value will not tell you if the client originally made
--   this request over SSL, but rather whether the current connection is
--   SSL. The distinction lies with reverse proxies. In many cases, the
--   client will connect to a load balancer over SSL, but connect to the
--   WAI handler without SSL. In such a case, the handlers would get
--   <a>NotSecure</a>, but from a user perspective, there is a secure
--   connection.
data IsSecure

-- | the connection to the server is secure (HTTPS)
Secure :: IsSecure

-- | the connection to the server is not secure (HTTP)
NotSecure :: IsSecure
data SameSite
AnySite :: SameSite
SameSiteStrict :: SameSite
SameSiteLax :: SameSite
class AreAuths (as :: [*]) (ctxs :: [*]) v

-- | Basic Auth.
data BasicAuth
class FromBasicAuthData a

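-- | Whether the username exists and the password is correct. Note that,
--   rather than passing a <tt>Pass</tt> to the function, we pass a
--   function that checks an <tt>EncryptedPass</tt>. This is to make sure
--   you don't accidentally do something untoward with the password, like
--   store it.
--   
--   NOTE(review): this description does not match the signature below,
--   which takes a <tt>BasicAuthData</tt>; that type carries the username
--   and password as plain <tt>ByteString</tt>s. Implementations should
--   compare against a stored password hash and never log or persist the
--   received password.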
fromBasicAuthData :: FromBasicAuthData a => BasicAuthData -> BasicAuthCfg -> IO (AuthResult a)
type family BasicAuthCfg

-- | A simple datatype to hold data required to decorate a request
data BasicAuthData
BasicAuthData :: !ByteString -> !ByteString -> BasicAuthData
[basicAuthUsername] :: BasicAuthData -> !ByteString
[basicAuthPassword] :: BasicAuthData -> !ByteString
data IsPasswordCorrect
PasswordCorrect :: IsPasswordCorrect
PasswordIncorrect :: IsPasswordCorrect

-- | A <tt>ServerError</tt> that asks the client to authenticate via Basic
--   Authentication, should be invoked by an application whenever
--   appropriate. The argument is the realm.
wwwAuthenticatedErr :: ByteString -> ServantErr
class ThrowAll a

-- | <a>throwAll</a> is a convenience function to throw errors across an
--   entire sub-API
--   
--   <pre>
--   throwAll err400 :: Handler a :&lt;|&gt; Handler b :&lt;|&gt; Handler c
--      == throwError err400 :&lt;|&gt; throwError err400 :&lt;|&gt; throwError err400
--   </pre>
throwAll :: ThrowAll a => ServantErr -> a

-- | Generate a key suitable for use with <tt>defaultConfig</tt>
--   (presumably <a>defaultJWTSettings</a>, which takes a <tt>JWK</tt>).
generateKey :: IO JWK

-- | Generate a bytestring suitable for use with <a>fromSecret</a>.
generateSecret :: MonadRandom m => m ByteString

-- | Restores a key from a bytestring.
fromSecret :: ByteString -> JWK

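-- | Writes a secret to a file. Can for instance be used from the REPL to
--   persist a key to a file, which can then be included with the
--   application. Restore the key using <a>readKey</a>. Anyone who can
--   read this file can use the key to sign tokens, so restrict its
--   permissions and keep it out of version control and public artifacts.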
writeKey :: FilePath -> IO ()

-- | Reads a key from a file.
readKey :: FilePath -> IO JWK

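-- | Creates a JWT containing the specified data. The data is stored in the
--   <tt>dat</tt> claim. The 'Maybe UTCTime' argument indicates the time at
--   which the token expires; with <tt>Nothing</tt> no expiry time is set,
--   so prefer passing an explicit expiry for tokens handed to clients.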
makeJWT :: ToJWT a => a -> JWTSettings -> Maybe UTCTime -> IO (Either Error ByteString)

-- | A class for types with a default value.
class Default a

-- | The default value for this type.
def :: Default a => a

-- | Data type representing the key-value pair to use for a cookie, as well
--   as configuration options for it.
--   
--   <h4>Creating a SetCookie</h4>
--   
--   <a>SetCookie</a> does not export a constructor; instead, use
--   <a>defaultSetCookie</a> and override values (see
--   <a>http://www.yesodweb.com/book/settings-types</a> for details):
--   
--   <pre>
--   import Web.Cookie
--   :set -XOverloadedStrings
--   let cookie = <a>defaultSetCookie</a> { <a>setCookieName</a> = "cookieName", <a>setCookieValue</a> = "cookieValue" }
--   </pre>
--   
--   <h4>Cookie Configuration</h4>
--   
--   Cookies have several configuration options; a brief summary of each
--   option is given below. For more information, see <a>RFC 6265</a> or
--   <a>Wikipedia</a>.
data SetCookie


-- | <i>Deprecated: instance exists in http-api-data-0.3.9. This module
--   will be removed in next major release.</i>
module Servant.Auth.Server.SetCookieOrphan
