Idiomatic authentication in Elm - authentication

I'm trying to wrap my head around Elm. I have experience in Haskell, and a bit of Erlang.
I want to complete the following exercise:
User is shown a login form
On submit, the frontend makes a request to localhost/auth to try and receive an auth token.
On success, the homepage is shown, which fetches some data.
On failure, the login screen displays an error.
This is quite basic, but hopefully complex enough to model the behaviour of a real webapp.
My first problem is with the Model. I only need the data if the client is authenticated. Should I wrap this in something similar to a Maybe monad?
type Model
= NoAuth String String
| AuthFetching
| AuthFailed err
| AuthSuccess String
And then the login screen can display a spinner, and error, or redirect to a new page.
This feels like it ties the rest of the applications state to the authentication state. Although is is "correct", it feels wrong to have the whole model be a (variant type?) with only one record.
It "feels" more correct to have the model like so:
type FetchStatus
= Loading
| Success val
| Err err
type Model =
{ token : RequestStatus String
, data : List number
}
But whenever you update the model, you now need to check if token is still present - i.e. pattern match within the record. In the first example, you only needed to pattern match on the whole model, which is a bit simpler.
And to hold the login form state, I'd need to add extra fields:
type Model =
{ token : RequestStatus String
, data : List number
, username : String
, password : String
}
Which feels incorrect because the password should not be held in memory after login. I'd hold these in records, but I cannot use records in custom type declarations.
All in all, I'm a bit confused. Can someone please shed some light on the most "correct", idiomatic way to do this?

All authorization related stuff should be handled on the backend side. Elm's job is only to display what server has sent to it. In my opinion the first option you proposed is the best for such a little example, but in more real-life application the typesystem would be more complex:
type LoginForm =
{ username : String
, password : String
}
type Activity
= Login LoginForm
| LoginSuccess
| LoginFailure String
type Model =
{ loggedUser : Maybe String
, activity : Activity
, ...
}
You don't need (and shouldn't) keep password on frontend. You also shouldn't perform any authorizations on the client side, as the client may easily replace any script in his browser. The backend will track whether the user is logged in by eg. session cookies. In this scenario even if the loggedUser value is set to Just "someguy" and "someguy" is not marked as logged in the server database, any action that requires authorization shall fail.
Summarizing, handling login and giving permissions to access any content is a job for backend. Elm is frontend language, so it's only purpose here is to display things.

Related

Bloomberg API - How to get user entitlements for user subscription

i'm just trying to check user entitlements for user subscription data from bloomberg api's data feeds.
For this i tried to run Bloombergs example "EntitlementsVerificationSubscriptionExample". As it seems to be working at first sight, on second sight i recognized, that there aren't any entitlements for the data i receive from the api.
that means:
public void processSubscriptionDataEvent(Event eventObj, Session session)
{
foreach(Message msg in eventObj)
{
bool needsEntitlement = msg.HasElement(Name.GetName("EID"));
}
}
is always 'false', as there is never a field called "EID" available.
Is there something wrong on bloomberg service site or better, is there any kind of documentation available, how to use user entitlements within data subscriptions?
thanks in advance,
First, you need to subscribe to the "EID" field, as it's not returned by default.
If the field either is not returned in the message, or had Null value, then that means data in this message does not require entitlements. Otherwise, call the following function and pass the EID value:
bool bEntitled = userIdentity.hasEntitlements(EID);
Function return value indicates whether user is entitled or not.
Data that does not require entitlements can be shared with users who are registered in EMRS (in case of B-Pipe), or with any terminal user within the firm (in case of SAPI) with no further entitlement check. Users who are not registered in EMRS or those who are non-terminal users should not have access to either B-Pipe data, or SAPI data, respectively.

Wit.ai seems to be jumping randomly between stories

I have two separate simple stories on my Wit.ai bot,
the first one takes in the word "Debug", sends "test" then runs a function that outputs context stuff to the console called test_context()
the second one takes in an address, runs a function that changes the context called new_session(), then sends a confirmation of the change to the user structured like "your location has been changed to {address}"
when I type directly into the wit.ai test console it seems to correctly detect the stories and run the corresponding functions, but when I try to use it through the Node.js API it seems to act completely randomly.
Sometimes when typing in an address it will run test_context() followed by new_session(), then output no text, sometimes it will just output the test text followed by the address text and run no functions, sometimes it will act correctly.
The same behavior happens when inputting "Debug" as well.
The back end is set up correctly, as 2 other stories seem to be working perfectly fine.
Both of these stories were working fine earlier today, I have made no changes to the wit stories themselves and no change to the back-end has even touched the debug function.
Is this a known issue?
I encountered this problem as well.
It appears to me as when you do not handle setting context variables in the story from wit.ai correctly (by setting them to null for example), it messes up the story. As a developer it is your own responsability to handle the story correctly "client side", so I can understand wit.ai lets weird stuff happen when you do not do this. Maybe wit.ai decided to jump stories to keep their bot from crashing, still remains a bit mysterious to me. Maybe your problem is of a different kind, just sharing a similair observation and my solution.
Exactly for reasons of testing I created three stories;
handle greetings
tell what the weather in city x is
identify when you want to plan a meeting
The bot is connected to facebook and I handle actions (like planning a meeting) on my nodejs express server.
I said to the bot "I want to plan a meeting tomorrow", resulting in a wit date/time. One timeslot by the way. This is going ok. Then I sent the message "I want to plan a meeting this morning". This resulted in TWO date/time variables in the wit.ai context. In turn, my code could not handle this; two timestamps resulted in null (probably json message getting more complicated and I try to get the wrong field). This in turn resulted in null for the context variable that had to be returned.
So what I did is to catch the error for when the context variable is not filled and just fill in [wit.js could not find date]. This fixed the problem, even though I now of course need to handle this error better.
Old code:
'createAppointment': ({sessionId, context, text, entities}) => {
return new Promise(function(resolve, reject) {
const myDateTime = firstEntityValue(entities, 'datetime');
console.log('the time trying to send ',myDateTime);
createAppointment(context, myDateTime)
context.appointmentText = myDateTime
return resolve(context);
},}
New, working code:
'createAppointment': ({sessionId, context, text, entities}) => {
return new Promise(function(resolve, reject) {
const myDateTime = firstEntityValue(entities, 'datetime');
console.log('the time trying to send ',myDateTime);
if(myDateTime){
createAppointment(context, myDateTime)
context.appointmentText = myDateTime
return resolve(context);
} else {
context.appointmentText = '[wit.js could not find date]'
return resolve(context);
}
});
},
Hope this helps

How do you use Snap's authentication mechanisms during a single POST request?

I'm working on a Haskell Snap-based web app, and I want to expose an API endpoint that will be invoked by a remote service without establishing an authenticated session a-priori; however, I do want that request to be authenticated, so the credentials should be provided at the time of the request.
You could imagine the request containing four fields:
username
password
payload id
payload file
The payload id and file might be irrelevant for this question, but I include them because I (a) need to support file uploads in this request (which, as I understand it, restricts the encoding used to send fields) and (b) need to retrieve at least one non-file field. The combination of those things posed some difficulty when I set this up without authentication, so perhaps it is relevant.
In Snap parlance, let's call this handler uploadHandler.
As indicated above, I have this working fine without authentication, with a setup like this:
uploadHandler :: Handler App App ()
uploadHandler = do
-- collect files / form fields and process as needed.
-- and using the routes:
routes :: [(ByteString, Handler App App ())]
routes = [ ("/login", with auth handleLoginSubmit)
, ("/logout", with auth handleLogout)
, ("/new_user", with auth handleNewUser)
-- handle the upload:
, ("/upload", handleUpload)
]
The naive solution is to simply add 'with auth' and change the type of handleUpload:
uploadHandler :: Handler App (AuthManager App) ()
uploadHandler = do
-- collect files / form fields and process as needed.
-- and using the routes:
routes :: [(ByteString, Handler App App ())]
routes = [ ("/login", with auth handleLoginSubmit)
, ("/logout", with auth handleLogout)
, ("/new_user", with auth handleNewUser)
-- handle the upload, with auth:
, ("/upload", with auth handleUpload)
]
However, this seems to require two requests: (i) authenticate and establish a session, (ii) send the POST request containing the actual payload.
I found a way to do this in one request, but it seems like there should be a more elegant means. Here's the example restricted POST handler I've hacked together:
restrictedPOST :: Handler App (AuthManager App) ()
restrictedPOST = do
mName <- getPostParam "username"
mPass <- getPostParam "password"
let uName = C8.unpack $ fromMaybe "" mName
pass = ClearText $ fromMaybe "" mPass
authResult <- loginByUsername (T.pack uName) pass False
case authResult of
Left authFail -> writeText "Could not log in"
Right user -> writeText (T.append "Hello " (userLogin user))
Is there something like 'with auth' that I can use instead of turning this example (restrictedPOST) into a combinator? I realize it may need to know which fields to get credentials out of, but I also know very little about web services (maybe there is another means? Maybe this is a total non-issue, and I just don't know how to check auth for POST requests. I'm open to any suggestions!)
I don't think you understand what with auth is doing. It has nothing to do with whether authentication is required. All it does is convert a Handler b (AuthManager b) into a Handler b v. No permissions checks are performed. Your restrictedPOST function has the right idea.

Unable to get loginForm after addSiteAccount to update credentials

I am using the rest api. After retrieving the login form for a site, I input incorrect login information. I need to now go back and correct the mistake. At first I tried calling GetSiteLoginForm, which isn't allowed since the user is already associated to the site. I then tried to SiteTraversal/getSiteInfo with valid cobSessionToken and &siteFilter.reqSpecfier=16&siteFilter.siteId=643.
The response I get is:
{"popularity":0,"siteId":643,"orgId":520,"defaultDisplayName":"Chase (US)","defaultOrgDisplayName":"Chase Manhattan Bank","contentServiceInfos":[{"contentServiceId":663,"siteId":643,"containerInfo":{"containerName":"bank","assetType":1}},{"contentServiceId":10441,"siteId":643,"containerInfo":{"containerName":"bill_payment","assetType":0}},{"contentServiceId":3163,"siteId":643,"containerInfo":{"containerName":"credits","assetType":2}},{"contentServiceId":3483,"siteId":643,"containerInfo":{"containerName":"stocks","assetType":1}},{"contentServiceId":7100,"siteId":643,"containerInfo":{"containerName":"loans","assetType":2}},{"contentServiceId":3861,"siteId":643,"containerInfo":{"containerName":"mortgage","assetType":2}},{"contentServiceId":12049,"siteId":643,"containerInfo":{"containerName":"miles","assetType":0}}],"enabledContainers":[{"containerName":"bank","assetType":1},{"containerName":"bill_payment","assetType":0},{"containerName":"credits","assetType":2},{"containerName":"stocks","assetType":1},{"containerName":"loans","assetType":2},{"containerName":"mortgage","assetType":2},{"containerName":"miles","assetType":0}],"baseUrl":"http://www.chase.com/","loginForms":[],"isHeld":false,"isCustom":false,"siteSearchVisibility":true}
Note loginForms is empty. How do I get this value? I tried different values of siteFilter.reqSpecfier and always get the same result. Other things I tried were using both the our public and private urls. I duplicated all of this with Dag Site as well.
There is typo in one of the input parameters because of which the parameter is not being recognized by our API’s and hence returning Null LoginForms.
[ siteFilter.reqSpecifier is incorrectly spelled as siteFilter.reqSpecfier ]
Your Excerpt from below email:
cobSessionToken=11182013_0%3A8e8a9caa264e3b26f15c3c9a3ee05680b2edb76272d0a425852a803e6002383b89847d388de38394b4f08efbb881536b496e323ee4e42c9df7dfdcdc8ae10e16&siteFilter.**reqSpecfier**=16&siteFilter.siteId=643
This should be :
cobSessionToken=11182013_0%3A8e8a9caa264e3b26f15c3c9a3ee05680b2edb76272d0a425852a803e6002383b89847d388de38394b4f08efbb881536b496e323ee4e42c9df7dfdcdc8ae10e16&siteFilter.**reqSpecifier**=16&siteFilter.siteId=643
With corrected parameter I was able to query Site 643 and get the loginForm Array. Below is the response with loginForms[]
{"popularity":0
"siteId":643
"orgId":520
"defaultDisplayName":"Chase"
"defaultOrgDisplayName":"Chase Manhattan Bank"
"contentServiceInfos":[{"contentServiceId":663}
{"contentServiceId":10441}
{"contentServiceId":3163}
{"contentServiceId":3483}
{"contentServiceId":7100}
{"contentServiceId":3861}
{"contentServiceId":12049}]
"enabledContainers":[{
"containerName":"bank","assetType":1}
{"containerName":"bill_payment","assetType":0}
{"containerName":"credits","assetType":2}
{"containerName":"stocks","assetType":1}
{"containerName":"loans","assetType":2}
{"containerName":"mortgage","assetType":2}
{"containerName":"miles","assetType":0}]
"baseUrl":"http://www.chase.com/"
"loginForms":[{"conjunctionOp":{"conjuctionOp":1}
"componentList":[
{"valueIdentifier":"LOGIN","valueMask":"LOGIN_FIELD","fieldType":{"typeName":"TEXT"},"size":20,"maxlength":32
"name":"LOGIN","displayName":"User ID","isEditable":true,"isOptional":false,"isEscaped":false,"helpText":"4710","isOptionalMFA":false
"isMFA":false},
{"valueIdentifier":"PASSWORD","valueMask":"LOGIN_FIELD","fieldType":{"typeName":"IF_PASSWORD"},"size":20,"maxlength":40
"name":"PASSWORD","displayName":"Password","isEditable":true,"isOptional":false,"isEscaped":false,"helpText":"11976","isOptionalMFA":false
"isMFA":false}
]
"defaultHelpText":"324"}]
"isHeld":false
"isCustom":false
"siteSearchVisibility":true}
This should resolve your problem
Regards,
Vishal
Yodlee Team
The flow for updating the credentials is listed in this article UpdateCredentials Flow
You can follow the exact steps from the article.
Even when the user is associated to a particular site , you can still pull the login form using getSiteLoginForm and show the form to the user to enter the correct credentials and then pass the login form in updateSiteAccountCredentials and then proceed with the normal refresh flow.

Docpad : show error/success message on contact form

I added a route in my docpad.coffee file to handle form submissions, that I validate using the express-validator middleware. Now depending on the validation, I want to redirect the users to the same contact page but displaying either a success message when validation is successful (here I'll send an email), or display the error messages.
I didn't manage to pass the validation message to the template to display it. I tried almost all combinations of dynamic: true/false, res.locals = validationMessages, res.sessions = validationMessages, res.templateData = validationMessages with no success.
Furthermore, adding dynamic: true made the changes to the content not appear at all, whatever refresh strategy I use (private mode, cleaning cache, relaunching Docpad, refreshing without cache, etc.). I should probable file a bug about it.
How to ?
I'm using Docpad 6.53.0 (latest to date), node 0.10.15, on OS X 10.8.4
I cheated on this one a bit by appending a hash to the redirect url (eg: "www.mywebsite.com/#messagesent"). I then use client side javascript to read the hash and then show the appropriate message. Something like this:
if (location.hash == "#messagesent") {
$('#message-sent').show();
setTimeout(function () {
$('#message-sent').fadeOut(1000);
}, 1000);
}
Not quite what you were asking though :)