dev:
stack ghci
main
-
allow UUID in postgres
CREATE EXTENSION "uuid-ossp";
- User - CRUD
- Login, get cookies (not JWT)
- Times
-
Main abstraction
- source
- agg-fn
- display-fn
-
data
- commits
- checkin/out
- issues
- PR's
- LoC
- slack activity
- phone/text activity
- crm activity
- email activity
-
A GREAT ABSTRACTION for maintaining types
- make them polymorphic, especially when, say, you have a thing that can have an ID or a value: move that into the type parameter
- https://www.reddit.com/r/haskell/comments/6490zu/maybe_use_a_type_parameter/
- http://www.parsonsmatt.org/2017/04/08/maybe_use_a_type_parameter.html
- https://www.youtube.com/watch?v=BHjIl81HgfE
-
timeentry-rel table, make time/user a FK, remove id
-
API returns sane error messages
-
auth roles
-
serving files
-
hide password:
  {-# LANGUAGE RecordWildCards #-}
  import Data.Aeson (ToJSON(..), object, (.=))
  -- wrapper type so the password hash is never serialized
  data FrontendUser = FrontEndUser User
  instance ToJSON FrontendUser where
    toJSON (FrontEndUser User{..}) = object ["name" .= userName]
-
logging
-
replace JWT sessions with actual sessions
-
enforcing role security?
-
enforcing row-level security?
-
enforcing all security things in one place instead of sprinkled throughout
- app/
- main
- src/
- API/
- .hs
- Model.hs
- API.hs
- Config.hs
- API/
-
servant persistent authentication jwt
https://github.com/vishnuixm/servant-persistent-authentication-jwt-example/blob/master/src/Api.hs
-
db: multi-tenant user model
https://www.getdonedone.com/building-the-optimal-user-database-model-for-your-application/
login -> user <- membership -> account
- login
- email PRIMARY
- pass hash+salt
- user
- email PRIMARY
- name, other details
- membership
- ties to account
- ties to roles
- account
- name
- planlevel
- login
-
Tokens
-
Don't Use JWT for Sessions
-
password reset tokens
-
Or compromise with refresh tokens?
-
-
Servant, Persistent, and DSLs (auth, access control, db failures)
https://hbtvl.wordpress.com/2015/06/28/servant-persistent-and-dsls/ https://www.reddit.com/r/haskell/comments/3a4qrl/libraryframework_suggestions_for_a_rest_api_in/cs9lujd/ https://www.reddit.com/r/haskell/comments/3a4qrl/libraryframework_suggestions_for_a_rest_api_in/
- distinguished name (DN) and PKI server - role-based auth
- Operational Monad for DSL
-
Auto incrementing ids on a per-user-basis
http://stackoverflow.com/questions/42449568/how-do-i-create-autoincrementing-ids-in-a-composite-key-that-sequence-according http://stackoverflow.com/questions/41902775/how-create-a-column-that-increase-according-to-the-value-of-another-column/41914370#41914370
-
JSON hijacking, an issue for JSON servers, mitigated by prepending
while(1); and &&&START&&& to JSON responses, never sending JSON over GET (POST ok), and never returning top-level JSON arrays, so [{...}] = bad, {...} = ok. Auth headers don't protect against this attack. https://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
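Added example (not from these notes): the three mitigations above written out as a server-side encoder and a matching client-side decoder in JavaScript; the function names and the `data` wrapper key are my own assumptions.

```javascript
// Guard prefix: makes the body unparseable as JS/JSON until a cooperating
// client strips it, so a <script src="..."> include cannot evaluate it.
const JSON_GUARD = 'while(1);';

// Server side: serialize `value` for a response body. Top-level arrays are
// wrapped in an object (assumed key: "data") so the body is never an array
// literal, and the guard prefix is prepended to every response.
function encodeProtectedJson(value) {
  const payload = Array.isArray(value) ? { data: value } : value;
  if (payload === null || typeof payload !== 'object') {
    throw new TypeError('top-level JSON must be an object');
  }
  return JSON_GUARD + JSON.stringify(payload);
}

// Client side: refuse bodies without the guard (they did not come from an
// endpoint using this scheme) and parse only what follows it.
function decodeProtectedJson(body) {
  if (!body.startsWith(JSON_GUARD)) {
    throw new Error('missing anti-hijacking prefix');
  }
  return JSON.parse(body.slice(JSON_GUARD.length));
}

// Route-level check: only non-GET requests may receive JSON bodies, since the
// hijack relies on the URL being fetchable by a plain GET.
function jsonResponseAllowed(method) {
  return method.toUpperCase() !== 'GET';
}
```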
-
Misc Security - XSSI, CSRF, XSRF, XSS, SQL injection, JSON hijacking, CORS, DDOS, CDN JS,
-
CORS