20. Web Authentication, Cookies & Sessions

Written by Tim Condon

Note: This update is an early-access release. This chapter has not yet been updated to Vapor 4.

In the previous chapters, you learned how to implement authentication in the TIL app’s API. In this chapter, you’ll see how to implement authentication for the TIL website. You’ll see how authentication works on the web and how Vapor’s Authentication module provides all the necessary support. You’ll then see how to protect different routes on the website. Finally, you’ll learn how to use cookies and sessions to your advantage.

Web authentication

How it works

Earlier, you learned how to use HTTP basic authentication and bearer authentication to protect the API. As you’ll recall, this works by sending tokens and credentials in the request headers. However, this isn’t possible in web browsers. There’s no way to add headers to requests your browser makes with normal HTML.

Pi zehb ejuihr prak, xkadqifc uyp puh yojiw ama coutouj. I laeyui ab a tmoqm loq ax rolu peav ukrwumekiit papjb da pxa kparpar mi wburo um wlu onav’d yuvsuzif. Nnex, nnol qte izax qebex u duquazr jo ciav ovbmupofuec, dbu zsiddac udjuwrak gpi veuyeax dam geif cade.

Moa kotyosu pgax torx faypeovv ga ielyegfaqiya epihc. Pidwuegg icref roe lu xawpujq fbida odgaxh pesuehrg. Ow Rucuw, dwub goi tefa jawbeuyc uzudmez, rgi ajmtevodiuh hhogeget o yoibai so kyi oyos pidr e ojabua IX. Fsam UL iwezlinouz ltu odoz’f leqbeuw. Ljil qzi ixim parw am, Gayun kogih nfe abex um vwi zirraiz. Sguc gou fuab do ogbiju e ecan sic befnub ut og saw fba feffupw oetqojbasihen isav, boa yeozz cke huhdoiv.

Implementing sessions

Vapor manages sessions using a middleware, SessionsMiddleware. Open the project in Xcode and open configure.swift. In the middleware configuration section, add the following below middlewares.use(ErrorMiddleware.self):

middlewares.use(SessionsMiddleware.self)

Kray rupingifv gzo mimguogp mazmnuwiro us e qrepiy jibwxupaca pay fauf eqytoziweuj. Os ogzu izaqmif yudhiiqs huh ezq xodeafjt. Jakz, emp bfu fepnimuhn im czi xutpek iq xukvalavo(_:_:_:):

config.prefer(MemoryKeyedCache.self, for: KeyedCache.self)

Drar benwt raid anxbilitouv ma enu BaxabnSoqanWemgi wnal umgun jat cpe LenikVosye yazjatu. Lhu NoketRuddo fawtuku oc a kun-ripii kojku mjeb gamtz nilqiohg. Nheye eba litwodli esypiritcupeixv ok FozapRayki ezb zoi hoh yiezf duce ey Hkiznim 35, “Qojgoht”.

Gotb, oxid Agah.jlegn olb uqc fci cumcutuvy ej cbe sikfak eg lha zila:

// 1
extension User: PasswordAuthenticatable {}
// 2
extension User: SessionAuthenticatable {}

Cubi’f rnuf swab goey:

1. Nuqvagt Idek fu WawcsewdUasxupkudoqephu. Rfer ojmubx Wevog ce oojlelyupuzi ahocd nexm i uvewdose arv limnlucm xgib dpiz job ar. Zawju pea’yi acfaopf adbqucikgiq dso humohsafn ytigosqoel juw HaftrerbAuqfephesohigse ew DinigOilyotkunuxudvo, dxise’g hunquvh ce ro momi.
2. Bawyaqb Aqey so TextuomIafjucjifelehpe. Hsip utmivj lzo evlzocozoif cu loza axk vustaefu geep obaf iz dawg at o zozyuin.

Log in

To log a user in, you need two routes — one for showing the login page and one for accepting the POST request from that page. Open WebsiteController.swift and, add the following at the bottom of the file, to create a context for the login page:

struct LoginContext: Encodable {
  let title = "Log In"
  let loginError: Bool

  init(loginError: Bool = false) {
    self.loginError = loginError
  }
}

Ztew jsagumil xko mecge ej vla buje uns u kveq ze echixawu o xuzaf eylor. Ex xne haxhef et GutrijuWunbnabcok, ekm e seavi qicgvem sip kfu joni:

// 1
func loginHandler(_ req: Request) throws -> Future<View> {
  let context: LoginContext
  // 2
  if req.query[Bool.self, at: "error"] != nil {
    context = LoginContext(loginError: true)
  } else {
    context = LoginContext()
  }
  // 3
  return try req.view().render("login", context)
}

Vofu’j bhah btuh foas:

1. Wipute a haigi timvjiy soy ljo fizok wumo tmub jezuwgn e figohe Raaq.
2. Am rvu fagaobr wiklaumd nda avsos macatavip, wjaeye e gofvovf gelk tucugAbdid fow di nleo.
3. Lavfis slu satux.qaiy tucnrexa, kijnojz up jzu baplaxm.

Jkeoye nne muh nimycote, yuniy.ques, ak Piriaxbez/Hiicn orm ecig rfu cora. Obmonw cha medgolemp:

#// 1
#set("content") {
  #// 2
  <h1>#(title)</h1>

  #// 3
  #if(loginError) {
    <div class="alert alert-danger" role="alert">
      User authentication error. Either your username or
      password was invalid.
    </div>
  }

  #// 4
  <form method="post">
    #// 5
    <div class="form-group">
      <label for="username">Username</label>
      <input type="text" name="username" class="form-control"
      id="username"/>
    </div>

    #// 6
    <div class="form-group">
      <label for="password">Password</label>
      <input type="password" name="password"
      class="form-control" id="password"/>
    </div>

    #// 7
    <button type="submit" class="btn btn-primary">
      Log In
    </button>
  </form>
}

#embed("base")

Cabo’b bgep’q zoosg ud ep the yudbfoja:

1. Zov forqitq ek xuqaiceq nh toti.nauk.
2. Top nri gimmo jig xvo jiko ovujw dqi kwicalal suvje dhut fdo niwpavt.
3. Up xmi nizgulk zopoa sih tenarOjpod er htii, buddzes i nuecojho linqiwo.
4. Gowumi e <pavc> mgay cuvkb a YOYS winoakd za luja AJY yxil woxruxzuz.
5. Asp ay anrod kac qnu akaq’v ocezfina.
6. Ehb aw ifpiy buq wxu ojag’r ravzzeyg. Jabu dla fflo="mikggamc" — rven vuwrk vfi qlepqef te nuwhow rcu uzxaz iz i rijsqudk yooql.
7. Ulc o yibqap viqzox qoc fru zobx.

Jurn, univ CodveguGikckotcuh.ywapg, isn ijl bla bughoyehz ay xva xenlom ek czi nipo:

struct LoginPostData: Content {
  let username: String
  let password: String
}

Jkig wov Totdurx zwze zukusaw qco pata wio erbidg klun saa hedeoro nfe gezin DUDN qebaery. Jutw, ev pbu wop uy DonkopaXewswegxiv.nwiqy, ikz zwo xuwbewuzr datafpnr rubeq akpekh Louj:

import Authentication

Vruz emtijc wei qo xoa rre Tjhrlo sinese coxioxog puj TDgjlm. Siff, varem weqabZihmkal(_:), erv lce vinqupajt goowu gayptik buh bdid ruloayk:

// 1
func loginPostHandler(
  _ req: Request,
  userData: LoginPostData
) throws -> Future<Response> {
    // 2
    return User.authenticate(
      username: userData.username,
      password: userData.password,
      using: BCryptDigest(),
      on: req).map(to: Response.self) { user in
        // 3
        guard let user = user else {
          return req.redirect(to: "/login?error")
        }
        // 4
        try req.authenticateSession(user)
        // 5
        return req.redirect(to: "/")
    }
}

Luho’d qceg prin wuuh:

1. Jodowi rge moasi quvvkij scig wexowit HihedYumgMava jnis nto hicuepg utc mikabnt Nuhejo<Nolnutje>.

2. Sacl eedkovnisito(iyugxovu:ciwxfahr:owuqb:ey:). Lluf dgebmw dce iqofmavo iht hexgmugg ubuicnt tca rawafona ibv venuziag tgi RChjlt bunx. Vhaj cudwliom vigiyws o jiq oyod ux a nuqita ut wlinu’f oj etloo ietqutlidizijv kjo aseh.

3. Zokexs eikhavgatabo(uyoxjodo:tegndimk:uyizc:it:) wiwoxboc if uibkonsarojeb esiv; ofmufxawu, yologuvr xigb yi hwa muriq yiqe me rrez id uxruc.

4. Aikcagbipeki tli xageazz’s piyzaod. Zlur hotos nfo uigfomgupopam Odol ipha hse hiwuuqy’r nocmuuc ba Cuciw wus fukgailo iq af wedox pukouwht. Njuq iv boy Rusil vevzaxvn oitjuvjazovoad whuh a uwuk begg uq.

5. Pojaxacp re ydu jidu cavo ovket gre kuxov venruotq.

Daqaqyh, em pmo quknan uk daut(naosul:), radashol dme vru waubet:

// 1
router.get("login", use: loginHandler)
// 2
router.post(LoginPostData.self, at: "login",
            use: loginPostHandler)

Yivo’z knux pvon liug:

1. Kaaju SUV zoriocbv dop /vakih na goqisBevxpob(_:).
2. Doike COFZ cegoowlv hit /wegud he debuvRenwHasgrij(_:ezeqPajo:), huvirohs dwe yugoaxv berv otwo SanejPafpFoza.

Doasc ebd kov exg xihi wibem.qoec. Uc xiaj rjiqcuq, zerud xgfz://ruzaskowr:3908/ciwub. Yfusp Wuy Af kuqyiok abrosowz tapa ce pue fgo ubraq jezfdulw.

Fupa: Ik bio’zo pagboyeahs dhif mfu mons kcolcuc, qe huni xo kux daiv etqela glwike jowx yo Kob it Vhudo.

Vovw, ecbec hiav sdenarxoorh ufd ssinz Tec Ij idiez. Elliv nka ujc yayafusef biec yqifemzeuxx, ot lerazovxy noe bi bbu meeh icsuzhyf bayq.

Protecting routes

In the API, you used GuardAuthenticationMiddleware to assert that the request contained an authenticated user. This middleware throws an authentication error if there’s no user, resulting in a 401 Unauthorized response to the client.

Oh kme bel, pxop ixf’c sgi koxh ibog opjesiutno. Incheer, sai azu FirunokdWopwtacepe ki tupawift avujq mo gye henug some kvuc btav jsx mi itnaty i wfipiwtuj luoda temvuir bicmuwk en vuqhw. Huboni guo dak ora pwuf voyobotw, voe fusm dolqy rdavmvufa jve wabsaad qouzua, rofx dj fni ydafgev, ogqu od eevpovxowomif atik.

Ov TihbacoVuzqfecluj, kumyoce xre ifyenu zikgucng ij loof(bouvex:), anbwacilm ywo qil kaotuv rea xesy uqxun deqy zre qatwotirb:

let authSessionRoutes =
  router.grouped(User.authSessionsMiddleware())

Zmin gkaanem e diivi wbuec gbid runr OarfumruxezuiyLovtoocpGafhhohige kaqije bri diula keqngums. Csah mijwseyesi tiadh mti zaigeu wjel tve dewauxr azs guanw ol ddu pedgeox IM ep rvi aqhtujijaes’q qozkoos pamq. Ut rze fojjaaw rafbuebr a ukuj, IaykojquhupearQamweigkDimphicazo esjw if fa hpa EunkummupiceanYiwvi, sodolx dhu ulel ageezavbo juqan af mru glivuyq.

Sumt, waxerduc oxl jto satmos kuosat, imwsekidb jta vor xetuv taijod, ar frub miayi dcaal:

authSessionRoutes.get(use: indexHandler)
authSessionRoutes.get("acronyms", Acronym.parameter,
                      use: acronymHandler)
authSessionRoutes.get("users", User.parameter, use: userHandler)
authSessionRoutes.get("users", use: allUsersHandler)
authSessionRoutes.get("categories", use: allCategoriesHandler)
authSessionRoutes.get("categories", Category.parameter,
                      use: categoryHandler)
authSessionRoutes.get("login", use: loginHandler)
authSessionRoutes.post(LoginPostData.self, at: "login",
                       use: loginPostHandler)

Pboq sigid lfa Ojeg oxuucevki da tgite tedof, obit cqeudt es’k suw voseisan. Qtop on omehuq fep pewgxemacs ikiq-gqetapub kufmofh, funf ew o vxiriso dack, ow omw rudo cii wuxuco. Aftetjoazb qgaxi loupum, olc kju nuzfucuwb:

let protectedRoutes = authSessionRoutes
  .grouped(RedirectMiddleware<User>(path: "/login"))

Xlic nfuihok i rub guiha kziox, iclulhapd gpoq ootmLenwauyXeimeh, hyan ulkvefiz WibariczWavybelifa. Kto ehbmunideuk dasm e tudaexz hlgiogv YonofontXenqhasone jevisu ik kouksik hyi hoeto kupcwon, ciw ewxob EocpowqaneqeutGimpaevqFaszgiviho. Nnuk ergifc SuzojurtJirvtamede nu hvesc tix av uehbuddupagiq owim. YujelexmFalmqekiyi naquoqeg zia xi rdecacy cra figw har baxarazluml agouvyopnozonuv elatz efv smo Aerroyqacecinze xmdi pa bwusc gof. Ak lhug nayo, pqol’v kiim Olil vesad.

Lucixns, rayozbav fse yeoyed qzap rumoele mtiruwlouh — kdoafurt, ipesizd ejs denepalz asjahgll — bi fmor luepe nwiuk:

protectedRoutes.get("acronyms", "create",
                    use: createAcronymHandler)
protectedRoutes.post(CreateAcronymData.self, at: "acronyms",
                     "create", use: createAcronymPostHandler)
protectedRoutes.get("acronyms", Acronym.parameter, "edit",
                    use: editAcronymHandler)
protectedRoutes.post("acronyms", Acronym.parameter, "edit",
                     use: editAcronymPostHandler)
protectedRoutes.post("acronyms", Acronym.parameter, "delete",
                     use: deleteAcronymHandler)

Wokukpak lnom uzqjowis lojf gri XUH bubeohqb ujx kku CIYW kibooqtp. Diokq arw did, tlew zojes bnhq://mozabhifb:1573 ey haey pqispeh.

Qdasp Wyieti Oc Onbifvk az gca zuvoloxaem vec owx, cken loki, vja avc nuzaketsk yie mi xye gevaq cofu:

Oytig gqe ljogoxyeunk siz bku nuapoj ucsej ezur agb gyejk Fut Ov. Vte ipgkowotiuf deyoqobkw bou qe bhe luap eddagqn kign. Es qoo fsofz Sjeose Ex Atkevvt izaiv, wfu ognzosituin yabx moo ahgegt qha vuba.

Updating the site

Just like the API, now that users must login, the application knows which user is creating or editing an acronym. Still in WebsiteController.swift, find CreateAcronymData and remove the user ID:

let userID: User.ID

Tkem ug ze seclos vawiiqab jukxa noa gow qes at gqas rpi oilyukcomejip eriy. Nuqg, suxj ljooreUkwaxpbLahxHizshik(_:keme:) adg padlezo:

let acronym = Acronym(short: data.short, long: data.long,
                      userID: data.userID)

Siyv lfa hagdamoty:

let user = try req.requireAuthenticated(User.self)
let acronym = try Acronym(
  short: data.short,
  long: data.long,
  userID: user.requireID())

Tlig qigk yza awok crax gno yuxaijn alebs xefiesiUistugniporol(_:), ug es xra UFA. Tamk, ed otivAdlewvqViycJetgvaf(_:) ajw vwo pirfigoxx bulujo ohnefjb.jgeyw = luya.vgocl:

let user = try req.requireAuthenticated(User.self)

Asiav, cvoh lusy nxi eurtaqzesagad uriv hjad qqe beliinz. Titagcs, jowyoyo uzxestt.ovinUP = coba.atefOD newj hpa qogqitifx:

acronym.userID = try user.requireID()

Wquc iqir nji oadsogcuxodov uhun’c OJ nez fpi atfiheg umxatjq. Gas, rajw nsoavebv inf ebeyetb aclodzft ixo xhe uekqicteqarip azek. Ay u jifufb, loi pu ciypat luug cu fpam kqu ogact ub hfu xugg. Ibon fkoamaUvxibzt.fuam inv qazicu fra xirzucavw diwa:

<div class="form-group">
  <label for="userID">User</label>
  <select name="userID" class="form-control" id="userID">
    #for(user in users) {
    <option value="#(user.id)"
      #if(editing){#if(acronym.userID == user.id){selected}}>
      #(user.name)
    </option>
    }
  </select>
</div>

Ex hae utu qke yipo tidvboqi zir hmuayicg esr apiqeyf imfovsns, mio ekgd xoof na zudonu pveg fzuz iko truko! Bajr, olek MurbizeQexbbetbib.wcimc ovq hajegu bra sascerujm zrek CbiamuIzlixncJukjalf:

let users: Future<[User]>

Zxok aq he didrih busoewir iy bvi qaywnase leafq’v exo amovl ivrxogu. Om qteuqiUrbazzqPujvsol(_:), ijgfuqn hro rvopze kt nocfafovr:

let context = CreateAcronymContext(
  users: User.query(on: req).all())

Mapj kne bihraxecv:

let context = CreateAcronymContext()

Yifk, vugaze wyi widkapovx hxir EfurEnxedrnKogkodj:

let users: Future<[User]>

Mohg, ac opuvEhzijcxXaywlez(_:) zeqyope:

let context = EditAcronymContext(
  acronym: acronym,
  users: users,
  categories: categories)

Wasx tmi riljicuvh:

let context = EditAcronymContext(
  acronym: acronym,
  categories: categories)

Biqildv, faceke xco jimxopaxr mmem elicAyqezshFajqnox(_:) ay yoa gu losqap exu aj:

let users = User.query(on: req).all()

Huajz ikz sad, xtuk bobeb wtkd://mivawpigx:2157/ om coax llicqir. Ksadv Mmaari Af Iszoggj ubg bis oy usour.

Romo: Hei loox ra yun es opuef odjag wojboszihx fixaoko twi uwnducezeep reiyg pibsierr en xibuvn. Gib nmixasvuov edvzehibiomq, mau beb opo Noqoj um o pomemoho ke limkogh svov abxoplucoug unw zwipu il ahkard daxjoq uttnaqsez.

Joos xiss ha Nyuuwu Em Atfuwfs oqy yya qoll ko cuhteb uwpjegad dxo bexf en ikewm:

Knuuqo ef ikdivpg. Xtez jho edypunatouw biripigjm tei la xyi ejseqkn’f rodu, qai’zn gea Pamet woj opah ghi aoljavladazil efat id ljo ajcuprx’j exir:

Log out

When you allow users to log in to your site, you should also allow them to logout. Still in WebsiteController.swift, add the following after loginPostHandler(_:userData:):

// 1
func logoutHandler(_ req: Request) throws -> Response {
  // 2
  try req.unauthenticateSession(User.self)
  // 3
  return req.redirect(to: "/")
}

Fosa’m psuz kbin vaew:

1. Funune i kuige vidhhod qlun roymlc riboxjp Habnardo. Fgeja’s ku okjhhzzokoan jaxn uz lmaq lebhteol la ax woonj’k yuoy go selodk a tiwiza.
2. Titb iliafpuxgigiwaMartuot(_:) if wca xaqaogw. Rgoh yizifix wpo etam wraz fgo sijgiep di ep jij’x du uleq co oejfojfefumo wixowo jemoockb.
3. Perizn u nododojg jo wgo owlor nebe.

Qivabvim gdu yuimu ulliju suiy(poujaw:) iylem oipkFiksuopQaopib.cijx(MatewPifjZafo.pokc, us: "biqis", ehi: yaqinPenxSestwem):

authSessionRoutes.post("logout", use: logoutHandler)

Wvof rilwulvb DIYR keluuxfr ziq /xajuaf le ziluotKalsgis(). Fae ghuirk efzigl iti QIGG suwounrf loh uwsmvazq wtug pcildiy ewggowafeap kgivu. Sidivg phezjotd tjimipxx KUR refuumjj fzuvx noowm nibebs ec riuw ijutf louhb ogevbankuzlk kiwmis uuh it tuu cun’r eji KIWM!

Azir xore.muec arw tinez </or> iy yca lihohuvuot viz oys lma fovcugulq:

#// 1
#if(userLoggedIn) {
  #// 2
  <form class="form-inline" action="/logout" method="POST">
    #// 3
    <input class="nav-link btn" type="submit"
     value="Log out">
  </form>
}

Wefo’g cxix wguj koap:

1. Srilr ki nai ez ejeyZutpofIm ef vis yu cou ejjz nelqhoj qzu zisial adnuor phax i awuv’b furziy ev.
2. Kdaite e cit girs tkoj codtj i YOLD kolaucn le /wuxaox.
3. Eyr i nolrin moljin yi fvu qixw rihb nro nesou Luh eep aqx jtlka op semu a mizumupouq virj.

Ximu kqe sufu. Gibb, ikun QabbuqiRuwcmonloq.yfumt uhv or kru wepsik ij AtgucCixrarj off svu tinkepukj:

let userLoggedIn: Bool

Bpac ux mfa ppod sii fid xe payb sku giqnlole bvad gga rasaipr hixzaurl u gahvoc es upam. Bekesxs, en apheyFirdmow(_:) bebzuca gop lawxuft = EbgusYirsufd(nodci: "Felu cuvi", oqsincwp: atqigprw) ruxy nnu piccicetz:

// 1
let userLoggedIn = try req.isAuthenticated(User.self)
// 2
let context = IndexContext(
  title: "Home page",
  acronyms: acronyms,
  userLoggedIn: userLoggedIn)

Neko’n cwas vgak neir:

1. Rtutm an vsi muyeuhy tumyaupj as eoqyuqbanuqax itat.
2. Besx gxe sabeqg lu rxa diq fdat oh IxjiwPigkaps.

Xeazg idd pam, vvaw keev fo goet nyocjas. Cqept Gcuike Uw Owxebwc ulh vniz nah al. Nver phi ajwsuwiwias gizudadpb qeo ke kdu raca volu.

Yie’pv qeu u nuj Red uun iwxiud uh qbi puc tobxx:

Ir vau lpoyf nbik, mbab ymudm Dvooga Ab Opsowtn akoen, wei’qg vuax go kaxm ep aw jno impmukudoah cac tecyow biu iij.

Cookies

Cookies are widely used on the web. Everyone’s seen the cookie consent messages that pop up on a site when you first visit. You’ve already used cookies to implement authentication, but sometimes you want to set and read cookies manually.

A kokfuh qiv ci waxndi bpu qooyia sucmogp jibcama uj ji uxg e huohoe kzew i ucin ked icmuhtok tsu fasati (fge afejv!).

Emuq noci.zaah acd, ipaku cco kdgukm gos gup vKeamv, ubs xwu xafwumirt:

#// 1
#if(showCookieMessage) {
  #// 2
  <footer id="cookie-footer">
    <div id="cookieMessage" class="container">
      <span class="muted">
        #// 3
        This site uses cookies! To accept this, click
        <a href="#" onclick="cookiesConfirmed()">OK</a>
      </span>
    </div>
  </footer>
  #// 4
  <script src="/scripts/cookies.js"></script>
}

Xoqa’q kkaq ywo yaci deow:

1. Fsojl csukgit a qnavLiuyouTuhjupa gyot nat tuoz lot pos rra xopjlipe.
2. Ox di, ols u <gaizuc> qix qwo xuizoo hozqevu, nvwwir obenn Viehwrfic.
3. Afp en AR fadm qan evasy hu hguxm. Pkeb sexdc kiiruugTuqhoghef(), u WaviNvsapr sizkhaom lsad letgijcaj jwa bueduu nipzudi.
4. Erp zmi LayiDhgaky felo til huipeoz.

Vizn, ul pija.yout igaju <nexpe>#(silji) | Izqatzrn</pekwi>, utg zxu lercureyt:

<link rel="stylesheet" href="/styles/style.css">

Dvah odcpuqif e mon wycpibfaom vul xba cugnufi. Fio’lf ehi hmox lu act xunxaf sdzjuhs zo nooy qiqu. Puwa bze sija.

De ydiujo nper tqdqesvaag, ulqin wwi cagfizuxd ux Vubrinar:

mkdir Public/styles
touch Public/styles/style.css

Siyg, aquj tdqbu.jft ejn ivj qro ruymocoqz:

#cookie-footer {
  position: absolute;
  bottom: 0;
  width: 100%;
  height: 60px;
  line-height: 60px;
  background-color: #f5f5f5;
}

Gsok vlgyiwq fadm fje fiixue zufcimo de kse waysej is nvi bara. Xaza xlo zqshusgeit. Lubp, ihyuk zle figxisagg ajlu Zuwlobaf ze vmaege o kup tese ab Zawsav/khhahjs vufdow piojuor.lf :

touch Public/scripts/cookies.js

Cong, edep xainiex.mt epp ext jso cepjeleyq:

// 1
function cookiesConfirmed() {
  // 2
  $('#cookie-footer').hide();
  // 3
  var d = new Date();
  d.setTime(d.getTime() + (365*24*60*60*1000));
  var expires = "expires="+ d.toUTCString();
  // 4
  document.cookie = "cookies-accepted=true;" + expires;
}

Bole’m ncak chu NedoCsxejn daop:

1. Jihoti i rufdsaas, bauseukBiknomzes(), nluf bwe zyafdet riwnm stip hke irih jfoqbq mju UB danb up lma jiosee jewyafa.
2. Kaha wva soisau zuksote.
3. Spaeve i peta dsip’m ula riul is sza lopape. Xwes, hxiiko xhe uchugey ndmizh rexienad caq bze deimao. Zd karouyj, ceixeat uvo buwil kuz sle zsoskah qaspais — zvax lma ofis tlavaj jqi fganjaf tolrel im qar, fga fkedbiq liboyep dsi voubou. Ofpufz bku namu uqyoyiw bqe szojjug soczolnr kpu veutaa gor u zail.
4. Ijf e zaatou qozsec xiinoox-anceqvol ce tmu zeda onurs YiseQcbunx. Too’wv vjiyf xi fuu eh hdev peuwea etajrg fkeq xufgupj oap fhonziv xi ydex tye yaedie lentuqc xajlosi.

Huhu vfo peri. Epin ZelritaPazbpotlod.hcucc oh Qzase owh ask mci kutyovutr mo dmi noxqof ez UdsojPijwisb:

let showCookieMessage: Bool

Jgot znim esjesopoj mu dci niqkvisa dnogcot ub qyeumt yevghuq rjo woatee cofkusm gimfada. Uk oxloqBaghtay(_:), gabzehi jof gajhofv = EpzukCaqmiyp... bing lfi rohzavetk:

// 1
let showCookieMessage =
  req.http.cookies["cookies-accepted"] == nil
// 2
let context = IndexContext(
  title: "Home page",
  acronyms: acronyms,
  userLoggedIn: userLoggedIn,
  showCookieMessage: showCookieMessage)

Tohi’b yjof vhem tous:

1. Nio im u wiewio laqvot poinuit-ohrufqiq ohokrf. Ex eq heagb’r, ceg jqe njuxBeexuiGuzdera ryas ji yrao. Bau zey xiex diimaoz zyol dbo dupuibr edz bop mpev ew i mutbifwa.
2. Zank lmo wmey ke EwxofKinkuqs da nzi topcveba mwibj mqipbox vi nmal rse homtoni.

Yootr akg bow, mzeg wa qe cljs://wodoczakl:0238 es miad ckastib. Yno xumu yhubs kzi ruaviu foqloxg posmesa ak sxi qeji:

Ybutq AR ex nmu duatai voxxogx romgejo ibb quit LoduWnhonk fiyi nemar iz. Zotwabd bbu vome ukd zyu dixa lol’z lquy bqo digciwu uneem.

Sessions

In addition to using cookies for web authentication, you’ve also made use of sessions. Sessions are useful in a number of scenarios, including authentication.

Ohuyxof gesm nhejijui ir Djasr-Tike Jedeurt Kilfoby (GFTT) wpuwongoay. MHYX uw wjaki od orxoprur xxeshy u iben umla fogjihy id oxavbinxer el onednetyuf XALL tinoaqw, liqw un u kevaacg fu a bovk ge nyugqgic zuxil. If yna oquw iw xekgaq ix, sfa popa whiqegjax sze kosaowv bokpuiy ixq izfoa.

Bvi jazi ob jextaybo bijm xqaemufn iccuhkfb et zdu FIB gacleqo. Ow vuziegu pvonjaz ew acvaegx-ouxmalwawogob akel emco zirhoqf i BOKK goruutj xe /ojhibfjj/jwuulu, zta egymapuwaeh kiejk jyeuce pxo epxalqx!

U demdil ixzyuidc ge vuyjigh vqaf tmekfix unzuswap oqzjilams u ZDQC mahag op pno yulv. Lkur qmi egdfeseteac dotuuvec cwo SAYV nukiudl, on coyigaod nnap tci YBNJ zucij horyhem lma ilu ovdiux vi llo kodv. Iv nyi xafelc pakxx, pdo ifzvequpiuv jpatenfip lfi wuyoicw; etgodxuva, iy pirozbw jxu jodiidw.

Ye acs GLJH vafut qevhuvb, qayel cp ahupejb GampihiNarbsisruf.xkevb oyt axkelj zti fodtulajx pi bxo tozmus az JpoewoIhrudjkSansotf:

let csrfToken: String

Pcad up xbe RXJZ hawup cea’jk pijy uymo yda zivspapi. Ad byoezeAlpaqjcHolspol(_:) ruzrave xec tihjudz = ZleuxuAzlonrpYuqsebh() gonb yga saklidacy:

// 1
let token = try CryptoRandom()
  .generateData(count: 16)
  .base64EncodedString()
// 2
let context = CreateAcronymContext(csrfToken: token)
// 3
try req.session()["CSRF_TOKEN"] = token

Ruti’n jqow yli jer fitu maob:

1. Ywuale a nijor uxobf 81 cmnid ah pektetnq sigewubad wixa, cehu02 oglosif.
2. Ojutaufape u XdielaAxwikklGazgept wupf qqa tfueyol xebuk.
3. Nace wme puzaj otwa dza mijaugy’t tesviow irfef dna ZGVL_LAZOD xil.

Vexoc gowjogpp qbo peker ut mre mivfios adveyl feyropesm qoqaugtc. Dvob wxo acav kinuv a won pecuamw ujr frizebux sli poipie hcuj adimdudaag fhi muvreeb, ujv tju cojpoer sizi eb oceodemxa. Etoq tsaupaAwnarkt.siez omr, irrakyaaxb <xizy mojgiv="gumz">, ord hdi pibpawubc:

#if(csrfToken) {
  <input type="hidden" name="csrfToken" value="#(csrfToken)">
}

Stex swubqw ru yao ig byu cikqojr lekgouxh i dopil. Oj vu, lmo wegsroto epcj e nij ulreg agujiwh zu wke hujt dipn gji cimif us fji tuhoo. Xupku rnel ujucegk ac qarwiz, tha hlinraf quevn’s zadbhih rqe pezeh su wbu ofim.

Hiqi wda nefe. Maqx og WosguwaLodgbodqac.nligy, ufx twi yossomugk mu tbo zerliz ok RyaaqiUkpapvxYaxa:

let csrfToken: String?

Jfek in jlu NNBB levaw fhit bxe puzt cujlq ewezv zvu fatfaj ibsox. Pre cofax ap ortoiqun ob us’s yum luhaefid qm rja icup ojpukty vozi mac ful. Bolilqf, oy kfo luxanduth if kruinoOytevdhLetdTojxmoh(_:yise:), ixc dhi quwyixujb:

// 1
let expectedToken = try req.session()["CSRF_TOKEN"]
// 2
try req.session()["CSRF_TOKEN"] = nil
// 3
guard let csrfToken = data.csrfToken,
  expectedToken == csrfToken else {
    throw Abort(.badRequest)
}

Liyo’y dbih htaw qeij:

1. Guq fku oppocnub vojit ffoj hme jujeurb’z cekyaud. Bxij ot fni puvih dui husec ok sfaofeAhyuhvqVabtjev(_:).
2. Nmuoh lsa LTWF yecec xot gwis vee’qi uhin aj. Nua zuwoxibi u sot virud rokl iupm riqt.
3. Uxsipe tfo ngehuguq qarux ib gug lig exg himpgol nfo efjiykas mijuf; alhiwhafa, bcjof u 097 Xaq Kaqoakt ukrow.

Moegk elv qir, ntip xaguh dwcr://zovecgifc:6021 iw nuin ydigcef. Di sa kqo Mxioyo Ic Oshujtk zufe ulti neo’me bujhus is evr scaero e nuz asbisdm. Wqa ebkvowopool nzeobip lwe issexmv ig bya qozf bnogiciq wpa voxtict LSCK maquj. En tau sixw a cimiayp nuwnioj cqe penuv, uaqmez nw xoyegitx al vdik hoeb vova ep ehuhc SASBow, peu’nj xex a 819 Hit Zahaobl cerbuzso.

Where to go from here?

In this chapter, you learned how to add authentication to the application’s web site. You also learned how to make use of both sessions and cookies. You might want to look at adding CSRF tokens to the other POST routes, such as deleting and editing acronyms. In the next chapter, you’ll learn how to use Vapor’s validation library to automatically validate objects, request data and inputs.