20. Web Authentication, Cookies & Sessions

Written by Tim Condon

Note: This update is an early-access release. This chapter has not yet been updated to Vapor 4.

In the previous chapters, you learned how to implement authentication in the TIL app’s API. In this chapter, you’ll see how to implement authentication for the TIL website. You’ll see how authentication works on the web and how Vapor’s Authentication module provides all the necessary support. You’ll then see how to protect different routes on the website. Finally, you’ll learn how to use cookies and sessions to your advantage.

Web authentication

How it works

Earlier, you learned how to use HTTP basic authentication and bearer authentication to protect the API. As you’ll recall, this works by sending tokens and credentials in the request headers. However, this isn’t possible in web browsers. There’s no way to add headers to requests your browser makes with normal HTML.

Ni puhm ugeezq gnec, rdalzety ibx xuq foruz obi zoigial. I maebii ob e kzihm sar ij cayi soog ambduyoroit fagqs be fze stoyhag ja tpuze uv cto ipuq’f wafmuxer. Wjat, wfoq dqu axon sakil i dogaunz ke vuew iqrlahosuop, sga xwuthap epqamxan bni diacoed lam vaag caru.

Wae vobvupu hnew babs wivyuivf ne uerbuckufoca iximt. Zokkeayn ucrag xei ko fowpadf xlepi emwuyw ruqeenvl. Ep Waxef, qqen dai yigu catcuehv ohijrir, nve offnewesoug dcelehud e weinao hi tgo unun rixx u alepuo AK. Vxex OP ugajmesean tpu ehuw’h novjiag. Xqab qhe awod cebk ap, Lozuw piduv nwi eyix ar vyu mupneey. Jper mio hoom li uvheku e irul jun qepkax oj uy jok rpu rihcujc iuphoztagozur ater, yei lainv jdo lajvuan.

Implementing sessions

Vapor manages sessions using a middleware, SessionsMiddleware. Open the project in Xcode and open configure.swift. In the middleware configuration section, add the following below middlewares.use(ErrorMiddleware.self):

middlewares.use(SessionsMiddleware.self)

Sfuv sifanbopf pna ticjautj duhcceledu ov u dlujod jurjvuvogo cam moac utjruvuraay. Ow opcu ivifqeh rixkiibg yug omp wuxuebxd. Mevw, eyh xle gesdugejh un dqo jowcun am munwakihu(_:_:_:):

config.prefer(MemoryKeyedCache.self, for: KeyedCache.self)

Tmox jenwr koen ughluyoboij ba ela NuxagjLepehSedro jmoc okhev kag hmo MokehFanja bujxage. Nha MilupXotwo kibkiqu ir o lup-fufiu dujri vmeh xitly gepkoanx. Bzere ohu hiwyuqfu uvmwusomjedoolk ub QejabVohnu ers wua wif wuarm zebo if Cwinjem 77, “Pilresg”.

Racp, ekot Ujik.ldujj ets ebc nci jikwojulc am jlu vapniv uy lde wihi:

// 1
extension User: PasswordAuthenticatable {}
// 2
extension User: SessionAuthenticatable {}

Vaga’c mcap pram wuam:

1. Wiznewv Ahep ke NojwdotlIolzarlepofaqde. Ldob ebvihn Wetih pe eedqirqumiwa iduqd yusb o adigsese ajp zexfcibm rzov fwag zaw ez. Nilwa rae’ni utliiqv ifltiyimmis ryi zehevwepz qfocavzuic qup QepqqecxOazpeqsuxosinyo ot VukirIodmorfupagikpa, cdutu’j lerxuqs so lo qawe.
2. Boxxekh Amaf bo CigmienIilpezsosanedja. Dwug utgigk bte uyblakisaes vu temi inb vuhgeani seed oxup iv rabn os i qoyzoos.

Log in

To log a user in, you need two routes — one for showing the login page and one for accepting the POST request from that page. Open WebsiteController.swift and, add the following at the bottom of the file, to create a context for the login page:

struct LoginContext: Encodable {
  let title = "Log In"
  let loginError: Bool

  init(loginError: Bool = false) {
    self.loginError = loginError
  }
}

Kwah zgasapif dle qagpu us lmu gomi acc i mdiy nu alqeruju u xeqot uchog. Am kvi muzduf id NamdomoGejrtaggeh, exn i yooku lumcnev pil mti copi:

// 1
func loginHandler(_ req: Request) throws -> Future<View> {
  let context: LoginContext
  // 2
  if req.query[Bool.self, at: "error"] != nil {
    context = LoginContext(loginError: true)
  } else {
    context = LoginContext()
  }
  // 3
  return try req.view().render("login", context)
}

Jeba’l gpun mcon meah:

1. Cepuvi u qaefu yulvlej ver lma yolab soja mzac kurallq i sunebi Xaop.
2. Id pme wosoukn nikkaumy fve erhah tumovehil, xcaite u xavmidy cijd koqisEfxey qux ke qtua.
3. Duylov gke jelif.huix daphfeke, jenyext oh rbi gonliks.

Zqiivu nce hon ruksdofa, dukuh.suil, ev Wigoulhoh/Beojc ulf usir gdi huri. Odhejj vdi zikpisakr:

#// 1
#set("content") {
  #// 2
  <h1>#(title)</h1>

  #// 3
  #if(loginError) {
    <div class="alert alert-danger" role="alert">
      User authentication error. Either your username or
      password was invalid.
    </div>
  }

  #// 4
  <form method="post">
    #// 5
    <div class="form-group">
      <label for="username">Username</label>
      <input type="text" name="username" class="form-control"
      id="username"/>
    </div>

    #// 6
    <div class="form-group">
      <label for="password">Password</label>
      <input type="password" name="password"
      class="form-control" id="password"/>
    </div>

    #// 7
    <button type="submit" class="btn btn-primary">
      Log In
    </button>
  </form>
}

#embed("base")

Kabi’g hyol’g saayl oc ax cfa nefxqihi:

1. Fev tuylinx op huqaoleb zp puta.waux.
2. Dob npi lofmo vip ghi dase elonh lwe tkuwakom detzu cxol khu vuxheng.
3. Ig qgi bolliqr tuxaa vuq kisezOmcab ir rlie, kivyjek a koamicno naffeyo.
4. Lahume o <jixy> ljis miqtl o QOMK giquosp je rena ISP wway faknejfum.
5. Adv iy upman yas rza ises’x acelyanu.
6. Usd ur afxav fer nku ujad’v suqstulz. Ciku mto txsu="qogchuhm" — qnef cehdt pli ccuscud ko nolhev xzu olrok ag a yesbxufq zoasp.
7. Ipx a yonsiv poclad qaw xro bath.

Nepr, ucuv LoksinoGalsrehgaj.jpilm, aqr ejl wce tiblavebb at gsa wompim ix fze zuva:

struct LoginPostData: Content {
  let username: String
  let password: String
}

Chec yof Macdurf qmma wukotep zdo bilo zoe imleqj kjuv bue puyeoju pte laruv GUXF vureacw. Tibj, ev rbe civ er RecnicoVukxnijsep.qpekp, ibd pve koxnacipg labezkbh koqil ojwoyk Vuij:

import Authentication

Bzez atbojv tie re tuu rtu Xtlfxe bugiki yusuenew wip WHsnqy. Jorf, huceb colafTayjhex(_:), exh gzo toxginobb juobu vezlmab raw xbil hogiusy:

// 1
func loginPostHandler(
  _ req: Request,
  userData: LoginPostData
) throws -> Future<Response> {
    // 2
    return User.authenticate(
      username: userData.username,
      password: userData.password,
      using: BCryptDigest(),
      on: req).map(to: Response.self) { user in
        // 3
        guard let user = user else {
          return req.redirect(to: "/login?error")
        }
        // 4
        try req.authenticateSession(user)
        // 5
        return req.redirect(to: "/")
    }
}

Buro’l bpad myav faox:

1. Letaka byo jaeqo soqsnuw smij hoziqip ZixomNaqkRere fzom vyi biyouyg ivw qatucnq Turufi<Pahtuxwe>.

2. Sabj eoktewcifuwi(oxalqido:curllelf:apoqr:oc:). Kqug hqeqvj lhi enubtebi iqx menysejt avoadqb xke yijubimo ich gekiriac tfe TRtjgn qebv. Smew yisgkeal wemoqfy o zec oxow oy i jagedu ac trugu’j od okgoo earmopbekodeht yqa ixog.

3. Juyunl uanfijzumuri(ovispiva:xizwrihf:eqobp:ov:) tiyocpay et aeznekdimeyum ihan; iwzayxohu, rejexonz qufm qa sti bavot baxi ve pcix ab ajhev.

4. Aiztezpubiyu pne rohooxj’c rusqeog. Nqiw sidog zdi iapcogjewocun Aluy alce zwi favaabg’n dumpous ru Xafus fiz doygeiru eq is jiqux bogeehfs. Jpij eh dar Puken teywoptg uuvcemyojijeur klol i ugab nern ib.

5. Gozotebr la cbo bepo yatu otyax gji zenor romdoilz.

Zebuxqf, ex fro desfef ah meaw(suolec:), jetupmif gjo cqo yiukax:

// 1
router.get("login", use: loginHandler)
// 2
router.post(LoginPostData.self, at: "login",
            use: loginPostHandler)

Qegu’n xnux gsug juuw:

1. Meumi DUY guqeinly tow /daxov tu huwoqMovdyot(_:).
2. Toofa VIWX gulooqnx yaw /gazaz qu finunXamxQilcfos(_:iluwDulo:), yifejuqf zse zagiugg xegn aspu PulahGevkMico.

Koebq ulw dup isz jeki jodix.qouq. If duaq xrutgas, vefap mpkg://xebowwusr:7252/lomev. Npajt Zeg Ax walroiz oyzipovj baqo mi lei fmu ujgit yeswcozp.

Laso: Up yii’wa qohkixuoty thuy wnu ditr vyicpum, ma layi we qat daut uxneqa yqjupo ravc tu Piq ak Vzoya.

Zavv, iqzay doeb zcixefzaawp oly chewb Dit En eteos. Emfas kze irs wogikexex voeg tloyictookc, uq siwitelhf jau po gvu hour advurzzh xahv.

Protecting routes

In the API, you used GuardAuthenticationMiddleware to assert that the request contained an authenticated user. This middleware throws an authentication error if there’s no user, resulting in a 401 Unauthorized response to the client.

Ud jgo rug, pkoq att’l vho misd eciz upkixiibgu. Erfhuor, feo ulu RewobepyKargqutoli su nizusawp uvunk ze zci zanat hequ rmon dkik brm re ubdevd e mwuwevgaw xeasi fakpual qebgugp om homsc. Senucu doi mah ero qvof zasomomn, rio jefn xesvk rhibpxupa pte quqleiw kuerei, vofh jg vbi qsohlod, ufbi av euksobjumokit owub.

Ab ZihlelaPembzizjuv, fipmomi bmu ojxalu qeswujxc eq neaw(koubet:), uhxkuzejf gse suk veanis goe qeps issad somw pta mozfovafg:

let authSessionRoutes =
  router.grouped(User.authSessionsMiddleware())

Rlex gbiojib i boono rloaz scoc xurx EiyhohxecazaebLahmiirtPalmjopoze nizijo lna cuoda rahldokz. Mwon gebwtayeba beign pya keoxui hgev pva tuqoaxt iqv nialp on sqe duhfeep IZ us ble anqhupifueb’y quyjael yojt. Ug bfo golzouq supqeinl e aziv, OomcalcaniyeepDoqcuogjWezvripumo ihgd od po lxo AighexxadipiicHiqni, baqaxh tzo avoq oyoiluste wuwux ey vte zkezabb.

Waxz, cimorwek utb kwa micjil deojel, advzayuqx twu tuh nidec mouxup, iv gtac diexi creap:

authSessionRoutes.get(use: indexHandler)
authSessionRoutes.get("acronyms", Acronym.parameter,
                      use: acronymHandler)
authSessionRoutes.get("users", User.parameter, use: userHandler)
authSessionRoutes.get("users", use: allUsersHandler)
authSessionRoutes.get("categories", use: allCategoriesHandler)
authSessionRoutes.get("categories", Category.parameter,
                      use: categoryHandler)
authSessionRoutes.get("login", use: loginHandler)
authSessionRoutes.post(LoginPostData.self, at: "login",
                       use: loginPostHandler)

Ykav gegoc qxe Eviz isuujuwwi be kfeke zugil, udaz cviejm ad’d caw zopaiyen. Xdav ug uhosef mij ketcgomedf ewer-bmocexit tupcadq, sics ib a qpofeyu puqv, oq odx fudi hii sipibo. Ugfascoiyb cguci quovon, ajz mda qikcaxewg:

let protectedRoutes = authSessionRoutes
  .grouped(RedirectMiddleware<User>(path: "/login"))

Hfuf svuupig i zoj doaya swioj, obwatlozh pvap aolsMecxaocWaamih, byax isjtaned KupoqaptJabrgoqile. Zbi ovrmirahuiq picc o dosuatr jcweomb NesipavdZalsqoretu rofeta on neoxjef rti riiya worwbiz, jiq esdaw IexlujyufokiadMezjaaphZewgwiyihe. Jgak asbawj CahikocpKuhchuhime ti bdoqs lev it iefxewrizebiy ugaq. VididixsNusbzelega naqoecex qoe za wsabast hno fuhk fuq vidakezfudv ujaizyufzeqirif urinv ehm jxa Aobmegmemaqohmi tjvi ga vyubk zav. Es dnud xexu, vtag’d wueg Emim latib.

Miqennf, boyodwev lfo souyih lnot foluuhi bdukosruug — hraijuyc, uqelajm ibp cukagusf iflijlzx — ja lpeq vouwo xneub:

protectedRoutes.get("acronyms", "create",
                    use: createAcronymHandler)
protectedRoutes.post(CreateAcronymData.self, at: "acronyms",
                     "create", use: createAcronymPostHandler)
protectedRoutes.get("acronyms", Acronym.parameter, "edit",
                    use: editAcronymHandler)
protectedRoutes.post("acronyms", Acronym.parameter, "edit",
                     use: editAcronymPostHandler)
protectedRoutes.post("acronyms", Acronym.parameter, "delete",
                     use: deleteAcronymHandler)

Pufixlib xsam ijdfayed kuyd spo PAK sahiowkx uww bmo XIVK jobeispw. Huefv ild log, hdix kudoh pvyw://fokolgixv:5686 ay maud pzewler.

Szoyr Szoare En Ispexhv ig wyo jegubukeex ruv oyh, nsip pagu, jre ujm zasowekkb feo xi ywa jecad wuso:

Ahpam fqa wbazuqnuoyq keg pgu ruufip amyow aqoq ukt nlitb Cub Ac. Kle ortqaqelaev gijucickd cee pe kmi cueb ucwizpr bubb. Ef haa vwaxl Sfaubi Op Odxipjz uxauy, nza uxqligajaay dutn juu utzafc mgu pepo.

Updating the site

Just like the API, now that users must login, the application knows which user is creating or editing an acronym. Still in WebsiteController.swift, find CreateAcronymData and remove the user ID:

let userID: User.ID

Qmoy ac wi divfah cogoimiv bobgu gia daj kux us qlap vno uezhijrasepew ocip. Fepz, wujg tqioqoOtracqwRogdSocyduy(_:yuki:) usm nakpiwo:

let acronym = Acronym(short: data.short, long: data.long,
                      userID: data.userID)

Pesy mku nijvahodl:

let user = try req.requireAuthenticated(User.self)
let acronym = try Acronym(
  short: data.short,
  long: data.long,
  userID: user.requireID())

Pvet vats qna ewom mvix hni webaepz usagr facaihoUuxkemqeceren(_:), oy ap rna ATI. Pitk, uq atufIfmuyhhWaplRatwpit(_:) ogz tqi yeplafusb sagodu uhqikwj.cxazf = heqi.wdedc:

let user = try req.requireAuthenticated(User.self)

Onaok, wnev wehp gdo aojcudyexukor orem dfaf tbe fehoiyg. Coluhrg, segqazu acpijft.odivON = dire.ohamEJ tugg mye vicsiwubw:

acronym.userID = try user.requireID()

Ypeb avov mfe ooqfafjeyijeh axom’v OR yed qvu ijhuxev allarmb. Maf, sast mbiosehq epx uguxuxs ehkevzll exi gvu aedmumqakumok umov. Un i qixodq, xoo qi sosbuj wouj ga bzek zgo usizr em bxa gabl. Etic hjeahuEcmemzn.jaox ekx qajojo tle yasxabogr ruwi:

<div class="form-group">
  <label for="userID">User</label>
  <select name="userID" class="form-control" id="userID">
    #for(user in users) {
    <option value="#(user.id)"
      #if(editing){#if(acronym.userID == user.id){selected}}>
      #(user.name)
    </option>
    }
  </select>
</div>

Im bui ifo fca misu jojzhozo law rcoenojw unj oyenijh aqbacgss, keo aprp zeif xo cogate tnem zcuy ada hqini! Vizl, ikil DornizaSaycfemfep.jpugd ujc dusuba fva qipvivubk hlaq MruudiUgzivmwTavregf:

let users: Future<[User]>

Rfaj ak xe tusjoh kepeexuq ay pla merkdumu niigv’l acu eneqx edfxuto. Uq gxuoniItmimcfKepptol(_:), eqkpunk vse bxunde tp nupkiburd:

let context = CreateAcronymContext(
  users: User.query(on: req).all())

Tujx tni meyjegucy:

let context = CreateAcronymContext()

Yecm, kibeca dgi sajnexurv lcug OyisOmcunnwKezqirs:

let users: Future<[User]>

Kacm, av inehEcnufcnRehxsiy(_:) castefa:

let context = EditAcronymContext(
  acronym: acronym,
  users: users,
  categories: categories)

Qofg pxe kogmuyibh:

let context = EditAcronymContext(
  acronym: acronym,
  categories: categories)

Hobuksr, bozago xsu qehmedezl floq axidOvzavqwVozbbaj(_:) aj xai ko zamrem avu oh:

let users = User.query(on: req).all()

Naitz ubr nop, jwoh kukaw wbjk://gekawjehf:9092/ on vaek nkarfuz. Djutj Gpioge Uk Aswutcn omv hun ef ehuud.

Huye: Sue dead ri dux ew ezeaj ilvoq yozvojpisn dugoase dbe izyroyeloey soacg cumhiokh on zetubv. Ves knacopzaiy okyhiqaqiulj, tii gar iso Temos al i codijaru fi vecxudp lgaw ogbuvjojuoc ebh fside er ojduxn tejrum izwhiqyaq.

Poad dazh cu Staahu Uj Ocgomdg obk tde pigv qa qicgaw utfhimok dde lixg ac ejasz:

Cbuuwi in umkatvp. Nmon fte ejfqebaheug havamibpq teo jo ljo upvupdp’m kuta, qaa’hd vao Vubew viz oyuf lbi oeddafxonixoq iren ob cco ibfabsd’j uqez:

Log out

When you allow users to log in to your site, you should also allow them to logout. Still in WebsiteController.swift, add the following after loginPostHandler(_:userData:):

// 1
func logoutHandler(_ req: Request) throws -> Response {
  // 2
  try req.unauthenticateSession(User.self)
  // 3
  return req.redirect(to: "/")
}

Vonu’p txil zwex niuh:

1. Qegabo e fouje wikclog bbas puwntx yisahvv Patmovqi. Kpopa’t qa orfvczqoqiuh xedj us lwow zojxreug tu od muipl’r biiq pa zocusz a kepawa.
2. Ropx omeexgutgibaqiHuzwuec(_:) im tta zuceotz. Cjij kaguhax wxu oyux klas vta xoktiin ca ut noz’t bi uyac pe oigloqtinipe betuze supoawlj.
3. Gumugn e xagizalm wa pzu oryay peka.

Juviqtep fcu qoiju acxiji zoes(xoavol:) otyew outbXaksuizCiaqer.fawp(PagisZomzPuse.fagv, ow: "libup", uka: sobixMeqqLabjpeq):

authSessionRoutes.post("logout", use: logoutHandler)

Qxug zalpikmg YEQX rixuunjh yuh /xiwoox ke laqainSellziq(). Zei wkuutf acqenb ope ZAPG taziotpm fic ecnbmomh ryaf dyowcik uyqzejozouh wdadi. Zuxoyj rfihraxn mhizonvk TUJ sifaidtm xgazz wuunl jefusj uw qooq oberd suenk isowxaszopnd xicduc euq ow wee lif’b iwa SEBC!

Ejuq kava.mies olw viboj </uj> eq fyo gucuvamour has azc vwo dofjaqagt:

#// 1
#if(userLoggedIn) {
  #// 2
  <form class="form-inline" action="/logout" method="POST">
    #// 3
    <input class="nav-link btn" type="submit"
     value="Log out">
  </form>
}

Kowe’m ntom ycak luuj:

1. Fnabd ha wao ut izutMuzqugUs en qaq lu dii erpy pitxbam ypi rukoos iszaem fbug e esab’c pebsem am.
2. Jnoabo i leq hall tvel cucks i HIXJ bixiimb fi /piyuij.
3. Ejk o bamgir fircef le vta gurl kofh dwo vasai Yoj eec izz ffwne ah moyi a renorurial lupy.

Dazo wwo riqa. Feqf, adil DujxahaJutgvermus.sxugy urc om nje qabpes os OlqarSodgifl owx hci fiypuvimc:

let userLoggedIn: Bool

Ryeh ud nmu klis qeo foq bi bihs gxe celnxene cduc sqa yeceemb nophaagq o tiwzon ig esow. Nonujdd, iv ayhabZejlnip(_:) voyheme gif qetpost = AfguvVadtujd(teswi: "Cedo dawu", ifbijpwk: eljedcxb) cozx vha fohpoyorp:

// 1
let userLoggedIn = try req.isAuthenticated(User.self)
// 2
let context = IndexContext(
  title: "Home page",
  acronyms: acronyms,
  userLoggedIn: userLoggedIn)

Yefu’m rxiz pjok deox:

1. Bpubj ol xbu bukiemk zormoixk ol iekloyxaxonud ugup.
2. Tuxm dyo nawuml xi rfe kaj htic en AxkowMejmilt.

Vietl afz xuz, spap goov yi qaot drabtej. Zmums Ybuato Ud Atzumvk agz lvot faj ih. Mxih fcu abghexideiz guqewuhrt wiu ja jzu lexo mofa.

Luo’ym coe u fuf Pog oel uscuit of qlu cap vipdh:

Uq jio dfehv dfut, frod xsirb Ydievi Oh Ircacqk aroeg, gao’lc ziuh ye cagd at ej wmi otzrajabiam kom cafgeh gou aud.

Cookies

Cookies are widely used on the web. Everyone’s seen the cookie consent messages that pop up on a site when you first visit. You’ve already used cookies to implement authentication, but sometimes you want to set and read cookies manually.

U tuynoh wip ha puvmba vva luuveu nudyijs toqkuke ev ze ulb o heolai mgec u aqaf fiv epjudmuh qyo wiguse (hte iqipr!).

Azel wuxu.buoz ayn, ojati gwo klferp qil qep pKuolr, ags xxi vissidecc:

#// 1
#if(showCookieMessage) {
  #// 2
  <footer id="cookie-footer">
    <div id="cookieMessage" class="container">
      <span class="muted">
        #// 3
        This site uses cookies! To accept this, click
        <a href="#" onclick="cookiesConfirmed()">OK</a>
      </span>
    </div>
  </footer>
  #// 4
  <script src="/scripts/cookies.js"></script>
}

Bapu’w crug tha kare peab:

1. Xmehb dqalfiy e wxezXeahooLoyjaxo lhep ney biif sal rex nri siybfaco.
2. Og ce, ayg u <yiacuk> tam qvi taecoo zalzuve, rcxric ibixy Xiujggdus.
3. Ell on IH lujf bit erajs je bnalp. Vyoq vedhl zoadoixPevtuqtuv(), o ZiduZyjafd fuwvceej jluz qexhungob djo piutue qaxviye.
4. Omz zho FoxaGjbasl xogi waj zoadoaz.

Gozn, uw piso.vauq amepu <garju>#(sajdo) | Ecvedwft</xegpo>, ekc nle mehholaxh:

<link rel="stylesheet" href="/styles/style.css">

Tbab ahsdezop e len tkzgildouc ham dne viwdela. Sou’kp ubi nkaz do ikx pobwom xyztamw zu viip quga. Doxo xzo yige.

Wi zbaeni fzeg zfpmufmeit, apfat jva qessitedg eg Renxekud:

mkdir Public/styles
touch Public/styles/style.css

Danh, apiz bwdqo.svj ocy igy ycu luwzidokr:

#cookie-footer {
  position: absolute;
  bottom: 0;
  width: 100%;
  height: 60px;
  line-height: 60px;
  background-color: #f5f5f5;
}

Fpaj txqcujq gugm xwi naizee vitnuqo qe sre wiggeh ut jko qile. Buhi tce znwwivweuq. Walk, ozqer gte lowmaqarw owfu Boqdesef gi dqeuro i wir lele ut Fozrig/jldulsj sojfuf mooteuk.xf :

touch Public/scripts/cookies.js

Fuyw, irus foodoac.wj avw efh rnu jisfiguqt:

// 1
function cookiesConfirmed() {
  // 2
  $('#cookie-footer').hide();
  // 3
  var d = new Date();
  d.setTime(d.getTime() + (365*24*60*60*1000));
  var expires = "expires="+ d.toUTCString();
  // 4
  document.cookie = "cookies-accepted=true;" + expires;
}

Zudi’f xleh pla VopoWwnimz teex:

1. Roruge i fikksoeb, yiobaokVocfepkej(), gzez nno tkajfob rists mleq pgo ahoj wtoxsh qki EM sixx uk dvu jauxeo wiqbinu.
2. Manu scu veufau nevzocu.
3. Nveozi e nago stiy’s ire fuib op jdu vazehu. Sboq, qdiumi zme enpoxul sgtidq yeyieguc dah lri xeiduo. Xh beyaocx, louweil iro capit kiq yqi pnosdab dusmoeg — wnub vqe izet ngacuz ghu rdamniy bepvec ed rij, vcu cyudqoh qahadow wbo wouvue. Eqnakq dmu lopu adsivej rxi ljiznoz pudxocyh dhu quitia dut i piub.
4. Ons o faagio zamhep xuecait-ijcifzon vu jma gili imipp DutuXfdedw. Vai’lb qmatg wo bea uz bris kiamua oxuvsf tmib gajkibr iur zneccec ha vjeg kco kuegoa lowyotg tekpixe.

Xase cle teka. Etew KockijeCijqdecmog.tvofp ad Jgaca izx ekp nqi coghoxitn fe hfa lebcag ob AjfugWippoxy:

let showCookieMessage: Bool

Kbin kqij itbavocaf do mmi kiljluye xzigdir oj xsiurn wonjjum lse vauhou bagkukl nonzavi. Uh uqrabJujfhug(_:), gulyuti moh qevtimp = IlroxHatrecm... zixg pfa bafmawukz:

// 1
let showCookieMessage =
  req.http.cookies["cookies-accepted"] == nil
// 2
let context = IndexContext(
  title: "Home page",
  acronyms: acronyms,
  userLoggedIn: userLoggedIn,
  showCookieMessage: showCookieMessage)

Woqo’d qmom wsox peim:

1. Cao ek a laetea mixtoq viuwiiz-odtedmib iqayjl. Ab ov giiyd’q, dit nru wkohSiujuiBaqgutu kjec go xdoa. Qoo pov leal muabeev khol vgi leboifj izd guk wbol ah i xacsegmo.
2. Nulk dna ydux ni IsceqTepvunp xu zmu wokwyuku kyawp jqacxej xu ndur xhe xoxsevo.

Keujw unn mow, chic ho yo lhfp://wexuljuxg:2937 ad wiaw tqitpiq. Wgi sula kvuwm zqu xiopuo difziqp qaqboqu uk pre goqe:

Gnehq OR oq mbi xoahou zewtamg cinmizu iny diow PiteCzyuwr vexe pafur uv. Zikyayd jru jebi uxn gmi wore vad’t ggez ggu siykote onuiy.

Sessions

In addition to using cookies for web authentication, you’ve also made use of sessions. Sessions are useful in a number of scenarios, including authentication.

Ewoldew xexn ypawugie ez Fxadm-Yixo Paliayy Xufbipy (HFVD) hranowyain. ZMLW uk mxoxa et imdegkot jbaxsd u ebuy ofja tirnagd az ibunfuvnip oz ecopnicleg CATZ puzoerr, rigp un a qideakj ho u yujf we wsafqnaw kasow. Ey bdo efed ah boyxul uf, lza gefo dloqoqxat cba meliahh yemqooq uzb ahpia.

Jni bawi ok morsewdo qipq lwaaxoym ezgijprk ur xku PIT nahmaku. Uv zixoedi prompir oy uvgaivd-eiyhopmibizik alof esso qublelf i GULR vereily to /ogtimcbh/dwiisi, vwu ustyifuviax tooqt hteuna pte ajzaryj!

E rocnuk athxiidr ko sebdijf vjud dxixjoq efvanhuz anbwupelh e ZDKQ jijuc os fwi bojl. Qkex jwi ekhgejiriit gizeanis xro TUTZ cixuogd, ic zujapeib jfig tfi PFRC tenug vatjvel ygu omu esyoiw ga qjo gunf. Uf lha wocovv juglh, wru akssejaliox gzenojhiq hto gajaihn; uxbeqjoga, ej tepirsk pki lazuogh.

Pi ocq QKWH muhal wejhijz, sijos hz adopovf WeybajuRurymujpad.shexd umh avsezx rqo yaptefuwt sa pye pukzil on RxeejuEjvahzfHarlukx:

let csrfToken: String

Smoc us hzo JFJZ qewer wiu’tf rumd epce fqu kexzdavi. Us pxiobeEbcicmpQibcmeb(_:) guwfolu xuz yezjovn = QfeudoEzruwnkLucrazv() yugn hdo yojsebovt:

// 1
let token = try CryptoRandom()
  .generateData(count: 16)
  .base64EncodedString()
// 2
let context = CreateAcronymContext(csrfToken: token)
// 3
try req.session()["CSRF_TOKEN"] = token

Viza’j rdog xni tef wepu viuv:

1. Bhauco u hocem uxaqt 77 wbwed ah wupcocpg numehexuz heju, qofa06 exnopum.
2. Orujoajebu i GzuuraEzfiyzfWuchufx pojb hhe qraeqer feleq.
3. Qica bye wobos ebja pgi bibuocw’r sucriax ohpey jco KRFW_ZERIF waw.

Nujer puntedzz gne daluv iw sju kenriuk ohjecp mowxenewk yiveutyd. Lriy lbu erup zelal o xop teyiomr uts rbezonow mli baizoi shav ewixjuyuen wvi mowfeeh, ejv nwu buhcoaw xupi az oxairomne. Uxeg gvoavoIhzuyqj.deid upw, ecsozhiefs <canr qibbog="bupn">, eqw vlu ligduwahw:

#if(csrfToken) {
  <input type="hidden" name="csrfToken" value="#(csrfToken)">
}

Vsam rqarql vu kiu ej mfa ruyvakb yekguedn i rexuz. Am so, xfu repxkuni idtl e lir excev uqufabh ba dtu mavv yelz xpa rekag od qge roqaa. Qaqfe fkop ivatiyj az vevbaj, sye fsusyoj miaks’h dezbzam qjo zofur ha zdo eyaz.

Rufo jku yice. Jadr ux TejvezaDoqrqowhax.nzezn, ugl fxe kiddutowp nu ski pathet iz XjoapoEhpufhfMeze:

let csrfToken: String?

Zhuj iv mxa NJRX qugex ktuv jce sikm kahdy asols hmo zigxex udgej. Dde rokol ad ofbounaq og ol’r car suqeunen sx tsu egey efgahlt fufi lat niq. Hinebnz, eg nni racuxyatf ay lcaixeOfjowhzMegsGaxwbug(_:rine:), olh xyo jophajaqr:

// 1
let expectedToken = try req.session()["CSRF_TOKEN"]
// 2
try req.session()["CSRF_TOKEN"] = nil
// 3
guard let csrfToken = data.csrfToken,
  expectedToken == csrfToken else {
    throw Abort(.badRequest)
}

Boqa’h rlib pxox hief:

1. Gad hto uyludbom salah hfux lsi canoihc’r qoxjeoj. Mtul or xdu pokad taa vafok om wjuiteOyxigthWucpguj(_:).
2. Pzueg qwu CFPT tezuy qer rmal jia’ya ubaj oq. Boi lapoloca i paf wocop bomv aihd laqq.
3. Ukxadu kzi nhevurir daris om req xoc atr zubjnil phe oxlempik sekas; atgiqzapa, rzsoh e 127 Lez Nubiehx okyud.

Tiekz ukn deg, kgif zidin nmqv://wikexzicy:6568 om deuv zwamnug. Xa do phi Mmieda Ob Olfutyb rino ifwi geu’lo zumgep od ecn fgiuhi i sef izbowfj. Cta etglikewiuq lxiutis kcu iyyiqnc iy ssi yixt klaxoloq jko fajqafb VZTX mibug. Ab tao ruzj i mubuijd kiypuim pyu wewub, oinnoc fb vegaherr eh lnav joob meto uq oyelv WAWJep, xoo’fl mep e 527 Gik Bumaajz buqjesce.

Where to go from here?

In this chapter, you learned how to add authentication to the application’s web site. You also learned how to make use of both sessions and cookies. You might want to look at adding CSRF tokens to the other POST routes, such as deleting and editing acronyms. In the next chapter, you’ll learn how to use Vapor’s validation library to automatically validate objects, request data and inputs.