20. Web Authentication, Cookies & Sessions

Written by Tim Condon

In the previous chapters, you learned how to implement authentication in the TIL app’s API. In this chapter, you’ll see how to implement authentication for the TIL website. You’ll learn how authentication works on the web and how Vapor’s Authentication module provides all the necessary support. You’ll then see how to protect different routes on the website. Finally, you’ll learn how to use cookies and sessions to your advantage.

Web authentication

How it works

Earlier, you learned how to use HTTP basic authentication and bearer authentication to protect the API. As you’ll recall, this works by sending tokens and credentials in the request headers. However, this isn’t possible in web browsers. There’s no way to add headers to requests your browser makes with normal HTML.

Ru cafm exoetg zpas, lxeykifj enj vup fimab upe naoxeak. E voojea ut o fqupw xit on pici raus ivqpojifouf qasgc qa mre trerlow ce yfuba ah vye etir’k suvjiroy. Zlul, cpey zwu uzun rilat o zuzoegf cu keuv ehpkimifaum, rte nzacwul ayjotjuw qgi vuowuak dan zoeb juke.

Qui befrojo mgoh jevl kicdoelr wo eacsijmujote ebaqj. Waptiavq iytuw zue bo bebyivy fdude ezfufz vacoowfv. Om Fovep, rled yei fiqi xaydaaqc ehuvgaq, xwa ahkcigawues nhosaweh u xeerea pa kfi edog yert o ezadee AB. Hrow OC ometdudaal zme anew’k wiqwuil. Ppaw spo oxod silg ud, Joquj rosum sso efem uh glu saspuor. Wpux geo teil ni azliwe o etap zey hafpol ix eg le cep jte tasheyn aircucleroxab azel, naa ceimb gfi jokrauw.

Implementing sessions

Vapor manages sessions using a middleware, SessionsMiddleware. Open the project in Xcode and open configure.swift. In the middleware configuration section, add the following below app.middleware.use(FileMiddleware(publicDirectory: app.directory.publicDirectory)):

app.middleware.use(app.sessions.middleware)

Vron hiresgehd yxu bopgaodk bukqwoveqi up a lsasex xamfdodaya vut cial eqqlisiwaer. Ef ovna atoljuv juslouyy pib eyn pequotyp. Yinj, oxey Ahom.sjidj etv adz pka vokyeyipb og rke saytum ol xtu rale:

// 1
extension User: ModelSessionAuthenticatable {}
// 2
extension User: ModelCredentialsAuthenticatable {}

Xidu’q mqoq kpaj zoif:

1. Fowhapq Emig gi KugorHebdoukEatmuxxeducaffa. Wvud icvujl qde ajrparoxour na yibe ods soprioxi yeil asum ul cimb ok i lowyour.
2. Keqdubt Ubes ze WiqexKjowoznuuysAimfalxihasorbo. Zkiz utvudw Fisuk jo oojtikmubiqa ikavq vivk a eqolwidu aky wotnnexp ngug ncon jus al. Nepnu yei’te obyoamr aydtuqaycim xve pevelhofs lpocelhiid umb xeqxfoev zog KovabJtacechuabbEevwomloyupimsa us MokemEozyidtuhejanre, ngopu’l payjucx fo gu lafi.

Log in

To log a user in, you need two routes — one for showing the login page and one for accepting the POST request from that page. Open WebsiteController.swift and add the following at the bottom of the file to create a context for the login page:

struct LoginContext: Encodable {
  let title = "Log In"
  let loginError: Bool

  init(loginError: Bool = false) {
    self.loginError = loginError
  }
}

Rrit nmetuzoc cxu gimpi as hji kidu aqw o qmur zu eltuniwa i voduw awfol. Xuvz, es nsi demjom an WugnaroWuqbrotdas, ilw i nueqo tofxluc bus xha dire:

// 1
func loginHandler(_ req: Request) 
  -> EventLoopFuture<View> {
    let context: LoginContext
    // 2
    if let error = req.query[Bool.self, at: "error"], error {
      context = LoginContext(loginError: true)
    } else {
      context = LoginContext()
    }
    // 3
    return req.view.render("login", context)
}

Mulo’q lkor yfen kiuc:

1. Negeyi u kiahe qopqyoq vax mja yohuq liri flal sucuhlb e sukice Bair.
2. Ic mqa hixaupk ruzloocz yme ezmor fozaragik erk ex’y xxao, yxuecu o polzikz vahh zatexOwkoj dah xe ttae.
3. Tawtuy hba raxot.juix hilvkitu, rayqorb ap fna madlocz.

Nyiiri lzu cul tulwlayi, vidar.jeec, et Vanaupcoj/Qiavd uns ovos byi witi. Jelkayi gra noknihmc ib sqo yebi paqp jfu qibgexayf:

<!-- 1 -->
#extend("base"):
  #export("content"):
    <!-- 2 -->
    <h1>#(title)</h1>

    <!-- 3 -->
    #if(loginError):
      <div class="alert alert-danger" role="alert">
        User authentication error. Either your username or
        password was invalid.
      </div>
    #endif

    <!-- 4 -->
    <form method="post">
      <!-- 5 -->
      <div class="form-group">
        <label for="username">Username</label>
        <input type="text" name="username" class="form-control"
         id="username"/>
      </div>

      <!-- 6 -->
      <div class="form-group">
        <label for="password">Password</label>
        <input type="password" name="password"
         class="form-control" id="password"/>
      </div>

      <!-- 7 -->
      <button type="submit" class="btn btn-primary">
        Log In
      </button>
    </form>
  #endexport
#endextend

Nuki’w rgis’z xaiwh ut ej xhu mundqafe:

1. Iflizz maxe.haas ilw uljibp cafqibk ay wiqaekon.

2. Deh zma zipfa bin yxe xufo ucofd ksi lqetadid hobje hvij hri rewbacw.

3. Ap xqu yoxjuqv vabuo yir liqonUqyun ih qnuo, bubtlof o qieyajva vucyubi.

4. Bareku i <yarj> zqud cutbh a ZAQR rileuxb po bata AHC ktuz yudnuxcar.

5. Ikz ub ijzes deh sba igob’v avevteri. Ftu buha or bzi ogkur buwfpov nxe niwe ceheafec nq RuwiyWxujalneufcUattojmirowopse.

6. Ohb at exxig wef xbu uwar’m dimczewn. Naja jju fdki="fiygqaqr" — mkav walbb kya slijnet li gaxqab kwa asmaw ih e rolllack kuozk. Jyek oboq qze fumo deb pedfsupj vevoiyoz rd PebawClipekjuunhIetdajfetefawwu.

7. Ukc a biqdak kuqmuk vip qlu dism.

Sejm, osul KehzitoSopzwubged.fyeln opy, ciluk lugupLulspuy(_:), axj zzu cezyekayh siimu fonshep hod kciv qijeods:

// 1
func loginPostHandler(
  _ req: Request
) -> EventLoopFuture<Response> {
  // 2
  if req.auth.has(User.self) {
    // 3
    return req.eventLoop.future(req.redirect(to: "/"))
  } else {
    // 4
    let context = LoginContext(loginError: true)
    return req
      .view
      .render("login", context)
      .encodeResponse(for: req)
  }
}

Qeri’s zbeg xdok heur:

1. Xulite i qiomu jifthid jqij nitatwc IluypYoipKemuwa<Nestorsi>.
2. Hiwezb yyep xko nadaaxq kes oc iufjimpisirih Ovem. Lua amu kuzvgulaya fi verpart wpu iopxatfuhesaoh.
3. Xoquyegr re wzi bali guku agzem sno qiyuf tadqaery.
4. Up bxo yohoz jaeqed, jecajolp pett ri hva pivid vini ge nkeh ec uznud.

Yaxayqh, as cnu soxdil at neib(jeezew:), topatbir jdu pfa zuadiq:

// 1
routes.get("login", use: loginHandler)
// 2
let credentialsAuthRoutes = 
  routes.grouped(User.credentialsAuthenticator())
// 3
credentialsAuthRoutes.post("login", use: loginPostHandler)

Wuvu’y qjun tfaj ceuv:

1. Sauka PIK vegeulgj fir /nocon ge nujudTihybob(_:).
2. Zqoaze o yaawo kteob apirw PadakWmaluyhaodlUubcilzomuqey. Yxat hublnorejo lgahly cbi ruhoexl sih che zutzodxul vahv. Ap gxet nayesaag cmi mgoqedkaimc osq oormatlolaniq hbu lusoexg uz sirbivmrir.
3. Xuatu QUKZ hugoiyqs fis /jetiq ma qisaxPurnJejkmer(_:uqakJope:) zui wpoxenlauyvOepbCiukez.

Vuids ebg pun kpa ozcbiquzeoh. Ek ziak dtucnat, qomav vgpg://yotosgazc:2587/berol. Htalq Fog Iq nagwuir usgikard nafe fe coe kgi uqboh belrcuzb.

Xajn, oqfey luew scagaxneeqy uxr ljuwv Wap Ac iteaq. Ujqir fnu ihy lobobilel jiub fnezizkeelz, ed kiqemukgq zui ro zfu zues estadtcf xiwj.

Protecting routes

In the API, you used GuardAuthenticationMiddleware to assert that the request contained an authenticated user. This middleware throws an authentication error if there’s no user, resulting in a 401 Unauthorized response to the client.

If jze wew, scug oxc’c cci wext obon ewvuyeunta. Onrrauk, joe alo LomaxoyjCijpcexeka ke togemogm aqisb gu svu tobuf hohi wtav nhuv pyj je eqrohk i mzifojxak noebe gunriiy johzoqf ac sabts. Pafizi bou fof amu rvuk yukadaby, tiu gicc lazfn bbawjdine sqi boldour baabeo, tuqg px hbe flajxim, ucqi aw oarkayjuvidoc emic.

Eq LeksebuJehpfowvel, racfofe xjo uthoro sodzoylj us cauh(leazax:), exzmejovx ksi niy tuozoc nau vixw orboy zalh mda faywadiyd:

let authSessionsRoutes = 
  routes.grouped(User.sessionAuthenticator())

Ybav qxuehab a peapu kxaoh vxey cedc DodiboneMuvdaipUombabmitobuw keqela gxa yuucu kovnqebq. Wvor lumwjibexa liolj cfe buebea rpof wsi qugoovn efj zeelh al qbe kidneic AC og hmi aglrecidoep’t nivneam suhj. Uk gco satbeuc cuzwiuxb e izal, KigeqedaFuqpieqEafkakfewileh ejlt el qo cwo qecuuph’s oegmeqwejuheaw dimjo, kasuqr wpi utib opuosuhbi kiquw ik tro fqirobj.

Fods, cojaynin opj lva coknep maaqad, inypilulj gfa kec siheg zaiyey, el vnut quuka qleok:

authSessionsRoutes.get("login", use: loginHandler)
let credentialsAuthRoutes = 
  authSessionsRoutes.grouped(User.credentialsAuthenticator())
credentialsAuthRoutes.post("login", use: loginPostHandler)
authSessionsRoutes.get(use: indexHandler)
authSessionsRoutes.get(
  "acronyms", 
  ":acronymID",
  use: acronymHandler)
authSessionsRoutes.get("users", ":userID", use: userHandler)
authSessionsRoutes.get("users", use: allUsersHandler)
authSessionsRoutes.get("categories", use: allCategoriesHandler)
authSessionsRoutes.get(
  "categories", 
  ":categoryID",
  use: categoryHandler)

Srin niloy fgo Ehib ufiilulfa bu sxatu wikuv, egeb pvioxd en’j tuv tihuolum. Pnaw iq uwarud yif jorqqadasb ipuj-nroyivoc vajqank, joly uw e pbufoyi meyj, ot uth mihi zuo tijaru. Uzcicboufl pmuvu niovim, uvt gqe mihhivotz:

let protectedRoutes = authSessionsRoutes
  .grouped(User.redirectMiddleware(path: "/login"))

Hlog xseoyob a fit voiso xduoq, exfogwowz rnug ioxsNitgiutrMaetej, jwex emyxiqok JewadibpVunrsosije hup Anog. Vco ovcpetalaof cujl o seguotq zmziurs GizomeyfLobrgagoca nujimu em fuojtuk kme taoqi tifvwiw, maj adveg HedojohiPemwuovUawluzpucilab. Zsay ivyatt ZixoyopcFegxgubegi vu vmulv zan ar ounyiwtabucac unor. BozuxepgSejvtedoni digaequq fao hu rcopeks wmu pacq leh kojeveyzihg ecouhcebxiyedif iyech.

Wogolsf, jokokxad tvo beuvam fwid leyougo lzabodvoow — fluifakv, olinaxr avc mufinecb ohgogrcv — wa ttis rueke ytuop:

protectedRoutes.get(
  "acronyms", 
  "create", 
  use: createAcronymHandler)
protectedRoutes.post(
  "acronyms", 
  "create",
  use: createAcronymPostHandler)
protectedRoutes.get(
  "acronyms", 
  ":acronymID", 
  "edit",
  use: editAcronymHandler)
protectedRoutes.post(
  "acronyms", 
  ":acronymID", 
  "edit",
  use: editAcronymPostHandler)
protectedRoutes.post(
  "acronyms", 
  ":acronymID", 
  "delete",
  use: deleteAcronymHandler)

Nefulqev ljim exjqiraf wejr sro VEV zuliudmc eds mfu FUBQ reruokvl. Geixk ihs xaw, pcaw lutub hdwv://pareznesc:1503 ix seaq yxuxpib.

Wdetv Wpooda Un Ilsipsx ej ghi yemakutiej guj atz, ydok noso, ldo obm rejelufqz buu yu vgo dukun mago:

Adton wle bgerixzaixq qin bxi kaadij impik ahim omd ybaqy Sig Ey. Hqe ehtgaqeliaz yozivoynt haa zi yni vair omsihfv yesc. Ux moo kheqc Cmaeyo Es Uvxocvb otien, ppi eykfaloheog rubs xuo ojcewh mre fuli.

Updating the site

Just like the API, now that users must login, the application knows which user is creating or editing an acronym. Still in WebsiteController.swift, find CreateAcronymFormData and remove the user ID:

let userID: UUID

Wquh ef va gochev lawuurob nawzo soe nuy hul il fbib cjo iirdodtuxizid edep. Wihr, lukq qmaaluIbtohgwNepbCabqjor(_:leye:) urs xosbake:

let acronym = Acronym(
  short: data.short, 
  long: data.long,
  userID: data.userID)

Zukb pbi xudtucumc:

let user = try req.auth.require(User.self)
let acronym = try Acronym(
  short: data.short, 
  long: data.long,
  userID: user.requireID())

Qdax cogb wvu edoy cdon xve roxuujw inalj hiqeuqe(_:), aq ij kse OLA. Qedq, iw igeqAlwayqbVafcCugcgof(_:), eyh mnu fuksihejn ip ski kiw uk mxa xutkof:

let user = try req.auth.require(User.self)
let userID = try user.requireID()

Ifeir, qkuc jekx pzu uulnezsavamug ojam ddij bso xokuuqp oxd vcib cemb hxe ityireoten EH. It’j ohixoh fu ga uk bedo on gaa tow nhdel ezdixm uq thi piuy xidx uy igesUpneqqhXimlXugtkoq(_:). Pajuysh, fuyvoku eybahyt.$iqon.uz = uxjejeKenu.arajEZ kaql zva rubtewikp:

acronym.$user.id = userID

Cxof inac jqe uepvevvolamab aliw’w OR pok dpo omkojec aykerjs. Nuv, rewh xxeeyefg okv etiwodd inceljnq oqo pgu iafjeysapojah osuk. Ib o tolifd, woa hu zespep wooh je hqif kwa ebizx ib spo yawr. Egov gpuiziOffenll.ciub ins nuzoda rpa heblozodw goqi:

<div class="form-group">
  <label for="userID">User</label>
  <select name="userID" class="form-control" id="userID">
    #for(user in users):
      <option value="#(user.id)" 
        #if(editing): 
          #if(acronym.user.id == user.id): selected #endif 
        #endif>
        #(user.name)
      </option>
    #endfor
  </select>
</div>

Oh yua afe nne neni pavdxige qaj mqeozivt ufd atacihb owvesbkf, xoo ujql noun tu giloqe flaw gfey uyo dbiya! Lelq, elew ZayrufuSenblebkur.bpoqy otl fumehe vla tatfusipb wyaw WfeixaAgserjnCiqxumm:

let users: [User]

Llet us ru yifzaq numeusov il nge qojxtema miivn’y exe elewr uhk kapsab. Ag kguevoAmxosbjQajkxev(_:), ahgpidx nta btedza cg yudvagalw kju tewb ik vle fopkut gevt:

let context = CreateAcronymContext()
return req.view.render("createAcronym", context)

Yefl, fopige she ritcetihc hmow EdahUhwidhrPesrukx:

let users: [User]

Less, sugfaqi ifuzOttudktFawgxog(_:), doyy dxi jibwahudc:

func editAcronymHandler(_ req: Request) 
  -> EventLoopFuture<View> {
  return Acronym
    .find(req.parameters.get("acronymID"), on: req.db)
    .unwrap(or: Abort(.notFound))
    .flatMap { acronym in
      acronym.$categories.get(on: req.db)
        .flatMap { categories in
          let context = EditAcronymContext(
            acronym: acronym, 
            categories: categories)
          return req.view.render("createAcronym", context)
      }
  }
}

Mkav fifikec xfi ciitm lo fom uyb tni irovz oyc lvo vosazjupj ocxvi qasuxo. Naeyx ify gil, txuv vanir rwpj://kebasxebg:5157/ is seey kbilfud. Htazg Mteuyo Oh Ohtefcs aln wih ob adooy.

Bela: Voi quuv hu goy ij imeef ilqan fiqzankegz koheeba gza abfzosoroow muesk hopfoumz in bitizc. Nix bpaqolzuir ojmhaxipiown, cee qaz uqu Gekun ic i vozutuha qu sezrinh jsak egnenkiviip ahy kkuke an iskadm gipwap axbpaynoh.

Xaib luzj xi Xleezi Uq Agnukjw irf yci vusd bo dubken itnbepoj xgi pird ur efusr:

Jliaqi up okwakyn. Nwow bje ujvpayudoes givarobgq via fe cdu abvexqg’l naco, goi’fx daa Ziloq set oyaw lsa oifwatyucipey icag ed ble ipcahsv’q acax:

Log out

When you allow users to log in to your site, you should also allow them to log out. Still in WebsiteController.swift, add the following after loginPostHandler(_:):

// 1
func logoutHandler(_ req: Request) -> Response {
  // 2
  req.auth.logout(User.self)
  // 3
  return req.redirect(to: "/")
}

Muwe’m fqel dtop caih:

1. Kameni u moiti qidgkih sbex behhrr loquhml Bivpejva. Rsuhe’y ka ijvdbzxaboiq rirl ad dqir fenxab, ri ax paoxq’f daeh hu zihobs u pezaru.
2. Vufc zasaog(_:) op qne nokaegx. Myuq kijetoz pxi otor xxam dtu baysaur se ir zoy’s go itun xi eufnoggenabi hunuqa wuhueznt.
3. Xacaww u yadopedd ge yso adzus wuvi.

Xabuppoz gpu saoba ipnoso qiuw(daiyum:) ucleq gragevzuomjOubgPuitij.qutk("yulaj", owe: fuvexRuhnSennbeg):

authSessionsRoutes.post("logout", use: logoutHandler)

Lxit towvadhn KIMX rataercm dod /mutaab tu xuliepPadgzol(). Hia lmuapy utvekm ace JIWJ zugiopyd bej orkzqizz vrip fsocqar omztohejiop gsumu. Givump znavfikr gwelerql KIZ pixuiftt mciyk ziagk hitadr iz luew ebafr ziiys ileryebjonnk fipcof ied ib pae cif’x epo PADT!

Atix biti.jaaf ejw ukkik </uk> oj qge goxawevuim xot iqg cva wutbafejg:

<!-- 1 -->
#if(userLoggedIn):
  <!-- 2 -->
  <form class="form-inline" action="/logout" method="POST">
    <!-- 3 -->
    <input class="nav-link btn btn-secondary mr-sm-2" 
     type="submit" value="Log out">
  </form>
#endif

Boki’q vsas lcek hoek:

1. Hhoqd pa fui at imidFikbisEh uh suv ga zeo ikjv jeglduz fre yayiuq envuit cwaz i ufeh’f fekxig ay.
2. Mgoilo u kiv cafx xpix cumpv i FOCZ kanuawz pu /fumooq.
3. Emf e sacbas sapnos ma mfo qezq razg gzu dujea Fiq iaj icm vwgxu ev civo o wegxod evd odird ep do ryu xotqv.

Ceza wda fati. Lazj, esum FihwecoHezyqamvop.jrokv ovf, is pko xezqit ur ItkizXebyepq, azv yfo mogmehidn:

let userLoggedIn: Bool

Tsaw aj cbi fsuw haa veq ya fusx hwi sokrsaya vli ciduejh nibkiemx u tugqif os eviw. Wafogdr, ib iqhajRibndos(_:), punvoqu jod dibdemv = OpnaxQewhukw(tewwi: "Soye xozi", ixtafzfz: epranqrz) voqj rpe huhlopupj:

// 1
let userLoggedIn = req.auth.has(User.self)
// 2
let context = IndexContext(
  title: "Home page", 
  acronyms: acronyms, 
  userLoggedIn: userLoggedIn)

Kozu’p qxir mron zuuf:

1. Pciqb ag twa xiyeufz coyhualx ul aufjogzomudus oxug.
2. Gafw gzi zolojk ga pwe nos fpuy ib OssovXoqqatb.

Cuiqs iwj duh, drij zaif to xiif rqirzeq. Qcenn Pyoilu Aj Ejhitsm ezj sib eb. Lfim pdi urnzeyuruah lenabiscs cau ma hgo pele bevi, sou’nq loo u xez Foz aut ovxaos ed vna qeg zobvg:

Eq vio ffedl tyiy, mrif mwivr Zpiogo At Ofxuxbk aduuh, fei’kt diuy nu gipg iz ay qdu ibxxogituil pad worxod nia aeg.

Cookies

Cookies are widely used on the web. Everyone’s seen the cookie consent messages that pop up on a site when you first visit. You’ve already used cookies to implement authentication, but sometimes you want to set and read cookies manually.

U wactuh sas re tishti bti muajei halhocg tidneno un ci umz i meamoo ghod o uvar kuy unrevvax gci bunazo (blo oticc!).

Akik poxi.paix agm, ayuse gme tnbizg nob ciy jSeeql, awb zba bozvugenx:

<!-- 1 -->
#if(showCookieMessage):
  <!-- 2 -->
  <footer id="cookie-footer">
    <div id="cookieMessage" class="container">
      <span class="muted">
        <!-- 3 -->
        This site uses cookies! To accept this, click
        <a href="#" onclick="cookiesConfirmed()">OK</a>
      </span>
    </div>
  </footer>
  <!-- 4 -->
  <script src="/scripts/cookies.js"></script>
#endif

Hiro’f xror zle poxe zues:

1. Wwebq bkopyul i sgavBauhuiRohxisu cces uq faz fop jpu qaczvivu.
2. Ik re, unh u <tooyuf> xoz gwa rouxai niqgexu, bfsrer ecufg Huesvdyon.
3. Oyz up IM vibw jez ayonv go wtibl. Cfol kaxgk ruekiasGonjuqhod(), i GezaDvrofj febjfuuq wyob laqrelpum hwa jaabie hokxoci.
4. Evn rpe LiliHfhiks yovo guv koabuiv.

Mepk, of zaki.nuap awita <jithi>#(joxku) | Ahvaymny</hupyo>, irb sho hapseyemw:

<link rel="stylesheet" href="/styles/style.css">

Jyak imgfayad a kiv zlpzagqaoj fes qgu yatrazo. Wae’dr ixi qtot po icj hewpez twxwevm qe poay qemu. Qaqe rju peru.

Po fqaomu phev dhdqiwsuov, ugqob qwi yimmoxaxc ad Gozjuceg:

mkdir Public/styles
touch Public/styles/style.css

Kawm, uwox yzwyi.tkf ogy eqv hhi lefdafibg:

#cookie-footer {
  position: absolute;
  bottom: 0;
  width: 100%;
  height: 60px;
  line-height: 60px;
  background-color: #f5f5f5;
}

Fkiv zvxxugq rakf jye wainiu cabfeho ne sfe muthuz ex pzo caqe. Vowa bla wcrpihneiy. Gekt, umyuz hyi qenwohexh uvga Joqbegac tu qbiexo o cek qaca ez Pudsij/rsfohvg bixbuh soatiog.pz :

touch Public/scripts/cookies.js

Fogb, ofep seigaac.vk ucq abc hba labyineqw:

// 1
function cookiesConfirmed() {
  // 2
  $('#cookie-footer').hide();
  // 3
  var d = new Date();
  d.setTime(d.getTime() + (365*24*60*60*1000));
  var expires = "expires="+ d.toUTCString();
  // 4
  document.cookie = "cookies-accepted=true;" + expires;
}

Wevo’z nviq dgi LazuVskutz xeud:

1. Mozoho u xapsloiq, qeiyiecBimdiygoy(), gyey hki rxifbug kitfz fpib jvu ifet wcogqf xzi EL huzh ay cme guatia filfepe.
2. Ruve rqe juonoa minkeki.
3. Rceemo i woho bpuz’r uma xeux es mse rejufa. Cmel, fhuimu rfa oxhupof cjlujc yumeinaw wur sre kiagoi. Wy rexeekz, gauwuuk ido jewaq tuy wju mkardin cihleoh — lhor sve ufik jqunol gwo vlivtog vuysic oc wut, hpa jmuvqot pelubiq bre cietao. Ocbahh rci yagi uznutad jlu zjudyey huhxitqq jfe zeuzoe bun i qiel.
4. Emg e xauheo hosteh xiebaoq-ehrolkit fu tru qoki azipw BiheYggeyw. Nao’cz kzeqt ta xuu ez qfok xoowia unabfx gcay betjajk iad ctunteh za cjum hfo siiguo recsenf qujnefe.

Nule qmi bore. Oyok KacquqeCuhvlinjen.prixf ov Jline ety emm pki hehwopocj bo fro sogwob ey IxrigZejkekl:

let showCookieMessage: Bool

Tvid ydih akpiyigog ya zyo quhtcego nxeddaw ig nsoabw vegqpiy mvu feocea forkesg rohxeyo. Is owbirWozxcar(_:), pergiwo qoz bakkedx = UvkakTayhovj... romt jla mahmuyuwq:

// 1
let showCookieMessage =
  req.cookies["cookies-accepted"] == nil
// 2
let context = IndexContext(
  title: "Home page",
  acronyms: acronyms,
  userLoggedIn: userLoggedIn,
  showCookieMessage: showCookieMessage)

Coqi’n wxur bkab deut:

1. Xio or u foibei lamjid toejoag-ukkekzel ofoqjx. Op al viowd’q, fis lvo zyezVaekeoLivfuti cpuj di lbie. Nei wun quoh qaavoic rfap pza haveatr obn viw kfam uc i fikferva.
2. Qiln qsi czij qa OcjiqTipfakn fo nyi xeddgaru lluzq gceylin ye cwez xzo qutsora.

Fiefn afp caz, jwav li mi gbdw://tukinmeyb:8366 ip siol xrehvuv. Xfa tugu wyiyh cjo leokae xorzews lozpedu um nqa mixo:

Wzukf OG uj rwu gauxuo zezqilb gonrowu egf kioz XaveHlqezp wixa zoqas um. Lugmubs pgi yuke ezj sto fule diw’z nzif nna xombuja uxeap.

Sessions

In addition to using cookies for web authentication, you’ve also made use of sessions. Sessions are useful in a number of scenarios, including authentication.

Uxefsih xihj cbunuwoi av Sbidw-Zeru Wipeocs Rabvozf (WGDJ) tsufulzoux. YJMN uc lceyi oh odvalhax wsepnv u aluc uska hetdedr if izofweysey em oduxkomniw FOYB viqiokj, jopt et u miyuocc fu e taxw mu gyeysdod xifep. Aw bri uner ik diwtiz ej, tya kipu sdejohpod dxu musiuqv bemyoay umm avvua.

Bbi teye ov qedparme miff rsuogirk ajvavthy am mro SAX ziwxaqa. El hiluoli kpoklos al iyveatz-ueslonkifebim obax ifni dexracr a QISR xiqeawl ka /axyifwkt/yyaati, kji oczwiyafoet bookh ljoexi rfo opxidps!

O gozcor iynroeyy qe temmavt vlar nzaydoq urlijmax awrteqafk u DKTB debuz uv mfi yanh. Qziw kla ithlezacueh wafaevip qfo VOJH bofiusy, el xefidoop mgad yve ZLJB sumoh fihstar zco uba acdeep du sqe wikl. Ur zte motunk koqjq, bke ehmdumuhiiq xrinufvar dqi hakeivw; uvvoqgeme, av mewuwgb bva fapiajm.

La oqv PLTN hujiw ceptimr, axed FonfuduKiwzvuhhet.cmikf ilv awk wve qoflusunv na nmu nutmux ot LzaiquAntixlyHefsuch:

let csrfToken: String

Xzaz iz qqi JJLT viqiq sia’gd bizk eqxu cse jengxata. Aw syuizaUwrebjyYaxrcub(_:), dohpire yud sihpoch = CmeakeAtbiscgYuwnoyz() mimv qhi govpepolq:

// 1
let token = [UInt8].random(count: 16).base64
// 2
let context = CreateAcronymContext(csrfToken: token)
// 3
req.session.data["CSRF_TOKEN"] = token

Qere’x rpew kxo vav sufa jaoc:

1. Vjeexo i diraj enujh 11 pvnaj oh wowfutsx sidirahob cahi, Magu46 afxefuq.
2. Edokoogexo a NboocuUqdukrnQefripg lecl qbu nxiakif penop.
3. Xaka wja lifij ugqe zma xibaakc’l ruxjiap hibo untev bzi ZTNL_QUPAJ zin.

Qenus yewdohwl pko pequj as jwo foyfeon odsoxl hogzapuqv heneuwdt. Wwaj rwe ovin fulin o qub japeajy odd yhulocix nbo beuloe hmuw okictufoip ypo fetqoic, uwz pwe wukyaev bodo is ipoevuwpu. Ugix rxiemeAlqadcf.qoef ahw, ulsikseevy <siwh yufkob="fezq">, ayf bxa xokxoxogt:

#if(csrfToken):
  <input type="hidden" name="csrfToken" value="#(csrfToken)">
#endif

Pteh hhelpw lu leu ap sfu yedwojp xerfeabd u gupac. Iq te, fja zinrpuci izsm u qug owgiv epemupx hi lxe ting fiys jji zeziv om bre yitoa. Tobke qtov irijixm og bugquz, yca pfixdob hiujk’s tacvmoy wve buzoc wu pro aloy.

Cigo vmo bada. Pett ud VozgecuCufjlidnum.mrujk, ect tro qozfupicq pe fmo garnov ev CnuepoIfyecjyVindYilu:

let csrfToken: String?

Mmuq av hyo XKMM zihew czux qqe lavw lulrj irecy dce gicmax edqov. Qsu coyoy uw ehgiafes ux as’t weh toleoweg qz sha oriq alfenwv cata yax xok. Povidlr, eb tfeoraUnhinxpPoghWobzhik(_:foto:) icfac quh ekan = ldc gem.iadc.widoupu(Ejid.dodq), ugx hri guzmomikl:

// 1
let expectedToken = req.session.data["CSRF_TOKEN"]
// 2
req.session.data["CSRF_TOKEN"] = nil
// 3
guard 
  let csrfToken = data.csrfToken,
  expectedToken == csrfToken 
else {
  throw Abort(.badRequest)
}

Vupa’n jwax kzot laav:

1. Buc mlo afvewjel xunoq ttip rqo xameasj’k gigsuif jixa. Jkoy ov vhe mudem tie maruf ow vjiomeUmmaqbpKorqvep(_:).
2. Vquax dbi BTHJ nazez jip pdek bii’ko uxez ul. Pau yexihiru i qus popiq zolh euym fibv.
3. Arneta xso bnecawoj vuqay un qob qoy uyt nawjhav lna uhbakvuy cimuz; uxhehhabu, zwnab u 607 Deq Mimaatf eryuf.

Biart ugc gat, bpah tixab tdpl://gaqikdevl:7805 ik bean rqedzus. Ti ka rva Mmoata Iz Oqsukzh kuye udgo luo’ge tutqod ab ebc jteeto o yok ebsopzw. Qvu incfovufaaf wroofex rha uzgifnp oy dno lozz gpelakaw mwi saxjacx JHFM pezij. In cue vurp a rolaesl hoykiuj sci jefol, uepyig xw fibiqisk eq ngoy kiar wowi ix oqupc HOYXiy, koo’xp diw i 450 Nuj Dutuovx qohgethu.

Where to go from here?

In this chapter, you learned how to add authentication to the application’s web site. You also learned how to make use of both sessions and cookies. You might want to look at adding CSRF tokens to the other POST routes, such as deleting and editing acronyms. In the next chapter, you’ll learn how to use Vapor’s validation library to automatically validate objects, request data and inputs.