{-# LANGUAGE OverloadedStrings, LambdaCase #-}

module Auth (
    ensureAuth
) where

import Control.Monad (unless)
import Crypto.Hash (hash, Digest, SHA512)
import Data.ByteArray.Encoding (convertToBase, Base(Base64))
import Data.Text.Encoding (encodeUtf8)
import Yesod

import Config

ensureAuth :: MonadHandler m => Config -> m ()
ensureAuth cfg = lookupBasicAuth >>= \case
    Nothing -> notAuthenticated
    Just (user, pw) -> unless (hashSha512 pw == encodeUtf8 (confPwHash cfg) && user == confUser cfg) $ permissionDenied "Wrong username/password"
  where hashSha512 pw = convertToBase Base64 $ (hash $ encodeUtf8 pw :: Digest SHA512)