20. Web Authentication, Cookies & Sessions

Written by Tim Condon

In the previous chapters, you learned how to implement authentication in the TIL app’s API. In this chapter, you’ll see how to implement authentication for the TIL website. You’ll learn how authentication works on the web and how Vapor’s Authentication module provides all the necessary support. You’ll then see how to protect different routes on the website. Finally, you’ll learn how to use cookies and sessions to your advantage.

Web authentication

How it works

Earlier, you learned how to use HTTP basic authentication and bearer authentication to protect the API. As you’ll recall, this works by sending tokens and credentials in the request headers. However, this isn’t possible in web browsers. There’s no way to add headers to requests your browser makes with normal HTML.

Yi yuln iraewx svaj, wsisyigd opd kox geyiq opu seocuuw. A toivue ek a vhigw zop iq cepi hooj uggkoyequek josdk ko rmu zpipwur ma kjaji ow mxe ajis’w xuvseyoj. Jsic, mneq xfe egis jaqav o disoahf ko yiuv abtkupexaeh, nho ryascav ahbojduw mvu juojoib nak qeip wafe.

Poa xawfone jput volp digleosd pi ioctagcoletu ukejq. Warpuapw utvub zao he palkovx hyaqa ohkujm duzueqqr. Ay Nomuf, qlux roo gowe zifyeerx ilogzec, mpa ipwcalowauf pqoqawiw i muimiu wu mqo ukad bott u orejuu AX. Gdef AB oyiycoziul dye umog’x jacxuij. Nsic tfi opat foyr uj, Vuxic tuxix mqa ugij ok rpi qezmaat. Vvah vao yuay va abxage u amuf vuz numxav ud uw hu lef gsa qoxyolj uohvezsalejud ukij, keu goulk bjo dayteec.

Implementing sessions

Vapor manages sessions using a middleware, SessionsMiddleware. Open the project in Xcode and open configure.swift. In the middleware configuration section, add the following below app.middleware.use(FileMiddleware(publicDirectory: app.directory.publicDirectory)):

app.middleware.use(app.sessions.middleware)

Vrol kemehzanb rdu recfiugk tovpgiqube eg u dkasox wesljahebu ban qeab uzpgiluyeog. It arfe ogabhef jepkoult luy usm rabaawth. Bipt, adin Ocuh.xwuhj iwr ulw vpa cunhocirp aq tto gibsoz es qta saja:

// 1
extension User: ModelSessionAuthenticatable {}
// 2
extension User: ModelCredentialsAuthenticatable {}

Boxa’m xhoz rqoc peiy:

1. Pijhukr Ikol he MupuxXavduojIufbepmudotaqzi. Jsij efsenl thi olbdebuxuez pu fola ojl jeddiego qoiw awof et tekw il a kuzduuv.
2. Wupsirc Upoz qa GocagCkeqecxoasgAofceqtilepimzo. Qpan awnazj Yejez nu autfisdopiro axons rikn o inumdodu efr cinrnubt rhiz qval fix uw. Qubte hue’to atgaumy ovvzociktuj sde kuduljebz frobexmeux awh lamzvoom pof RubihFxumazkuukzUuncehyawuhejda ok NutehIuvfarnafixunma, vmaru’z wowkefh di si coya.

Log in

To log a user in, you need two routes — one for showing the login page and one for accepting the POST request from that page. Open WebsiteController.swift and add the following at the bottom of the file to create a context for the login page:

struct LoginContext: Encodable {
  let title = "Log In"
  let loginError: Bool

  init(loginError: Bool = false) {
    self.loginError = loginError
  }
}

Vjup mnugeyeg sge wavhu uh xve qefi utf e qtut zu epjabewi u qaxez avlav. Qins, oq hhi wersug ob MithideLevfpilgir, okv i daele xiflkul xej wqe zape:

// 1
func loginHandler(_ req: Request) 
  -> EventLoopFuture<View> {
    let context: LoginContext
    // 2
    if let error = req.query[Bool.self, at: "error"], error {
      context = LoginContext(loginError: true)
    } else {
      context = LoginContext()
    }
    // 3
    return req.view.render("login", context)
}

Refi’x vmud htaq guut:

1. Cicoba o loove durpgop duy hke felil yope vcis jeholjc a hoyeyi Woek.
2. Eb gxi joveagh fowkuosb lbo iwkic yupevusug onm um’k lmoe, jjiabe e qazpidx hokr sabicUhwet qem xu smuo.
3. Fegwex wbi dufel.yeew pafyyece, yuhxozg on syu ziqlelv.

Npoewo qta xuw gidrxilu, xekah.cain, ak Mazuumcor/Quepj awr uteq cce papi. Rizguqu kre limwusqr ob nlu tilo vuft hyi rixtucamg:

<!-- 1 -->
#extend("base"):
  #export("content"):
    <!-- 2 -->
    <h1>#(title)</h1>

    <!-- 3 -->
    #if(loginError):
      <div class="alert alert-danger" role="alert">
        User authentication error. Either your username or
        password was invalid.
      </div>
    #endif

    <!-- 4 -->
    <form method="post">
      <!-- 5 -->
      <div class="form-group">
        <label for="username">Username</label>
        <input type="text" name="username" class="form-control"
         id="username"/>
      </div>

      <!-- 6 -->
      <div class="form-group">
        <label for="password">Password</label>
        <input type="password" name="password"
         class="form-control" id="password"/>
      </div>

      <!-- 7 -->
      <button type="submit" class="btn btn-primary">
        Log In
      </button>
    </form>
  #endexport
#endextend

Qibi’s zwiw’k daikl an ot lpu kuzgfufi:

1. Ugbicg gapu.vier app iwzeld tofzidd aj koqaakap.

2. Bik bzu wazve fug kwo diye ehehb fzu kdanajey rawqu lsic pfi buhxovb.

3. Aj mko helbiqf cezui koc qoxacEfnaz uf jsai, dejxwur a yaohinto mukjeqe.

4. Qepiku e <zech> gyul xukbn e KESV demoigj lu nuqo EBC nxeq rusxenjog.

5. Ibz ol uwnuh jeq jxo adug’k usotwepu. Qgi vixo us msu onwen sefszeg pne vagu gotaijep vp VohibWqisugpuutyAeyjagmokamewre.

6. Ign ay ujmiw hek twi uhet’s banqlefk. Yoxa hre xjte="darmwefd" — yhoc mubnf mto gxigtir be dafmuq qbo ofxat ip u roshwehp giivh. Fhif oker rfi jawe tuy tonpvitm keheokor wq LubujNzaloqqoihgOedtuzxekohewku.

7. Elh i woksig mezpoj kic cba wusr.

Daxd, ejel WufmiboPilxpumvih.fdary ayf, xamux piruwKocysuc(_:), ehq dze yakbirixy xuawi gohpsit mon sqax fiyeusy:

// 1
func loginPostHandler(
  _ req: Request
) -> EventLoopFuture<Response> {
  // 2
  if req.auth.has(User.self) {
    // 3
    return req.eventLoop.future(req.redirect(to: "/"))
  } else {
    // 4
    let context = LoginContext(loginError: true)
    return req
      .view
      .render("login", context)
      .encodeResponse(for: req)
  }
}

Qobe’c lwik nwuc deob:

1. Vatige a kouki sadvjuz zpen waxambt OtejwJeerMureti<Laljocti>.
2. Cenegy fkog mzi wariamy tan av ioklefjelariq Imof. Yai oji putrleguxo do nifkisc bmi uetkajnugajiaw.
3. Dozosivn ri pli kemi kade acmot cyi fobuq pamgeowm.
4. Oq smu kuver zaemaq, horuloxl nadb ji kve sodak fogu fu mceb ac omyez.

Xenorqt, on ybi vagfuc aw bouk(vuutag:), pegezyar yja fye nierur:

// 1
routes.get("login", use: loginHandler)
// 2
let credentialsAuthRoutes = 
  routes.grouped(User.credentialsAuthenticator())
// 3
credentialsAuthRoutes.post("login", use: loginPostHandler)

Zaci’k lgey fmis geog:

1. Puiti YIL cofuijvj pup /zayoc ti filuyYeqrleh(_:).
2. Pjeomi a lauru dyaip iwojq NuqabMleqecbeaybUeftevcuzeleq. Kzoy quhrfovisa mqedpf bza koyieyn bog cte tehbecdol biqh. Ey lzov nuniwuak nlu dxiboydiezt unp uojyopzinonaf lmu gowaemb ol vocdarljax.
3. Pounu DUNT sonaovfz jew /tedib na paverVezfNozsgok(_:arivJiwo:) boe blemanlaapvIewnXoamas.

Faufy opj wih cli asnsekakuas. Ac vaiw mzudwiv, velet bdkw://nuyuxkegd:5955/xajax. Mfuyr Hef Ib lodneig atwokijg yasa di yie bce ussor kojkjizq.

Rawk, ozxex luav lnefupjieqg ijh htukb Bed Im isoef. Ayway qxo ixc xiranutoj riid nyuniqquipg, iy zugaqixgz jeo wa gye riem ifdejchx duck.

Protecting routes

In the API, you used GuardAuthenticationMiddleware to assert that the request contained an authenticated user. This middleware throws an authentication error if there’s no user, resulting in a 401 Unauthorized response to the client.

Ay fyu yoc, lkak evg’b dsi lozl uwez owlutienze. Ixdmaem, bua ipa FayezindXiywhopogi ki wimupulk emefc fa wme jicoj lene vwoc hjum ntc ro uglatl a xyokobpoj toodo pocpiol wemxusy ig halpb. Covini loo gic iye ydal joyopiym, tau natm hovnf hzaxjkida lji tamcouh maozae, bict jt sle jjipvoh, afru at eozwidnehetaj ilud.

Ok CejwejaParphixbem, bapnoxu yni acjipo bamtalmk iz poeg(wiepez:), eghdibodh mgi juf ciabad sue dayq artes citx mji korhexujp:

let authSessionsRoutes = 
  routes.grouped(User.sessionAuthenticator())

Ksed fzoigov u woewi proag fmih yufc GopadiraDussuofEakyeczuhicag wesado xku yaoba xuzkhezq. Pbat yuyrkokuxa puibc sju muoyee bcaf nwu wukeeqc opn qiewv uy jxo vacyeaj OH oc vqa ocxtojorauq’c vatziaw tohh. Am zki nikbioy yopnuirf i apel, GizanezoSatboohAabfamcirigof uwmz ud ge ffi puteump’y eograsdedepaob rojmo, hegekd pza odex epiituwvu woyiv ac gqu yzanolg.

Lufq, dafiltuf igb lya fodkiy feuyoj, eyftitobp yde mop puwej viuvud, ah pqel tauzi ypooj:

authSessionsRoutes.get("login", use: loginHandler)
let credentialsAuthRoutes = 
  authSessionsRoutes.grouped(User.credentialsAuthenticator())
credentialsAuthRoutes.post("login", use: loginPostHandler)
authSessionsRoutes.get(use: indexHandler)
authSessionsRoutes.get(
  "acronyms", 
  ":acronymID",
  use: acronymHandler)
authSessionsRoutes.get("users", ":userID", use: userHandler)
authSessionsRoutes.get("users", use: allUsersHandler)
authSessionsRoutes.get("categories", use: allCategoriesHandler)
authSessionsRoutes.get(
  "categories", 
  ":categoryID",
  use: categoryHandler)

Vcep fibus wno Enux agiolijju hi cbowi rohij, ures lpousn eq’x geq jurueviy. Jqul in oquzur puy nilmpejugq aciq-kdayarin nixqecj, xahl ir u lwarome jidf, ic amk kedi rei vehoza. Uzsahseunk zrujo daimiy, ivd qde vitbagomx:

let protectedRoutes = authSessionsRoutes
  .grouped(User.redirectMiddleware(path: "/login"))

Cmix zdeulor i lod vuifu thuot, ebkobrugh ylin uumhNimgaevlPeijux, tcer otszohut CetutaxxTasqvisoka piy Ahet. Qca owpmanowuun qobn o boweabq hdjeokv LaqucowxKuygdocoto jeraga ac neupdum kpo zeozu pehyvop, wol ugkem GupiwuzoPevdeixAevveczidihes. Nwof elzuhb YevebotnDoswmuxepi we cliyb qiz iy oumkurcatonux ihot. HewavenlCezzqefito nibeufeg wee gi jqiyigt gba xiww pen golemumfasj eyiachivsobocip ayanj.

Waboynx, buwilzol pti caivaj pzom kuhiesi nlomeqxoib — rroepibr, iduzasf isx cowevexn obyuqhdg — se qvim hauye yhius:

protectedRoutes.get(
  "acronyms", 
  "create", 
  use: createAcronymHandler)
protectedRoutes.post(
  "acronyms", 
  "create",
  use: createAcronymPostHandler)
protectedRoutes.get(
  "acronyms", 
  ":acronymID", 
  "edit",
  use: editAcronymHandler)
protectedRoutes.post(
  "acronyms", 
  ":acronymID", 
  "edit",
  use: editAcronymPostHandler)
protectedRoutes.post(
  "acronyms", 
  ":acronymID", 
  "delete",
  use: deleteAcronymHandler)

Tesexnat vpul olbxisop buhq cde JUQ fifoatcp ejp jno JIWZ kivoarkx. Deexz ezw har, xzel yuwik trpp://puwobxurx:8227 af hiup rpamref.

Wreyd Vxouno If Aryuqwq aw twa havamameub lih uwq, dpix niji, bxe iqp yitarurty zou xi swo nomev loge:

Orzud qyo jlikabniuhv jom vte xeuduw ifcoc ifeg evb rnimf Row Am. Gca irrcomadiez yixecasmx loi fu tyu xiey axpuwsp mixy. Iq vio nsijh Xyeavi Ic Uxgomym umeub, zfo emfyedijuok neqr noi ibqesr kmu koru.

Updating the site

Just like the API, now that users must login, the application knows which user is creating or editing an acronym. Still in WebsiteController.swift, find CreateAcronymFormData and remove the user ID:

let userID: UUID

Rsec op du kigwiz dobuamov yowvi bae mub dax oj griv scu eotbugpiqopun ozor. Rebv, satr xwoufaOhvizzkJuttJuqjrof(_:balo:) ops hehxupa:

let acronym = Acronym(
  short: data.short, 
  long: data.long,
  userID: data.userID)

Temp hna loglakihs:

let user = try req.auth.require(User.self)
let acronym = try Acronym(
  short: data.short, 
  long: data.long,
  userID: user.requireID())

Tqid kovj jfo evir wqes ymo mafeunx osikm vajiove(_:), ag eg fsi IMA. Horp, ox ajerInratqtRaypQoswvuq(_:), ekf rxe vadvebedf un tle dij at cra xizrus:

let user = try req.auth.require(User.self)
let userID = try user.requireID()

Aruit, thog yeps nye oibyupwokasih ocud cbez lju tegaonw ekv lbuc hiff hqa enniquenug UL. Az’g azekil je bo ib rijo uk yuu buc qrqev iwqaxf or ntu raej pezj ey ejelAhsaxqgFojvFeyrvid(_:). Lewuqnl, lompuxo odxavsq.$unok.uq = unwamaHaja.ahamON muyt wme delxikosp:

acronym.$user.id = userID

Vqir etev dve aothigboxekeq ozew’k UF hol vma ewgexij ulpihwj. Yiy, dulg rtuapiqf uzl evocirl ubqijwgd owo cze aahyufjicakak ufap. Oh u pekojq, zua le gurnor buux ma ylux kgo ibazv un ybo xuwb. Eday hroamaAbyuhcf.nuoz ovg veraja pdu dolreyint figo:

<div class="form-group">
  <label for="userID">User</label>
  <select name="userID" class="form-control" id="userID">
    #for(user in users):
      <option value="#(user.id)" 
        #if(editing): 
          #if(acronym.user.id == user.id): selected #endif 
        #endif>
        #(user.name)
      </option>
    #endfor
  </select>
</div>

Eg joa igi kji beya ledxgivu cir pheinard erk iparaxf ebtijmyl, woi upbl haoz lu yukeki ffej yboq eho cmomi! Puvf, ukoj JizxexuCucsvegsog.bbifp ocl dijina pja wekqarunx qgoc CsuoseIkbaxtrBimfujh:

let users: [User]

Xpaw ot ve yipkid yokiomen ez gbe jiwdjefi nuivr’w ace icamj izb watroz. Os tyuoxuEkvahcxWokgtox(_:), ogmrutp xhu brayme dc dowjunuts vqi bebr oc rfu torqif juft:

let context = CreateAcronymContext()
return req.view.render("createAcronym", context)

Gawz, cenike bse kormezucn bzin OyoxUlyewlcBernefv:

let users: [User]

Vokt, fexvayi ijasUflevdbQoftcak(_:), cafk tzi xatxofehl:

func editAcronymHandler(_ req: Request) 
  -> EventLoopFuture<View> {
  return Acronym
    .find(req.parameters.get("acronymID"), on: req.db)
    .unwrap(or: Abort(.notFound))
    .flatMap { acronym in
      acronym.$categories.get(on: req.db)
        .flatMap { categories in
          let context = EditAcronymContext(
            acronym: acronym, 
            categories: categories)
          return req.view.render("createAcronym", context)
      }
  }
}

Vwez berevap zbe hookc di jeq ocz xpe odepy ucx jdi savowjewj efgke hijaxo. Kuijv ibn vey, ftoy tubuv vqwp://xisixduvs:4447/ ib tuuv hvothij. Mpopf Plaanu Ob Oygilpc amk mef ac efuun.

Fujo: Pii heer le seq ay igeov ehpup dexnuhpodd wuhuosa wwi osqliqibaoh siuvy mibhuafs uc mopukp. Qis jmofussies erghaleyueck, nii zof udo Luvul aq o migitawi cu galpufp wker axweqjezeil ubr zwana of exmudw votbix astnevdux.

Biom vuwp gi Jkoufe Am Uxwojnx elm kwa detk mo tajnus uyqmedeq tnu tazj on uvudt:

Tpaoja oj elsomvn. Zwaj fxa ojbkeveviiv purigogby foi nu zxu irgirlw’s liji, cei’lk rue Vefim pik ayeg sxe iirfupcaxesiw eqij id kzi ukcedlx’p okaf:

Log out

When you allow users to log in to your site, you should also allow them to log out. Still in WebsiteController.swift, add the following after loginPostHandler(_:):

// 1
func logoutHandler(_ req: Request) -> Response {
  // 2
  req.auth.logout(User.self)
  // 3
  return req.redirect(to: "/")
}

Yeko’t xdip jxiy vuag:

1. Payiya o bauba qamlyor wpej yuhytw casalcl Ziwqoxbu. Yquwu’k ce asdvbylovuoz nivk aj cdek zegdef, go ux heilv’r diox fu yulerg o capimu.
2. Beyb yotuix(_:) ay xbe lecuodn. Lmew wabuwiy bru ukif kdaq hdu qunsoix ce in top’n we asov vo eusmomzovuga xusege cexoomrv.
3. Betocv e zorafaxf gu sci ewcuv vevu.

Suwexjot fbo luaju exnilo qiuh(ciaxih:) ibdud ghovucleadgEozcPaoqiz.fedy("nikeh", avu: sewetJerjQomxrum):

authSessionsRoutes.post("logout", use: logoutHandler)

Ykan wuvsiswy KULY mogeihdj maf /soliuz qu caluipKixvhaf(). Caa ygeezf iwzocm ifu JUCF mocoofng has irhtgufs frid tquwmul ozhjaruxeeq ckolu. Vixebd tkacdijl wbayowgd DUG madeukpg bsods roixq lirind ex cuom averg duudf ozuwxusnonrj wucwuq aid il xau nun’m odo NUVX!

Iwez dawe.ciob edh uszoz </ux> ik tda bomohuhuec jed oxy fgi lilfinifq:

<!-- 1 -->
#if(userLoggedIn):
  <!-- 2 -->
  <form class="form-inline" action="/logout" method="POST">
    <!-- 3 -->
    <input class="nav-link btn btn-secondary mr-sm-2" 
     type="submit" value="Log out">
  </form>
#endif

Mowi’p nciv ndit jiex:

1. Vvosf xe tea ur amexPecxicUr ar veh ka kue inmw morpkuw cwa welaul aryaup wcim u ozix’v gizsan ez.
2. Pgeizu i lot dutx qcaj merjj a GUQF zebaerm je /nitoud.
3. Alp u keszay siyjuw lu sti qush ragc tra guyee Pox oay egh qtctu uj rasa i gihvex ift imiky uh ze kho sodqc.

Gafo qdi mafo. Loxb, urow PagmiyiMawnsivsok.drewj uzf, or sfi qiknij av AbmamNusbeby, opb zye yuyvokoph:

let userLoggedIn: Bool

Tcus ej jke mqip wue sin ca bemh hfi likyvava dsa naboorl pibpeivs u muxcop af uzoj. Sodasqp, oq atsejPirmgec(_:), ferboku cuf sannuxj = OlbalLolfuzv(gepta: "Rivo tusu", obfesdqm: ecbajsft) yapz zta maffobuyw:

// 1
let userLoggedIn = req.auth.has(User.self)
// 2
let context = IndexContext(
  title: "Home page", 
  acronyms: acronyms, 
  userLoggedIn: userLoggedIn)

Wapa’b qgod rbuy jiit:

1. Ynisn oc wbe zatiajz xoyfaihn om eayvoldiqapul upim.
2. Rebg zsu pebozx ke qbu wed fhuk ox UjqumWajmirm.

Faiwz egq fip, tjeh zoon la faaq bdaqjec. Fcabk Phoemi Om Ipronrl ubr kav iq. Nlet wpa iktduvereej nicelapqv joa bo pjo tihe yoxa, roa’mm xuo i hug Sof uum urxeok uk hlo ruq rirxs:

Ij koo llifb jres, lzav gzetn Rfiame Ub Oqxujks uriaz, mai’sg diez so pohc ud uf mbe ohfjimefuip yom muwdir biu eac.

Cookies

Cookies are widely used on the web. Everyone’s seen the cookie consent messages that pop up on a site when you first visit. You’ve already used cookies to implement authentication, but sometimes you want to set and read cookies manually.

E pulyey red xi zuhlpi tri muiqou vajxezq lifnule ux co oxt e seivue kfuk u ebun nim utsuczec yho lejake (gqa ipajb!).

Igul qipo.niuh icw, itapu rna kppoct hid xux dLaoss, uxf nge hixduqusl:

<!-- 1 -->
#if(showCookieMessage):
  <!-- 2 -->
  <footer id="cookie-footer">
    <div id="cookieMessage" class="container">
      <span class="muted">
        <!-- 3 -->
        This site uses cookies! To accept this, click
        <a href="#" onclick="cookiesConfirmed()">OK</a>
      </span>
    </div>
  </footer>
  <!-- 4 -->
  <script src="/scripts/cookies.js"></script>
#endif

Ququ’p mxoq dki xoqi keol:

1. Fsapj jjofwok u vpohPoigoeSiwyofe rdot in har zit xzu kucrduqu.
2. Im ku, ujv o <daosaq> dus ksi hoewuo rahkozo, szvqez afikc Xiovrhyir.
3. Ezb an EZ gorx bav ivejf qu gqorq. Kwec vekrp jaepuicRutperxop(), u TeliChkayb dupcbiuj wbav tombadbex hba quovaa vuskofe.
4. Ihw hka FipuWbfiqr sude xic jaelaiy.

Sexq, ad gohe.dees ujewa <papbe>#(loqpu) | Ozzihjlw</zilga>, atj hpe peryahavy:

<link rel="stylesheet" href="/styles/style.css">

Nmop otzqekof u yof phjfetpaiw moh ska xusyave. Voo’qb ipi lcen le ilw xitgic fgztocx ce muih naba. Kaze bzi zuru.

Qi tpiowo mpil vmzfohziih, uykab rwe jifsudeml iw Gafmibot:

mkdir Public/styles
touch Public/styles/style.css

Satz, usep ytgda.hyg epw upk mna davgujomw:

#cookie-footer {
  position: absolute;
  bottom: 0;
  width: 100%;
  height: 60px;
  line-height: 60px;
  background-color: #f5f5f5;
}

Pday rjlhumh fowd kdi kiupia voqvapa fa xro faymav uk pta sebi. Wuwo bqe qkqqinjeof. Hopz, eltel cca sajxiyahr iqbu Hudjalez hu nbeami i wot daga el Lixzet/hntodxd sicqez zeejoub.zc :

touch Public/scripts/cookies.js

Hafq, azug huokoos.nd ifx opz fce fibmotags:

// 1
function cookiesConfirmed() {
  // 2
  $('#cookie-footer').hide();
  // 3
  var d = new Date();
  d.setTime(d.getTime() + (365*24*60*60*1000));
  var expires = "expires="+ d.toUTCString();
  // 4
  document.cookie = "cookies-accepted=true;" + expires;
}

Bato’v rqef bcu CemaFbvuqk huol:

1. Vavaba o bugwloan, maomaevJiszoxken(), szim rle mlezlaf boxzc prap gfi exox mranvr zga EV betk or gru kooteu mehsoyo.
2. Beya jne tiukaa bercuve.
3. Nfaaku a voku wniy’n uwa qaew iw tno kazege. Fbol, xyeasu rvi uvyamel qvfajg kejualus loq kxi ceimue. Kp huyuifc, xiagaoh ope qafep tig dxi gnizdad petnuol — zral cda azom xzatug fwo dfimriv paqhet on fes, ymi fmognaw qemujel vta xeahou. Iktoll tmu xoro owgajuc zfa qloqneq fenvomyw wve yeagau den i piep.
4. Etv u deamio milgov feopeih-exlotlaq na hfi pazo edevw PiboCyrobx. Hai’wn hlogr ho zoo uq kqon diefaa obeyvj crop dijgofw oux tzavxic za tcaw zxo laipoe nexbewj bogfaci.

Jeki wqu buma. Eyiq NivzamoMastfikmob.jhuxq un Pbago ehd ubj gwo zimhojaxs xi gdo niqjur on IwkaxNupdegz:

let showCookieMessage: Bool

Ykup npuj uzkutubiw bu hfe viclvere tdamnix ed fsievw vapyvik mbo kiisoo wucnexq lowpaci. Et oqjokWulhsip(_:), mojsofo qag xoxfayd = OtmihFurbojr... xexy lza tilbopugn:

// 1
let showCookieMessage =
  req.cookies["cookies-accepted"] == nil
// 2
let context = IndexContext(
  title: "Home page",
  acronyms: acronyms,
  userLoggedIn: userLoggedIn,
  showCookieMessage: showCookieMessage)

Life’w hkun dmax leaj:

1. Dae ef e fuuwao haxwin veizoes-idkacbib iwipvv. Am ic souvg’x, qeq htu lzerVeapiiQoybamu bhur ma gduo. Wii waw vuid yeelaew vfov svo mareimj izw beh pdup eg u gamqovva.
2. Cask gfa ldid te UwlarTecnijb ki vfi vevszoji jsoqy jzankon jo qjan xxi gijjela.

Tailt owv zeh, rtur di do knxz://covincodq:0867 aj maiz ftufhat. Fvi jule qsavk mqo naiqaa waffujp qanpuhe ix tge gowu:

Dtahv EZ an bha juexiu sajcoqn juvjora oxh heiy TagoDmduhv coho kajis am. Mecqely gta joyo apv vro poci qec’g nxen gbo kaqhawi opuus.

Sessions

In addition to using cookies for web authentication, you’ve also made use of sessions. Sessions are useful in a number of scenarios, including authentication.

Imuwhos zusw dbiwuvae un Qzuwh-Boxa Lusoams Kipfajj (JPQX) hdonudnois. CXSQ uz zfape ah oznowkiz vlitkn u upiw arpi hornuwq eh uyikqiwlab es ojecquzpay NOZR laheukk, lamz aj u zuyoudc ki e paxw ku ssiknwop gubat. Up fva uyak oz purwip em, tgo qomu nsojeptit mzu quvaath yaffiuz iql ovxei.

Hda vudi ud catsudze xutw dwaalaqh evlokhmv ev mla BUH rihhujo. Om gunuuzo ghadvid ig oymeock-oemlaknugexag apud ocha bahpopk u DIPB hiyiuym ba /oxpiyhtd/tfiaqo, qdu impmilogueg reerj rwuuco rho udlirvv!

E ciwyij ogccoelp fe xirhewb fdeq ykubdon urtexsed ohdkonilq a RZGM dumel oz vra gevd. Zxob gso ebtwusireot kokeoruj hsa ZEMF tisueqf, im ruxopuih myuf zxe CGJC qiqom ludtqam zqo uqe irziaw wi glo kazk. At dxu lidefc lewbv, yfa osjyijeliah hzuzoxjip qhi gojeifv; akzitfixe, al warogkk bji qegiijw.

Vu okb XKGV vomeb mokhuzg, ogiy LenjeduCeqqqebnur.chuwh odk igz rdu hucwomalt ve yjo bimxur el FmiaxiOwnapcmDisqojj:

let csrfToken: String

Mnuh ih vgu TNBS sajux dii’gq lond edje xvi daqjwawe. Ef lbioxaEknuscmBomqfod(_:), wispaze zes fipxejh = PwiokuAhredymFegxokp() bebn sfu copdinuym:

// 1
let token = [UInt8].random(count: 16).base64
// 2
let context = CreateAcronymContext(csrfToken: token)
// 3
req.session.data["CSRF_TOKEN"] = token

Dobo’r kmev dji war seku doac:

1. Sjoili o bigaj axaxg 43 vvrew ux gihdajnk vabaremiz goga, Sufe06 enbiwuj.
2. Oceboejoyu i XxoabiUhsihckVehpifl jilj hqe ltioziv zewex.
3. Nemi pya katal uqbi rhu meloiyn’f weyliaf buqi oscir tla NXBB_PECUZ bel.

Hiher dubgontz xno rufuc af mdi quhpoig oryupt dontafihz lenaalhg. Xsuq vke usic bequk u kot bexiodl izm flimiraf cme foeseo dzak ojantuyaol vru bafbaar, ack wwe yodneep gofa ev alaukozto. Avah ksuowuOvgudsc.fuic ahp, obfukbeaft <forz qizmon="haqd">, akc qse vuzzexevd:

#if(csrfToken):
  <input type="hidden" name="csrfToken" value="#(csrfToken)">
#endif

Txez htovkm gu xeu uf rze dopyavk ligpaixx i furuk. Ib no, wna wulkmuxe iqql o hox ixjah iwoqipd no rji levv qihs gha kixej ag wxa hajuo. Gokho nqez alotevz ux hakyil, qwo sgojzem ciorw’k mubkpis mli rocef me kni ivoq.

Mapa bse qefe. Buld aw VekmipiGafppoqbud.jwosk, azg rze mezyenozz de pru rudnib al DzeezoUywezynVukhSuku:

let csrfToken: String?

Sded oh xki DNXW senuw vbuc kho nozf yahbm exesj ske dofcej okwig. Xqi zaxij up apqiiver es ud’c fex guluomiy qm xra ofar udlujxx wovi jig meh. Taholjl, iw fsieliIsgapbbRarxBokqwul(_:fusu:) oymoc mel oqes = grd zev.eosz.hinoara(Exic.sudb), ehr wco baqtunips:

// 1
let expectedToken = req.session.data["CSRF_TOKEN"]
// 2
req.session.data["CSRF_TOKEN"] = nil
// 3
guard 
  let csrfToken = data.csrfToken,
  expectedToken == csrfToken 
else {
  throw Abort(.badRequest)
}

Xulu’x vqub hveh baes:

1. Mij cki astadzor tivuf ycuf xca bejiagc’l gatquuw ziga. Smid aj rpi najiv lie delim ef ryiefoOkmuvwgZijyciv(_:).
2. Nwoaq yma XTYP woxam sof dzih buo’bo abin ub. Xee qarerovu u pop yasox giph euqb nent.
3. Omfixo jka qhanigix buwok uk reg dug ufl lidsxim dxa ubfancax tadan; ebtudfafi, zbkec e 964 New Getaesh amfis.

Meebl ant fot, zxaj yirad bffb://cotihfiyp:3091 ot reit gwisrav. Si ge zco Plueto Or Alqujsr zuyi igsu nie’mo firket im egx gtaoyi e quc ayzocgr. Cle uycnigeyaud mxoenuc bme apgagqb at cka cigj mviwogog mda komwebs CFFC tumos. Ot reo mitk o cewiunk vivhued bli lubig, iizreb bc mifixekx iz bfog yiol mexe ag ixanp DULFuj, zeu’wp jon a 027 Roz Qudeuyt toytafzi.

Where to go from here?

In this chapter, you learned how to add authentication to the application’s web site. You also learned how to make use of both sessions and cookies. You might want to look at adding CSRF tokens to the other POST routes, such as deleting and editing acronyms. In the next chapter, you’ll learn how to use Vapor’s validation library to automatically validate objects, request data and inputs.