Improving the state of servant-auth

[Kleidukos]

At the time of writing, the state of servant-auth has a margin of improvement when it comes to both design, security and supported authentication schemes. I would like to take the time with industrial users to setup a better workflow in how we use Servant to protect endpoint and authenticate requests.

This is a work on design, implementation and documentation.

cc @domenkozar @divarvel @Fresheyeball

[Fresheyeball]

@Kleidukos how can I support this effort most efficiently?

[Kleidukos]

@Fresheyeball Sharing your experience and/or setups can be very helpful. The main pain points that you've had, and if there are designs from other languages/libraries that you think would be a better fit

[domenkozar]

I took over the maintenance after a lot of help from @alpmestan when I needed to figure out servant-auth. I share the same experience as others of wasting countless hours, but I did put a lot of those hours back so that it's a tiny bit better nowadays.

Here's a short overview of incremental changes with the most impact:

• write tutorials for common use cases (this would solve most of newcomers as they can have a working version they can revert to - see Set-Cookie JWT - happens if there is cookie in request #167)
• remove XSRF being required for GET requests Remove XSRF Cookie #192
• Rewrite documentation #129

Commonly requested features:

• BasicAuth support in client #140
• authorization How to implement new authorization schemes #119 Authorization versus Authentication #73
• not requiring JWT for cookie auth Cookie Auth SEPARATE from JWT Auth? #151

Last but not least, the plan is to port servant-auth to servant and deprecate the old auth: haskell-servant/servant#805

These days I'm in brutal prioritization mode of scaling my business, so I can't do much maintenance but I do want to do everything I can for someone else to step up!