This repository was archived by the owner on Oct 29, 2021. It is now read-only.

Cookie headers and collision with other packages #133

Closed
piwonskp opened this issue Dec 5, 2018 · 1 comment

piwonskp commented Dec 5, 2018

Hi,

There seems to be no issue for this, so I'm creating one. Let me paste a link first, as comments in code are pretty self-explanatory.

This issue seems to affect and break code when using some other packages like servant-checked-exceptions. I've been trying to set up a new auth-protected endpoint, which resulted in a type error.

Simple API example using servant-auth and servant-checked-exceptions:

```haskell
-- Error type thrown by the route; serialized via its Show instance, mapped to HTTP 401
data SomeError = SomeError deriving (Eq, Read, Show)
instance ToJSON SomeError where toJSON = toJSON . show
instance ErrStatus SomeError where toErrStatus _ = status401

-- Success payload
data SomeResp = SomeResp {a :: Integer} deriving (Generic, Show)
instance ToJSON SomeResp

-- Route that can throw SomeError (servant-checked-exceptions)
type SomeRoute = "route" :> Throws SomeError :> Get '[JSON] SomeResp

-- The same route placed behind cookie authentication (servant-auth)
type API = "api" :> "v1" :>  Servant.Auth.Server.Auth '[Cookie] Token :> SomeRoute

someHandler :: Handler (Envelope '[SomeError] SomeResp)
someHandler = pureSuccEnvelope $ SomeResp 1

-- Handler ignores the authentication result
someH :: Servant.Auth.Server.AuthResult Token -> Server SomeRoute
someH _ = someHandler

server :: CookieSettings -> JWTSettings -> Server API
server cs jwts = someH
```

Results in error:

```
• Couldn't match type ‘servant-checked-exceptions-core-2.0.0.0:Servant.Checked.Exceptions.Internal.Envelope.Envelope
                             '[SomeError]
                             (Headers
                                '[Header "Set-Cookie" SetCookie, Header "Set-Cookie" SetCookie]
                                SomeResp)’
                     with ‘Headers '[Header "Set-Cookie" SetCookie] cookied1’
        arising from a use of ‘serveWithContext’
    • In the second argument of ‘($)’, namely
        ‘serveWithContext api cfg (server defaultCookieSettings jwtCfg)’
      In the second argument of ‘($)’, namely
        ‘addCors
           $ serveWithContext api cfg (server defaultCookieSettings jwtCfg)’
      In the second argument of ‘($)’, namely
        ‘logStdoutDev
           $ addCors
               $ serveWithContext api cfg (server defaultCookieSettings jwtCfg)’
   |
50 |     serveWithContext api cfg (server defaultCookieSettings jwtCfg)
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

Also, while the login endpoint has to explicitly specify Set-Cookie headers, they are automagically added to protected endpoints. In my opinion, it might be quite confusing for newcomers. It would be nice if we maintained a similar level of verbosity between endpoints.

@domenkozar
Collaborator

iirc the problem is that servant-checked-exceptions doesn't support responses that set headers - cdepillabout/servant-checked-exceptions#4

Please reopen if you think servant-auth could do something better here.
