16:33:42 <stepkut> hmm. I wonder if web-routes should be using absolute or relative urls.. using relative urls (just the path, no host/port) makes it easier to serve the same site over http and https.. but it screws up things like openid which needs to know the absolute path
16:36:47 <stepkut> (relative root link)
16:45:18 <stepkut> seems that root relative is pretty popular
16:45:54 <stepkut> so. I need a solution that does 'root relative' by default, and then a mkAbs variant for when you really need the absolute
17:07:44 <HugoDaniel> i like relative paths :D
17:08:06 <HugoDaniel> in yesod there is an option to render routes absolute or relative
17:10:59 <stepkut> yeah
17:11:08 <stepkut> I am trying to figure out where in the stack that option should go
17:11:25 <stepkut> web-routes itself doesn't care.. but maybe it should
17:11:53 <stepkut> sometimes things can be too general :)
17:13:40 <stepkut> in yesod, is that something you decided at compile time that applies to all routes? Or something you can do on a per-route basis?
17:13:49 <stepkut> not per-route..
17:14:27 <stepkut> but on a per-use basis.. so that you can use relative someplaces in your app and absolute others
17:15:53 <HugoDaniel> hmm
17:16:03 <HugoDaniel> in yesod by default it renders the full routes
17:16:27 <HugoDaniel> this is because google auth and other auths require full routes in the links
17:16:54 <stepkut> when using web-routes, you supply the base-uri that the routes should be appended to.. so if you pass in "/" they will be root relative, and if you pass in "http://example.org/" they will be absolute
17:17:09 <stepkut> right.. openid is exactly the issue I am dealing with
17:18:22 <stepkut> the problem is that if you are using https then everything has two routes http & https, so root relative is nice because the browser will just the resources via http or https depending on how it requested the page
17:18:26 <stepkut> but.. then openid is sad
17:18:52 <stepkut> if you do everything absolute.. then the url rending code needs to know if the page is being served via http or https
17:19:43 <HugoDaniel> :/
17:19:47 <stepkut> or.. i can try mixed-mode where things are root relative by default.. but you can use a different function to render the URL when you need absolute
17:19:59 <HugoDaniel> that is very good
17:20:17 <HugoDaniel> in yesod you need to specify the routes that are to be an exception in the rendering function
17:20:25 <HugoDaniel> which is a pain if you have lots of them
17:20:35 <stepkut> ah, so it is per-route then
17:20:56 <HugoDaniel> and if you forget to add them there, boom, runtime failure if its a feature that you are depending on
17:21:24 <HugoDaniel> like require js which i think uses relative routes
17:21:29 <stepkut> one thing I am not clear on is if root relative are really that useful in themselves
17:21:55 <stepkut> some people think that root relative links are the only way to go.. but I don't know why I should believe them
17:22:16 <HugoDaniel> yeah, i also dont have an opinion
17:22:43 <HugoDaniel> im not sure, but i think require js, angular and montage use relative links
17:23:22 <stepkut> the safest thing to do is to leave it up to the end user to decide.. which in this case means leaving web-routes and web-plugins alone and just modifying clckwrks do what I need
17:23:41 <stepkut> perhaps I should do that, and then come back to it again later when I have more insight
17:24:04 <stepkut> I am a bit loathed to add more complexity to web-routes when I don't know that it is really the right thing anyway
17:24:51 <HugoDaniel> yeah :/
17:25:36 <HugoDaniel> my approach is "no by default" which usually makes me opt by not changing or not doing if im in doubt
17:25:40 <HugoDaniel> in life in general
17:30:12 <donri> not just auth stuff: rss/atom, opensearch... these things all want full URIs i think
17:30:47 <donri> how about look at the request to see if it's https and change the approot accordingly?
17:31:38 <stepkut> donri: that is one option I am considering
17:31:50 <stepkut> rqSecure <$> askRq
17:32:19 <donri> either by parsing the approot or by changing the api to take a schema-less url
17:33:11 <donri> but maybe we need a generic solution that also solves the problem of CDN assets?
17:33:35 <donri> these two problems may or may not be related :)
17:34:34 <donri> i think some sites only use https for the login, but i don't think that's secure because then you're still sending the auth token cookie in plain text
17:40:20 <stepkut> yeah
17:40:35 <stepkut> in happstack-authenticate, if you authenticate over plain http, then you get a plain (unsafe) auth cookie
17:40:51 <stepkut> if you authenticate over https, then we set the secure option on the cookie, and it will only be usuable over https
17:55:32 <HugoDaniel> :)
18:05:50 <donri> stepkut: oh yea tables is on hackage now
18:06:09 <stepkut> epic
18:06:22 <stepkut> hopefully I will have some time to check it out next week
18:06:30 <stepkut> and maybe start migrating to it :)
18:07:02 <stepkut> gotta fix these https related issues first
18:39:59 <HugoDaniel> can i do google auth with happstack ?
18:40:10 <HugoDaniel> like, easily :)
18:40:15 <stepkut> HugoDaniel: yes, using the happstack-authenticate library
18:40:41 <stepkut> I will be releasing a new and improved version in the next day or so
18:41:08 <stepkut> the happstack-authenicate library is a bit scary looking, but you really only need to call one function :)
18:41:22 <stepkut> unless you have special requirements
18:41:35 <stepkut> in which case you can roll-your-own solution from the various pieces
18:42:15 <stepkut> the code I am about to push fixes the handling of session timeouts and improves https support
18:42:20 <stepkut> and updates the demo to be better
18:42:32 <stepkut> I think it will be in pretty good shape then
18:42:34 <HugoDaniel> very cool :)
18:43:03 <stepkut> the changes are mostly internal, so it should not break much
18:43:06 <stepkut> if anything
18:43:13 <HugoDaniel> great :)
18:44:27 <HugoDaniel> ill be using happstack for the next project at work
18:44:33 <stepkut> excellent!
18:45:58 <stepkut> I need to finish (1) updating happstack-authenticate (2) fixing what happens when a non-admin user logs into clckwrks (3) factor the pages stuff out of clckwrks into clckwrks-plugin-pages, and then clckwrks should be pretty spanky