For many use cases, third-party authentication of email will be sufficient. Occasionally, you’ll want users to actually create passwords on your site. The scaffolded site does not include this setup, because:
In order to securely accept passwords, you need to be running over SSL. Many users are not serving their sites over SSL.
While the email backend properly salts and hashes passwords, a compromised database could still be problematic. Again, we make no assumptions that Yesod users are following secure deployment practices.
You need to have a working system for sending email. Many web servers these days are not equipped to deal with all of the spam protection measures used by mail servers.
The example below will use the system’s built-in sendmail executable. If you would like to avoid the hassle of dealing with an email server yourself, you can use Amazon SES. There is a package called mime-mail-ses, which provides a drop-in replacement for the sendmail code used below. This is the approach we use on the Haskellers.com site.
But assuming you are able to meet these demands, and you want to have a separate password login specifically for your site, Yesod offers a built-in backend. It requires quite a bit of code to set up, since it needs to store passwords securely in the database and send a number of different emails to users (account verification, password retrieval, etc.).
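The two pieces this paragraph names, a salted and hashed password column and an emailed verification key, can be sketched outside Yesod. This is an added example, not code from the original page or from Yesod: the `Accounts` class, its in-memory table, the reuse of one key for both sign-up and password retrieval, and the PBKDF2 parameters are all assumptions, and mail delivery and session handling are left out.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor; tune for your hardware

def hash_password(password: str) -> str:
    # A fresh random salt per password: equal passwords give different rows.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def check_password(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

class Accounts:
    """In-memory stand-in for the user table (hypothetical schema)."""
    def __init__(self):
        self.rows = {}

    def issue_key(self, email: str) -> str:
        # Sign-up or password retrieval: the caller emails this key as a link.
        # An existing row keeps its password until a new one is set.
        row = self.rows.setdefault(email, {"verified": False, "password": None})
        row["verkey"] = secrets.token_urlsafe(32)
        return row["verkey"]

    def verify(self, email: str, key: str) -> bool:
        row = self.rows.get(email)
        if not row or row["verkey"] is None:
            return False
        if not hmac.compare_digest(row["verkey"].encode(), key.encode()):
            return False
        row["verified"], row["verkey"] = True, None  # key is single-use
        return True

    def set_password(self, email: str, password: str) -> bool:
        # Call only from the session that verify() just authenticated.
        row = self.rows.get(email)
        if not row or not row["verified"]:
            return False  # no password until the address is proven
        row["password"] = hash_password(password)
        return True

    def login(self, email: str, password: str) -> bool:
        row = self.rows.get(email)
        ok = bool(row and row["verified"] and row["password"])
        return ok and check_password(password, row["password"])
```

The stored value never contains the password itself, but anyone holding a copy of the table can still test guesses against each row offline, which is why the database compromise mentioned above remains a concern even with salting and hashing.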
Let’s have a look at a site that provides email authentication, storing passwords in a Persistent SQLite ...