webapp: Use securemem for constant time auth token comparisons.

Debian stable does not have securemem, but neither does it have warp-tls,
so just disable use of securemem when not building with https support.

Assistant/WebApp/Notifications.hs

@@ -22,6 +22,7 @@ import Assistant.DaemonStatus
 import Assistant.Types.Buddies
 import Utility.NotificationBroadcaster
 import Utility.Yesod
+import Utility.WebApp
 
 import Data.Text (Text)
 import qualified Data.Text as T
@@ -64,7 +65,7 @@ notifierUrl route broadcaster = do
 		[ "/"
 		, T.intercalate "/" urlbits
 		, "?auth="
-		, secretToken webapp
+		, fromAuthToken (authToken webapp)
 		]
 
 getNotifierTransfersR :: Handler RepPlain

Assistant/WebApp/Types.hs

@@ -41,7 +41,7 @@ mkYesodData "WebApp" $(parseRoutesFile "Assistant/WebApp/routes")
 
 data WebApp = WebApp
 	{ assistantData :: AssistantData
-	, secretToken :: Text
+	, authToken :: AuthToken
 	, relDir :: Maybe FilePath
 	, getStatic :: Static
 	, postFirstRun :: Maybe (IO String)
@@ -52,11 +52,11 @@ data WebApp = WebApp
 
 instance Yesod WebApp where
 	{- Require an auth token be set when accessing any (non-static) route -}
-	isAuthorized _ _ = checkAuthToken secretToken
+	isAuthorized _ _ = checkAuthToken authToken
 
 	{- Add the auth token to every url generated, except static subsite
 	 - urls (which can show up in Permission Denied pages). -}
-	joinPath = insertAuthToken secretToken excludeStatic
+	joinPath = insertAuthToken authToken excludeStatic
 	  where
 		excludeStatic [] = True
 		excludeStatic (p:_) = p /= "static"