We do something similar in www.fpcomplete.com. You can do this by overriding the maybeAuthId method in the YesodAuth typeclass to check for the Bearer token. For fpcomplete.com, we check for an authorization request header, which looks something like:

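    req <- waiRequest
    mUserId <-
        case lookup "authorization" (requestHeaders req) of
            -- No header: fall back to the regular session-based authentication.
            Nothing -> doNormalAuthentication
            -- Header present: validate the token it carries.
            Just authHeader -> checkAuthHeader authHeader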
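
A sketch of what the header check could look like, added here as an example and not part of the original answer or of fpcomplete.com's code. `TokenCheck`, `parseBearer`, `constEq`, `resolveUser` and the token table are hypothetical names with constructed values; it uses only `base` and `bytestring`, and rejecting any non-Bearer header is an assumption.

```haskell
{-# LANGUAGE OverloadedStrings #-}

import           Data.Bits             (xor, (.|.))
import qualified Data.ByteString       as B
import qualified Data.ByteString.Char8 as BC
import           Data.Char             (toLower)
import           Data.List             (foldl')

-- Outcome of inspecting the Authorization header (hypothetical type).
data TokenCheck
  = NoHeader            -- no header: fall back to normal session authentication
  | Malformed           -- header present but not "Bearer <token>": reject
  | Token B.ByteString  -- well-formed bearer token, still to be verified
  deriving (Eq, Show)

-- Parse the raw header value; the scheme name is matched case-insensitively.
parseBearer :: Maybe B.ByteString -> TokenCheck
parseBearer Nothing = NoHeader
parseBearer (Just raw) =
  let (scheme, rest) = BC.break (== ' ') raw
      token          = BC.dropWhile (== ' ') rest
  in if BC.map toLower scheme == "bearer"
        && not (B.null token)
        && BC.all (`notElem` (" \t\r\n" :: String)) token
       then Token token
       else Malformed

-- Compare all bytes instead of stopping at the first mismatch.
constEq :: B.ByteString -> B.ByteString -> Bool
constEq a b =
  B.length a == B.length b
    && foldl' (.|.) 0 (B.zipWith xor a b) == 0

-- Constructed sample store of (token, user id); a real application would
-- look up a hash of the token in its database instead.
sampleTokens :: [(B.ByteString, Int)]
sampleTokens = [("constructed-sample-token", 42)]

-- Resolve a user id the way an overridden maybeAuthId could: a present but
-- invalid header never falls through to the session user.
resolveUser :: Maybe Int -> Maybe B.ByteString -> Maybe Int
resolveUser sessionUser hdr =
  case parseBearer hdr of
    NoHeader  -> sessionUser
    Malformed -> Nothing
    Token t   -> lookup True [ (constEq t k, uid) | (k, uid) <- sampleTokens ]

main :: IO ()
main = mapM_ (print . resolveUser (Just 7))
  [ Nothing, Just "bearer constructed-sample-token"
  , Just "Bearer wrong", Just "Basic constructed" ]
```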