Would you mind posting the old and new code... did you just need another ( ) ?

Or 1 less ( )... calling it as a function

Sure. Old and bad: (let [error-msg (str "Non-unique: " coll)] #?(:clj (throw (Exception. error-msg)) :cljs (js/Error. error-msg) )) New and good: (let [error-msg (str "Non-unique: " coll)] #?(:clj (throw (Exception. error-msg)) :cljs (throw (js/Error. error-msg)) ))

I suppose I could also have moved one of the parens.

and the :clj reader macro

ahh, makes a lot more sense, need the throw added in there

Yeah, and in retrospect the log traces pointed to this problem, but I'm just starting in with this javascript stuff, and I didn't know what I was looking at.

Like in Chrome and Safari, 25 frames are logged in < 1 second. In Firefox it takes 25 seconds.

Looks like it might be codepen causing this behavior. Happens for me on your link but not in fullview. https://codepen.io/jayzawrotny/full/XGLoKx

Might be the iframe >You should call this method whenever you're ready to update your animation onscreen. This will request that your animation function be called before the browser performs the next repaint. The number of callbacks is usually 60 times per second, but will generally match the display refresh rate in most web browsers as per W3C recommendation. requestAnimationFrame() calls are paused in most browsers when running in background tabs or hidden <iframe>s in order to improve performance and battery life. https://developer.mozilla.org/en-US/docs/Web/API/window/requestAnimationFrame

Interesting! Thanks for the help.

I would have used nginx for this

It takes away all the library dependent challenge problems

you mean you will set Access-Control-Allow-Origin, Access-Control-Allow-Headers, Access-Control-Allow-Credentials by nginx proxy?

I have bypassed CORS with nginx

it still doesn’t solve issue about redirections

No need to set CORS

I'd have to check if nginx proxy can share sessions

So redirection worls

mmm but on dev.localhost I have to set all this parameters to work in the same domain, but different port.

> No need to set CORS How is it work to not set it?

hmm

The topic is much harder, than I expected

🙂

I thought there is oauth2-clj library or something like that which just do the job

It is involved

Still I am not sure if solving CORS is really what I need to Single Sing On solution. I mean it is connected, but not sure if it is right way to achieve the goal.

I mean maybe I should use OAuth2 library or something

Does it make sense?

As I understand OAuth 2 + OpenID Connect 1.0. do the job?

Ech I am too confuse 🙂

Yes. For redirects.

Or I don’t need it as long as I use 1 domain and subdomains?

It solves cross domain problem

oh redirects, true

so still do you recommend nginx proxy or OAuth2?

I would have kept the auth server on the main domain

Personally... I'd use nginx

Proxy alias it

But its my own hack... not standard

why not oauth2?

Because oauth2 will need libraries to support it

If you can find stable library... then ok

mmm probably my main issue is I can’t find libraries for clj / cljs for SPA 🙂

How about raw JS libraries?

I stuck on server side at that moment

You can also load react libraries into cljs

But didn’t look deep into raw Java

But JS npm is always breaking stuff

I'd prefer a server solution

I'd test if clojure-cors can handle redirects

Or move the auth server onto the main domain

Is this for a company or just personal?

I really want to avoid doing my own solution, because of security reason 🙂

Ya... that's why I ask... what is it for

well it is project which will became company if I will finish it 🙂 Besides of it I want to learn how do it right.

Experience is in price 🙂

But stuff about auth took my so long time

Ok... move auth to main domain

And use cors library

Then you just need cors for any ajax calls

+ redirections

Redirection is from having a different auth system on a subdomain?

But I am afraid about injecting JS a little. Some of this SPA will deal with JS rendering as template.

it should be secured, but anyway it is something what I am afraid of

Any templates need sanitized

That is XSS attack

*redirections - http://spa1.foo.com/path -> http://auth.foo.com -> http://spa1.foo.com/path

If anything... allowing redirections opens up more security problems

So that is why my first thought went to OAuth2

Because I can authorize off that http://auth.foo.com server by middle man

I can middle man attack if redirections are allowed

Another reason to keep auth on the main domain

Are you sure you are right? Then it will mean OAuth2 is not secure.

it is probably about right solution

not an issue in 100% cases

Oauth uses a handshake

It is not a 1 way message

Better make sure to set HSTS too

Or I can force drop SSL on a man in middle

I hacked my own corporate logins before... no HSTS

HSTS - thank, I don’t know this one

cool, sounds good

Ya. Don't do that unless you have a pen testing contract. Highly illegal.

What do you mean?

oh hacking

sure

So summarise this up: 1) I can use http://foo.com and subdomains with Access-Control-Allow-Origin, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, Strict-Transport-Security + care about redirections for login purpose. 2) OAuth2, but there is no library to recommend

https://github.com/weavejester/ring-oauth2

but it is client for ring

I need server side for ring

Idk

Oauth2 is really client side from my understanding

Server side... would be things like sessions

Shared sessions on the backend

there is buddy, but authentication there is not for SPA SSO. Unless maybe use buddy for redirections (OAuth) but handle CORS myself hmm

There is Oauth2 server side?

yes, but also for redirections

While it is for client, it needs to be for server too 🙂

Ahhh I understand

I need to do a break, it blows up my minds. Still not sure what to do. But maybe there is no ready to use full solution. Maybe I need to care about this CORS part myself

You want to setup your own Oauth2 Server... gotcha

exactly 🙂

to solve SPA SSO issue

it can be a solution

I haven't done that, yet

yeah me too 😕

Sounds fun though

but in theory it should solve redirections + Single Sing On

Ya, take a break. Maybe we can collab on github

But as I understand OAuth2 solutions can be different and do authentication in different ways

Put your stuff on github

And I didn’t find solution in clj / cljs for this

> Maybe we can collab on github Sure 🙂

Maybe community needs a library

So as I understand the best will be OAuth2 + OpenId connect

But I didn’t find this one

there is https://github.com/mbuczko/cerber-oauth2-provider but it looks very fresh

> Maybe community needs a library At least I needs library or documentation how to achieve it in clj / cljs 🙂 But…. maybe I can just use Java library or something. I don’t know what is right way to do it.

ok, I need to do a break. See you later 🙂

If you figure out something let me know! 🙂