#fulcro
2021-08-19
Alister Lee 11:08:40

Hi all, I'm using the template and I'm striking a problem that when my login function writes to the session using augment-response, it causes the next request to fail the CSRF test. My call to augment looks like this:

(fmw/augment-response
  result
  (fn [resp]
    (log/debug resp)
    (log/spy :debug (clojure.core/update resp :session merge result))))

- {}
- (clojure.core/update resp :session merge result) => {:session {:k/id 1, :k/name "hhh", :k/valid? true}}
I can read that update on the :session key in the response, but the immediate next request doesn't get out of wrap-defaults. The failing request does include the same ring-session value in the cookie, and has an unchanged x-csrf-token. Any hints? thanks!

Alister Lee 11:08:17

Oh, it looks like I need to carry the session including anti-forgery-token across from the request in my mutation?

Alister Lee 12:08:13

This seems like a problem when there are multiple augmentations, and they each merge the original request session, undoing the effect of prior augments?

Alister Lee 12:08:28

The patch might be for handle-api-request to take an option with the starting map, merge with {:status 200 ...}, so you could inject the request's session.

Alister Lee 13:08:48

Ok, it just depends on the order you merge the maps, except when one augment removes a key, and the next refreshes it from the request.

tony.kay 17:08:29

Do you feel like you found a bug, or are you just clarifying?

Alister Lee 23:08:52

Thanks @U0CKQ19AQ - bug is too strong a word. The docs in s11.4.4 don't mention this side effect and I didn't come to understand it until I logged quite a bit and looked more carefully at the template. Would you like a patch for the docs or handle-api-request idea to consider?

tony.kay 00:08:19

A patch for the docs is fine if you have some ideas or extra examples you'd like to give. Not sure what you mean by the handle-api-request idea, but shoot

Alister Lee 01:08:29

@U0CKQ19AQ pull requests submitted.

tony.kay 17:08:21

Because it doesn't need to be.

sheluchin 17:08:19

@U0CKQ19AQ just two lines above is the same namespace, but this time wrapped in a vector. Is there some reason for the duplication? Maybe just a minor harmless bug?

tony.kay 19:08:45

ah, no need for duplication

tony.kay 19:08:59

but also no need for a vector if you aren't specifying aliases/refers/etc.
