has anyone done something to automatically audit live repls?
auditing is quite important if you want to allow people to live repl into production for example, but not sure how you would do that with Clojure repls
if the repl is only accessible with an SSH tunnel for example you can audit who connects to it at least, but might be good to know what expressions were evaluated as well I guess
I guess you could add a nrepl-middleware that sits before the eval OP and just logs every eval to a file, or something that hits a service that will log it, so it can't be edited?
Yeah it should not be too hard
you can copy the example here https://nrepl.org/nrepl/design/middleware.html
but instead of checking the time? op, check for the eval one
and always log and then forward the message with (h msg)
cool yeah, and stupid question, to add the middleware the best way is to pass the extra options like
"nrepl.cmdline" "--middleware" "[refactor-nrepl.middleware
I've seen there is also https://nrepl.org/nrepl/design/middleware.html#dynamic-middleware-loading otherwise
but I guess it's better to do it at startup time?
in prod I guess you can create a repl by calling start-server (https://github.com/nrepl/nrepl/blob/71db5258c0561268c05d25dff435ccafd1dac45c/src/clojure/nrepl/server.clj#L164) from your main, which accepts a :handler. You can build that handler by calling default-handler https://github.com/nrepl/nrepl/blob/71db5258c0561268c05d25dff435ccafd1dac45c/src/clojure/nrepl/server.clj#L137 which accepts extra middlewares to wrap the handler
You can call start-server like this https://nrepl.org/nrepl/usage/server.html#embedding-nrepl but providing the :handler yourself