Interesting that nubank is using Flutter for delivery of mobile applications. fluff piece ->

💡 8
Ahmed Hassan 16:04:07

How do you approach authentication and authorization in Clojure apps? I want to build application using Fulcro and PostgreSQL.

eccentric J 17:04:35

Hopefully someone more knowledgeable will chime in with a better answer, but I recall that being asked a few times on reddit.

Ahmed Hassan 17:04:32

There's also Keycloak (keycloak-clojure). EDIT: I wanted to know if Keycloak is worth the effort.


I use 2 methods: a function (acl-query env current-user tx) that removes attributes that the user can't access from the query, and directly on resolvers.

Vishal Gautam 17:04:24

Okay, that's too broad - what kind of authentication: OAuth, Session, JWT? For Session or JWT you can use the buddy library. It will take care of all of your authentication needs.

Ahmed Hassan 17:04:01

@UGMEQUCTV JWT seems a simpler mechanism, because the application doesn't have to store sessions on the server.

Ahmed Hassan 17:04:27

For user roles and permissions can be used.


This may be of benefit too, as an example of how to do Authentication:


Pretty neat.


You don’t have to use JWTs if you need stateless sessions; you can still use session cookies, just replace the session ID stored in the cookie with the data you would store in the JWT. Just keep in mind that stateless sessions prevent you from implementing things like “log out from every session”. I always feel like I’m taking crazy pills when I talk about JWTs, because everyone is quick to use them when I think they have a number of problems. First, if you’re forcing your UI to store the JWTs in local/session storage, then any third-party library bundled with your UI JS can access those tokens, potentially giving them access to the user’s account. Further, if you need to support authenticated downloads, then they either need to be small enough to load into memory via a JS-driven HTTP request, or you have to generate short-lived, one-off download URLs that don’t require authentication (JWTs have to be manually added to requests; the browser sends session data for you). They also make server-side rendering difficult if not impossible (again, because the initial page request comes from the browser, which can send cookies but not JWTs).

💯 4
eccentric J 19:04:21

@UGTAV6LR2 I agree with you. I think JWTs are great for server-to-server communication but would not use them for user sessions.

☝️ 8

don't use stateless sessions either


Agreed. I never use stateless sessions.


Try keycloak with keycloak's gatekeeper. Gatekeeper forces the user to log in, and verifies the access token so you don't have to.

Vishal Gautam 13:04:32

Yea, assuming your browser is your only client, then session is your buddy. But what if you want to target mobile devices, i.e. iOS/Android phones? Then session doesn't play out well. In such a scenario JWT plays out particularly well. In short, there is no right answer, it depends on what you are trying to build!

Ahmed Hassan 14:04:07

@U2J4FRT2T kindly elaborate on these methods; it would be great if there's sample code or examples. They seem relevant to Fulcro/Pathom. Thanks.


I'm out of time ATM, but once I get some free time, I'm planning to release a realworld-app using fulcro/pathom/<top-secret-wip-library>, maybe with some blog posts about that.

Vishal Gautam 15:04:59

@UCMNZLJ93 here is a real-world example using fulcro, you can refer to this atm.


;; assumes edn-query-language is on the classpath
(require '[edn-query-language.core :as eql])

(letfn [(filter-tx [allow? tx]
          ;; walk every level of the query AST and keep only the nodes
          ;; whose :dispatch-key the allow? predicate accepts
          (->> tx
               (eql/transduce-children (filter (comp allow? :dispatch-key)))))]
  (let [role->allowed-attributes {:admin (constantly true)
                                  :guest #{:a}}]
    ;; a :guest may only see attribute :a, at any nesting level
    (filter-tx (:guest role->allowed-attributes)
               [{:a [:c :a]}
                {:b [:c :a]}])))
=> [{:a [:a]}]


Just found out from Reddit. Expecting an official announcement in Slack as well!

parrot 8
🔥 8

See #clojurescript