This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2020-04-24
Interesting that nubank is using Flutter for delivery of mobile applications. fluff piece -> https://www.youtube.com/watch?v=vnj2i6RNo3g
How do you approach authentication and authorization in Clojure apps? I want to build an application using Fulcro and PostgreSQL.
Hopefully someone more knowledgeable will chime in with a better answer but I recall that being asked a few times on reddit. https://www.reddit.com/r/Clojure/search/?q=authentication&restrict_sr=1
There's also Keycloak (http://www.keycloak.org/) keycloak-clojure (https://github.com/jgrodziski/keycloak-clojure) EDIT: I wanted to know if Keycloak is worth the effort.
I use 2 methods:
A function (acl-query env current-user tx) that removes attributes that the user can't access from the query
And directly on resolvers
Okay, that's too broad - what kind of authentication: OAuth, Session, JWT?
Session, JWT: you can use the buddy library. It will take care of all of your authentication needs
github repo: https://github.com/funcool/buddy guide: http://rundis.github.io/blog/2015/buddy_auth_part1.html
@UGMEQUCTV JWT seems a simpler mechanism, because the application doesn't have to store sessions on the server.
For user roles and permissions https://github.com/tuhlmann/permissions can be used.
You don't have to use JWTs if you need stateless sessions; you can still use session cookies, just replace the session ID stored in the cookie with the data you would store in the JWT. Just keep in mind that stateless sessions prevent you from implementing things like "log out from every session". I always feel like I'm taking crazy pills when I talk about JWTs, because everyone is quick to use them when I think they have a number of problems. First, if you're forcing your UI to store the JWTs in local/session storage, then any third-party library bundled with your UI JS can access those tokens, potentially giving them access to the user's account. Further, if you need to support authenticated downloads, then they either need to be small enough to load into memory via a JS-driven HTTP request, or you have to generate short-lived, one-off download URLs that don't require authentication (JWTs have to be manually added to requests; the browser sends session data for you). They also make server-side rendering difficult if not impossible (again, because the initial page request comes from the browser, which can send cookies but not JWTs).
@UGTAV6LR2 I agree with you. I think JWTs are great for server-to-server communication but would not use them for user sessions.
Try keycloak with keycloak's gatekeeper. Gatekeeper forces the user to log in, and verifies the access token so you don't have to
Yea, assuming your browser is your only client, then session is your buddy. But what if you want to target mobile devices, i.e. iOS and Android phones? Then session doesn't play out well. In such a scenario JWT plays out particularly well. In short, there is no right answer, it depends on what you are trying to build!
@U2J4FRT2T kindly elaborate these methods, it would be great if there's sample code or examples. They seem relevant to Fulcro/Pathom. Thanks.
I'm out of time ATM. But once I get some free time, I'm planning to release a realworld-app using fulcro/pathom/<top-secret-wip-library>, maybe with some blog posts about that.
@UCMNZLJ93 here is a real world example using fulcro, you can refer to this atm. https://github.com/walkable-server/realworld-fulcro
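(require '[edn-query-language.core :as eql])

;; Keep only the query nodes whose dispatch key passes allow?, at every depth.
(letfn [(filter-tx [allow? tx]
          (->> tx
               eql/query->ast
               (eql/transduce-children (filter (comp allow? :dispatch-key)))
               eql/ast->query))]
  ;; Each role maps to a predicate over attribute keys.
  (let [role->allowed-attributes {:admin (constantly true)
                                  :guest #{:a}}]
    (filter-tx (:guest role->allowed-attributes)
               [{:a [:c :a]}
                {:b [:c :a]}])))
=> [{:a [:a]}]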
Just found out from Reddit. Expecting an official announcement in Slack as well! https://clojurescript.org/news/2020-04-24-bundle-target
