This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2021-03-30
Channels
- # babashka (18)
- # beginners (90)
- # calva (33)
- # clara (6)
- # cljfx (11)
- # cljs-dev (22)
- # cljsrn (9)
- # clojure (71)
- # clojure-australia (2)
- # clojure-czech (15)
- # clojure-europe (27)
- # clojure-germany (9)
- # clojure-nl (4)
- # clojure-serbia (3)
- # clojure-uk (10)
- # clojurescript (17)
- # conjure (12)
- # data-oriented-programming (2)
- # deps-new (6)
- # fulcro (29)
- # graphql (10)
- # hugsql (6)
- # jobs (1)
- # lsp (59)
- # malli (8)
- # off-topic (76)
- # pathom (15)
- # polylith (130)
- # re-frame (9)
- # reagent (15)
- # releases (4)
- # rewrite-clj (6)
- # ring (6)
- # rum (9)
- # shadow-cljs (116)
- # specter (5)
- # testing (7)
- # tools-deps (24)
- # vim (6)
- # xtdb (17)
UBM's relationship with Clojure seems weird. He's occasionally advocated for it for 10+ years (https://news.ycombinator.com/item?id=1700588) but I've never had the impression that he actually uses it. Of course one cannot keep tabs on individual people, but you'd think that someone with his name would leave some memorable evidence of using it, e.g. a talk given at a Clojure conf, an issue opened on GitHub, a library, etc. Like other people, I have the vague impression that some of these big-name consultants can pull off making a living out of fluff, using only past knowledge/experience and not necessarily keeping up to date with the realities of modern software engineering
Any recommendations for a ui/mobile online mockup tool? To help me visualise an app idea.
I haven’t used it much myself, but a friend recommended it and it looks pretty good; recently I’ve been preferring … pen & paper! Often I find that the most productive 🙂
I’ve always been a massive fan of Balsamiq https://balsamiq.com/wireframes/ and not just because it was created by a bunch of my ex-colleagues from Macromedia 🙂
I genuinely think that this deliberately “lo-fi” approach helps stop folks getting distracted by pixel-perfect design issues.
There’s a free cloud trial — might cover your immediate needs? 🙂
I’m also a fan of pen & paper, but these days I do that (and scribble programming notes) on an e-ink tablet. It helps to reduce paper clutter.
That's what I would do. Supposedly, Remarkable is the best one to write on too. I use a Max Lumi.
Also a fan of starting with pen & paper to explore ideas and diverge. When converging, I really like https://www.figma.com/ for both design and prototyping. It’s free (unless you need collaborative features) and simple to use. Of course it’s easy to get bogged down in pixel perfect designs. You could use a https://www.figma.com/file/2fkn66F1J3H594BhgcLlsY template to keep things at high level.
Hi all, we want to add OAuth2 “authorization server” support to our (ring-based) web server, so that clients can integrate with our server. I’m wondering how to best do that in a Clojure project? I found things like “friend” and “buddy”, but that all seems quite old so I’m not sure if that’s the right direction. Any recommendations? Thanks!
Is buddy though? Four years since last release seems quite long for a security-focused library…
buddy is built upon bouncycastle; the version currently in buddy core, 1.67, came out in November 2020 (i.e., 4 months ago).
Yeah makes you think indeed. But I’m not sure if it’s the same use case. In my case it’s not server-server communication, it’s about a user of one system accessing another without having to explicitly login.
yes, there are mitigation strategies you can apply at the service layer and network layer for deflecting those side-channel attacks
@stefan.van.den.oord their client libraries, i.e., javascript etc., all use basic auth too.
i bet there's a lot of ancillary stuff to that: quick account lockdown, ip recognition and clamping down on suspected ips with otherwise valid credentials. perhaps pending transactions if they aren't sure, insurance to cover transactions that end up fraudulent, etc. I don't think i would just look at basic auth and think it's a single-layer approach
But then there are maybe also different security trade-offs for them? It’s just a financial decision: accepting that sometimes things may go wrong a bit (as a financial risk), versus the cost of making more advanced things. I’m wondering if they would use the same approach for securing medical health record data.
sure, I guess it works if you have a team dedicated to security that ensures everything is locked down around it. Otherwise stg like oauth is quite easy to use
I had some success with auth0 in the past too if you want to fully externalise the thing and get integration with a lot of stuff for "free"
perhaps if you can hand off the complexities of security to something that is designed to be all about security (and have developers working totally on that aspect), that could be a quick way to move on and let it become someone else's headache 🙂
yes, that. Implementing oauth flow with all its little variations from service to service can be a pita when you have to do it for multiple providers
I feel I’m a bit more with @mpenet on this: keeping this data safe is a big responsibility, and we’re just a couple of devs. Relying on standards gives some sense of security, false or not…
not really. if you are basing your decision on something that is simple, easy to maintain and provably secure, with a small team of devs, then basic auth would be higher on my list
if you want to go down the oauth rabbit hole, then you'll need to devote more time and energy on it
Yeah I do get your point and I think there’s a lot of merit to it. You definitely made me think and I will seriously consider it!
on the other hand, if you can delegate the security to a product (that can be run on-prem, and is free) and let it do all the work for you, with a straight-forward way of providing auth/authz, then something else to consider 🙂
in the end, it's still very commendable to at least consider all the options to give your users the best, secure experience possible! so kudos!
FWIW, I'd be inclined to go with oauth. What's expedient now might be a point of weakness in 6 months, or 12 months. I've had success with buddy and oauth (Okta). It's a bit of a pita to get going as others have pointed out, but I sleep a little better.
Speaking of auth, has anyone experience with Ory Kratos (https://github.com/ory/kratos)? If so, what’s your impression of working with it?
@stefan.van.den.oord I've used Keycloak and it's alright, can be a lot to learn tho. And redhat / ibm might do something weird eventually