This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2020-11-03
Channels
- # announcements (2)
- # asami (1)
- # babashka (32)
- # beginners (125)
- # calva (4)
- # cider (1)
- # clj-kondo (16)
- # clj-together (1)
- # cljs-dev (15)
- # clojure (30)
- # clojure-australia (3)
- # clojure-europe (41)
- # clojure-italy (1)
- # clojure-losangeles (1)
- # clojure-nl (4)
- # clojure-spec (68)
- # clojure-uk (28)
- # clojurescript (36)
- # conjure (2)
- # cryogen (1)
- # cursive (2)
- # data-science (2)
- # datascript (2)
- # datomic (70)
- # events (2)
- # fulcro (11)
- # graalvm (1)
- # jobs (4)
- # kaocha (4)
- # leiningen (4)
- # malli (52)
- # meander (21)
- # off-topic (11)
- # pathom (7)
- # pedestal (17)
- # reagent (23)
- # reitit (5)
- # remote-jobs (5)
- # reveal (7)
- # shadow-cljs (24)
- # spacemacs (36)
- # sql (21)
- # vim (18)
- # xtdb (7)
In case the user is trying to access some path that they’re not allowed into, I want my service to short-circuit and return HTTP status 403 immediately. What is the right way to do this? Should I throw an exception in one interceptor and then handle it in another?
Also, based on http://pedestal.io/guides/hello-world-content-types > One important note here: As soon as any interceptor attaches a response to the context map, Pedestal considers the request handled. Remaining interceptors won’t be called, and only the ones that are already on the stack will have their `:leave` functions called. This is a “short-circuit” behavior like an early-exit in code. I would expect an interceptor chain consisting of two interceptors where the first one attaches a 403 response to short-circuit the chain, but it doesn’t seem to do so? This is the code for the interceptor:
(ic/interceptor
{:name ::session-guard
:enter (fn [ctx]
(assoc ctx :response {:status 403}))})This is the relevant route:
#{["/guarded" :get [(ic/session-guard conf) (guarded-page)] :route-name ::guarded-page]}So I followed the Pedestal source code all the way to
(defn- terminator-inject
[context]
(interceptor.chain/terminate-when context #(ring-response/response? (:response %))))(defn response?
"True if the supplied value is a valid response map."
{:added "1.1"}
[resp]
(and (map? resp)
(integer? (:status resp))
(map? (:headers resp))))(defn session-guard
[{:keys [users]}]
(ic/interceptor
{:name ::session-guard
:enter (fn [ctx]
(assoc ctx :response {:status 403
:headers {}}))}))there is a io.pedestal.http/response?, that is used by the standard not-found-interceptor 😉
seems kind of sloppy that two only slightly different predicate functions are in use for termination and not-found… wonder why?
actually I discovered that if you just assoc a response to the context in an interceptor, it stops the chain right there and sends your response
(assoc context :response (u/forbidden msg))There’s also “terminate” http://pedestal.io/api/pedestal.interceptor/io.pedestal.interceptor.chain.html#var-terminate
but I wonder if that's as valid as I tested
yeah I did see terminate, but why not just set the response if it's enough?
Yeah the :response value should trigger the short-circuiting. I wasn’t aware of the header requirement, but in our services we always attach content-type headers.
To me throwing an error in your interceptor, then catching it in another error interceptor and returning a 403 seems like a good way to do it. Especially if you are in a place where it’s easier to throw an exception than return a response. But would be interesting to know how other people handle that.
We usually check permissions at the very beginning of the interceptor stack.
So don’t find myself needing to do that.
for the header, I use the :leave interceptor io.pedestal.http/json-body and never had an issue (I never set them manually)
json-body docs
Set the Content-Type header to "application/json" and convert the body to
JSON if the body is a collection and a type has not been set.