2021-07-11
Hi, question about JWT use in the clojure-polylith-realworld-example-app
Why would anyone want to store the token in the database? Isn’t it only supposed to be generated and returned to the user and then validated in other requests? The payload of the token contains a unique user identifier that can be used to fetch the user.
What’s the purpose of storing it?
Once a user logs in, a JWT is generated and returned back to the client application. The client application includes this token in the Authorization header of the subsequent requests. If you check out the https://github.com/furkan3ayraktar/clojure-polylith-realworld-example-app/blob/e7e213d0fb48c1d97d3e7dbe7d03a7370324adc2/bases/rest-api/src/clojure/realworld/rest_api/middleware.clj#L7 in the rest-api base, you’ll notice that the currently logged in user is found by querying the database with the received token.
I cannot say that this is the most secure or the only way of implementing the JWT authentication, but it is a simple way and serves demonstration purposes.
Yes, I saw it in the code. Just didn’t understand why not decode the token (using the same clj-jwt library, which also validates the signature) and use the :sub claim to query the database by user id.
I didn’t actually pay much attention to that specific part. People are using it as a reference project, so it could be nice to fix. Especially for the junior developers who might just copy-paste what I wrote. Thanks for pointing out a better implementation.