Fork me on GitHub
#ring-swagger
<
2017-02-21
>
ikitommi06:02:50

@mrchance btw, you can enforce that all apis are secure by inspecting the route-tree too. Just emit custom swagger-data (everything starting with :x- is legal in the spec) and make a test for all routes. Something like:

ikitommi06:02:05

(defmethod compojure.api.meta/restructure-param ::auth [_ roles acc]
  (assert (set? roles) "Roles should be a set”) 
  ; add the security check here  
  (assoc-in acc [:swagger :x-roles] roles))

(compojure.api.routes/get-routes
  (api
    (GET "/secure" []
      ::auth #{:user}
      (ok "pong"))

    (GET "/unsecure" []
      (ok "pong"))

    (context "/admin" []
      ::auth #{:admin}

      (GET "/always" []
        (ok "pong"))

      (GET "/secure" []
        (ok "pong")))))
: =>
; [["/secure" :get {:x-roles #{:user}}]
; ["/unsecure" :get {}]
; ["/admin/always" :get {:x-roles #{:admin}}]
; ["/admin/secure" :get {:x-roles #{:admin}}]]

mrchance08:02:57

@ikitommi Cool, thanks. I found the first point myself, using compojure-api.core/middleware around my context, but the :mw solution looks better. Ensuring security through the routes looks useful too, that way we can also catch when someone removes the middleware by accident or something like that as well. Nice solutions all around, thanks a lot!

daveliepmann13:02:11

@ikitommi We talked about an issue last week that you asked me to write up a GH issue for, but now that I've come back to do so, Slack history has forbidden me from seeing that far into the past. I think we were talking about providing a top-level fn for routes so that defroutes and api would be decoupled—does that sound right?

mrchance15:02:18

@ikitommi Is there a way to wrap a middleware around every single route? I need to get the :compojure/route for logging/monitoring purposes. The :middleware key you mentioned above wraps too far out for that

mrchance15:02:53

(It looks like it's :middleware , not :mw unless I did something wrong)

ikitommi15:02:49

@mrchance currently not an easy way. What kind of data are you logging? Isn't there enough route info in the original ring request?

mrchance16:02:42

@ikitommi We measure response time for every endpoint, so we need the compjure route as a tag. We could match that uri against the pathes, but that feels weird. Maybe I'll just rewrite my metadata handler to insert a middleware to pass that information back?