Fork me on GitHub

I am trying to use the “Log In with Apple” Oauth Flow with ring, ring-oauth2 and site-defaults. Site defaults adds an anti forgery token, which needs to be included in any POST requests. Unfortunately, Apple insists that the Token redirect uses POST, and obviously it doesnt know about the anti forgery token. Has anybody managed to do this, is there a way to disable the AF token for a specific URL? Or even better, pass it into the OAuth flow? There is already the state for that, so it would be redundant, wouldn’t it? I don’t want to disable it entirely


@javahippie If you want to disable it for all requests, you should be able to do something like this in your middleware stack

       (-> ring-defaults/site-defaults
           (as-> % (merge-with merge % (:ring-defaults config)))
           (assoc-in [:security :anti-forgery] false)))

👍 4

(ignore the as-> line if you don't want to override other stuff)


Thanks for your response. For debugging, I already disabled it like this, but in general, having this anti forgery token is a good idea and I’d like to keep it

Pavel Klavík22:04:13

Hi, you can set different ring middleware for different routes so your solution would be disable antiforgery on just a single route. For this, you have to have routing before wrap-defaults. In Orgpad, we do routing twice (using Bidi):

(b/make-handler ["" [["/api/" [[true api-handler]]]
                         [true site-handler]]])
For site-handler, I am using site defaults. But for api-handler, I am checking the access permissions directly.


Nice, I forgot about that. We even have our routes split into web app and rest api routes, that’s a great idea, thank you!


Our apps are nearly all REST APIs and have their security (we have our own OAuth2 service and separate Auth/Login servers) so the Ring built-in stuff isn't useful.


I will have to think about this. I am going with serverside rendering, and I have some forms on the page with post data to the server