ring

seancorfield 2024-08-12T04:36:03.774519Z

For folks who don't want to drag Cheshire/Jackson into their projects. I intend to track all changes to ring-json (and versions will track one patch level ahead of it), although this initial release, 0.5.2, does not support Clojure 1.7.0 which ring-json 0.5.1 does -- and that's because I've switched to deps.edn and Cognitect's test-runner instead of Leiningen.

Daniel Manila 2024-08-12T19:21:12.867279Z

I'm trying to get oauth2 to work with https://github.com/weavejester/ring-oauth2, and it seems to be working just fine except that the :oauth2/access-tokens isn't being populated at the end of the flow, which is of course the whole point. I've set up cookies to have same-site set to lax and added wrap-params to my middleware stack. Any other gotchas or things I should know why it isn't working? There's unfortunately no errors so I'm not sure what's up.

Daniel Manila 2024-08-12T19:27:13.142479Z

For reference here is my setup, (working with an electric app):

(defn wrap-oauth-landing [next-handler]
  (fn [{:keys [uri request-method] :as request}]
    (let [signature [uri request-method]]
      ;(println request)
      ;(println "session" (:session request))
      ;(println (:oauth2/access-tokens request))
      (cond
        (= signature ["/oauth2-landing" :get]) (handle-sign-in request)
        :default (next-handler request)))))

(defn http-middleware [config]
  ;; these compose as functions, so are applied bottom up
  (-> not-found-handler
      (wrap-index-page config)                              ; 3. otherwise fallback to default page file
      wrap-oauth-landing
      (wrap-oauth2 {:cognito
                    {:authorize-uri    ""
                     :access-token-uri ""
                     :client-id        "13dbhvme9fpl6nf31vuaea36rm"
                     :client-secret    "3suph700u9sb5hgnqm8kdmu6a5q81ejc6t1nbn0m91q7ejl1ur6"
                     :scopes           ["openid", "email"]
                     :launch-uri       "/oauth2"
                     :redirect-uri     "/oauth2-return"
                     :landing-uri      "/oauth2-landing"
                     }})

      (wrap-defaults (-> site-defaults (assoc-in [:session :cookie-attrs :same-site] :lax)))
      (wrap-params)

      ;(wrap-defaults (-> site-defaults (assoc-in [:session :cookie-attrs :same-site] :lax)))
      (wrap-resource (:resources-path config))              ; 2. serve static file from classpath
      (wrap-content-type)                                   ; 1. detect content (e.g. for index.html)
      ))

2024-08-12T19:51:52.741259Z

Are sessions working?

Daniel Manila 2024-08-12T19:52:57.033549Z

:session
{:ring.middleware.oauth2/state "_185OoSSPpg9",
:ring.middleware.anti-forgery/anti-forgery-token
"VBBVX4ELanEb2gRTW3+qUboEaMWh7pDSqQ9giyTgsIKl/Vm46rdRbAcXpt1LDkOD9N08XRMeAEck1iWz"}}

Daniel Manila 2024-08-12T19:53:05.221979Z

Yep the session looks something like the above

2024-08-12T19:53:10.577689Z

Like if you store a uuid in the session if one is not already there, and print it out every request, do you always see the same one?

2024-08-12T19:54:36.359139Z

That tells you you have a session, which is good, but the real question is if the session is properly persisting state between requests

Daniel Manila 2024-08-12T19:54:46.509199Z

I'll do a quick check

2024-08-12T19:56:51.072079Z

The default session store is just an in memory map, so for example if you are load balancing between servers and don't have any kind of session affinity at the load balancer you'll get balanced between nodes that aren't aware of your session

Daniel Manila 2024-08-12T19:57:36.246849Z

This is all running locally so it shouldn't be impacted by that. But I think site-defaults sets sessions to be cookie based

Daniel Manila 2024-08-12T20:01:11.298819Z

Session seems to be working fine using that test you suggested

Daniel Manila 2024-08-12T20:03:06.293049Z

Hmmm, actually just saw an issue that the cookie isn't being set because it's too long. Wonder why that is

2024-08-12T20:08:42.704069Z

using a cookie for the session store can result in an unbounded cookie size 😕

Daniel Manila 2024-08-12T20:10:03.659169Z

Hmm weird that it defaults to that

2024-08-12T20:10:04.982089Z

you can try and insert a custom middleware to log the session before it gets serialized as a cookie, but annoying to get in the right place when using wrap-defaults

2024-08-12T20:10:48.744869Z

the size of the cookie depends entirely on the size of the :session map when serialized

Daniel Manila 2024-08-12T20:24:03.813609Z

That was the problem, switching to in memory store fixed the issue. Frustrating that this silently failed but that's on the browser not on anyone's code here

Daniel Manila 2024-08-12T20:24:20.299389Z

This is a test app, so for now I'll just stick to an in-memory session store

Daniel Manila 2024-08-12T20:25:18.098519Z

Thanks for helping me debug that @hiredman!

2024-08-12T20:25:40.170689Z

👍