ring

Roger S 2024-08-22T08:57:37.168669Z

it seems ring's wrap-anti-forgery only works when applied to the "root" handler -> if I try to wrap it on specific routes, it will somehow not bind the anti-forgery token correctly, setting it as Unbound: #'ring.middleware.anti-forgery/*anti-forgery-token*.

wevrem 2024-08-23T16:35:13.002929Z

I’ve been waiting to see what others had to say about this. So far, nothing. I’m using wrap-anti-forgery on one of my main route trees, but not the other (where I’m using JWT), and I haven’t noticed any issues. I am using reitit and its https://cljdoc.org/d/metosin/reitit/0.7.1/doc/ring/middleware-registry#middleware-registry feature, but I’m not sure that it makes any practical difference compared to the simple example you are showing.

Roger S 2024-08-22T08:58:15.539309Z

but I can't use wrap-anti-forgery globally on all routes. I need to exclude that middleware on certain routes. how can this be done?

Roger S 2024-08-22T08:59:18.149619Z

in other words, something like the below, then combining these routes in a handler with a further call to (routes csrf-routes non-csrf-routes) does not work:

(defn csrf-routes [a-routes b-routes]
  (wrap-routes
    (routes
       a-routes
       b-routes))
  (wrap-anti-forgery))

(defn non-csrf-routes [c-routes d-routes]
  (wrap-routes
    (routes
      c-routes
      d-routes))
  (wrap-other-middleware))

wevrem 2024-08-23T16:37:20.034099Z

These examples aren’t quite right. It seems like you are missing a threading macro that will chain together the wraps.

wevrem 2024-08-23T16:40:31.448869Z

Something like this:

(defn csrf-routes [a b]
  ;; Thread the combined routes through each wrapper in turn.
  (-> (routes a b)
      wrap-routes
      wrap-anti-forgery))

I see that you are just providing these as examples, so maybe this isn’t how your real routes are strung together (or else they wouldn’t work!).