it seems ring's wrap-anti-forgery only works when applied to the "root" handler -> if I try to wrap it on specific routes, it will somehow not bind the anti-forgery token correctly, setting it as Unbound: #'ring.middleware.anti-forgery/*anti-forgery-token*.
I’ve been waiting to see what others had to say about this. So far, nothing.
I’m using wrap-anti-forgery on one of my main route trees, but not the other (where I’m using JWT), and I haven’t noticed any issues. I am using reitit and its https://cljdoc.org/d/metosin/reitit/0.7.1/doc/ring/middleware-registry#middleware-registry feature, but I’m not sure that it makes any practical difference compared to the simple example you are showing.
but I can't use wrap-anti-forgery globally on all routes. I need to exclude that middleware on certain routes. how can this be done?
in other words, something like the below, then combining these routes in a handler with a further call to (routes csrf-routes non-csrf-routes) does not work:
(defn csrf-routes [a-routes b-routes]
  (wrap-routes
    (routes
      a-routes
      b-routes))
  (wrap-anti-forgery))
(defn non-csrf-routes [c-routes d-routes]
  (wrap-routes
    (routes
      c-routes
      d-routes))
  (wrap-other-middleware))

These examples aren’t quite right. It seems like you are missing a threading macro that will chain together the wraps.
Something like this:
(defn csrf-routes [a b]
  ;; wrap-routes takes the middleware as its second argument
  (-> (routes a b)
      (wrap-routes wrap-anti-forgery)))
I see that you are just providing these as examples, so maybe this isn’t how your real routes are strung together (or else they wouldn’t work!).