This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2017-03-22
Channels
- # beginners (42)
- # boot (73)
- # cider (17)
- # clara (1)
- # cljs-dev (47)
- # cljsrn (9)
- # clojars (4)
- # clojure (241)
- # clojure-italy (11)
- # clojure-norway (5)
- # clojure-russia (93)
- # clojure-spec (28)
- # clojure-uk (32)
- # clojurescript (170)
- # core-async (20)
- # cursive (62)
- # data-science (2)
- # datomic (47)
- # dirac (4)
- # events (1)
- # funcool (12)
- # gsoc (1)
- # hoplon (59)
- # immutant (8)
- # lambdaisland (4)
- # luminus (3)
- # lumo (11)
- # off-topic (13)
- # om (81)
- # onyx (1)
- # pedestal (47)
- # planck (30)
- # re-frame (2)
- # reactive (1)
- # reagent (2)
- # ring-swagger (15)
- # rum (1)
- # slack-help (5)
- # specter (5)
- # testing (5)
- # uncomplicate (8)
- # untangled (16)
- # vim (71)
- # yada (16)
Edit: Problem solved. I juse needed to provide an authorization scheme as well.
{:scheme :deny-all
:authorization
{:methods
{:get :foo.bar.baz}}}
Hi. I'm struggling with access-control in yada. I've defined a verify method that should always deny access.
As far as I can tell from the documentation, returning nil
should make Yada return a 401 response.
(defmethod verify :deny-all
[ctx _]
(clojure.tools.logging/info "DENY REQUEST, RETURN NIL!")
nil)
I then set the resource's :access-control to use the :deny-all scheme:
:access-control {:scheme :deny-all}
The server does log the "DENY REQUEST..." string, but goes on to handle the request with the :response
handler. Am I missing something?
I'm running Yada 1.2.Very interesting discussion about a pitfall of using spec for forms yesterday. If you call s/keys
on a map you got from a user (e.g. via a submitted form), it could contain a key of :some-library/slow-to-validate-spec
. That opens you up to ddos attacks quite easily. A caution for anyone here already doing that is all.
Apparently you should validate input before passing it to s/keys. Feels a little "Yo dawg" to me.
@snorremd I have a full article almost ready about auth
Happy to send you a link to the draft if it would help
Just a tiny reminder about that draft link. You can direct message it to me if you don't want to share it publicly.
@malcolmsparks I believe that would be very helpful indeed. I'm just about to start implementing JWT based authentication for my Yada-based API.
Yes. But not well documented
Also missing a plain ol' jws implementation from the same library. I have one lying around I need to PR back.
https://github.com/juxt/yada/blob/master/ext/jwt/src/yada/jwt.clj is perhaps the best starting point
@dominicm Yeah, I saw. Though as far as I could see it assumes the JWT is passed as a cookie value.
I would likely want to use a request header instead (the API is not browser-facing).
That would help. Perhaps also an optional map of buddy.jwt/unsign options.
edit: As of now buddy.sign.jws/unsign defaults :alg
to :hs256
. I also believe it would be practical for testing purposes to be able to specify :now
. This will allow you to pass a hard-coded JWT with an old exp
value, and then make buddy travel back in time so it does not fail the old token.