Edit: Problem solved. I juse needed to provide an authorization scheme as well.

{:scheme :deny-all
                       :authorization
                               {:methods
                                {:get :foo.bar.baz}}}

(defmethod verify :deny-all
  [ctx _]
  (clojure.tools.logging/info "DENY REQUEST, RETURN NIL!")
  nil)

:access-control {:scheme :deny-all}

Very interesting discussion about a pitfall of using spec for forms yesterday. If you call s/keys on a map you got from a user (e.g. via a submitted form), it could contain a key of :some-library/slow-to-validate-spec. That opens you up to ddos attacks quite easily. A caution for anyone here already doing that is all.

Apparently you should validate input before passing it to s/keys. Feels a little "Yo dawg" to me.

@snorremd I have a full article almost ready about auth

if you keywordize your json via (keyword nil k) it should be safe

Happy to send you a link to the draft if it would help

@malcolmsparks I believe that would be very helpful indeed. I'm just about to start implementing JWT based authentication for my Yada-based API.

@snorremd jwt is already implemented

Yes. But not well documented

Also missing a plain ol' jws implementation from the same library. I have one lying around I need to PR back.

https://github.com/juxt/yada/blob/master/ext/jwt/src/yada/jwt.clj is perhaps the best starting point

@dominicm Yeah, I saw. Though as far as I could see it assumes the JWT is passed as a cookie value.

I would likely want to use a request header instead (the API is not browser-facing).

Would be good if it could take a function to look it up in the ctx 🙂

That would help. Perhaps also an optional map of buddy.jwt/unsign options. edit: As of now buddy.sign.jws/unsign defaults :alg to :hs256. I also believe it would be practical for testing purposes to be able to specify :now. This will allow you to pass a hard-coded JWT with an old exp value, and then make buddy travel back in time so it does not fail the old token.