#yada
2020-03-11
Braden Shepherdson 02:03:46

I'm really liking yada! but I'm struggling with the documentation, and apparently some drift in the design of auth

Braden Shepherdson 02:03:12

can anyone point me to a current example of auth against the edge version (1.5.0 alpha)?

Braden Shepherdson 02:03:37

ideally, custom cookie-based authentication, with role-based authorization, but I'll take what I can get.

Braden Shepherdson 02:03:22

I can't find any projects doing this on GitHub, because I just end up finding hundreds of projects with the edge example.

Braden Shepherdson 03:03:41

https://github.com/juxt/yada/wiki/Authentication-design looks like the most recent documentation, and the code seems to be in place to implement this, but the authorization section is just a sketch and doesn't suggest how to actually attach them, or what the arguments are. I guess more code digging is in order.

Danny Almeida 06:03:48

Same here... `https://juxt.pro/yada/manual/index.html#cookie-authentication` the following example

```clojure
{:access-control
  {:scheme :cookie
   :cookie "session"
   :verify (fn [cookie] …)}}
```

Gives an error: invalid keyword `:cookie`. Any help appreciated.

Braden Shepherdson 15:03:29

@dionysius.almeida yeah, the auth in that document seems hopelessly out of date. I suppose it's always possible to hack up the interceptor chain to remove the (broken?) stock auth interceptors and replace them with my own. but for only slightly more effort, I could send a PR to build out the design in that wiki link.

Braden Shepherdson 15:03:37

looking at the code I actually think the current state is that the authentication part of that wiki design is in place, but that the authorization part has not been fully designed, and not at all implemented. I could be wrong, though. there's a lot of backward-compatible legacy strata in the codebase that are confusing me a lot, since I'm not very familiar with any version of yada yet.

Braden Shepherdson 17:03:39

okay, I've done enough digging to see how the (I think?) modern one works, and written up a page of notes on it. I've also got it working for a request in my app, but that's a bit more involved. I can post the whole mess to a Gist, hang on.

Braden Shepherdson 17:03:10

there's a sketch of it working. don't sweat the with-db and Toucan t/select-one database stuff if you're not familiar. anyway, that outlines how I'm logging users in, checking their cookie, and authorizing for each method on a resource.

Braden Shepherdson 17:03:18

it's not very extensively tested.

Braden Shepherdson 17:03:03

once I'm more confident in this, I'll send a PR to update the auth docs.

Danny Almeida 20:03:11

@braden.shepherdson Thank you so much for taking the time to do this. I'll go through the note and if something is not clear, I'll bother you again. Cheers 🙂👍