
Security as first class citizen (with Buddy samples)

Open ikitommi opened this issue 9 years ago • 11 comments

separate namespace compojure.api.buddy with registered dispatchers for making it easy to use them from c-api. Something like:

(context* "/api" []
  :authenticated? true
  (context* "/admin" []
    :auth-handlers [admin-access operator-access]
    ...))

EDIT 18.8.2015. Should be security in general. Goes for Ring-Swagger too.

ikitommi avatar Jun 02 '15 10:06 ikitommi

Would love a feature like this! :+1:

dadair-ca avatar Jul 25 '15 23:07 dadair-ca

Also, if this isn't a high priority, having a quick HTTP Basic buddy-auth example in the wiki/README would be fantastic!

dadair-ca avatar Jul 26 '15 00:07 dadair-ca

Agreed with David, it would be great to have such a feature at hand!

nikos avatar Aug 09 '15 16:08 nikos

I'll poke the guys I know are using buddy with compojure-api.

ikitommi avatar Aug 18 '15 18:08 ikitommi

Here's a sample of using Buddy: https://gist.github.com/Deraen/ef7f65d7ec26f048e2bb

Deraen avatar Aug 25 '15 11:08 Deraen

Awesome! We could have an examples folder with standalone projects of these? Would need a maintainer though.

ikitommi avatar Aug 26 '15 16:08 ikitommi

We already have a separate example repo (https://github.com/metosin/compojure-api-examples). Should we extend that, or should we have all examples in this repo? No sense having multiple examples here and a single example on another repo.

The reason for having the example in this repo is that it's using the same lein project as the implementation so it makes testing changes easy.

Deraen avatar Aug 26 '15 18:08 Deraen

I think we need both types:

  • embedded project for testing stuff when developing
  • real example projects (could be in a folder here too)

External project could have more maintainers (to keep up with versions etc.), embedded examples would be easy to find. Both are right, dunno which is better.

ikitommi avatar Aug 26 '15 19:08 ikitommi

Authenticated Compojure API is an example that works pretty well using Buddy with HTTP Basic and JWT (token) auth. You could build on that or direct people to it. We recently updated it to work with the 1.0.0-SNAPSHOT and @JarrodCTaylor has further enhancement plans.

sventech avatar Jan 23 '16 15:01 sventech

Awesome! Didn't know about that. Will add a link to it and read the source to learn from it.

We seem to be re-implementing a role-based auth with all the projects, via :roles - restructuring. Thinking of adding those to c-api. Doesn't cover how the actual authentication should work, one could use Buddy (or Friend), just how they can be used to guard routes. With 1.0.0, one could also filter swagger-docs based on roles (or by any other access rules), e.g. only admins see the admin-routes.

ikitommi avatar Jan 24 '16 21:01 ikitommi
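One way to wire the `:roles` restructuring discussed above on top of Buddy HTTP Basic auth, as an added example that is not from this thread, from compojure-api or from the linked projects. It assumes compojure-api 1.x and buddy-auth; the `example.roles` namespace, the in-memory `users` table, `authfn` and `wrap-roles` are constructed for the illustration.

```clojure
(ns example.roles
  (:require [clojure.set :as set]
            [compojure.api.sweet :refer [api context GET]]
            [compojure.api.meta :refer [restructure-param]]
            [buddy.auth :refer [authenticated?]]
            [buddy.auth.backends.httpbasic :refer [http-basic-backend]]
            [buddy.auth.middleware :refer [wrap-authentication wrap-authorization]]
            [ring.util.http-response :refer [ok unauthorized forbidden]]))

;; Constructed user table for the example; a real service would look users
;; up in a store and compare password hashes rather than plaintext.
(def users {"admin" {:password "admin-secret" :roles #{:admin :operator}}
            "ops"   {:password "ops-secret"   :roles #{:operator}}})

;; Buddy authfn for HTTP Basic: the returned map becomes (:identity request),
;; nil leaves the request unauthenticated.
(defn authfn [_request {:keys [username password]}]
  (when-let [user (get users username)]
    (when (= password (:password user))
      {:user username :roles (:roles user)})))

(def backend (http-basic-backend {:realm "api" :authfn authfn}))

;; Route guard: 401 without an identity, 403 when the identity holds none of
;; the required roles, otherwise pass through to the wrapped handler.
(defn wrap-roles [handler required]
  (fn [request]
    (let [roles (get-in request [:identity :roles] #{})]
      (cond
        (not (authenticated? request)) (unauthorized {:error "authentication required"})
        (empty? (set/intersection roles (set required))) (forbidden {:error "insufficient role"})
        :else (handler request)))))

;; The `:roles` restructuring itself: any route or context declaring
;; `:roles #{...}` gets wrap-roles appended to its middleware chain.
(defmethod restructure-param :roles [_ roles acc]
  (update-in acc [:middleware] conj `[wrap-roles ~roles]))

(def app
  (api
    {:swagger {:ui "/" :spec "/swagger.json"}}
    (context "/api" []
      :middleware [[wrap-authentication backend] [wrap-authorization backend]]
      (GET "/ping" [] (ok {:pong true}))
      (context "/admin" []
        :roles #{:admin}
        (GET "/users" [] (ok (keys users))))
      (GET "/ops" []
        :roles #{:admin :operator}
        (ok {:status "running"})))))
```

Authentication (who the caller is) stays entirely in Buddy's backend, while the restructuring only decides whether that identity may reach a given route, which is the split the comment above describes.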

I would be happy to have the project linked here. I am very open to feedback and enhancement suggestions as well.

JarrodCTaylor avatar Jan 25 '16 03:01 JarrodCTaylor