Okay, armed with the new clarity, I felt embolden to tackle this once more.
Here's the next steps for those trying to tack CSRF protection onto a
Reagent project created with lein new reagent.
In handler.clj - you'll add the ring.middleware.anti-forgery and refer to
*anti-forgery-token*
(ns myapp.handler
(:require
[ring.middleware.anti-forgery :refer [*anti-forgery-token*]]))
Then, lower down in your code you'll have something like this:
(html5
[:head
[:meta {:csrf-token *anti-forgery-token*}]
This will create a token for you.
Now I haven't gone the rest of the distance with this problem so I can't
say that it's all downhill from here, it's possible I'm messing up and
re-generating a token that won't match what's already matched in the
session. Let me know if that's what I'm doing :(
But the next thing I would do, is in /cljs/myapp/core.cljs - I would find a
way to pull in this token from the meta tag (maybe by using vanilla
javascript) and then add it to my post commands.
A couple things that confused me:
It's not obvious that you have to add ring.middleware.anti-forgery to
handler.clj, because in the examples in the documentation we're pulling
that in so we can do "wrap-anti-forgery" in our middleware.clj. However,
this is done automatically using ring.middleware.defaults, in the
middleware.clj file, so it looks like ring.middleware.anti-forgery doesn't
need to be anywhere.
However, without ring.middleware.anti-forgery, it seems
*anti-forgery-token* isn't bound.. once you require that, that it exists!
Let me know if my assumptions are wrong on this - it's possible I'm going
down the wrong direction and that *anti-forgery-token* is actually stored
in the session somewhere, but I have no idea how to access the session at
this point.. That sounds like a whole nother bag of worms.
*Epilogue*
The turning point for me was realizing that the ring-defaults file is
ridiculously easy to comprehend on Github. I'm so used to php projects
where inspecting classes is basically impossible - in order to understand
one thing, you need to understand 12 other things, which in turn require an
understanding of 3 other things etc. To open up defaults.cli and see that
site-defaults is just a simple map, literally made me sigh in relief :p
I'm beginning to grasp the structure of packages of namespaces, which makes
seeing into the code easier. It strikes me Clojure is a system which
dramatically rewards investment into it's fundamental building blocks. I
feel like I have a lot to learn, but it's all worth learning. Thanks!
--
You received this message because you are subscribed to the Google
Groups "Clojure" group.
To post to this group, send email to [email protected]
Note that posts from new members are moderated - please be patient with your
first post.
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/clojure?hl=en
---
You received this message because you are subscribed to the Google Groups
"Clojure" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
