Yeah, I guess client vs server side was confusing. I think Oauth is what people usually think of as client side, although technically authentication is still happening on a server (just not yours). My point was more that with a SPA (which I assume is what you are building if using Om) there are really two (or more) parts that need to be secured - the application itself, and the rest endpoints (or whatever) on your server.
If you are serving up your app through Ring, which it sounds like you are, the easiest way is to authenticate the user when they request the page containing your app, then use the Ring session middleware to setup a secure session, which will also authenticate any api calls your app makes. Then the question becomes how to authenticate users and secure endpoints and all that. A really easy solution I've used before to get started is to simply store my own usernames and (encrypted) passwords in the db and use something like lib-noir to wrap routes that need to be secure. This is easy to setup for development, but almost certainly NOT what you want to use in production. If you haven't heard of it, Friend is sort of the canonical library to use for this and has a lot of options for different authentication mechanisms. There seems to have been several attempts to supplant Friend, but AFAIK it's still the best bet out there- if someone wants to correct me on that, I would be interested in knowing other viable options for production use. Using something like Sente, it is possible to authenticate entirely over web sockets, which is appealing in case where you want to serve your page from a CDN instead of your server. Sean Corfield has a demo I think is called Om-sente where he sets up some basic infrastructure for this. I played around with it several months ago and it's a promising approach, but for serious production work I would rather wait and see more experience from others in this area. Call me old fashioned, but security is just not an area I'm comfortable with "experimenting" in. Interesting that you brought up Firebase. I've used Firebase a lot, and it certainly makes auth easy but of course only makes sense if you are using Firebase. That being said, I highly recommend it. Even if you plan on using a different server later on, Firebase makes it ridiculously easy to get your client up and running without having to worry about the server side. If you are careful about not coupling your code, you can easily replace Firebase with web sockets and/or Ajax calls later. For example, my Firebase handlers only operate on the app state directly and my Reagent components aren't even aware of Firebase, which makes it simple to replace when needed. It's really worth looking into, if you haven't already. -- Note that posts from new members are moderated - please be patient with your first post. --- You received this message because you are subscribed to the Google Groups "ClojureScript" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/clojurescript.
