metosin / compojure-api

Sweet web apis with Compojure & Swagger
http://metosin.github.io/compojure-api/doc/
Eclipse Public License 1.0

Security as first class citizen (with Buddy samples) #122

Open ikitommi opened 9 years ago

ikitommi commented 9 years ago

separate namespace compojure.api.buddy with registered dispatchers for making it easy to use them from c-api. Something like:

(context* "/api" []
  :authenticated? true
  (context* "/admin" []
    :auth-handlers [admin-access operator-access]
    ...))

EDIT 18.8.2015. Should be security in general. Goes for Ring-Swagger too.

dadair-ca commented 9 years ago

Would love a feature like this! :+1:

dadair-ca commented 9 years ago

Also, if this isn't a high priority, having a quick HTTP Basic buddy-auth example in the wiki/README would be fantastic!

nikos commented 9 years ago

Agreed with David, it would be great to have such a feature at hand!

ikitommi commented 9 years ago

I'll poke the guys I know are using buddy with compojure-api.

Deraen commented 9 years ago

Here's a sample of using Buddy: https://gist.github.com/Deraen/ef7f65d7ec26f048e2bb

ikitommi commented 9 years ago

Awesome! We could have an examples folder with standalone projects of these? Would need a maintainer though.

Deraen commented 9 years ago

We already have a separate example repo (https://github.com/metosin/compojure-api-examples); should we extend that or should we have all examples in this repo? No sense having multiple examples here and a single example in another repo.

The reason for having the example in this repo is that it's using the same lein project as the implementation so it makes testing changes easy.

ikitommi commented 9 years ago

I think we need both types:

external project could have more maintainers (to keep up with versions etc.), embedded examples would be easy to find. Both are right, dunno which is better.

sventech commented 8 years ago

Authenticated Compojure API is an example that works pretty well using Buddy with HTTP Basic and JWT (token) auth. You could build on that or direct people to it. We recently updated it to work with the 1.0.0-SNAPSHOT and @JarrodCTaylor has further enhancement plans.

ikitommi commented 8 years ago

Awesome! Didn't know about that. Will add a link to it and read the source to learn from it.

We seem to be re-implementing a role-based auth in all the projects, via :roles restructuring. Thinking of adding those to c-api; it doesn't cover how the actual authentication should work, one could use Buddy (or Friend), just how they can be used to guard routes. With 1.0.0, one could also filter swagger-docs based on roles (or by any other access rules), e.g. only admins see the admin-routes.
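Added example (not code from the compojure-api project or from anyone in this thread): a plain Ring-level role guard in the spirit of the `:roles` restructuring and the `/api` -> `/admin` nesting sketched in the first comment. It assumes the Buddy convention that an authentication middleware has already placed the caller's identity under `:identity` in the request map, and assumes that identity carries a `:roles` set; the namespace and function names are illustrative.

```clojure
;; Added example, not compojure-api or Buddy code. Assumes an upstream
;; authentication middleware (e.g. buddy-auth) has assoc'd :identity into
;; the request, and that the identity map holds a :roles collection.
(ns example.roles
  (:require [clojure.set :as set]))

(def ^:private unauthorized
  {:status 401
   :headers {"Content-Type" "text/plain"}
   :body "authentication required"})

(defn- forbidden [missing]
  {:status 403
   :headers {"Content-Type" "text/plain"}
   :body (str "missing roles: " (pr-str missing))})

(defn require-roles
  "Wraps `handler` so it runs only when the request's :identity has every
   role in `required`. No identity at all -> 401 (not authenticated);
   identity present but a role missing -> 403 (not authorized). An empty
   `required` set only enforces that the caller is authenticated, which is
   the :authenticated? true case from the first comment."
  [handler required]
  (let [required (set required)]
    (fn [request]
      (let [identity (:identity request)
            roles    (set (:roles identity))
            missing  (set/difference required roles)]
        (cond
          (nil? identity) unauthorized
          (seq missing)   (forbidden missing)
          :else           (handler request))))))

;; Nested guards mirror the /api -> /admin layout: the outer guard only
;; requires authentication, the inner one additionally requires :admin.
;; Because each guard is a separate wrapper, an inner route can never be
;; reached with fewer checks than its parent.
(defn admin-handler [_] {:status 200 :body "admin ok"})

(def app
  (require-roles
    (require-roles admin-handler #{:admin})
    #{}))

(comment
  ;; constructed requests for a REPL walk-through
  (app {:uri "/api/admin"})                                              ; no identity
  (app {:uri "/api/admin" :identity {:user "bob" :roles #{:operator}}})  ; wrong role
  (app {:uri "/api/admin" :identity {:user "ann" :roles #{:admin}}}))    ; admin
```

Filtering the generated swagger-docs by role, as mentioned above, would be a separate concern: the guard decides whether a request is served, not which routes are listed.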

JarrodCTaylor commented 8 years ago

I would be happy to have the project linked here. I am very open to feedback and enhancement suggestions as well.