A template for web apps with user auth using OWASP best practices and pedestal
A project containing the extracted authorization aspect of an application, especially relevant for projects using pedestal. Includes packaging and deployment config as well.
Seems the session must be tied to a user - which makes me think: how would you implement features like "require captcha after logging in has failed 3+ times"?
The sessions can be anonymous - user_id is null in the db row in that case (to be specific).
See the anonymous-session interceptor here: https://github.com/bpringe/auth-template/blob/954b8a78f7e6d91b4dd12446ec69aba004c53d1e/src/auth_template/service.clj#L208
There may be a better way to handle anon sessions - but this is a simple starting point / works.
https://github.com/bpringe/auth-template
flow chart for proper REST resource: https://github.com/for-GET/http-decision-diagram (an activity diagram to describe the resolution of HTTP response status codes, given various headers; see also http://hyperrest.github.io/2013-06-10-http-hell-no)