Clojurians Log v2

Clojure programming
Channels
# 100-days-of-code# aatree# admin-announcements# adventofcode# ai# alda# aleph# all-the-channels# announcements# arachne# architecture# asami# atlanta-clojurians# atom-editor# autochrome-github# avi# aws# aws-lambda# babashka# babashka-sci-dev# bangalore-clj# beginners# berlin# biff# bigdata# bitcoin# boot# boot-dev# boulder-clojurians# braid-chat# braveandtrue# brevis# bristol-clojurians# business# calva# capetown# carry# cbus# cestmeetup# chestnut# chlorine-clover# cider# circleci# clara# clj-commons# cljdoc# cljfx# clj-http# clj-kondo# clj-on-windows# cljs-dev# cljs-experience# cljsfiddle# cljsjs# cljsrn# cljtogether# clojars# clojure# clojure-android# clojure-argentina# clojure-art# clojure-austin# clojure-australia# clojure-austria# clojure-bangladesh# clojure-bay-area# clojure-beijing# clojure-belgium# clojure-berlin# clojure-boston# clojure-brasil# clojurebridge# clojurebridge-ams# clojure-canada# clojure-chennai# clojure-chicago# clojure-china# clojure-colombia# clojure-conj# clojurecup# clojure-czech# clojured# clojure-denmark# clojure-denver# clojure-derby# clojuredesign-podcast# clojure-dev# clojure-dusseldorf# clojure-ecuador# clojure-egypt# clojure-estonia# clojure-europe# clojure-filipino# clojure-finland# clojure-france# clojure-gamedev# clojure-germany# clojure-greece# clojure-guangzhou# clojure-hamburg# clojure-hk# clojure-houston# clojure-hungary# clojure-india# clojureindia# clojure-indonesia# clojure-ireland# clojure-israel# clojure-italy# clojure-japan# clojure-kc# clojure-korea# clojure-losangeles# clojure-madison# clojure-mexico# clojure-miami# clojure-mk# clojure-mke# clojure-morsels# clojure-my# clojure-new-zealand# clojure-nl# clojure-nlp# clojure-norway# clojure-poland# clojure-portugal# clojure-provo# clojure-quebec# clojureremote# clojure-romania# clojure-russia# clojure-sanfrancisco# clojurescript# clojurescript-ios# clojure-sdn# clojure-seattle# clojure-serbia# clojure-sg# clojure-shanghai# clojure-spain# clojure-spec# clojuresque# clojure-survey# clojure-sweden# clojure-switzerland# clojure-taiwan# clojure-turkiye# clojure-uk# clojure-ukraine# clojureverse-ops# clojurewerkz# clojurewest# clojurex# clojure-za# clojurian-chat-app# clojutre# cloverage# cloxp# clr# code-art# code-reviews# community-development# component# conf-proposals# conjure# consulting# contributions-welcome# copenhagen-clojurians# core-async# core-logic# core-matrix# core-typed# cryogen# crypto# css# cursive# cz-clojure# d2q# datacrypt# datahike# datalevin# datalog# data-oriented-programming# data-science# datascript# datavis# dato# datomic# defnpodcast# deps-new# depstar# devcards# devops# dirac# docker# docs# domino-clj# duct# dunaj# eastwood# editors# emacs# error-message-catalog# etaoin# ethereum# euroclojure# events# exercism# expound# figwheel# figwheel-main# flambo# fulcro# funcool# functionalprogramming# funimage# garden# ghostwheel# girouette# gis# google-cloud# gorilla# graalvm# graalvm-mobile# graclj# graphql# gratitude# gsoc# hammock-driven-dev# helix# heroku# hispano# holy-lambda# honeysql# hoplon# hugsql# humor# hypercrud# hyperfiddle# immutant# improve-getting-started# incanter# indycljs# inf-clojure# instaparse# integrant# interceptors# interop# introduce-yourself# iot# iotivity# ipfs# jackdaw# jaunt# java# javascript# javelin# jobs# jobs-discuss# jobs-rus# joker# jukebox# juxt# jvm# kaocha# keechma# kekkonen# keyboards# klipse# kosmos# lambdaisland# ldnclj# ldnproclodo# lein-figwheel# leiningen# liberator# liquid# livestream# local-first-clojure# london-clojurians# lsp# luminus# lumo# mail# malli# mathematics# meander# melbourne# membrane# mental-health# microservices# mid-cities-meetup# midje# minecraft# minimallist# missionary# monads# mount# music# new-channels# new-clojure# nextjournal# nginx# nrepl# numerical-computing# nyc# observability# off-topic# om# om-next# onyx# other-languages# other-lisps# overtone# pamela# parinfer# pathom# pedestal# perun# philosophy# phzr# planck# plastic# play-clj# podcasts# polylith# portal# portkey# portland-or# powderkeg# practicalli# precept# prelude# programming-beginners# project-updates# proletarian# proton# protorepl# pulsar# pure-frame# qa# qlkit# quil# random# rdf# react# reactive# reading-clojure# reagent# reclojure# re-frame# reitit# releases# remote-jobs# respo# rethinkdb# reveal# rewrite-clj# ring# ring-swagger# robots# rum# schema# sci# sfcljs# shadow-cljs# _silence# sim-testing# sioux-falls# slack-help# sneer# sneer-br# spacemacs# specmonstah# specter# speculative# spirituality-ethics# sql# startup-in-a-month# sydney# test200# test-check# testing# thejaloniki# timbre# tmp-json-parsing# tools-build# tools-deps# trading# tree-sitter# uncomplicate# unrepl# untangled# utah-clojurians# videos# vim# vrac# vscode# wasm# web-security# windows# xtdb# yada# yleinen
Apps

liberator

2016-12-07T03:44:12.000007Z

so, I have a RESTful endpoint POST /token that receives a body with username and password keys and return an auth token. I wanted the following rules to be true: 1. if there is an invalid json, return 400 (malformed) 2. if the json is valid, but there’s no username or no password, or they’re not strings (spec check), then return 422 (unprocessable entity); 3. if everything is valid, but username/password match are not found in database, return 401 (unauthorized). I have two doubts about this: from an HTTP/REST perspective, is this right? and if it is, how would I implement it in liberator? the authorized? decision comes before processable?, so the only way I can see this working is doing the whole logic inside post! or sth like that

2016-12-07T03:55:02.000008Z

I could throw 404 instead of 401 as well and it should work...

2016-12-07T04:03:32.000009Z

it kinda makes sense, as the resource token really does not exist for that username+password. but it feels hacky

ordnungswidrig 2016-12-07T13:43:10.000010Z

you’ve got two options to “flip” the order of authorized? and processable?

ordnungswidrig 2016-12-07T13:44:58.000012Z

@caio you can parse the body in authorized? and in case that fails, return true and store a flag in the context, e.g. {::parse-json-failes? true}. In processable? check for that flag.

ordnungswidrig 2016-12-07T13:47:37.000013Z

the other way is to defer the authorization check until processable? and return a response with a (forced) status code 401. Simply return (ring-response {:your-normal “response”} {:status 401}). This anything in the second map overrides what liberator would generate in the ring response

2016-12-07T14:07:36.000014Z

But that's hacking the state machine. The need to hack it to make it work seems like a bad sign

ordnungswidrig 2016-12-07T15:40:56.000015Z

the state mashine is opinionated. that’s ok 🙂

ordnungswidrig 2016-12-07T15:41:12.000016Z

I, personally, would return 422 if the json is unprocessable.

2016-12-07T15:46:42.000017Z

yeah my feeling’s always been that malformed was for the HTTP request itself, not the body… but all said and done it’s pretty arbitrary

2016-12-07T16:23:33.000018Z

Idk. If the content type is application/json and the body nontains invalid json, I'd say it's malformed (maybe the body is a valid XML and the content type header is the wrong one - there's no way for the backend to know)

2016-12-07T16:24:58.000019Z

If you can parse the json, you have an entity. If it's missing required fields, then it's unprocessable, even though it's a valid entity

2016-12-07T16:28:16.000020Z

But yeah, the standards are really broad. The unauthorized really seems like a stretch (there're no auth headers), but 422 also looks bad: the credentials were processed, it's just that there were no user to generate a token from

2016-12-07T16:29:18.000021Z

Meh. I think I'll return 418 - I'm a teapot

2016-12-07T16:29:46.000022Z

Does liberator have support for that? 😂

2016-12-07T16:30:34.000023Z

:teapot? decision handler

ordnungswidrig 2016-12-07T18:29:25.000025Z

Nope. But you can once again use ring-response to force a status code. Yada supports it imho.