off-topic

https://github.com/clojurians/community-development/blob/master/Code-of-Conduct.md Clojurians Slack Community Code of Conduct. Searchable message archives are at https://clojurians-log.clojureverse.org/
vemv 2021-03-30T00:11:23.390800Z

UBM's relationship with Clojure seems weird. He's occasionally advocated for it for 10+ years (https://news.ycombinator.com/item?id=1700588) but I've never had the impression that he actually uses it. Of course one cannot keep tabs on individual people, but you'd think that someone with his name would leave some memorable evidence of using it... e.g. a talk given in a Clojure conf, an issue opened in GitHub, a library, etc. Like other people, I have the vague impression that some of these big-name consultants can pull off making a living out of fluff, using only past knowledge/experience and not necessarily keeping up to date with the realities of modern software engineering

Faris 2021-03-30T03:51:15.391100Z

He could have saved a lot of time by just posting the second last paragraph of his rant.

👍 1
😛 1
dharrigan 2021-03-30T03:57:20.391700Z

Any recommendations for a ui/mobile online mockup tool? To help me visualise an app idea.

simongray 2021-03-30T09:13:56.395600Z

I’m also a fan of pen & paper, but these days I do that (and scribble programming notes) on an e-ink tablet. It helps to reduce paper clutter.

dharrigan 2021-03-30T09:52:30.397100Z

Maybe I should break out my remarkable2...

simongray 2021-03-30T11:54:43.397700Z

That's what I would do. Supposedly, Remarkable is the best one to write on too. I use a Max Lumi.

flightcubs 2021-03-30T12:43:25.398500Z

Also a fan of starting with pen & paper to explore ideas and diverge. When converging, I really like https://www.figma.com/ for both design and prototyping. It’s free (unless you need collaborative features) and simple to use. Of course it’s easy to get bogged down in pixel perfect designs. You could use a https://www.figma.com/file/2fkn66F1J3H594BhgcLlsY template to keep things at high level.

👍 1
raspasov 2021-03-30T04:17:38.392Z

https://excalidraw.com

dharrigan 2021-03-30T04:19:24.392400Z

noice! thank you!

👍 1
raspasov 2021-03-30T04:29:31.393Z

I haven’t used it much myself, but a friend recommended it and it looks pretty good; recently I’ve been preferring … pen & paper! Often I find that the most productive 🙂

seancorfield 2021-03-30T05:38:12.393300Z

I’ve always been a massive fan of Balsamiq https://balsamiq.com/wireframes/ and not just because it was created by a bunch of my ex-colleagues from Macromedia 🙂

seancorfield 2021-03-30T05:38:45.393600Z

I genuinely think that this deliberately “lo-fi” approach helps stop folks getting distracted by pixel-perfect design issues.

dharrigan 2021-03-30T05:41:14.393800Z

oh, I used to use that, I recall. I see they are charging now

seancorfield 2021-03-30T05:42:14.394Z

There’s a free cloud trial — might cover your immediate needs? 🙂

Stefan 2021-03-30T13:58:39.401800Z

Hi all, we want to add OAuth2 “authorization server” support to our (ring-based) web server, so that clients can integrate with our server. I’m wondering how to best do that in a Clojure project? I found things like “friend” and “buddy”, but that all seems quite old so I’m not sure if that’s the right direction. Any recommendations? Thanks!

borkdude 2021-03-30T14:06:22.402200Z

I would prefer using buddy over friend, as friend isn't really maintained

Stefan 2021-03-30T14:09:48.402800Z

Is buddy though? Four years since last release seems quite long for a security-focused library…

dharrigan 2021-03-30T14:14:50.403500Z

buddy is built upon bouncycastle, which (currently 1.67 in buddy core) came out in November 2020 (i.e., 4 months ago).

borkdude 2021-03-30T14:14:56.403800Z

The sub-libraries have more recent updates

borkdude 2021-03-30T14:15:10.404100Z

like buddy-hashers, buddy-auth

Stefan 2021-03-30T14:15:56.404500Z

Ah right, should have seen that myself, thanks 😅

Stefan 2021-03-30T14:41:38.406Z

Doesn’t seem to support oauth2 authorization code flows though, it seems…

Stefan 2021-03-30T14:44:07.406600Z

Not sure about the trade-offs between that and simpler token-based flows.

dharrigan 2021-03-30T14:48:26.407Z

You know what. I'm designing an API too, and I'm taking the stripe approach

dharrigan 2021-03-30T14:48:39.407400Z

They are a multi-billion dollar company, working with money

dharrigan 2021-03-30T14:48:43.407600Z

and all they use is basic auth

dharrigan 2021-03-30T14:48:49.407800Z

good enough for them....

Stefan 2021-03-30T14:50:00.409100Z

Yeah makes you think indeed. But I’m not sure if it’s the same use case. In my case it’s not server-server communication, it’s about a user of one system accessing another without having to explicitly login.

dharrigan 2021-03-30T14:50:26.409700Z

surely the user would be using a client of sorts to delegate on their behalf

mpenet 2021-03-30T14:50:32.410Z

basic auth alone is dangerous, I'd suspect they do a bit more than that

dharrigan 2021-03-30T14:50:36.410300Z

nope

dharrigan 2021-03-30T14:50:40.410500Z

they just use basic auth

mpenet 2021-03-30T14:50:45.410800Z

at least to prevent replay attacks and whatnot

dharrigan 2021-03-30T14:51:01.411200Z

their api is mostly form url encoded

dharrigan 2021-03-30T14:51:06.411400Z

with GETs

dharrigan 2021-03-30T14:51:09.411600Z

they must be doing something right

dharrigan 2021-03-30T14:51:21.412Z

they are hugely successful, and I have yet to hear of their api being hacked

dharrigan 2021-03-30T14:51:26.412300Z

(or compromised)

dharrigan 2021-03-30T14:52:10.413100Z

yes, there are mitigation strategies you can do at the service layer, network layer, for deflecting those side channel attacks

dharrigan 2021-03-30T14:52:21.413600Z

however, their login is just basic auth

mpenet 2021-03-30T14:52:24.413700Z

that's what I am saying, it's not "just" basic auth and done

dharrigan 2021-03-30T14:52:28.413900Z

agreed 🙂

dharrigan 2021-03-30T14:53:35.415Z

@stefan.van.den.oord their client libraries, i.e., javascript etc., all use basic auth too.

dharrigan 2021-03-30T14:54:15.415400Z

security is hard. I favour the very simple approach.

dpsutton 2021-03-30T14:55:41.418100Z

i bet there's a lot of ancillary stuff to that: quick account lockdown, ip recognition and clamping down from suspected ips with otherwise valid credentials. perhaps pending transactions if they aren't sure, insurance to cover transactions that end up fraudulent, etc. I don't think i would just look at basic auth and think it's a single layer of approach

Stefan 2021-03-30T14:56:04.418700Z

But then there are maybe also different security trade-offs for them? It’s just a financial decision: accepting that sometimes things may go wrong a bit (as a financial risk), versus the cost of making more advanced things. I’m wondering if they would use the same approach for securing medical health record data.

dharrigan 2021-03-30T14:56:07.418900Z

absolutely, security is like an onion

🥲 1
mpenet 2021-03-30T14:56:19.419200Z

yeah imho you're better off using oauth & the like ultimately 🙂

dharrigan 2021-03-30T14:57:46.420200Z

I have an opposing view 😉

Stefan 2021-03-30T14:58:11.420600Z

That’s what makes it an interesting conversation 🙂

mpenet 2021-03-30T14:58:53.421500Z

sure, I guess it works if you have a team dedicated to security that ensures everything is locked down around it. Otherwise stg like oauth is quite easy to use

dharrigan 2021-03-30T14:59:23.422300Z

I believe we shouldn't default reach to oauth, simply because others are doing it.

mpenet 2021-03-30T14:59:32.422800Z

sure

dharrigan 2021-03-30T14:59:34.422900Z

It's just one of many options

mpenet 2021-03-30T14:59:36.423100Z

depends on the use case

mpenet 2021-03-30T14:59:51.423500Z

I had some success with auth0 in the past too if you want to fully externalise the thing and get integration with a lot of stuff for "free"

dharrigan 2021-03-30T15:00:03.423800Z

Yeah, maybe something like keycloak?

mpenet 2021-03-30T15:00:43.424400Z

then again depends on use case

dharrigan 2021-03-30T15:01:13.425Z

perhaps if you can hand off the complexities of security to something that is designed to be all about security (and have developers working totally on that aspect), that could be a quick way to move on and let it become someone else's headache 🙂

dharrigan 2021-03-30T15:02:21.426400Z

There is even a library to help out <https://github.com/jgrodziski/keycloak-clojure>

mpenet 2021-03-30T15:02:22.426500Z

yes, that. Implementing oauth flow with all its little variations from service to service can be a pita when you have to do it for multiple providers

dharrigan 2021-03-30T15:02:34.426800Z

totally

dharrigan 2021-03-30T15:02:46.427500Z

throw it over the wall, make it someone else's problem 🙂

Stefan 2021-03-30T15:02:59.427700Z

I feel I’m a bit more with @mpenet on this: keeping this data safe is a big responsibility, and we’re just a couple of devs. Relying on standards gives some sense of security, false or not…

dharrigan 2021-03-30T15:03:21.428Z

basic auth is a standard

Stefan 2021-03-30T15:03:37.428400Z

yeah of course, I think you know what I mean right 😉

Stefan 2021-03-30T15:04:12.429400Z

It’s just a basic standard 😜

dharrigan 2021-03-30T15:04:17.429600Z

not really. if you are basing your decision on something that is simple, easy to maintain and provably secure, with a small team of devs, then basic auth would be higher on my list

dharrigan 2021-03-30T15:04:35.430100Z

if you want to go down the oauth rabbit hole, then you'll need to devote more time and energy on it

Stefan 2021-03-30T15:04:56.430600Z

Yeah I do get your point and I think there’s a lot of merit to it. You definitely made me think and I will seriously consider it!

dharrigan 2021-03-30T15:05:37.431500Z

on the other hand, if you can delegate the security to a product (that can be run on-prem, and is free) and let it do all the work for you, with a straight-forward way of providing auth/authz, then something else to consider 🙂

dharrigan 2021-03-30T15:06:19.432100Z

in the end, it's still very commendable to at least consider all the options to give your users the best, secure experience possible! so kudos!

Stefan 2021-03-30T15:06:57.432400Z

Thanks for your thoughts guys!

KJO 2021-03-30T15:18:16.434900Z

FWIW. I’d be inclined to go with oauth. What’s expedient now might be a point of weakness in 6 months, or 12 months. I’ve had success with buddy and oauth (Okta). It’s a bit of a pita to get going as others have pointed out, but I sleep a little better.

🙏 1
flightcubs 2021-03-30T16:31:14.437800Z

Speaking of auth, has anyone experience with Ory Kratos (https://github.com/ory/kratos)? If so, what’s your impression of working with it?

emilaasa 2021-03-30T17:15:37.439300Z

@stefan.van.den.oord I've used Keycloak and it's alright, can be a lot to learn tho. And redhat / ibm might do something weird eventually

emilaasa 2021-03-30T17:17:04.439900Z

Also depending on what clients you have you might not get a whole lot more than basic auth security anyway.