ring

javahippie 2020-04-28T15:49:01.048500Z

I am trying to use the “Log In with Apple” OAuth Flow with ring, ring-oauth2 and site-defaults. Site defaults adds an anti-forgery token, which needs to be included in any POST requests. Unfortunately, Apple insists that the token redirect uses POST, and obviously it doesn't know about the anti-forgery token. Has anybody managed to do this, is there a way to disable the AF token for a specific URL? Or even better, pass it into the OAuth flow? There is already the state for that, so it would be redundant, wouldn’t it? I don’t want to disable it entirely.

seancorfield 2020-04-28T16:09:44.049300Z

@javahippie If you want to disable it for all requests, you should be able to do something like this in your middleware stack

(ring-defaults/wrap-defaults
  (-> ring-defaults/site-defaults
      ;; optionally merge per-app overrides from config into the defaults
      (as-> % (merge-with merge % (:ring-defaults config)))
      ;; turn off the anti-forgery middleware for every request
      (assoc-in [:security :anti-forgery] false)))

👍 1
seancorfield 2020-04-28T16:10:10.050Z

(ignore the as-> line if you don't want to override other stuff)

javahippie 2020-04-28T16:10:38.050600Z

Thanks for your response. For debugging, I already disabled it like this, but in general, having this anti forgery token is a good idea and I’d like to keep it

javahippie 2020-04-29T10:30:08.052800Z

Nice, I forgot about that. We even have our routes split into web app and rest api routes, that’s a great idea, thank you!

seancorfield 2020-04-28T16:11:35.051700Z

Our apps are nearly all REST APIs and have their security (we have our own OAuth2 service and separate Auth/Login servers) so the Ring built-in stuff isn't useful.

javahippie 2020-04-28T16:14:20.052300Z

I will have to think about this. I am going with server-side rendering, and I have some forms on the page that POST data to the server.

2020-04-28T22:32:13.052600Z

Hi, you can set different ring middleware for different routes, so your solution would be to disable anti-forgery on just a single route. For this, you have to have routing before wrap-defaults. In Orgpad, we do routing twice (using Bidi):

(b/make-handler ["" [["/api/" [[true api-handler]]]   ; everything under /api/ goes to the API handler
                     [true site-handler]]])           ; everything else goes to the site handler

For site-handler, I am using site defaults. But for api-handler, I am checking the access permissions directly.