So when I use cljs-ajax to post to my APP I get an Invalid anti-forgery 
token error. 

Despite there being dozens of posts about this issue, none of them have a 
solution that seems to work if you started your project using this:

lein new reagent myapp

The first post that comes up as a "solution" actually recommends disabling 
CSRF protection, which seems like just avoiding the problem rather than 
solving it, but they don't actually tell you how to do that either!

After 4 hours of searching for any solution, I admit that the only fix that 
I found was this:

(ns reformdems.middleware
  (:require [ring.middleware.defaults :refer [site-defaults wrap-defaults]]
            [ring.middleware.json :refer [wrap-json-params]]
            [prone.middleware :refer [wrap-exceptions]]
            [ring.middleware.reload :refer [wrap-reload]]))

(defn wrap-middleware [handler]
  (-> handler
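      ;; assoc-in changes only the named keys; a shallow merge would replace
      ;; the whole :security and :params maps and drop the other site-defaults.
      (wrap-defaults (-> site-defaults
                         (assoc-in [:security :anti-forgery] false)
                         (assoc-in [:params :keywordize] true)))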
      wrap-exceptions
      wrap-reload
      wrap-json-params))


By setting :security :anti-forgery to false, I no longer get the 
Anti-Forgery issue. But yeah, this isn't a real solution.

What I'm looking to do is get one of the solutions involving 
"*anti-forgery-token*" 
or (anti-forgery-field) working.

Unfortunately, these instructions here don't work, and only produce 
hard-to-understand errors:
https://github.com/ring-clojure/ring-anti-forgery

As a side note, it's really confusing when all the libraries use this 
language:

(use 'ring.util.anti-forgery)
(anti-forgery-field)


Meanwhile "use" is not in any of the code generated using lein. I would 
expect this would be the proper way to use the libraries:

(ns myapp.server
  (:require [ring.util.anti-forgery :refer [anti-forgery-field]]))

Of course, I'm just guessing at that refer command, but my point is this 
inconsistency makes me feel like I'm looking at solutions designed for an 
older version of Clojure or something? 

I'm also concerned that given a library [ring/ring-anti-forgery "1.0.1"] 
there is no way to intuitively know how to "require" that library in your 
code. In the above situation the word "util" gets added when requiring it.


*Anyways, my main question is this:* What is the modern way to do CSRF 
protection?

Secondly, I'm concerned I'm doing something wrong - ring.middleware feels 
like a magical thing where you apply wrappers, and then stuff just 
magically works. I'm not a big fan of magic, I want to be able to see a 
pathway for finding a solution, not just google around and figure out a 
wrapper needs to be added. Any recommendations on that front?

Thanks!
Seth
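
Added example, not part of the original post and not code from ring-anti-forgery itself: a REPL-sized walk through what wrap-anti-forgery checks, with the protection left on and the token sent in the X-CSRF-Token header, as a cljs-ajax client would send it. The namespace, handler and helper names are assumptions; requests are hand-built Ring maps, so no HTTP server is needed.

```clojure
;; Added example: the namespace, handler and helper names are assumptions.
(ns example.csrf-demo
  (:require [clojure.string :as str]
            [ring.middleware.anti-forgery :refer [*anti-forgery-token*
                                                  wrap-anti-forgery]]
            [ring.middleware.session :refer [wrap-session]]))

(defn handler [{:keys [request-method]}]
  (if (= request-method :get)
    ;; The token is bound per request by wrap-anti-forgery, so read it inside
    ;; the handler. A real page would emit it in a <meta> tag or JS variable
    ;; for the ClojureScript client. force returns a plain value unchanged
    ;; and also covers a token bound as a delay.
    {:status 200 :headers {} :body (force *anti-forgery-token*)}
    {:status 200 :headers {} :body "saved"}))

;; wrap-anti-forgery keeps the token in the session, so wrap-session must be
;; the outer middleware. (wrap-defaults site-defaults) sets up both.
(def app (-> handler wrap-anti-forgery wrap-session))

(defn session-cookie
  "Returns \"ring-session=<id>\" from the Set-Cookie header of a response."
  [response]
  (-> response (get-in [:headers "Set-Cookie"]) first (str/split #";") first))

(defn demo
  "Fetches a token with GET, then POSTs without, with a wrong, and with the
  right token. Returns the three response statuses."
  []
  (let [page   (app {:request-method :get :uri "/" :headers {}})
        token  (:body page)
        cookie (session-cookie page)
        post   (fn [extra]
                 (:status (app {:request-method :post :uri "/save"
                                :headers (merge {"cookie" cookie} extra)})))]
    ;; A non-GET request is answered with 403 "Invalid anti-forgery token"
    ;; unless its token equals the one stored in the session.
    {:no-token    (post {})
     :wrong-token (post {"x-csrf-token" "constructed-wrong-value"})
     :with-token  (post {"x-csrf-token" token})}))

;; Client half with cljs-ajax (ClojureScript, so shown as a comment):
;;   (ajax.core/POST "/save" {:headers {"X-CSRF-Token" token}
;;                            :params  {:name "example"}})
```

Evaluating (demo) at a REPL with ring and ring-anti-forgery on the classpath shows which of the three POSTs the middleware lets through.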
