This repository has been archived by the owner on Mar 8, 2021. It is now read-only.

setting redirect to false fails to touch the session #83

Closed
sritchie opened this issue Nov 19, 2013 · 9 comments

@sritchie

As discussed on IRC: https://gist.github.com/sritchie/7552129

@sritchie
Author

My dirty hack, a clone of authenticate:

(defn authenticate [ring-handler auth-config]
  (fn [request]
    (let [response-or-handler-map (friend/authenticate-request request
                                                               auth-config)
          response (if-let [handler-map (:friend/handler-map
                                         response-or-handler-map)]
                     (friend/handler-request ring-handler handler-map)
                     response-or-handler-map)
          response (friend/authenticate-response response request)]
      (if (json/json-login-route? (merge request {::friend/auth-config
                                                  {:login-uri default-login-uri}}))
        (assoc response
          :session (-> response-or-handler-map
                       :friend/ensure-identity-request
                       :session))
        response))))

@cemerick
Owner

OK, where does the {"ok":true,"reason":"Authentication succeeded! Save the cookie returned in the cookie header."} response in the gist come from? It's not being emitted by the json workflow. Do you have a separate route that matches /login?

@sritchie
Author

Yes, in the basic Compojure style. I implemented POST and GET methods
for "login", and because the json-login workflow doesn't redirect them,
I should only hit them after successful authentication.

Chas Emerick wrote:

> OK, where does the {"ok":true,"reason":"Authentication succeeded! Save the cookie returned in the cookie header."} response in the gist come from? It's not being emitted by the json workflow. Do you have a separate route that matches /login?


@cemerick
Owner

Yup, I agree, just making sure I'm grokking your setup properly. I think you're the first person to impl a workflow that returns non-redirecting auths. Congrats. ;-P Hoping to have a fix this week, going to take a little bit to add some more tests and make sure the matrix of possibilities is covered.

@caprica

caprica commented Nov 29, 2013

I wonder if this is similar to my own use-case here: http://stackoverflow.com/questions/20273190/use-friend-for-authentication-and-authorisation-in-a-single-page-clojure-web-app

My interest is precisely in not using any redirects when authenticating in my single-page web application.

@cemerick
Owner

Sounds plausible. Both this and #82 are blocking on my properly revisiting the issue of relative redirects, spec compliance of the same, etc. I'd like to try to make things work properly and be compliant, rather than stacking on an option for such a bit of trivia.

@cemerick cemerick modified the milestones: 0.2.1, 0.2.0 Feb 5, 2014
@statik

statik commented Mar 2, 2014

I am also very interested in using Friend with a single page web app, in my case Ember.js rather than Angular. I'd like to use RFC 6749 (OAuth 2.0), specifically the "Resource Owner Password Credentials Grant Type", which is described here: https://github.com/simplabs/ember-simple-auth#the-rfc-6749-oauth-20-authenticator. I don't know enough Clojure to work on a PR for this, but thought I would mention that this would make Clojure a very attractive option for the server backend of Ember apps.

@ivnsch

ivnsch commented Apr 5, 2014

Also interested here in using it in an SPA: JSON API / no redirects.

cemerick added a commit that referenced this issue May 19, 2014
allows a workflow to request no redirects *and* that the session should
be set. Fixes gh-83.
@cemerick
Owner

Redirecting and touching the session are orthogonal, so options are now provided for both. ::friend/redirect-on-auth? has implied both until now, and will continue to do so to not break existing apps. (Ideally it should cause the redirect, but not imply setting the session.) Workflows can now set ::friend/ensure-session on the meta of returned authentication maps; the default here is true, so only those that want to disable setting the session (e.g. HTTP Basic) need to worry about it.

A new 0.2.1-SNAPSHOT is now available that includes this change. Would love to hear one way or the other whether this addresses the problem before I cut 0.2.1 final.
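
An added example, not part of the original thread and not Friend's own code: a hypothetical JSON login workflow that sets the two metadata keys described in the comment above, so a successful login is not redirected but the identity is still written to the session. The workflow name `::json-login`, the `/login` URI, the `:username`/`:password` params keys (assumed to be already parsed and keywordized by upstream middleware) and the 401 body are assumptions.

```clojure
(ns example.json-workflow
  (:require [cemerick.friend :as friend]
            [cemerick.friend.workflows :as workflows]))

(defn json-login-workflow
  "Hypothetical non-redirecting login workflow for a single-page app.
  Returns nil for requests it does not handle, an authentication map on
  success, or a 401 Ring response on failure."
  [& {:keys [login-uri credential-fn] :or {login-uri "/login"}}]
  (fn [{:keys [uri request-method params] :as request}]
    (when (and (= uri login-uri) (= request-method :post))
      (let [;; fall back to the credential-fn given to friend/authenticate
            credential-fn (or credential-fn
                              (get-in request [::friend/auth-config :credential-fn]))
            creds (select-keys params [:username :password])]
        (if-let [user (credential-fn
                        (with-meta creds {::friend/workflow ::json-login}))]
          ;; The metadata on the returned authentication map controls what
          ;; Friend does next:
          ;;   ::friend/redirect-on-auth? false -> no redirect; the request
          ;;     continues to the app's own /login route
          ;;   ::friend/ensure-session true    -> the identity is still stored
          ;;     in the session (true is the default; stated here for clarity)
          (workflows/make-auth user
                               {::friend/workflow ::json-login
                                ::friend/redirect-on-auth? false
                                ::friend/ensure-session true})
          ;; Failed login: answer directly instead of redirecting to a form.
          {:status 401
           :headers {"Content-Type" "application/json"}
           :body "{\"ok\":false}"})))))
```

The workflow is passed to `friend/authenticate` in the `:workflows` vector alongside a `:credential-fn`; a stateless workflow such as HTTP Basic would instead set `::friend/ensure-session` to `false` so that no session is created per request.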
