

Complete authentication app based on Clojure, Noir and MongoDB - xavi
https://github.com/xavi/noir-auth-app

======
graue

        GET /resend-activation?email=:email
        GET /email-changes/cancel
        GET /email-changes/resend-confirmation

Shouldn't these all be POST? GETs are supposed to not have side effects.

~~~
xavi
You're probably right. I'll change that.

Apart from the REST argument, the best single reason I can come up with to
justify changing these to use POST is that otherwise it's possible to cancel
an email change or resend a confirmation of a logged in user by having him
load a page containing an image tag like <img src="url-to-cancel-email-change"
/>. This is the same reason for which noir-auth-app handles logouts through
POST instead of GET. Not really dangerous I guess, annoying at most, but worth
fixing anyway.

By the way, in twitter.com (and I guess a lot of other not so popular
websites) these are handled as GETs, and so they're subject to this kind of
"attacks".

Thanks for raising the issue.

~~~
graue
I suppose these particular paths aren't as exploitable as a logout (which
isn't a GET on Twitter, either, it seems), but what about, e.g., Chrome's link
prefetching? I'm not sure how it would know not to prefetch, for instance, the
"cancel email confirmation" link.

Anyway, I'm teaching myself Clojure right now and this looks like great sample
code to study, so thank you for sharing it.

~~~
xavi
From what I understand, Chrome doesn't prefetch HTTPS URLs

<https://developers.google.com/chrome/whitepapers/prerender>

but Firefox does

<https://developer.mozilla.org/en-US/docs/Link_prefetching_FAQ#Are_there_any_restrictions_on_what_is_prefetched.3F>

So, using HTTPS could be a way to avoid prefetching, but it would not always
work.

In any case, I've already committed the changes that you suggested, so now
noir-auth-app is free from these problems.
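The GET-versus-POST point discussed in this thread, as an added example that is not code from noir-auth-app or from xavi: a small Ring-style handler in plain Clojure (no Noir or Ring dependency, only the Ring request-map conventions `:request-method`, `:uri` and `:session`) in which the "cancel email change" action only fires on POST. The user store, the session shape and the two sample requests are constructed for the example; it assumes Clojure 1.7 or later for `update`.

```clojure
;; Added example, not part of noir-auth-app. Shows why a state-changing
;; action must be bound to POST: a GET to the same path, which is what an
;; <img src="..."> tag or a browser prefetcher would issue, must not touch
;; the user store.
(ns example.email-change)

;; Constructed sample state: a logged-in user with a pending email change.
(def users (atom {"alice" {:email "alice@example.com"
                           :pending-email "alice@new.example.com"}}))

(defn cancel-email-change!
  "Drop the pending address for the given user (the side effect we guard)."
  [username]
  (swap! users update username dissoc :pending-email))

(defn handler
  "Ring-style handler: dispatches on method and path. Only POST mutates;
   a GET to the cancel path is answered with 405 and leaves state alone."
  [{:keys [request-method uri session]}]
  (let [user (:user session)]
    (cond
      (nil? user)
      {:status 401 :body "login required"}

      (and (= uri "/email-changes/cancel") (= request-method :post))
      (do (cancel-email-change! user)
          {:status 302 :headers {"Location" "/settings"} :body ""})

      (= uri "/email-changes/cancel")
      {:status 405 :headers {"Allow" "POST"} :body "use POST"}

      :else
      {:status 404 :body "not found"})))

;; Constructed requests: what an <img> tag or a prefetch would send (GET with
;; the victim's session cookie) versus a deliberate form submission (POST).
(def img-tag-request {:request-method :get
                      :uri "/email-changes/cancel"
                      :session {:user "alice"}})

(def form-post-request {:request-method :post
                        :uri "/email-changes/cancel"
                        :session {:user "alice"}})

(defn -main []
  ;; The GET is refused and the pending email survives.
  (println "GET  ->" (:status (handler img-tag-request))
           "pending:" (:pending-email (get @users "alice")))
  ;; The POST performs the cancellation.
  (println "POST ->" (:status (handler form-post-request))
           "pending:" (:pending-email (get @users "alice"))))
```

Binding the action to POST stops image tags and link prefetching, which only ever issue GETs. It does not by itself stop a cross-site form that posts to the same path with the victim's cookie attached, so in a real app the POST handler would additionally check a per-session CSRF token before calling `cancel-email-change!`.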

------
alexatkeplar
Many thanks for posting this! Only the other day I was evaluating Noir for a
webapp and the lack of a capable user auth capability was the main blocker...

~~~
dmix
It's pretty easy to put together. Just encrypt the password and use
noir.validation for the form fields.

For example, here's a Noir app I wrote using bcrypt and Redis to store the
data.

User model:
[https://github.com/dmix/documeds/blob/master/src/documeds/mo...](https://github.com/dmix/documeds/blob/master/src/documeds/models/user.clj)
(most of the model code is redis interface code)

Login / Signup views:
[https://github.com/dmix/documeds/blob/master/src/documeds/vi...](https://github.com/dmix/documeds/blob/master/src/documeds/views/users.clj)

------
sandGorgon
Any apps like this which use a traditional DB (mysql or pg)? Want to see how
a relational model translates to clojure.

~~~
tensor
SQL in Clojure looks very much like what you are used to in other languages. Take a
look at either the Clojure JDBC wrapper library or Korma for more syntactic
sugar and composing SQL fragments:

<https://github.com/clojure/java.jdbc/> <http://sqlkorma.com/>

There is also the Friend authentication library that you might want to take a
look at:

<https://github.com/cemerick/friend>

------
eranation
Looks really nice, authentication is something many are doing wrong and it's
important to have good templates.

One question, why not use ensureIndex? Is there a real performance cost running it
once it's created?

~~~
xavi
Thanks, and sorry but I don't understand what you mean about ensureIndex,
which is actually used by calling CongoMongo's add-index! in

<https://github.com/xavi/noir-auth-app/blob/master/src/noir_auth_app/models/user.clj>

which in turn calls ensureIndex in the underlying Java driver, see
[https://github.com/aboekhoff/congomongo/blob/master/src/somn...](https://github.com/aboekhoff/congomongo/blob/master/src/somnium/congomongo.clj)

~~~
eranation
Good, this explains it :)