I'm trying to test my routing in isolation using Midje. For some routes that hit the database I have no trouble using (provided ...) to isolate the route from a real db call. I've introduced Friend for authentication and I've been unable to fake the call to the credential function.
My credential function looks like this (It's implemented like this because I don't want it getting called just yet):
(defn cred-fn
[creds]
(println (str "hey look I got called with " creds))
(throw (Exception.)))
The middleware for the routes then look like this:
(def app
(-> app-routes
(wrap-json-body {:keywords? true :bigdecimals? true})
wrap-json-response
(wrap-defaults defaults)
(friend/authenticate
{:unauthorized-handler json-auth/login-failed
:workflows [(json-auth/json-login
:login-uri "/login"
:login-failure-handler json-auth/login-failed
:credential-fn auth/cred-fn)]})
(ring-session/wrap-session)))
I've also tried without using the auth-json-workflow, the implementation for the routes looks almost identical and I can add that if it helps but I get the same result.
And then my tests look like this (using ring-mock):
(defn post [url body]
(-> (mock/request :post url body)
(mock/content-type "application/json")
app))
(fact "login with incorrect username and password returns unauthenticated"
(:status (post "/login" invalid-auth-account-json)) => 401
(provided
(auth/cred-fn anything) => nil))
(fact "login with correct username and password returns success"
(:status (post "/login" auth-account-json)) => 200
(provided
(auth/cred-fn anything) => {:identity "root"}))
I then get the following output running the tests:
hey look I got called with {:password "admin_password", :username "not-a-user"}
FAIL at (handler.clj:66)
These calls were not made the right number of times:
(auth/cred-fn anything) [expected at least once, actually never called]
FAIL "routes - authenticated routes - login with incorrect username and password returns unauthenticated" at (handler.clj:64)
Expected: 401
Actual: java.lang.Exception
clojure_api_seed.authentication$cred_fn.invoke(authentication.clj:23)
hey look I got called with {:password "admin_password", :username "root"}
FAIL at (handler.clj:70)
These calls were not made the right number of times:
(auth/cred-fn anything) [expected at least once, actually never called]
FAIL "routes - authenticated routes - login with correct username and password returns success" at (handler.clj:68)
Expected: 200
Actual: java.lang.Exception
clojure_api_seed.authentication$cred_fn.invoke(authentication.clj:23)
So from what I can see the provided statement is not taking effect, and I'm not sure why. Any ideas?
I recently ran into a similar issue, and after some digging I
think I understand why this is happening. Let's take a look at how
the bindings for auth/cred-fn change over time.
(clojure.pprint/pprint (macroexpand '(defn cred-fn
[creds]
(println (str "hey look I got called with " creds))
(throw (Exception.)))))
(def
cred-fn
(clojure.core/fn
([creds]
(println (str "hey look I got called with " creds))
(throw (Exception.)))))
As you can see above, the defn macro interns the symbol cred-fn in the current namespace and binds it to a Var referencing
your dummy function.
(def app
(-> app-routes
(wrap-json-body {:keywords? true :bigdecimals? true})
wrap-json-response
(wrap-defaults defaults)
(friend/authenticate
{:unauthorized-handler json-auth/login-failed
:workflows [(json-auth/json-login
:login-uri "/login"
:login-failure-handler json-auth/login-failed
:credential-fn auth/cred-fn)]})
(ring-session/wrap-session)))
Here's the important piece. At compile time, we thread
app-routes through a series of functions. One of these functions
is friend/authenticate, which takes a map with key :workflows.
The value of :workflows is a vector populated with the results of
a call to json-auth/json-login, which receives auth/credential-fn
as a parameter. Remember, we are inside a def, so this is all
happening at compile time. We look up the symbol cred-fn in the
auth namespace, and pass in the Var which the symbol is bound
to. At this point, that's still the dummy implementation.
Presumably, json-auth/json-login captures this implementation
and sets up a request handler which invokes it.
(fact "login with incorrect username and password returns unauthenticated"
(:status (post "/login" invalid-auth-account-json)) => 401
(provided
(auth/cred-fn anything) => nil))
Now we're at runtime. In our precondition, Midje rebinds the
symbol auth/cred-fn to a Var that references the mock. But the
value of auth/cred-fn has already been captured, when we def'd
app at compile time.
So how come the workaround you posted works? (This was actually the clue that led me to
Eureka moment - thanks for that.)
(defn another-fn []
(println (str "hey look I got called"))
(throw (Exception.)))
(defn cred-fn [creds]
(another-fn))
And in your tests...
(fact "login with incorrect username and password returns unauthenticated"
(:status (post "/login" invalid-auth-account-json)) => 401
(provided
(auth/another-fn) => nil))
(fact "login with correct username and password returns success"
(:status (post "/login" auth-account-json)) => 200
(provided
(auth/another-fn) => {:identity "root"}))
This works because, at compile time, the value of auth/cred-fn that
gets captured is a function that simply delegates to
auth/another-fn. Note that auth/another-fn has not been
evaluated yet. Now in our tests, Midje rebinds auth/another-fn
to reference the mock. Then it executes the post, and somewhere
in the middle-ware, auth/cred-fn gets invoked. Inside
auth/cred-fn, we look up the Var bound to auth/another-fn (which
is our mock), and invoke it. And now of course, the behavior is
exactly as you expected the first time.
The moral of this story is, be careful with the def in Clojure
I'm still not sure why this is happening but I have a work around. If I replace my credential-fn with:
(defn another-fn
[]
(println (str "hey look I got called"))
(throw (Exception.)))
(defn cred-fn
[creds]
(another-fn))
And then create a fake for the new function in the test, like this:
(fact "login with incorrect username and password returns unauthenticated"
(:status (post "/login" invalid-auth-account-json)) => 401
(provided
(auth/another-fn) => nil))
(fact "login with correct username and password returns success"
(:status (post "/login" auth-account-json)) => 200
(provided
(auth/another-fn) => {:identity "root"}))
I get the result I was expecting. cred-fn still gets called but another-fn doesn't get called due to the provided.
If anyone knows why this is the case I'd be interested in knowing. It might be due to the way that the credential function gets called? - https://github.com/marianoguerra/friend-json-workflow/blob/master/src/marianoguerra/friend_json_workflow.clj#L46
Related
I'm trying to set up a simple middleware in a luminus project that uses compojure and ring. I'm sure I'm missing something simple, but I've set up a simple middleware to test and I'm not getting the results I expect.
(defn wrap-api-auth [handler]
(if (= 2 2)
(unauthorized {:body "unauthorized"})
handler))
I would expect this to give back a 401, but it keeps returning a 404. If I change the if expressions (= 2 3) the route fires correctly. For reference, here's the route, it's one of the default that luminus generates with the middleware added.
(GET "/plus" []
:return Long
:middleware [wrap-api-auth]
:query-params [x :- Long, {y :- Long 1}]
:summary "x+y with query-parameters. y defaults to 1."
(ok (+ x y)))
A handler is a function from request to response.
A middleware is a function that takes a handler and returns another handler wrapping the first.
Your wrap-api-auth gets called when your service starts up, does its check, and if the check returns true, stores a response as a handler, and then each request gets handled by a constant response instead of a handler. Since a response is a map, and maps in Clojure can be used as functions, this does probably not produce a helpful error but just returns nil, which is then treated as "not found".
Schematically, your wrapper should maybe look like this:
(defn wrap-api-auth [handler]
(fn [request]
(if (check-authorization request)
(handler request) ; pass to wrapped handler
(unauthorized …)))) ; do something else
I am new to re-frame and not quite sure how to build a user authentication/authorization system with it.
From what I gathered I should create an auth interceptor and place my auth logic inside :before section then inject the interceptor into every events reg-event-db and reg-event-fx that I want to protect.
Am I on the right track?
Not sure if my solution is particularly idiomatic, but I used something like the following in one of my projects. Consider it a Works For Me.
Create a map for the ajax request with a special value for error cases (ignore the context-uri function):
(defn xhrio-map [method path format success-event]
{:method method
:uri (context-uri path)
:timeout 5000
:response-format format
:on-success [success-event]
:on-failure [::ajax-failure]})
Then I use an fx handler for the failure (this is a bit more complicated as it also handles a loading indicator):
(rf/reg-event-fx
::ajax-failure
(fn [{:keys [db]} [_ http-result]]
(if (= 403 (:status http-result))
{:db (assoc db :loading-indicator nil)
:dispatch [::logout]}
{:db (assoc db :loading-indicator nil)
:dispatch
[::error-msg (str "Error fetching from " (:uri http-result)
": " (:response http-result))]})))
The ::logout events sets the document location. This also triggers the logout in the backend.
(rf/reg-event-fx
::logout
(fn [coefx [ev]]
{::location "./logout"}))
Finally, the loading of resources works like this:
(defn load-with-indicator [db xhrio-data]
{:db (assoc db :loading-indicator true)
:http-xhrio xhrio-data})
(rf/reg-event-fx
::load-documentation
(fn [{:keys [db]} _]
(load-with-indicator
db
(xhrio-map :get "documentation/"
(ajax/json-response-format {:keywords? true})
::received-documentation))))
The :received-documentation is handled by some code which invokes the correct display functions.
This uses the day8.re-frame/http-fx and ajax.core
On the backend, I use something similar to the demo code I published over at https://github.com/ska2342/ring-routes-demo.
Hope that helps.
License of the code in this post
In addition to the default license of the StackOverflow site, I also publish these lines under the Eclipse Public License either version 1.0 or (at your option) any later version.
I hope I can explain this in such a way that it makes sense!
I'm using Liberator to prototype some web services that I need to expose to clients and have route(s) defined like so:
(defroutes fish
(context "/fish"
[]
(ANY "/cod/:id/count"
[id]
(cod-fish id))))
(def handler
(-> fish
wrap-params
path-wrapper))
The intention of path-wrapper is to output some information about the matched path. It currently looks like so:
(defn path-wrapper
[handler]
(fn [request]
(println "in" (:request-method request) (:uri request))
(let [response (handler request)]
(println "out")
response)))
This prints out what you'd expect:
in :get /fish/cod/123/count
out
However, what I'd like it to print out is:
in :get /fish/cod/:id/count
out
That is, the path that matched rather than the URI that matched it.
I'm almost certain that the answer is in Clout somewhere but I don't seem able to find it! :(
Any advice?
Cheers,
Peter
In cases like this I'm fond of putting in a debugging statement like:
(let [response .... ]
(log/errorf "in: request was: %s"
(with-out-str (clojure.pprint/pprint request))
....
and look for the data you want in the output (then remove the statement) or if you have a working and modern emacs+cider environment you can add debugging to the function with C-uC-cC-c and catch the value of request that way. If the data you wan't is available it will likely be in that output. If you are not using a logging framework then remove the log and with-out-str parts and just call pprint directly.
Sorry if i'm misunderstanding or perhaps is's a typo in the question though:
(let [response handler]
(println "out")
response)
looks like it's returning the handler itself rather than the result of calling that handler, should it be :
(let [response (handler request)]
(println "out")
response)
I have a ring middleware which does some check on request maps with the header values.
For the check I have to hit the database.
If a defroutes as a set of routes starting with acommon URI pattern.
I don't want a middleware to run for any random URL that matches the pattern before getting handled.
I only want middleware to run for a certain set of URIs that I am suing inside of defroutes only. The reason being there is a database access in the middleware which I want to avoid for 404 responses having the same pattern.
Here is comporoute, a ring handler without any macro magic, aimed at composability and extensibility.
Even though it's in early alpha state it has precise docstrings already. It has a feature called inner middleware to solve the issue you are having. You may (and should) use it only for what you need it for and leave the rest to Compojure.
Given your Compojure handler/app is called compojure:
(defn demo-middleware
"A test midleware associng :bar to :foo of request"
[handler]
(fn [request]
(handler (assoc request :foo :bar))))
(defn demo-handler [request]
(ring.util.response/response
(str "id is " (get-in request [:params :id]) " "
":foo is" (:foo request))))
(def app
(comporoute.core/router
[["/demo-with-middleware"
[demo-middleware ;; all handlers in this vector are
;; wrapped via demo-middleware
["/:id" :demo-with demo-handler]]]
["/demo-without-middleware"
["/:id" :demo-without demo-handler]]]
:page-not-found compojure)
At the shell
curl http://localhost:8080/demo-without-middleware/1234
id is 1234 :foo is
curl http://localhost:8080/demo-with-middleware/1234
id is 1234 :foo is :bar
# Everything else will be handled by compojure.
Dependency vector [comporoute "0.2.0"]
I am beginning to use luminus framework to develop a web app, and I am trying to use friend for auth, I am stacked here, I don't know how to use that like using gem in rails app.
I don't know where should I put the code in luminus, is there anyone can show me a demo. Or tell me what to do next?
Well, you can also tell me how to write a log in function in luminus.
The login sort of works like it is posted in the Luminus Docs. Not sure if you managed to read that part, but I'll show you a simplified version of the code I use. I want to mention that I removed quite a bit of code to make everything a bit easier to understand, so this may not work as-is since I only deleted code and extra parens. Since it is from actual working code, it will work with a bit of tweeking:
The first part is getting the login form:
(defn login-page []
(html5
[:h3 "Login"]
[:form {:method "POST" :action "login"}
[:div "Username:"
[:input {:type "text" :name "username" :required "required"}]]
[:div "Password:"
[:input {:type "password" :name "password" :required "required"}]]
[:div
[:input {:type "submit" :value "Log In"}]]]]))
Notice that there is a "POST" method? In order to get the routes to work, you have to have a "POST" route, but you will also need a "GET" route. This is the simplified version of the "GET" "POST" loop that I have:
(defroutes app-routes
(GET "/login" []
(log/login-page))
(POST "/login" [username password]
(do-login username password)))
The (do-login) function is where I authenticate the user / password combo, which then sets the session, which is shown downn below.
Notice that the POST route needs arguments. The arguments must match the "name" parameters in the form.
Finally, to get it all to work, you have to hook up some sessions. I personally use lib-noir.sessions:
(ns myapp.handler
(:require [noir.session :as sesh])
Then you have to create a map to hold the session, which I'm wrapping in a function here (note that the :key must match whatever you have in your database:
(defn set-user [username]
(sesh/put! :handle username))
And finally, you have to tell clojure that you want to allow sessions to be handled via middleware:
(def app
(sesh/wrap-noir-session
(handler/site
app-routes)))
Hopefully that gives you a bit of a headstart. I did not include how to connect to a database or how to use a map, but the above should be enough to get you on your way. I also did not touch on authorization and security (please don't skip this!). Using a database, map, or friend isn't a huge quantum leap from here. Just wanted to offer just enough to get you started.
Here's an example from when I did a luminus+friend combination, granted, they've changed the template several times, so this is from an older version, but the concepts the same, I hope it helps.
(def all-routes
[home-routes cljs-routes test-routes app-routes])
(def app
(-> all-routes middleware/app-handler ))
(def secured-app
(handler/site
(friend/authenticate app{
:login-uri "/login"
:unauthorized-redirect-uri "/login"
:credential-fn (partial creds/bcrypt-credential-fn users)
:workflows [(workflows/interactive-form)]})))
(def war-handler
(middleware/war-handler secured-app))