A template for web apps with user auth using OWASP best practices and pedestal

I recently started a project that required user authentication, and I decided to take care of the auth part first for the sake of learning and to have a foundation for future projects. Tools like luminus are great for standing up something with solid standard libraries, but there are so many tools in the Clojure world now; things are moving quickly and there are so many choices.

Anyway, I knew the tools I wanted to use but I needed to figure out how to put them together myself. After doing so I felt like maybe someone else will benefit from having it as a reference. I read through relevant OWASP material to get a grasp of security best practices while building it. I’m not a security expert and some things may still need to be tweaked for more security; some things, of course, are business-specific as well.

Features:

  • user sign up with email address
  • email verification via link with token emailed to user
  • user login
  • user logout
  • forgot password / password reset

Tooling:

  • clojure cli
  • pedestal for the backend service
  • java-time for handling time and dates
  • postal for sending emails
  • yogthos/config for configuration
  • next.jdbc for database interaction
  • hiccup for rendering html
  • buddy-hashers for hashing passwords and checking raw passwords against stored hashes
  • hikaricp for database connection pooling
  • docker for packaging and deployment
  • shadow-cljs for clojurescript compilation

Feedback is welcome!

5 Likes
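The two features above that hinge on a token sent by e-mail (verification links and password reset) share one pattern: mint an unguessable single-use token with an expiry, store only a hash of it, and compare in constant time when it comes back. The following is an added example in Clojure and is not code from the template or the original post. `buddy.hashers` is the library named in the tooling list (used here with its default `bcrypt+sha512` algorithm); the namespace, function names, the shape of the stored row and the TTL values are all assumptions made for illustration, and the persistence step is left to the caller.

```clojure
(ns auth-example.tokens
  ;; Added example, not the template's code. buddy-hashers is from the
  ;; tooling list; everything else is plain JDK interop. Names and the
  ;; token-row shape are assumptions.
  (:require [buddy.hashers :as hashers])
  (:import [java.security SecureRandom MessageDigest]
           [java.util Base64]
           [java.time Instant Duration]))

(def ^:private secure-random (SecureRandom.))

(defn random-token
  "Return a 32-byte (256-bit) URL-safe random token to embed in the e-mail link."
  []
  (let [buf (byte-array 32)]
    (.nextBytes secure-random buf)
    (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) buf)))

(defn sha256-hex
  "Hex SHA-256 of a string. Only the hash of a token is stored, so a leaked
   database row cannot be replayed as a live link."
  [^String s]
  (let [digest (.digest (MessageDigest/getInstance "SHA-256")
                        (.getBytes s "UTF-8"))]
    (apply str (map #(format "%02x" %) digest))))

(defn issue-token
  "Create a token for `purpose` (e.g. :verify-email or :reset-password).
   Returns [plaintext row]: the plaintext goes into the e-mail, the row into
   the database. `ttl-minutes` bounds how long the link stays valid."
  [user-id purpose ttl-minutes]
  (let [token (random-token)]
    [token {:user-id    user-id
            :purpose    purpose
            :token-hash (sha256-hex token)
            :expires-at (.plus (Instant/now) (Duration/ofMinutes ttl-minutes))
            :used-at    nil}]))

(defn- constant-time= [^String a ^String b]
  ;; MessageDigest/isEqual does not short-circuit on the first differing byte.
  (MessageDigest/isEqual (.getBytes a "UTF-8") (.getBytes b "UTF-8")))

(defn consume-token
  "Validate a presented token against its stored row at time `now`.
   Returns [status row]; on :ok the row comes back with :used-at set so the
   caller can persist it and the link cannot be used a second time."
  [row presented purpose ^Instant now]
  (cond
    (nil? row)                               [:not-found row]
    (not= purpose (:purpose row))            [:wrong-purpose row]
    (some? (:used-at row))                   [:already-used row]
    (.isAfter now ^Instant (:expires-at row)) [:expired row]
    (not (constant-time= (:token-hash row) (sha256-hex presented))) [:mismatch row]
    :else                                    [:ok (assoc row :used-at now)]))

;; Password storage: buddy-hashers' default algorithm (bcrypt+sha512) with a
;; per-password salt; `check` returns a boolean.
(defn hash-password [plain]
  (hashers/derive plain))

(defn password-matches? [plain stored-hash]
  (hashers/check plain stored-hash))

(comment
  ;; Constructed walk-through of the reset flow:
  (let [[plaintext row] (issue-token 42 :reset-password 30)
        now             (Instant/now)]
    (consume-token row plaintext :reset-password now)          ; => [:ok row-with-used-at]
    (consume-token row "wrong" :reset-password now)            ; => [:mismatch row]
    (consume-token row plaintext :verify-email now)            ; => [:wrong-purpose row]
    (consume-token row plaintext :reset-password
                   (.plus now (Duration/ofHours 1)))))         ; => [:expired row]
```

Two details worth keeping when adapting this: check the purpose so a verification token cannot be presented on the reset endpoint, and make the status the only thing that varies between failure cases so the HTTP layer can return one generic message to the user.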

Looks good! Do you have a roadmap for the evolution of auth-template?

I imagine you’ve thought about some or all of these but some useful enhancements might be:

  • Password policy (configurable) with options for:
      • strength (length, composition, dictionary)
      • age
      • reuse
  • Brute force prevention (strikes or other mechanism, lockout policy)
  • Multi-factor auth (TOTP, FIDO, other. Note: https://github.com/suvash/one-time is a Clojure TOTP lib)
  • Admin lockouts
  • Forced password rotation (e.g. in the event of a breach)
  • step-up auth for sensitive actions

I think it’s great that you’re creating this template. Getting login security right is a job for specialists and it takes a lot of experience and dedication to detail since there are so many ways for it to go (invisibly) wrong. Since most developers won’t have the time or expertise to do a thorough job, this can really help in making Clojure apps more secure!

3 Likes
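Of the enhancements listed above, the password policy and the brute-force lockout are the two that reduce to small pure functions over a state map, which makes them easy to test and to drop in front of any login handler. The block below is an added example written for this thread, not code from the template or from the poster. The policy values, the deny list, and the namespace and function names are constructed for illustration; a real deployment would source the deny list from a breached-password data set and keep the per-account state in the database.

```clojure
(ns auth-example.policy
  ;; Added example, not the template's code. Policy values and names are
  ;; assumptions; the deny list stands in for a breached-password list.
  (:require [clojure.string :as str])
  (:import [java.time Instant Duration]))

(def default-policy
  {:min-length    12
   :max-length    128
   :banned        #{"password" "123456" "qwerty" "letmein"}
   :max-strikes   5
   :strike-window (Duration/ofMinutes 15)
   :lockout       (Duration/ofMinutes 30)})

(defn password-problems
  "Return a vector of violations for a candidate password; empty means OK.
   Length and the deny list are checked here; further rules (composition,
   reuse against stored hashes, age) slot in as additional cond-> clauses."
  [policy password]
  (cond-> []
    (< (count password) (:min-length policy))             (conj :too-short)
    (> (count password) (:max-length policy))             (conj :too-long)
    (contains? (:banned policy) (str/lower-case password)) (conj :banned)))

(defn locked?
  "True while an account's lockout has not yet expired."
  [{:keys [locked-until]} ^Instant now]
  (boolean (and locked-until (.isBefore now ^Instant locked-until))))

(defn record-failure
  "Count one failed login. Strikes older than :strike-window are dropped first;
   reaching :max-strikes inside the window locks the account for :lockout."
  [policy {:keys [failures] :as state} ^Instant now]
  (let [cutoff (.minus now ^Duration (:strike-window policy))
        recent (conj (filterv (fn [^Instant t] (.isAfter t cutoff)) failures) now)
        state' (assoc state :failures recent)]
    (if (>= (count recent) (:max-strikes policy))
      (assoc state' :locked-until (.plus now ^Duration (:lockout policy)) :failures [])
      state')))

(defn record-success
  "A successful login clears strikes and any (by now expired) lock."
  [state]
  (assoc state :failures [] :locked-until nil))

(defn attempt-login
  "Gate a login attempt. `credentials-ok?` is a thunk that runs the real
   password check, and it is only invoked when the account is not locked, so
   a locked account costs no hashing work. Returns [outcome new-state]."
  [policy state ^Instant now credentials-ok?]
  (cond
    (locked? state now) [:locked state]
    (credentials-ok?)   [:ok (record-success state)]
    :else               [:bad-credentials (record-failure policy state now)]))

(comment
  ;; Constructed walk-through: five wrong passwords inside the window lock
  ;; the account, and the lock lifts after :lockout has elapsed.
  (let [t0    (Instant/parse "2024-01-01T12:00:00Z")
        state (reduce (fn [s i]
                        (second (attempt-login default-policy s
                                               (.plus t0 (Duration/ofSeconds i))
                                               (constantly false))))
                      {} (range 5))]
    (locked? state (.plus t0 (Duration/ofMinutes 5)))        ; => true
    (locked? state (.plus t0 (Duration/ofMinutes 40)))       ; => false
    (password-problems default-policy "Password")            ; => [:too-short :banned]
    (password-problems default-policy "correct horse battery staple")) ; => []
  )
```

The HTTP layer should map `:locked` and `:bad-credentials` to the same generic response so the lockout does not become an account-enumeration oracle, and the `record-failure` event is the natural place to emit a log line for detection of credential-stuffing runs.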

Thanks a lot for the feedback and ideas! I have thought of ways to improve upon it, and those points you mention are great (some/most of which have crossed my mind).

I was at a point to start adding features specific to my app, but I knew I had something worth sharing and felt that if I put it off, I might not go back to it later, or I’d have to pick things apart later. In an effort not to get side-tracked from my app, I drew a line with how far to go with the template for now, knowing people can add what they need for the time being.

So I’m letting it sit for a while as-is while I continue to focus on the app it spawned from, but I’m open to ideas and others helping improve it. Your points provide a good reference for later improvements, for sure!

P.S. - Thanks for the one-time link!

This might be exactly what I’ve been working without. Thanks, truly, for sharing!

1 Like