I recently started a project that required user authentication, and I decided to take care of the auth part first for the sake of learning and to have a foundation for future projects. Tools like luminus are great for standing up something with solid standard libraries, but there are so many tools in the Clojure world now; things are moving quickly and there are so many choices.
Anyway, I knew the tools I wanted to use but I needed to figure out how to put them together myself. After doing so I felt like maybe someone else will benefit from having it as a reference. I read through relevant OWASP material to get a grasp of security best practices while building it. I’m not a security expert and some things may still need to be tweaked for more security; some things, of course, are business-specific as well.
- user sign up with email address
- email verification via link with token emailed to user
- user login
- user logout
- forgot password / password reset
- clojure cli
- pedestal for the backend service
- java-time for handling time and dates
- postal for sending emails
- yogthos/config for configuration
- next.jdbc for database interaction
- hiccup for rendering html
- buddy-hashers for hashing passwords and checking raw passwords against stored hashes
- hikaricp for database connection pooling
- docker for packaging and deployment
- shadow-cljs for clojurescript compilation
Feedback is welcome!
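As an added illustration of the token-based verification and password-reset items listed above (this is example code, not part of auth-template), here is one way to wire the emailed reset token with buddy-hashers and clojure.java-time. The `db` atom is a constructed stand-in for the next.jdbc tables, and the `java-time.api` namespace assumes clojure.java-time 1.x.

```clojure
(ns auth-example.reset
  (:require [buddy.hashers :as hashers]
            [java-time.api :as jt])
  (:import (java.security MessageDigest SecureRandom)
           (java.util Base64)))

;; Constructed stand-in for the users and reset_tokens tables the template
;; would keep in Postgres behind next.jdbc and hikaricp.
(def db (atom {:users {"alice@example.com" {:password-hash (hashers/derive "old-password")}}
               :reset-tokens {}}))

(defn- sha256-hex [^String s]
  (let [digest (MessageDigest/getInstance "SHA-256")]
    (apply str (map #(format "%02x" (bit-and % 0xff))
                    (.digest digest (.getBytes s "UTF-8"))))))

(defn new-reset-token!
  "Issues a one-hour, single-use token for `email`. Only SHA-256(token) is
   stored, so a leaked table cannot reset passwords; the raw value is emailed."
  [email]
  (let [buf (byte-array 32)
        _   (.nextBytes (SecureRandom.) buf)
        raw (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) buf)]
    (swap! db assoc-in [:reset-tokens (sha256-hex raw)]
           {:email email :expires-at (jt/plus (jt/instant) (jt/hours 1))})
    raw))

(defn reset-password!
  "Consumes `raw-token`: on success stores a fresh buddy-hashers hash and deletes
   the token so it cannot be replayed. Returns :ok or a failure keyword."
  [raw-token new-password]
  (let [h (sha256-hex raw-token)   ; lookup by hash, so no string compare can leak timing
        {:keys [email expires-at] :as rec} (get-in @db [:reset-tokens h])]
    (cond
      (nil? rec) :invalid-token
      (jt/before? expires-at (jt/instant))
      (do (swap! db update :reset-tokens dissoc h) :expired-token)
      :else
      (do (swap! db #(-> %
                         (assoc-in [:users email :password-hash] (hashers/derive new-password))
                         (update :reset-tokens dissoc h)))
          :ok))))

(defn login-ok? [email password]
  ;; hashers/check compares the raw password against the stored hash; unknown users fail.
  (if-let [h (get-in @db [:users email :password-hash])]
    (hashers/check password h)
    false))
```

Issue a token with `(new-reset-token! "alice@example.com")`, pass it to `reset-password!` with the new password, and a second call with the same token returns `:invalid-token` because the first call consumed it.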
Looks good! Do you have a roadmap for the evolution of auth-template?
I imagine you’ve thought about some or all of these but some useful enhancements might be:
- Password policy (configurable) with options for:
  - strength (length, composition, dictionary)
- Brute force prevention (strikes or other mechanism, lockout policy)
- Multi-factor auth (TOTP, FIDO, other. Note: https://github.com/suvash/one-time is a Clojure TOTP lib)
- Admin lockouts
- Forced password rotation (e.g. in the event of a breach)
- step-up auth for sensitive actions
I think it’s great that you’re creating this template. Getting login security right is a job for specialists and it takes a lot of experience and dedication to detail since there are so many ways for it to go (invisibly) wrong. Since most developers won’t have the time or expertise to do a thorough job, this can really help in making Clojure apps more secure!
Thanks a lot for the feedback and ideas! I have thought of ways to improve upon it, and those points you mention are great (some/most of which have crossed my mind).
I was at a point to start adding features specific to my app, but I knew I had something worth sharing and felt that if I put it off, I might not go back to it later, or I’d have to pick things apart later. In an effort not to get side-tracked from my app, I drew a line with how far to go with the template for now, knowing people can add what they need for the time being.
So I’m letting it sit for a while as-is while I continue to focus on the app it spawned from, but I’m open to ideas and others helping improve it. Your points provide a good reference for later improvements, for sure!
P.S. - Thanks for the one-time link!
This might be exactly what I’ve been working without. Thanks, truly, for sharing!