I recently started a project that required user authentication, and I decided to take care of the auth part first for the sake of learning and to have a foundation for future projects. Tools like luminus are great for standing up something with solid standard libraries, but there are so many tools in the Clojure world now; things are moving quickly and there are so many choices.
Anyway, I knew the tools I wanted to use but I needed to figure out how to put them together myself. After doing so I felt like maybe someone else will benefit from having it as a reference. I read through relevant OWASP material to get a grasp of security best practices while building it. I’m not a security expert and some things may still need to be tweaked for more security; some things, of course, are business-specific as well.
Features:
user sign up with email address
email verification via link with token emailed to user
user login
user logout
forgot password / password reset
Tooling:
clojure cli
pedestal for the backend service
java-time for handling time and dates
postal for sending emails
yogthos/config for configuration
next.jdbc for database interaction
hiccup for rendering html
buddy-hashers for hashing passwords and checking raw passwords against stored hashes
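Added example (not the template's own code) showing how the password-hashing and email-verification-token pieces listed above fit together. The `buddy.hashers/derive`, `buddy.hashers/check` and `java-time` calls are the real library APIs; the namespace, the token record shape and the helper names are my assumptions.

```clojure
(ns auth-template.example
  (:require [buddy.hashers :as hashers]
            [java-time :as jt])
  (:import [java.security MessageDigest SecureRandom]
           [java.util Base64]))

;; --- Passwords: store only the derived hash, never the raw password.
(defn hash-password [raw]
  (hashers/derive raw {:alg :bcrypt+sha512}))

(defn password-matches? [raw stored-hash]
  (hashers/check raw stored-hash))

;; --- Verification / reset tokens.
;; The raw token goes into the emailed link; the database keeps only its
;; SHA-256 digest plus an expiry, so a leaked table cannot be replayed.
(defn- sha256-b64 [^String s]
  (.encodeToString (Base64/getUrlEncoder)
                   (.digest (MessageDigest/getInstance "SHA-256")
                            (.getBytes s "UTF-8"))))

(defn new-token
  "Returns {:raw <for the link> :record <to persist>}; expires in `ttl-hours`."
  [user-id ttl-hours]
  (let [bytes (byte-array 32)
        _     (.nextBytes (SecureRandom.) bytes)
        raw   (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) bytes)]
    {:raw    raw
     :record {:user-id    user-id
              :token-hash (sha256-b64 raw)
              :expires-at (jt/plus (jt/instant) (jt/hours ttl-hours))}}))

(defn token-valid?
  "True only if the presented token hashes to the stored digest (compared in
   constant time) and the record has not expired."
  [presented {:keys [token-hash expires-at]}]
  (and (jt/before? (jt/instant) expires-at)
       (MessageDigest/isEqual (.getBytes ^String (sha256-b64 presented) "UTF-8")
                              (.getBytes ^String token-hash "UTF-8"))))

(comment
  ;; Constructed sample flow: sign-up, then one verification-link round trip.
  (def stored (hash-password "correct horse battery staple"))
  (password-matches? "correct horse battery staple" stored)
  (password-matches? "wrong guess" stored)
  (let [{:keys [raw record]} (new-token 42 24)]
    ;; `raw` is emailed in the link; `record` is what the app persists.
    [(token-valid? raw record) (token-valid? "tampered" record)]))
```

A real app would also delete the token record after one successful use and rate-limit the verification endpoint; both are left out here to keep the example short.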
Forced password rotation (e.g. in the event of a breach)
step-up auth for sensitive actions
I think it’s great that you’re creating this template. Getting login security right is a job for specialists and it takes a lot of experience and dedication to detail since there are so many ways for it to go (invisibly) wrong. Since most developers won’t have the time or expertise to do a thorough job, this can really help in making Clojure apps more secure!
Thanks a lot for the feedback and ideas! I have thought of ways to improve upon it, and those points you mention are great (some/most of which have crossed my mind).
I was at a point to start adding features specific to my app, but I knew I had something worth sharing and felt that if I put it off, I might not go back to it later, or I’d have to pick things apart later. In an effort not to get side-tracked from my app, I drew a line with how far to go with the template for now, knowing people can add what they need for the time being.
So I’m letting it sit for a while as-is while I continue to focus on the app it spawned from, but I’m open to ideas and others helping improve it. Your points provide a good reference for later improvements, for sure!