My routes (reitit) have the following branches, from my handler:
(ring/ring-handler
  (ring/router
    [(home-routes)
     (service-routes)]))
Home routes are those which our SPA handles, and service routes are those with DB connection functions. The home-routes don’t care about CSRF (they are all received via GET), but they are responsible for providing the CSRF token that will be used by POST requests to the service-routes. Originally we had an issue in that wrap-csrf was being applied in the :middleware of each one, causing token mismatch failures. Then I tried putting it in an over-arching middleware like so (this being a use of reitit I haven’t tried before).
;; used below:
(defn wrap-base [handler]
  (-> ((:middleware defaults) handler)
      wrap-flash
      wrap-csrf
      (wrap-session {:cookie-attrs {:http-only true}})
      (wrap-defaults
        (-> site-defaults
            (assoc-in [:security :anti-forgery] false)
            (dissoc :session)))
      wrap-context
      wrap-internal-error))
;;;
;;;
(ring/ring-handler
  (ring/router
    [(home-routes)
     (service-routes)])
  (ring/routes
    (ring/create-resource-handler
      {:path "/"})
    ;(wrap-webjars (constantly nil)) ;; In other applications this was the answer to applying certain middleware
    (ring/create-default-handler
      {:unauthorized
       (constantly (error-page {:status 401, :title "401 - Unauthorized",
                                :image "anakin_sitting.jpg", :caption "It's unfair! How can you be on this website and not be an admin?!"}))
       :not-found #(do (println "Not found:" (prn-str %))
                       (error-page {:status 404, :title "404 - Page not found",
                                    :image "missing_planet.jpg", :caption "This page ought to be here... but it isn't."}))
       :method-not-allowed
       (constantly (error-page {:status 405, :title "405 - Not allowed",
                                :image "anakin_obiwan_mustafar.jpg", :caption "Obi-Wan: Anakin, this is a get method!<br/><br/>Anakin: From my point of view, this is a post method!"}))
       :not-acceptable
       (constantly (error-page {:status 406, :title "406 - Not acceptable"}))}))
  ;;;;;; AND NOW
  {:middleware [[wrap-base]]})
But now, however, I’m receiving this ugliness, which looks like a pretty low-down error:
2020-06-10 13:32:12,154 [XNIO-7 task-18] ERROR y-video-back.middleware.exception - UT000034: Stream is closed
java.io.IOException: UT000034: Stream is closed
at io.undertow.io.UndertowInputStream.read(UndertowInputStream.java:87) ~[undertow-core-1.4.14.Final.jar:1.4.14.Final]
at io.undertow.io.UndertowInputStream.read(UndertowInputStream.java:78) ~[undertow-core-1.4.14.Final.jar:1.4.14.Final]
at ring.middleware.format_params$slurp_to_bytes.invokeStatic(format_params.clj:42) ~[na:na]
at ring.middleware.format_params$slurp_to_bytes.invoke(format_params.clj:35) ~[na:na]
at ring.middleware.format_params$wrap_format_params$fn__27504.invoke(format_params.clj:77) ~[na:na]
at ring.middleware.format_params$wrap_format_params$fn__27504.invoke(format_params.clj:92) ~[na:na]
at ring.middleware.format_params$wrap_format_params$fn__27504.invoke(format_params.clj:92) ~[na:na]
at ring.middleware.format_response$wrap_format_response$fn__27681.invoke(format_response.clj:194) ~[na:na]
at y_video_back.middleware$wrap_formats$fn__64106.invoke(middleware.clj:90) ~[na:na]
at ring.middleware.anti_forgery$wrap_anti_forgery$fn__25266.invoke(anti_forgery.clj:94) [na:na]
at immutant.web.internal.undertow$wrap_undertow_session$fn__47145.invoke(undertow.clj:72) [na:na]
;;;;;; elided
I thought I’d ask here in case anyone has a solution in place for using :middleware and applying CSRF to multiple branches of a route tree, but if not, I’ll make an issue of it for Reitit.
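A reduced sketch of the arrangement described in the post, added here as an example and not taken from the poster's project: one session layer and one anti-forgery layer at the top of the reitit handler, a GET route that hands out the token and a POST route that requires it. The namespace, the `/` and `/api/echo` routes, the handler bodies and `session-store` are assumptions; it calls `wrap-anti-forgery` from ring-anti-forgery directly rather than the post's `wrap-csrf`, and it leaves out the other layers of `wrap-base`.

```clojure
(ns example.csrf
  (:require [clojure.string :as str]
            [reitit.ring :as ring]
            [ring.middleware.anti-forgery :refer [wrap-anti-forgery
                                                  *anti-forgery-token*]]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.memory :refer [memory-store]]))

;; A single store for the whole tree. wrap-session creates a fresh in-memory
;; store on every call that is not given :store, so two separate wrap-session
;; calls would not see each other's sessions (or the tokens kept in them).
(defonce session-store (memory-store))

(defn home-routes []                      ; hypothetical stand-in for the SPA page
  ["/" {:get (fn [_]
               {:status  200
                :headers {"Content-Type" "text/plain"}
                :body    *anti-forgery-token*})}])

(defn service-routes []                   ; hypothetical stand-in for a DB route
  ["/api/echo" {:post (fn [_] {:status 200 :body "ok"})}])

(def app
  (ring/ring-handler
    (ring/router [(home-routes) (service-routes)])
    (ring/create-default-handler)
    ;; Top-level middleware runs once per request, before routing. The first
    ;; entry is outermost, so the session is loaded before the token check.
    {:middleware [[wrap-session {:store        session-store
                                 :cookie-attrs {:http-only true}}]
                  wrap-anti-forgery]}))

(comment
  ;; Constructed requests: fetch the token via GET, then POST without and
  ;; with it, replaying the session cookie from the first response.
  (let [r1     (app {:request-method :get :uri "/" :headers {}})
        cookie (-> (get-in r1 [:headers "Set-Cookie"])
                   first
                   (str/split #";")
                   first)
        post   (fn [headers]
                 (:status (app {:request-method :post
                                :uri            "/api/echo"
                                :headers        (assoc headers "cookie" cookie)})))]
    {:without-token (post {})
     :with-token    (post {"x-csrf-token" (:body r1)})}))
```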