112 lines
3.8 KiB
Clojure
112 lines
3.8 KiB
Clojure
(ns yenu.middleware
|
|
(:require [clojure.tools.logging :as log]
|
|
[ring.middleware.anti-forgery :refer [wrap-anti-forgery]]
|
|
[ring.middleware.webjars :refer [wrap-webjars]]
|
|
[ring.middleware.format :refer [wrap-restful-format]]
|
|
[ring.middleware.flash :refer [wrap-flash]]
|
|
[ring.middleware.cookies :refer [wrap-cookies]]
|
|
[ring.middleware.defaults :refer [site-defaults wrap-defaults]]
|
|
[ring.util.response :refer [redirect]]
|
|
[immutant.web.middleware :refer [wrap-session]]
|
|
|
|
[yenu.env :refer [defaults]]
|
|
[yenu.config :refer [env]]
|
|
[yenu.layout :refer [*app-context* *identity* error-page]]
|
|
|
|
[buddy.auth :refer [authenticated?]]
|
|
[buddy.auth.middleware :refer [wrap-authentication wrap-authorization]]
|
|
[buddy.auth.backends.session :refer [session-backend]]
|
|
[buddy.auth.accessrules :refer [wrap-access-rules success error restrict]]
|
|
|
|
[digest :as digest])
|
|
(:import [javax.servlet ServletContext]))
|
|
|
|
(defn wrap-context [handler]
|
|
(fn [request]
|
|
(binding [*app-context*
|
|
(if-let [context (:servlet-context request)]
|
|
;; If we're not inside a servlet environment
|
|
;; (for example when using mock requests), then
|
|
;; .getContextPath might not exist
|
|
(try (.getContextPath ^ServletContext context)
|
|
(catch IllegalArgumentException _ context))
|
|
;; if the context is not specified in the request
|
|
;; we check if one has been specified in the environment
|
|
;; instead
|
|
(:app-context env))]
|
|
(handler request))))
|
|
|
|
(defn wrap-internal-error [handler]
|
|
(fn [req]
|
|
(try
|
|
(handler req)
|
|
(catch Throwable t
|
|
(log/error t)
|
|
(error-page {:status 500
|
|
:title "Something very bad has happened!"
|
|
:message "We've dispatched a team of highly trained gnomes to take care of the problem."})))))
|
|
|
|
(defn wrap-csrf [handler]
|
|
(wrap-anti-forgery
|
|
handler
|
|
{:error-response
|
|
(error-page
|
|
{:status 403
|
|
:title "Invalid anti-forgery token"})}))
|
|
|
|
(defn wrap-identity [handler]
|
|
(fn [request]
|
|
(binding [*identity* (get-in request [:session :identity])]
|
|
(handler request))))
|
|
|
|
(defn wrap-formats [handler]
|
|
(let [wrapped (wrap-restful-format
|
|
handler
|
|
{:formats [:json-kw :transit-json :transit-msgpack]})]
|
|
(fn [request]
|
|
;; disable wrap-formats for websockets
|
|
;; since they're not compatible with this middleware
|
|
((if (:websocket? request) handler wrapped) request))))
|
|
|
|
(defn on-error [request response]
|
|
(redirect (format "/login?next=%s" (:uri request))))
|
|
|
|
(defn creator-access [request]
|
|
(let [identity (:identity request)]
|
|
(if (= identity :creator)
|
|
true
|
|
(error "Not a creator."))))
|
|
|
|
(defn external-access-with-pw [request]
|
|
(if (= (get (:query-params request) "password") (digest/md5 (:user-password env)))
|
|
true
|
|
(error "Wrong password.")))
|
|
|
|
(def rules
|
|
[{:uris ["/feed"]
|
|
:handler external-access-with-pw}
|
|
{:uris ["/upload" "/statistics" "/comments"]
|
|
:handler creator-access}
|
|
{:pattern #"^/.*"
|
|
:handler authenticated?}])
|
|
|
|
(defn wrap-auth [handler]
|
|
(-> handler
|
|
(wrap-access-rules {:rules rules :on-error on-error})
|
|
(wrap-authentication session-backend)
|
|
(wrap-authorization session-backend)))
|
|
|
|
(defn wrap-base [handler]
|
|
(-> ((:middleware defaults) handler)
|
|
wrap-webjars
|
|
wrap-flash
|
|
(wrap-session {:timeout (* 60 60 24 7)
|
|
:cookie-attrs {:http-only true}})
|
|
wrap-cookies
|
|
(wrap-defaults
|
|
(-> site-defaults
|
|
(assoc-in [:security :anti-forgery] false)
|
|
(dissoc :session)))
|
|
wrap-context
|
|
wrap-internal-error))
|