Authentication for AJAX calls


Jonathon McKitrick

Aug 15, 2014, 3:12:44 PM
to clojur...@googlegroups.com
I've applied Friend to my page authentication with great success, but I'm not sure how to do the same with my AJAX API calls. Obviously, you don't want to pass cleartext credentials around.

What have you all used in this case?

Tobias Quinn

Aug 15, 2014, 5:25:03 PM
to clojur...@googlegroups.com
I've used Friend for a single page app. It serves the main page to anyone and has a route that can issue a json web token (jwt) using http basic authentication. I used clj-jwt to generate the token.

Then, the api routes required by the app are authenticated using the jwt in the authorization header.

It involved writing a friend workflow for the jwt which is similar to the http-basic workflow.

Jonathon McKitrick

Aug 17, 2014, 8:52:07 AM
to clojur...@googlegroups.com

That's a good suggestion, thanks. Now, the only issue I need to figure out is how to use both the interactive-form workflow for the main login page, and then http-basic to get the jwt token, without passing around credentials in cleartext if possible.

Jonathon McKitrick

Aug 17, 2014, 1:59:40 PM
to clojur...@googlegroups.com
Can this be done without SSL?

Jonathon McKitrick

Aug 26, 2014, 7:50:55 AM
to clojur...@googlegroups.com
I have it almost completely figured out.  The only part left is handling unauthorized/unauthenticated calls.  Currently, they are forwarding to '/api/login' which is not what I want.  I just want them to return HTTP 401.  I think that's an option, but I haven't figured it out yet.

Any ideas?


--
Jonathon McKitrick
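
An added example, not code from any poster in this thread and not Friend or clj-jwt code: a library-independent sketch of the flow discussed above, where the login route issues a signed token and the API routes check it in the Authorization header and answer 401 themselves. It assumes `clojure.data.json` on the classpath and Java 8+; the namespace, key, `:api-identity` and all function names are hypothetical.

```clojure
(ns example.jwt-api
  (:require [clojure.data.json :as json] [clojure.string :as str])
  (:import (java.security MessageDigest) (java.util Base64)
           (javax.crypto Mac) (javax.crypto.spec SecretKeySpec)))

;; Constructed demo key; load the real one from configuration.
(def ^:private secret (.getBytes "constructed-demo-secret" "UTF-8"))

(defn- now-secs [] (quot (System/currentTimeMillis) 1000))
(defn- enc [^bytes bs] (.encodeToString (.withoutPadding (Base64/getUrlEncoder)) bs))
(defn- enc-json [m] (enc (.getBytes ^String (json/write-str m) "UTF-8")))
(defn- dec-json [^String s]
  (json/read-str (String. (.decode (Base64/getUrlDecoder) s) "UTF-8") :key-fn keyword))
(defn- sign ^bytes [^String s]
  (.doFinal (doto (Mac/getInstance "HmacSHA256")
              (.init (SecretKeySpec. secret "HmacSHA256")))
            (.getBytes s "UTF-8")))

;; Called by the login route after the credential check has passed.
(defn issue-token [user ttl-secs]
  (let [body (str (enc-json {:alg "HS256" :typ "JWT"}) "."
                  (enc-json {:sub user :exp (+ (now-secs) ttl-secs)}))]
    (str body "." (enc (sign body)))))

;; Returns the claims, or nil for a missing, malformed, forged or expired token.
(defn verify-token [token]
  (try
    (let [[h p s :as parts] (str/split (str token) #"\.")]
      (when (and (= 3 (count parts))
                 (= "HS256" (:alg (dec-json h))) ; pin the algorithm
                 (MessageDigest/isEqual (sign (str h "." p)) ; constant-time compare
                                        (.decode (Base64/getUrlDecoder) ^String s)))
        (let [claims (dec-json p)]
          (when (> (:exp claims 0) (now-secs)) claims))))
    (catch Exception _ nil)))

;; Ring middleware for the API routes: answers 401 itself, never redirects.
(defn wrap-jwt [handler]
  (fn [req]
    (let [auth      (get-in req [:headers "authorization"] "")
          [_ token] (re-matches #"(?i)Bearer\s+(\S+)" auth)]
      (if-let [claims (verify-token token)]
        (handler (assoc req :api-identity claims))
        {:status 401 :headers {"WWW-Authenticate" "Bearer"} :body "unauthorized"}))))

(comment ; REPL check with constructed requests
  (def api (wrap-jwt (fn [req] {:status 200 :body (get-in req [:api-identity :sub])})))
  (api {:headers {}})
  (api {:headers {"authorization" (str "Bearer " (issue-token "alice" 300))}}))
```

A bearer token is replayable by anyone who captures it until it expires, so signing the token does not replace transport encryption.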