Simple authentication for Clack-based Common Lisp web applications.
See the demo app for a complete example.
To mitigate the risks of the NSA convincing people to hash passwords with things like SHA-256, only PBKDF2 (And eventually scrypt) is supported
:pbkdf2-sha1
:pbkdf2-sha256
:pbkdf2-sha512
Hermetic is not opinionated, doesn't integrate into an existing database or
create any models. As such, it needs to be told how to find a user's
information to provide authentication. This is what setup
is for:
(setup
:user-p ;; str->bool, t if a username exists, nil otherwise
:user-pass ;; str->str, maps a username to a password (hash, hopefully)
:user-roles ;; str->(list sym), maps a username to a list of roles,
;; for example: (:user) (:user :tester :staff) (:user :admin)
:session ;; the /expression/ for the session object. ningle:*session* on
;; Ningle <https://github.com/fukamachi/ningle>.
:denied ;; A function that displays an "access denied" message
)
For example, if your users are stored in a simple in-memory hash-table as in the demo app:
(defmacro get-user (username)
`(gethash ,username *users*))
(setup
:user-p #'(lambda (user) (get-user user))
:user-pass #'(lambda (user) (getf (get-user user) :pass))
:user-roles #'(lambda (user) (getf (get-user user) :roles))
:session *session*)
When creating your login view, the login
macro handles most of the work for
you.
Grants access to a site only to users whose roles intersect with the roles in the first argument.
If an access denied page is not provided, the global one is used instead.
Example:
(setf (route *app* "/user/profile/:userid" :method :GET)
(lambda (params
(auth (:user)
(render-template "templates/profile.html")
(render-error "You have to log in to view user profiles.")))))
When auth
isn't enough to determine who gets to use what, Hermetic provides a
few functions for accessing user data from inside a view.
logged-in-p
: Exactly what it says on the tin.user-name
: Returns the username of the current user.roles
: Returns the list of roles of the current user.role-p
: Checks if a user has a role.
Logs the user out. Takes two expressions, on-success
and on-failure
.
Copyright (c) 2013 Fernando Borretti (eudoxiahp@gmail.com).
Licensed under the MIT License.