001 - Cookie Sessions

Date: 2024-06-05

Status: accepted

Context

Initially I wanted ShipClojure to use JWT tokens with refresh token rotation, but that turned out to be problematic, especially for server-side rendering.

Another issue is that the Clojure community is more settled on cookies. You can observe this from the authentication strategies and packages that already exist.

Decision

Authentication will be done through a session cookie store, signed with a secret found in system.md. The secret is persistent so that sessions aren't revoked every time the server restarts.

Consequences

The code for the access/refresh token logic will be deleted, but it can still be found in the repository history. Here is the last working commit with the refresh token logic

ShipClojure will make heavy use of cookies. The session will be accessible in the :session map of each request coming into the server.

One problem with this approach is that a session cannot be revoked from user management, because a signed cookie is valid until it expires. As a solution, we will implement a persistent server-side session store (Redis or a persistent atom) whose entries can be deleted.
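The following is an added example, not ShipClojure's own code, showing both halves of this decision with Ring's built-in session middleware: the cookie store signed/encrypted with a persistent secret (the Decision above), and a server-side store whose entries can be deleted so that user management can revoke sessions (the problem described in this paragraph). The environment variable name SESSION_SECRET, the namespace, the :user-id session key and the handler names are assumptions made for this example; the persistent-atom or Redis backing mentioned in the decision is not implemented here, a plain atom stands in for it.

```clojure
(ns shipclojure.session-example
  (:require [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.cookie :refer [cookie-store]]
            [ring.middleware.session.memory :refer [memory-store]]
            [ring.middleware.session.store :as store]))

;; Cookie attributes shared by both stores: the browser must not expose the
;; session cookie to scripts, must only send it over TLS, and should not
;; attach it to cross-site requests.
(def cookie-attrs {:http-only true :secure true :same-site :lax})

;; --- Option 1: signed/encrypted cookie store with a persistent secret ---
;; Ring's cookie store needs a 16-byte key (AES-128). Generating the key at
;; startup would invalidate every session on restart, which is exactly the
;; problem the decision avoids, so the key is read from configuration.
;; The variable name SESSION_SECRET is an assumption for this example.
(defn load-session-key []
  (let [k (or (System/getenv "SESSION_SECRET")
              (throw (ex-info "SESSION_SECRET is not set" {})))
        n (count (.getBytes ^String k "UTF-8"))]
    (when-not (= 16 n)
      (throw (ex-info "SESSION_SECRET must be exactly 16 bytes" {:bytes n})))
    k))

(defn cookie-session-app
  "Wrap handler so its :session map lives inside a signed, encrypted cookie."
  [handler]
  (wrap-session handler {:store (cookie-store {:key (load-session-key)})
                         :cookie-attrs cookie-attrs}))

;; --- Option 2: server-side store so sessions can be revoked ---
;; memory-store keeps sessions in an atom keyed by session id. Swapping the
;; plain atom for a persistent one, or the store for a Redis-backed
;; SessionStore, does not change the revocation code below.
(defonce sessions (atom {}))

(def server-store (memory-store sessions))

(defn revoke-session!
  "Delete one session by id; the browser's cookie is then just an unknown key."
  [session-id]
  (store/delete-session server-store session-id))

(defn revoke-user-sessions!
  "Delete every session belonging to user-id, e.g. when an admin disables the
   account. :user-id is the session key this example assumes the login handler writes."
  [user-id]
  (doseq [[sid data] @sessions
          :when (= user-id (:user-id data))]
    (store/delete-session server-store sid)))

(defn server-session-app
  "Wrap handler so only an opaque session id travels in the cookie."
  [handler]
  (wrap-session handler {:store server-store
                         :cookie-attrs cookie-attrs}))

;; --- Handlers reading and writing the :session map of each request ---
(defn login
  "Assumed login handler: returning a :session key makes Ring persist it."
  [request]
  {:status 200
   :body "logged in"
   :session (assoc (:session request) :user-id 42)})

(defn whoami [request]
  (if-let [uid (get-in request [:session :user-id])]
    {:status 200 :body (str "logged in as user " uid)}
    {:status 401 :body "no session"}))

(defn logout
  "Returning :session nil tells Ring to delete the session (and cookie)."
  [_request]
  {:status 200 :body "logged out" :session nil})
```

With the cookie store, a session can only expire; with the server-side store, `(revoke-user-sessions! 42)` takes effect on the user's next request because wrap-session looks the cookie's id up in the store and finds nothing. Whichever store is chosen, the cookie attributes above belong in the configuration, since Ring does not set :secure or :same-site by default.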
