How to apply ring-anti-forgery on specific reitit routes?

Question

I keep getting "Invalid anti-forgery token" when wrapping specific routes created with metosin/reitit reitit.ring/ring-router. I've also tried reitit's middleware registry, but it didn't work too. Although I could just wrap the entire handler with wrap-session and wrap-anti-forgery, that defeats the reitit's advantage on allowing route-specific middleware.

(ns t.core

 (:require [immutant.web :as web]
           [reitit.ring :as ring]
           [ring.middleware.anti-forgery :refer [wrap-anti-forgery]]
           [ring.middleware.content-type :refer [wrap-content-type]]
           [ring.middleware.params :refer [wrap-params]]
           [ring.middleware.keyword-params :refer [wrap-keyword-params]]
           [ring.middleware.session :refer [wrap-session]]
           [ring.util.anti-forgery :refer [anti-forgery-field]]
           [ring.util.response :as res]))


(defn render-index [_req]
 (res/response (str "<form action='/sign-in' method='post'>"
                    (anti-forgery-field)
                    "<button>Sign In</button></form>")))

(defn sign-in [{:keys [params session]}]
 (println "params: " params
          "session:" session)
 (res/redirect "/index.html"))

(defn wrap-af [handler]
 (-> handler
     wrap-anti-forgery
     wrap-session
     wrap-keyword-params
     wrap-params))

(def app
 (ring/ring-handler
  (ring/router [["/index.html" {:get render-index
                                :middleware [[wrap-content-type]
                                             [wrap-af]]}]
                ["/sign-in"    {:post sign-in
                                :middleware [wrap-af]}]])))

(defn -main [& args]
 (web/run app {:host "localhost" :port 7777}))

Answer 1

It turns out that metosin/reitit creates one session store for each route (refer to issue 205 for more information); in other words, ring-anti-forgery is not working because reitit does not use the same session store for each route.

As of the time of this answer, the maintainer suggests the following (copied from the issue for ease of reference within Stack Overflow):

1. mount the wrap-session outside of the router so there is only one instance of the mw for the whole app. There is :middleware option in ring-handler for this:

(require '[reitit.ring :as ring])
(require '[ring.middleware.session :as session])

(defn handler [{session :session}]
  (let [counter (inc (:counter session 0))]
    {:status 200
     :body {:counter counter}
     :session {:counter counter}}))

(def app
  (ring/ring-handler
    (ring/router
      ["/api"
       ["/ping" handler]
       ["/pong" handler]])
    (ring/create-default-handler)
    ;; the middleware on ring-handler runs before routing
    {:middleware [session/wrap-session]}))

2. create a single session store and use it within the routing table (all instances of the session middleware will share the single store).

(require '[ring.middleware.session.memory :as memory])

;; single instance
(def store (memory/memory-store))

;; inside, with shared store
(def app
  (ring/ring-handler
    (ring/router
      ["/api"
       {:middleware [[session/wrap-session {:store store}]]}
       ["/ping" handler]
       ["/pong" handler]])))

Not shown in this answer is the third option that the maintainer calls for PR.