Authentication and authorization domain: user lifecycle, credentials, sessions/tokens, and MFA flows.
| Namespace | Purpose |
|---|---|
| Pure user-domain business logic |
| Pure MFA setup/verification logic |
| Service-layer orchestration and validation |
| Auth/user HTTP handlers |
# Login
curl -X POST http://localhost:3000/api/auth/login \
-H "Content-Type: application/json" \
-d '{"email": "user@example.com", "password": "secret"}'
# Register
curl -X POST http://localhost:3000/api/auth/register \
-H "Content-Type: application/json" \
-d '{"email": "new@example.com", "password": "secret", "name": "Alice"}'# 1. Start MFA setup
curl -X POST http://localhost:3000/api/auth/mfa/setup \
-H "Authorization: Bearer <token>"
# 2. Enable MFA (verify with TOTP code)
curl -X POST http://localhost:3000/api/auth/mfa/enable \
-H "Authorization: Bearer <token>" \
-d '{"secret": "...", "verificationCode": "123456"}'
# 3. Login with MFA
curl -X POST http://localhost:3000/api/auth/login \
-d '{"email": "user@example.com", "password": "...", "mfaCode": "123456"}'
# Disable MFA
curl -X POST http://localhost:3000/api/auth/mfa/disable \
-H "Authorization: Bearer <token>" \
-d '{"verificationCode": "123456"}'# List active sessions
curl http://localhost:3000/api/auth/sessions \
-H "Authorization: Bearer <token>"
# Revoke a session
curl -X DELETE http://localhost:3000/api/auth/sessions/{session-id} \
-H "Authorization: Bearer <token>"JWT_SECRET must be set (minimum 32 characters)
Internal keys use :password-hash (kebab-case), never :password_hash
Account lockout is enforced after repeated failed logins
JWT_SECRET="dev-secret-32-chars-minimum" clojure -M:test:db/h2 :user
# Update validation snapshots
UPDATE_SNAPSHOTS=true clojure -M:test:db/h2 \
--focus user-validation-snapshot-testCan you improve this documentation?Edit on GitHub
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |