(ns your.namespace)

(clojure.spec.alpha/def ::message
  (trident.util.datomic/ent-keys [:message/text :message/sender]))

(def authorizers
  {[nil ::message]
   (fn [{:keys [uid eid datoms db-before db-after before after]}]
     (not-empty
       (datomic.client.api/q
         '[:find ?e :in $ ?e ?user :where [?e :message/sender ?user]]
         db-after eid [:user/uid uid])))})

Authorizes a transaction `tx` ran by the user `uid`.

Returns transaction data if successful, throws an exception otherwise.
`authorizers` is the fully-qualified symbol of a var containing your
authorization model, e.g. `'your.namespace/authorizers`:
```
(ns your.namespace)

(clojure.spec.alpha/def ::message
  (trident.util.datomic/ent-keys [:message/text :message/sender]))

(def authorizers
  {[nil ::message]
   (fn [{:keys [uid eid datoms db-before db-after before after]}]
     (not-empty
       (datomic.client.api/q
         '[:find ?e :in $ ?e ?user :where [?e :message/sender ?user]]
         db-after eid [:user/uid uid])))})
```
This value of `authorizers` will allow a user to create a message entity as
long as they are listed as the sender of that message.

`authorizers` is a map from entity "signatures" to authorizer functions. The
authorizer function takes information about a single entity that was changed
in the transaction, returning true if the change should be allowed. A
transaction will be authorized only if each entity changed by the transaction
is authorized by at least one authorizor function.

The entity must also match the authorizor function's signature. A signature is
a pair of specs that are matched by a particular entity before and after the
transaction, respectively. `nil` means that the entity does not exist. So in
the example, `[nil ::message]` means that the entity is being created (i.e.
it didn't exist before the transaction) and that it has exactly two keys:
`:message/text` and `:message/sender` (see [[trident.util.datomic/ent-keys]]).

The authorizer function takes the following parameters:

 - `uid`: same as the `uid` passed to `authorize`. It should be the ID of the
   user making the transaction, or `nil` if the user is unauthenticated.

 - `eid`: the ID of the entity being authorized.

 - `datoms`: the datoms in `:tx-data` from the transaction result that belong
   to this entity.

 - `db-before` and `db-after`: same as in the transaction result.

 - `before` and `after`: the results of `pull`ing the entity before and after
   the transaction, respectively; or `nil` if the entity doesn't exist.

Returns true if `ent` matches `spec`.
Entities referenced by `ent` must also match their respective keys' specs.

A ring handler for authorizing and running transactions.

To use `handler`, you must include `:allow [trident.datomic-cloud.txauth/authorize
...]` in your `ion-config.edn` file.

Parameters:
- `conn`: a Datomic connection
- `tx`: a Datomic transaction
- `uid` and `authorizers`: see [[authorize]].
- `allowed`: set of fully-qualified symbols, denoting transaction functions
  that the user is allowed to include in their transaction.

If authorized, returns a ring response with the value of `:tempids` from the
transaction result in the body (as EDN). Returns a 403 response otherwise.

Datomic EIDs in the response are wrapped in a tagged literal, e.g. `123`
becomes `#trident/eid "123"`. See [[trident.datascript/transact!]].
`handler` assumes that any EIDs in `tx` are normal `long`s, not tagged
literals. To this end, you may want to include `{trident/eid
trident.util/parse-int}` in your `data_readers.clj` file.