You can look at some very basic authentication code in the castra-chat demo.
Authentication in Castra is done via annotations on the RPC endpoint functions. These annotations become assertions when the function is called as the endpoint of an RPC call, but not when called from the REPL or from another function. Think of it as a way to inject code into the function only when the function is being called by the client. This architecture has a few benefits:
- Authentication becomes a type of precondition on the RPC functions themselves, but since they're implemented as annotations on the functions they are not coupled to the concerns of the RPC functions.
- Authentication implemented in this way is turing-complete: any authentication scheme that can be imagined can be implemented in your application directly, as a clojure library. Lisp Can Do It (tm). Just believe :)
- You can compose RPC functions without needing to mock state, because only the annotations of the endpoint the client called directly are evaluated.
- You can call RPC endpoints in the REPL or from tests without needing to mock state. Of course, if you wish to test the preconditions that's possible from the REPL also.