
[Programming] Mirror, mirror, on the wall, show the git diff for them all


Posts

  • Folken Fanel (anime af When's KoF, Registered User regular)
    OMG IT WORKED

    Fucking fuck, what the hell OS X.

    Thank you pa thread pals.

    Twitter: Folken_fgc Steam: folken_ XBL: flashg03 PSN: folken_PA SFV: folken_
    Dyvim Tvar wrote: »
    Characters I hate:

    Everybody @Folken Fanel plays as.
  • Echo (Moderator, mod)
    TextEdit: not actually a text editor

    Echo wrote: »
    Let they who have not posted about their balls in the wrong thread cast the first stone.
  • Infidel (Heretic, Registered User regular)
    I learned that the same way I think.

    Open plain text file with TextEdit, save as?

    Not plain text!

    Play D&D 4e? :: Check out Orokos and upload your Character Builder sheet! :: Orokos Dice Roller
    The PhalLounge :: Chat board for Critical Failures IRC! :: #CriticalFailures and #mafia on irc.slashnet.org
  • Folken Fanel (anime af When's KoF, Registered User regular)
    Now to the wonderful world of cloud-based computing and "big data."

    Time to measure how good my shit works when data is huge.

  • Spawnbroker (Registered User regular)
    Battle.net: Spawnbroker#1471
    Steam: Spawnbroker
    Final Fantasy XIV: Spawn Broken
  • bowen (How you doin'?, Registered User regular)

    Nice.

    Ladies.
  • GnomeTank (Registered User regular)
    They need to hurry up with the RTM. A lot of libraries we rely on aren't going to release CoreCLR versions until the RTM hits, so we're in this odd holding pattern.

    Sagroth wrote: »
    Oh c'mon FyreWulff, no one's gonna pay to visit Uranus.
    Steam: Brainling, XBL / PSN: GnomeTank, NintendoID: Brainling, FF14: Zillius Rosh SFV: Brainling
  • urahonky (Registered User regular)
    With Javascript/Django, what's a good way to gather client information? We're working on getting two factor authorization but I'm not quite sure how to determine the difference between clients. I've been logging the IP, but if two devices are used in the same building they'd have the same IP so that can't work.

  • urahonky (Registered User regular)
    Well other than IP that's all I have. Awesome. Especially since nginx seems to be forwarding the Request to Django, and all of the META data for the request is for our dev server and not the actual client.

  • urahonky (Registered User regular)
    So the only thing I can do is generate a token using their IP and then return it to the client. The client stores it in localStorage and sends it every time it logs in.

  • zeeny (Registered User regular)
    edited May 2016
    Fix your nginx to correctly forward headers. Like...wtf?
    What you describe is not a 2 factor auth scheme, do you mean something else?
    Don't use localStorage for secrets, and I hope when you say "using their IP" you mean "using their IP + a secret".

    Help us to help you honkey!

    Edit: If any part of this exercise doesn't happen over https, don't bother with it.

  • urahonky (Registered User regular)
    When running the project locally, Django's HTTPRequest object has request.META on it. In request.META I get a ton of information (computer name/architecture/OS) but whenever I put the same code on our DEV server the information that spits out is for the DEV server and not the actual computer (because nginx is handling the request between front and back end... I think... I'm not really into Sys Admin stuff anymore).

    I want the user to be able to log in and me to tell whether or not this is a new device. There's currently no way of me being able to do that from what I can tell... The IP is not enough of a unique identifier to determine uniqueness.

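    Following zeeny's advice to make nginx forward the headers, and the request.META behaviour described above: an added example, not code from the thread, of reading the real client address on the Django side without trusting a header the client itself could have sent. It assumes nginx adds the client to X-Forwarded-For (`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`) and that `meta` is a request.META-style dict; the trusted proxy range is a constructed value.

```python
"""Client address behind a reverse proxy (constructed example, not thread code).

Assumes nginx in front of Django adds the client to X-Forwarded-For and that
`meta` is a Django/WSGI request.META-style dict. REMOTE_ADDR is then nginx,
and the client is the rightmost hop in X-Forwarded-For that is not one of
our own proxies.
"""
import ipaddress


def _parse_ip(text):
    """Return an ip_address object, or None for malformed input."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def client_ip(meta, trusted_proxies):
    """Return the real client's address as a string, or None if undeterminable.

    The X-Forwarded-For header is only believed when the peer that actually
    connected (REMOTE_ADDR) is one of our proxies. It is then read from the
    right, skipping trusted hops, so a client that stuffs its own
    X-Forwarded-For value cannot choose the address we log or key on.
    """
    trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    remote = _parse_ip(meta.get("REMOTE_ADDR", ""))
    if remote is None:
        return None
    if not is_trusted(remote):
        return str(remote)  # direct connection: the header is untrusted input
    hops = meta.get("HTTP_X_FORWARDED_FOR", "").split(",")
    for hop in reversed(hops):
        ip = _parse_ip(hop)
        if ip is None:
            continue  # malformed entry: skip it rather than trust it
        if not is_trusted(ip):
            return str(ip)
    return str(remote)  # header missing, or every hop is one of ours
```

    With the dev server's nginx as the only trusted proxy, request.META["REMOTE_ADDR"] stays the proxy and the client comes out of the header, which is what the thread was missing.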
  • LD50 (Registered User regular)
    Yeah, I would just generate a unique ID. It wouldn't even need to be derived from the IP address.

  • urahonky (Registered User regular)
    LD50 wrote: »
    Yeah, I would just generate a unique ID. It wouldn't even need to be derived from the IP address.

    How do you handle a computer/device that cleared its cache? That token wouldn't exist in the localStorage.

    But I guess I'm pretty much out of ideas at this point.

  • LD50 (Registered User regular)
    edited May 2016
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

  • gavindel (The reason all your software is broken, Registered User regular)
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.


  • urahonky (Registered User regular)
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

  • LD50 (Registered User regular)
    urahonky wrote: »
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

    Ask them to name the device when it's 'new', similarly to how my bank or steam asks me to name my desktop browser.

  • urahonky (Registered User regular)
    LD50 wrote: »
    urahonky wrote: »
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

    Ask them to name the device when it's 'new', similarly to how my bank or steam asks me to name my desktop browser.

    Would it be confusing if I displayed a list of "devices" and multiple items are on there that are the same device?

  • admanb (the bored genie, Seattle, WA, Registered User regular)
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    If you create a dev task for the fix you should make sure it's a 0.25 hour task just to make them extra sad.

  • LD50 (Registered User regular)
    urahonky wrote: »
    LD50 wrote: »
    urahonky wrote: »
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

    Ask them to name the device when it's 'new', similarly to how my bank or steam asks me to name my desktop browser.

    Would it be confusing if I displayed a list of "devices" and multiple items are on there that are the same device?

    Might be, but it doesn't sound like a part of your service that is going to be used really often so it might be an acceptable edge case. An alternative could be a 'deauthorize all devices' button, so you wouldn't need to fiddle with names and such. Another alternative would be to expire IDs that hadn't been used in a certain period of time. Would cut down on duplicate devices.

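    An added example, not LD50's or urahonky's code, of the device-token scheme the exchange above settles on: a random ID not derived from the IP, stored only as a hash, named the first time it is seen, treated as a new device again after a period of disuse, and revocable for a user in one go. An in-memory dict stands in for the Django model; user ids, names and the idle period are constructed values.

```python
"""Known-device tokens for a login flow (constructed example, not thread code)."""
import hashlib
import secrets
import time


class DeviceRegistry:
    """Per-user table of device tokens, keyed by the token's SHA-256.

    The client is handed the raw token once (cookie or localStorage is the
    client's problem; see the rest of the thread) and presents it on later
    logins. Storing only the hash means a leaked table cannot be replayed,
    and a 256-bit random token makes the dict lookup safe to use directly.
    """

    def __init__(self, max_idle=90 * 24 * 3600):
        self.max_idle = max_idle          # seconds of disuse before a device is forgotten
        self._devices = {}                # token_hash -> record dict

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def register(self, user_id, name, now=None):
        """Issue a token for a newly seen device; returns the raw token for the client."""
        token = secrets.token_urlsafe(32)
        self._devices[self._hash(token)] = {
            "user_id": user_id,
            "name": name,
            "last_seen": time.time() if now is None else now,
        }
        return token

    def lookup(self, user_id, token, now=None):
        """Return the device record if `token` is a live device of `user_id`, else None."""
        if not token:
            return None
        now = time.time() if now is None else now
        key = self._hash(token)
        rec = self._devices.get(key)
        if rec is None or rec["user_id"] != user_id:
            return None   # unknown, or someone else's token
        if now - rec["last_seen"] > self.max_idle:
            del self._devices[key]  # idle too long: caller treats it as a new device
            return None
        rec["last_seen"] = now
        return rec

    def devices_for(self, user_id):
        """Names to show on the user's 'authorized devices' page."""
        return [r["name"] for r in self._devices.values() if r["user_id"] == user_id]

    def revoke_all(self, user_id):
        """The 'deauthorize all devices' button; returns how many were dropped."""
        doomed = [h for h, r in self._devices.items() if r["user_id"] == user_id]
        for h in doomed:
            del self._devices[h]
        return len(doomed)


def login(registry, user_id, presented_token, device_name, now=None):
    """Post-password step: returns (is_new_device, token_to_store_on_client).

    A cleared cache, an expired token or a token that belongs to a different
    account all land in the same branch: prompt for a name and issue a new ID.
    """
    rec = registry.lookup(user_id, presented_token, now)
    if rec is not None:
        return False, presented_token
    return True, registry.register(user_id, device_name, now)
```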
  • Echo (Moderator, mod)
  • Baron Dirigible (Registered User regular)
    Oh hey, auth talk.

    I'm working on authentication for a basic REST API, and so far my strategy is: when a user authenticates, create a unique token and save it with the user id in a redis store. Return the encrypted token to the client, which saves it in a cookie. On future visits, the token is decrypted, matched against the redis store tokens, and that user id is used to validate API calls.

    Is this terrible? Am I missing some really easy workaround? I'm relying on the assumption that if everything is served over HTTPS, my cookies are set to HTTP-only, and my server is properly set up to handle XSRF, I should be safe unless someone gets physical access to a user's computer, and even then I'm not sure if they could take advantage of anything or if there's a way to defend against that. It seems to me that at some point all authentication relies on something being stored on the client computer and cookies still seem the most secure way of doing that. But if there's a better solution or a gaping hole in my implementation I'd be really happy to know about it.

    (As a side note, for now I'm using a passwordless auth setup where users authenticate by clicking an emailed link with a one-time token that gets sent in lieu of a password. My thinking is that this way I don't have to store any passwords, and I'd have to implement something like this anyway to handle forgotten passwords.)

    Perfection is achieved not when there is nothing more to add, but when there is nothing left to take away.
  • Infidel (Heretic, Registered User regular)
    Oh hey, auth talk.

    I'm working on authentication for a basic REST API, and so far my strategy is: when a user authenticates, create a unique token and save it with the user id in a redis store. Return the encrypted token to the client, which saves it in a cookie. On future visits, the token is decrypted, matched against the redis store tokens, and that user id is used to validate API calls.

    Is this terrible? Am I missing some really easy workaround? I'm relying on the assumption that if everything is served over HTTPS, my cookies are set to HTTP-only, and my server is properly set up to handle XSRF, I should be safe unless someone gets physical access to a user's computer, and even then I'm not sure if they could take advantage of anything or if there's a way to defend against that. It seems to me that at some point all authentication relies on something being stored on the client computer and cookies still seem the most secure way of doing that. But if there's a better solution or a gaping hole in my implementation I'd be really happy to know about it.

    (As a side note, for now I'm using a passwordless auth setup where users authenticate by clicking an emailed link with a one-time token that gets sent in lieu of a password. My thinking is that this way I don't have to store any passwords, and I'd have to implement something like this anyway to handle forgotten passwords.)

    TERRIBLE!

    Well, a little.

    Use JSON Web Tokens?

    No cookies necessary, so you're immune to XSRF. Credentials must be explicitly passed, which after you get the hang of it is a great security feature.

    Why have a cache at all? All you need is their user ID which is static? You sign a JWT and they send it back to you as proof. Accomplishes the exact same thing you're talking about but without server-side sessions.

    (Which means you can scale easier since you don't need to persist which server is serving up a particular client.)

  • Infidel (Heretic, Registered User regular)
    Oh, unrelated.

    But since I'm licensed as a gaming supplier now, I can do all sorts of things now.

    Apparently I could build and sell my own VLTs if I wanted! :rotate:

    VEGAS HERE WE COME

  • bowen (How you doin'?, Registered User regular)
    Infidel wrote: »
    Oh, unrelated.

    But since I'm licensed as a gaming supplier now, I can do all sorts of things now.

    Apparently I could build and sell my own VLTs if I wanted! :rotate:

    VEGAS HERE WE COME

    let me know the backdoor you've put in so I can use it to make like a hundred dollars

  • Infidel (Heretic, Registered User regular)
    bowen wrote: »
    Infidel wrote: »
    Oh, unrelated.

    But since I'm licensed as a gaming supplier now, I can do all sorts of things now.

    Apparently I could build and sell my own VLTs if I wanted! :rotate:

    VEGAS HERE WE COME

    let me know the backdoor you've put in so I can use it to make like a hundred dollars

    Weak. You can do better.

  • bowen (How you doin'?, Registered User regular)
    Ain't no one got time for that!

  • Baron Dirigible (Registered User regular)
    Infidel wrote: »
    TERRIBLE!

    Well, a little.

    Use JSON Web Tokens?

    No cookies necessary, so you're immune to XSRF. Credentials must be explicitly passed, which after you get the hang of it is a great security feature.

    Why have a cache at all? All you need is their user ID which is static? You sign a JWT and they send it back to you as proof. Accomplishes the exact same thing you're talking about but without server-side sessions.

    (Which means you can scale easier since you don't need to persist which server is serving up a particular client.)
    Is there any recommended reading on JWT? I've heard of it before and your arguments are convincing, but it seems using it still involves saving data to localStorage, which from everything I've read is less secure than cookies.

  • Infidel (Heretic, Registered User regular)
    Infidel wrote: »
    TERRIBLE!

    Well, a little.

    Use JSON Web Tokens?

    No cookies necessary, so you're immune to XSRF. Credentials must be explicitly passed, which after you get the hang of it is a great security feature.

    Why have a cache at all? All you need is their user ID which is static? You sign a JWT and they send it back to you as proof. Accomplishes the exact same thing you're talking about but without server-side sessions.

    (Which means you can scale easier since you don't need to persist which server is serving up a particular client.)
    Is there any recommended reading on JWT? I've heard of it before and your arguments are convincing, but it seems using it still involves saving data to localStorage, which from everything I've read is less secure than cookies.

    I don't know any material that I fully endorse but you can use JWT with cookies and so you really should use JWT. Just a question of storage.

    Local storage is accessible by Javascript running from your domain. You're vulnerable to XSS (malicious Javascript injected into your site somehow).

    Cookies are not accessible by Javascript if you set them up right, sure, but now you have to deal with XSRF since any triggered connection to your site will pass it along.

    I prefer to tackle XSS because unless I'm running something very custom content heavy, it's pretty trivial / a non-issue to address.

    XSRF on the other hand can be very hard to get right and is way more commonly a problem, in my experience.

    So, especially if you're making an API where you mainly serve requests that change shit, and not content, go with bearer tokens. Also straightforward for other APIs / scripts to integrate.

  • Infidel (Heretic, Registered User regular)
    Also, React stuff:

    We did our first app with Flux. I later did our admin portal / BI using Redux.

    Oh my god, just do yourselves a favour and skip Flux. Redux is all the good stuff with none of the crap, and has a great ecosystem now with router/tools.

    I mean, you get a nice debug frame for all your actions and state changes, with history and replay and persistence for reloads, all with one line of code to tie it in.

    https://chrome.google.com/webstore/detail/redux-devtools/lmhkpmbekcpmknklioeibfkpmmfibljd?hl=en

    So good.

  • Phyphor (Building Planet Busters, Tasting Fruit, Registered User regular)
    Part II is up. GDT, TSS, segments and other x86 ancient history that we mostly just ignore today!

    Magic Box
    Academician Prokhor "Phyphor" Zakharov, Chief Scientist of China, Provost of the University of Planet - SE++ Megagame
  • zeeny (Registered User regular)
    Infidel wrote: »
    Also, React stuff:

    We did our first app with Flux. I later did our admin portal / BI using Redux.

    Oh my god, just do yourselves a favour and skip Flux. Redux is all the good stuff with none of the crap, and has a great ecosystem now with router/tools.

    I mean, you get a nice debug frame for all your actions and state changes, with history and replay and persistence for reloads, all with one line of code to tie it in.

    https://chrome.google.com/webstore/detail/redux-devtools/lmhkpmbekcpmknklioeibfkpmmfibljd?hl=en

    So good.

    ...and when you get another moment, remember that a *shitload* of the stuff Dan's doing with Redux is heavily inspired by things/ideas in the Clojurescript community. Do yourself another favour and come see how fucking nice writing frontend code in Clojure is. ;o)

  • Baron Dirigible (Registered User regular)
    zeeny wrote: »
    ...and when you get another moment, remember that a *shitload* of the stuff Dan's doing with Redux is heavily inspired by things/ideas in the Clojurescript community. Do yourself another favour and come see how fucking nice writing frontend code in Clojure is. ;o)
    Not Elm?

    I haven't done any work in either, but Elm is next on my list, and gets cited very frequently as the inspiration behind Redux.

  • zeeny (Registered User regular)
    zeeny wrote: »
    ...and when you get another moment, remember that a *shitload* of the stuff Dan's doing with Redux is heavily inspired by things/ideas in the Clojurescript community. Do yourself another favour and come see how fucking nice writing frontend code in Clojure is. ;o)
    Not Elm?

    I haven't done any work in either, but Elm is next on my list, and gets cited very frequently as the inspiration behind Redux.

    Elm as well, I was in no way exhaustive!

  • Shivahn (Unaware of her barrel shifter privilege, Eastern coastal temptress, Registered User regular)
    Hey guys,

    I'm having a bit of an issue finding information on something, so I would like to ask here. The short of it is that I need a way to find out the size of a bytearray in Python 3 WITHOUT any of the overhead that the size functions add on.

    I'm doing some work on an IRC bot I built, which, until now, didn't really need a send buffer because the messages were so short (so it could just fire them off whenever the socket was free). However, with some new functions it has, it might need to split the messages (since it's my understanding that IRC messages aren't supposed to be more than 512 bytes). However, I can't figure out how to tell the size of the bytearray I'm sending, which I kind of need to know in order to figure out if I need to split the message up. Is there an easy way to do this?

    (I'm only going to be sending ASCII characters, so I know that len(message) is going to be the same size as the message in bytes, but I'd prefer to write a more global solution).

  • bowen (How you doin'?, Registered User regular)
    Shivahn wrote: »
    Hey guys,

    I'm having a bit of an issue finding information on something, so I would like to ask here. The short of it is that I need a way to find out the size of a bytearray in Python 3 WITHOUT any of the overhead that the size functions add on.

    I'm doing some work on an IRC bot I built, which, until now, didn't really need a send buffer because the messages were so short (so it could just fire them off whenever the socket was free). However, with some new functions it has, it might need to split the messages (since it's my understanding that IRC messages aren't supposed to be more than 512 bytes). However, I can't figure out how to tell the size of the bytearray I'm sending, which I kind of need to know in order to figure out if I need to split the message up. Is there an easy way to do this?

    (I'm only going to be sending ASCII characters, so I know that len(message) is going to be the same size as the message in bytes, but I'd prefer to write a more global solution).

    foreach with a count? I don't know, I think those implicitly use length.

    I don't see how writing your own would reduce overhead, but I don't know enough about python.

  • Infidel (Heretic, Registered User regular)
    Pretty sure that len(bytearray) gives you what you need, it doesn't handle encoding and treats byte for byte since it's "an array/sequence of bytes."

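    An added example of the splitting Shivahn describes, not the bot's own code: len() on the encoded bytes is the wire size (no Python object overhead), and the cut also has to keep each line inside the 512-byte limit including CRLF without landing in the middle of a multi-byte UTF-8 character. The PRIVMSG line layout is my assumption about how the bot formats messages.

```python
"""Split an IRC PRIVMSG into lines that fit the 512-byte limit (constructed example)."""

IRC_MAX_LINE = 512  # bytes per line including the trailing CRLF (RFC 1459)


def split_privmsg(target, text, max_line=IRC_MAX_LINE):
    """Return a list of bytes objects, each a complete PRIVMSG line for socket.send().

    Sizes come from len() of the encoded payload, so this works for any
    UTF-8 text, not just ASCII. Cuts never fall inside a multi-byte
    sequence, and when a space is available the line breaks there instead
    of mid-word. Assumption, not RFC text: servers prefix relayed lines with
    ":nick!user@host ", so in practice a max_line a bit under 512 is wise.
    """
    prefix = f"PRIVMSG {target} :".encode("utf-8")
    budget = max_line - len(prefix) - 2        # payload bytes that fit before CRLF
    if budget < 4:                             # must hold at least one 4-byte character
        raise ValueError("target too long for max_line")
    data = text.encode("utf-8")
    if not data:
        return []                              # an empty PRIVMSG is a protocol error
    lines = []
    start = 0
    while True:
        end = min(start + budget, len(data))
        if end < len(data):
            # back up to a character boundary: UTF-8 continuation bytes are 0b10xxxxxx
            while (data[end] & 0xC0) == 0x80:
                end -= 1
            # prefer the last space in the window, keeping at least one byte per line
            space = data.rfind(b" ", start + 1, end)
            if space != -1:
                end = space
        lines.append(prefix + data[start:end] + b"\r\n")
        if end >= len(data):
            return lines
        # drop the space we broke on; otherwise resume exactly at the cut
        start = end + 1 if data[end:end + 1] == b" " else end
        if start >= len(data):
            return lines
```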
  • Shivahn (Unaware of her barrel shifter privilege, Eastern coastal temptress, Registered User regular)
    Infidel wrote: »
    Pretty sure that len(bytearray) gives you what you need, it doesn't handle encoding and treats byte for byte since it's "an array/sequence of bytes."

    Oh

    d...duh

    Perhaps it is time for sleep, given how obvious this is

    (Bowen, I'm not trying to write my own anything, and overhead is a non-issue because it's not often that you actually have to send something to a server - it's just that the sizeof-type things include the overhead Python needs to have the object, when I am really just interested in the size of the thing that I'm putting in the socket.

    ...phrasing)

This discussion has been closed.