
[Programming] Mirror, mirror, on the wall, show the git diff for them all


Posts

  • urahonky Registered User regular
    Well other than IP that's all I have. Awesome. Especially since nginx seems to be forwarding the Request to Django, and all of the META data for the request is for our dev server and not the actual client.

  • urahonky Registered User regular
    So the only thing I can do is generate a token using their IP and then return it to the client. The client stores it in localStorage and sends it every time it logs in.

  • zeeny Registered User regular
    edited May 2016
    Fix your nginx to correctly forward headers. Like...wtf?
    What you describe is not a 2 factor auth scheme, do you mean something else?
    Don't use localStorage for secrets, and I hope when you say "using their IP" you mean "using their IP + a secret".

    Help us to help you honkey!

    Edit: If any part of this exercise doesn't happen over https, don't bother with it.

  • urahonky Registered User regular
    When running the project locally, Django's HTTPRequest object has request.META on it. In request.META I get a ton of information (computer name/architecture/OS) but whenever I put the same code on our DEV server the information that spits out is for the DEV server and not the actual computer (because nginx is handling the request between front and back end... I think... I'm not really into Sys Admin stuff anymore).

    I want the user to be able to login and me to tell whether or not this is a new device. There's currently no way of me being able to do that from what I can tell... The IP is not enough of a unique identifier to determine uniqueness.

  • LD50 Registered User regular
    Yeah, I would just generate a unique ID. It wouldn't even need to be derived from the IP address.

  • urahonky Registered User regular
    LD50 wrote: »
    Yeah, I would just generate a unique ID. It wouldn't even need to be derived from the IP address.

    How do you handle a computer/device that cleared its cache? That token wouldn't exist in the localStorage.

    But I guess I'm pretty much out of ideas at this point.

  • LD50 Registered User regular
    edited May 2016
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

  • gavindel The reason all your software is broken Registered User regular
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

  • urahonky Registered User regular
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

  • LD50 Registered User regular
    urahonky wrote: »
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

    Ask them to name the device when it's 'new', similarly to how my bank or steam asks me to name my desktop browser.

  • urahonky Registered User regular
    LD50 wrote: »
    urahonky wrote: »
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

    Ask them to name the device when it's 'new', similarly to how my bank or steam asks me to name my desktop browser.

    Would it be confusing if I displayed a list of "devices" and multiple items are on there that are the same device?

  • admanb unionize your workplace Seattle, WA Registered User regular
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    If you create a dev task for the fix you should make sure it's a 0.25 hour task just to make them extra sad.

  • LD50 Registered User regular
    urahonky wrote: »
    LD50 wrote: »
    urahonky wrote: »
    LD50 wrote: »
    Can you just treat it as a new device, or is that a no-go? (I would think that might actually be desirable behavior. People sometimes clear their cache for a reason.)

    There are some clientside javascript libraries for local storage persistence, but they're kinda skeevy.

    I guess I could, but how would the client then remove any "authorized" devices if it's impossible for me to differentiate?
    gavindel wrote: »
    Woo, I have a bug repro with 82 steps. Somebody must have spent all day building that, screenshots and all, probably cursing me the whole way.

    Especially if it's a missing semicolon fix.

    Ask them to name the device when it's 'new', similarly to how my bank or steam asks me to name my desktop browser.

    Would it be confusing if I displayed a list of "devices" and multiple items are on there that are the same device?

    Might be, but it doesn't sound like a part of your service that is going to be used really often so it might be an acceptable edge case. An alternative could be a 'deauthorize all devices' button, so you wouldn't need to fiddle with names and such. Another alternative would be to expire IDs that hadn't been used in a certain period of time. Would cut down on duplicate devices.
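The device-remembering scheme the thread converged on (a random ID not derived from the IP, a cleared cache simply counts as a new device, the user names each device, a "deauthorize all" button, and idle IDs expire), as an added server-side example in Python; it is not code from the thread or from urahonky's project, and the registry shape, the 90-day idle window and the injectable clock are assumptions:

```python
import hashlib
import secrets
import time


class DeviceRegistry:
    """Per-user registry of remembered devices (assumed in-memory shape).

    The client keeps a random opaque token; the server stores only a hash of it,
    so a leaked table does not hand out usable tokens.
    """

    def __init__(self, max_idle_seconds=90 * 24 * 3600, clock=time.time):
        self.max_idle = max_idle_seconds
        self.clock = clock          # injectable for tests; defaults to wall clock
        # user_id -> {token_hash: {"name": str, "last_seen": float}}
        self._devices = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def register(self, user_id, name):
        """Treat this login as a new device: mint a token and remember its hash.

        A device that cleared its storage simply lands here again; nothing
        about the token depends on the client's IP address.
        """
        token = secrets.token_urlsafe(32)
        self._devices.setdefault(user_id, {})[self._digest(token)] = {
            "name": name, "last_seen": self.clock()}
        return token

    def recognise(self, user_id, token):
        """Return the device name if the token is known and not idle-expired, else None."""
        self._expire(user_id)
        entry = self._devices.get(user_id, {}).get(self._digest(token))
        if entry is None:
            return None
        entry["last_seen"] = self.clock()
        return entry["name"]

    def list_devices(self, user_id):
        """Names shown on the user's 'authorized devices' page."""
        self._expire(user_id)
        return sorted(d["name"] for d in self._devices.get(user_id, {}).values())

    def deauthorize_all(self, user_id):
        """The 'deauthorize all devices' button: forget every token for the user."""
        self._devices.pop(user_id, None)

    def _expire(self, user_id):
        """Drop IDs that have not been used within max_idle seconds."""
        now = self.clock()
        devs = self._devices.get(user_id, {})
        for h in [h for h, d in devs.items() if now - d["last_seen"] > self.max_idle]:
            del devs[h]
```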

  • Baron Dirigible Registered User regular
    Oh hey, auth talk.

    I'm working on authentication for a basic REST API, and so far my strategy is: when a user authenticates, create a unique token and save it with the user id in a redis store. Return the encrypted token to the client, which saves it in a cookie. On future visits, the token is decrypted, matched against the redis store tokens, and that user id is used to validate API calls.

    Is this terrible? Am I missing some really easy workaround? I'm relying on the assumption that if everything is served over HTTPS, my cookies are set to HTTP-only, and my server is properly set up to handle XSRF, I should be safe unless someone gets physical access to a user's computer, and even then I'm not sure if they could take advantage of anything or if there's a way to defend against that. It seems to me that at some point all authentication relies on something being stored on the client computer and cookies still seem the most secure way of doing that. But if there's a better solution or a gaping hole in my implementation I'd be really happy to know about it.

    (As a side note, for now I'm using a passwordless auth setup where users authenticate by clicking an emailed link with a one-time token that gets sent in lieu of a password. My thinking is that this way I don't have to store any passwords, and I'd have to implement something like this anyway to handle forgotten passwords.)

  • Infidel Heretic Registered User regular
    Baron Dirigible wrote: »
    Oh hey, auth talk.

    I'm working on authentication for a basic REST API, and so far my strategy is: when a user authenticates, create a unique token and save it with the user id in a redis store. Return the encrypted token to the client, which saves it in a cookie. On future visits, the token is decrypted, matched against the redis store tokens, and that user id is used to validate API calls.

    Is this terrible? Am I missing some really easy workaround? I'm relying on the assumption that if everything is served over HTTPS, my cookies are set to HTTP-only, and my server is properly set up to handle XSRF, I should be safe unless someone gets physical access to a user's computer, and even then I'm not sure if they could take advantage of anything or if there's a way to defend against that. It seems to me that at some point all authentication relies on something being stored on the client computer and cookies still seem the most secure way of doing that. But if there's a better solution or a gaping hole in my implementation I'd be really happy to know about it.

    (As a side note, for now I'm using a passwordless auth setup where users authenticate by clicking an emailed link with a one-time token that gets sent in lieu of a password. My thinking is that this way I don't have to store any passwords, and I'd have to implement something like this anyway to handle forgotten passwords.)

    TERRIBLE!

    Well, a little.

    Use JSON Web Tokens?

    No cookies necessary, so you're immune to XSRF. Credentials must be explicitly passed, which after you get the hang of it is a great security feature.

    Why have a cache at all? All you need is their user ID which is static? You sign a JWT and they send it back to you as proof. Accomplishes the exact same thing you're talking about but without server-side sessions.

    (Which means you can scale easier since you don't need to persist which server is serving up a particular client.)

  • Infidel Heretic Registered User regular
    Oh, unrelated.

    But since I'm licensed as a gaming supplier now, I can do all sorts of things now.

    Apparently I could build and sell my own VLTs if I wanted! :rotate:

    VEGAS HERE WE COME

  • bowen How you doin'? Registered User regular
    Infidel wrote: »
    Oh, unrelated.

    But since I'm licensed as a gaming supplier now, I can do all sorts of things now.

    Apparently I could build and sell my own VLTs if I wanted! :rotate:

    VEGAS HERE WE COME

    let me know the backdoor you've put in so I can use it to make like a hundred dollars

    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • Infidel Heretic Registered User regular
    bowen wrote: »
    Infidel wrote: »
    Oh, unrelated.

    But since I'm licensed as a gaming supplier now, I can do all sorts of things now.

    Apparently I could build and sell my own VLTs if I wanted! :rotate:

    VEGAS HERE WE COME

    let me know the backdoor you've put in so I can use it to make like a hundred dollars

    Weak. You can do better.

  • bowen How you doin'? Registered User regular
    Ain't no one got time for that!

  • Baron Dirigible Registered User regular
    Infidel wrote: »
    TERRIBLE!

    Well, a little.

    Use JSON Web Tokens?

    No cookies necessary, so you're immune to XSRF. Credentials must be explicitly passed, which after you get the hang of it is a great security feature.

    Why have a cache at all? All you need is their user ID which is static? You sign a JWT and they send it back to you as proof. Accomplishes the exact same thing you're talking about but without server-side sessions.

    (Which means you can scale easier since you don't need to persist which server is serving up a particular client.)
    Is there any recommended reading on JWT? I've heard of it before and your arguments are convincing, but it seems using it still involves saving data to localStorage, which from everything I've read is less secure than cookies.

  • Infidel Heretic Registered User regular
    Baron Dirigible wrote: »
    Infidel wrote: »
    TERRIBLE!

    Well, a little.

    Use JSON Web Tokens?

    No cookies necessary, so you're immune to XSRF. Credentials must be explicitly passed, which after you get the hang of it is a great security feature.

    Why have a cache at all? All you need is their user ID which is static? You sign a JWT and they send it back to you as proof. Accomplishes the exact same thing you're talking about but without server-side sessions.

    (Which means you can scale easier since you don't need to persist which server is serving up a particular client.)
    Is there any recommended reading on JWT? I've heard of it before and your arguments are convincing, but it seems using it still involves saving data to localStorage, which from everything I've read is less secure than cookies.

    I don't know any material that I fully endorse but you can use JWT with cookies and so you really should use JWT. Just a question of storage.

    Local storage is accessible by Javascript running from your domain. You're vulnerable to XSS (malicious Javascript injected into your site somehow).

    Cookies are not accessible by Javascript if you set them up right, sure, but now you have to deal with XSRF since any triggered connection to your site will pass it along.

    I prefer to tackle XSS because unless I'm running something very custom content heavy, it's pretty trivial / a non-issue to address.

    XSRF on the other hand can be very hard to get right and is way more commonly a problem, in my experience.

    So, especially if you're making an API where you mainly serve requests that change shit, and not content, go with bearer tokens. Also straightforward for other APIs / scripts to integrate.

  • Infidel Heretic Registered User regular
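Infidel's suggestion spelled out: sign a JWT carrying the user ID, hand it back as a bearer token, and verify it on each request with no server-side session and no cookie for the browser to attach automatically. This is an added example in Python using only the standard library; it is not code from the thread or from any JWT library, and the placeholder key, the claim names and the `Authorization` header format are assumptions (HS256 with `sub`/`iat`/`exp`, as in RFC 7519).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder; a real service loads a long random secret from config.
SECRET = b"example-only-replace-with-a-random-256-bit-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(user_id: str, secret: bytes, ttl_seconds: int = 3600, now: int = None) -> str:
    """Sign a compact HS256 JWT carrying the user id: no server-side session needed."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(payload, separators=(",", ":")).encode()]
    signing_input = ".".join(_b64url(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: int = None):
    """Return the payload if signature and expiry check out, else None.

    The algorithm is pinned to HS256, so a header claiming any other "alg"
    (including "none") is rejected before the signature is even compared.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
            return None
    except (ValueError, UnicodeError):   # malformed base64, JSON or token shape
        return None
    if payload["exp"] <= now or not isinstance(payload.get("sub"), str):
        return None
    return payload


def user_from_authorization(header_value: str, secret: bytes, now: int = None):
    """Bearer-token check: the client passes the credential explicitly, so the
    browser never attaches it on its own the way it does a cookie (no XSRF)."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Bearer" or not token:
        return None
    payload = verify_jwt(token, secret, now)
    return None if payload is None else payload["sub"]
```

Where the token is stored on the client is the separate question Infidel raises next: a bearer token in localStorage is readable by any script on the page, so the XSS side of the trade-off still has to be handled.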
    Also, React stuff:

    We did our first app with Flux. I later did our admin portal / BI using Redux.

    Oh my god, just do yourselves a favour and skip Flux. Redux is all the good stuff with none of the crap, and has a great ecosystem now with router/tools.

    I mean, you get a nice debug frame for all your actions and state changes, with history and replay and persistence for reloads, all with one line of code to tie it in.

    https://chrome.google.com/webstore/detail/redux-devtools/lmhkpmbekcpmknklioeibfkpmmfibljd?hl=en

    So good.

  • Phyphor Building Planet Busters Tasting Fruit Registered User regular
    Part II is up. GDT, TSS, segments and other x86 ancient history that we mostly just ignore today!

  • zeeny Registered User regular
    Infidel wrote: »
    Also, React stuff:

    We did our first app with Flux. I later did our admin portal / BI using Redux.

    Oh my god, just do yourselves a favour and skip Flux. Redux is all the good stuff with none of the crap, and has a great ecosystem now with router/tools.

    I mean, you get a nice debug frame for all your actions and state changes, with history and replay and persistence for reloads, all with one line of code to tie it in.

    https://chrome.google.com/webstore/detail/redux-devtools/lmhkpmbekcpmknklioeibfkpmmfibljd?hl=en

    So good.

    ...and when you get another moment, remember that a *shitload* of the stuff Dan's doing with Redux is heavily inspired by things/ideas in the Clojurescript community. Do yourself another favour and come see how fucking nice writing frontend code in Clojure is. ;o)

  • Baron Dirigible Registered User regular
    zeeny wrote: »
    ...and when you get another moment, remember that a *shitload* of the stuff Dan's doing with Redux is heavily inspired by things/ideas in the Clojurescript community. Do yourself another favour and come see how fucking nice writing frontend code in Clojure is. ;o)
    Not Elm?

    I haven't done any work in either, but Elm is next on my list, and gets cited very frequently as the inspiration behind Redux.

  • zeeny Registered User regular
    Baron Dirigible wrote: »
    zeeny wrote: »
    ...and when you get another moment, remember that a *shitload* of the stuff Dan's doing with Redux is heavily inspired by things/ideas in the Clojurescript community. Do yourself another favour and come see how fucking nice writing frontend code in Clojure is. ;o)
    Not Elm?

    I haven't done any work in either, but Elm is next on my list, and gets cited very frequently as the inspiration behind Redux.

    Elm as well, I was in no way exhaustive!

  • Shivahn Unaware of her barrel shifter privilege Western coastal temptress Registered User, Moderator mod
    Hey guys,

    I'm having a bit of an issue finding information on something, so I would like to ask here. The short of it is that I need a way to find out the size of a bytearray in Python 3 WITHOUT any of the overhead that the size functions add on.

    I'm doing some work on an IRC bot I built, which, until now, didn't really need a send buffer because the messages were so short (so it could just fire them off whenever the socket was free). However, with some new functions it has, it might need to split the messages (since it's my understanding that IRC messages aren't supposed to be more than 512 bytes). However, I can't figure out how to tell the size of the bytearray I'm sending, which I kind of need to know in order to figure out if I need to split the message up. Is there an easy way to do this?

    (I'm only going to be sending ASCII characters, so I know that len(message) is going to be the same size as the message in bytes, but I'd prefer to write a more global solution).

  • bowen How you doin'? Registered User regular
    Shivahn wrote: »
    Hey guys,

    I'm having a bit of an issue finding information on something, so I would like to ask here. The short of it is that I need a way to find out the size of a bytearray in Python 3 WITHOUT any of the overhead that the size functions add on.

    I'm doing some work on an IRC bot I built, which, until now, didn't really need a send buffer because the messages were so short (so it could just fire them off whenever the socket was free). However, with some new functions it has, it might need to split the messages (since it's my understanding that IRC messages aren't supposed to be more than 512 bytes). However, I can't figure out how to tell the size of the bytearray I'm sending, which I kind of need to know in order to figure out if I need to split the message up. Is there an easy way to do this?

    (I'm only going to be sending ASCII characters, so I know that len(message) is going to be the same size as the message in bytes, but I'd prefer to write a more global solution).

    foreach with a count? I don't know, I think those implicitly use length.

    I don't see how writing your own would reduce overhead, but I don't know enough about python.

  • Infidel Heretic Registered User regular
    Pretty sure that len(bytearray) gives you what you need, it doesn't handle encoding and treats byte for byte since it's "an array/sequence of bytes."

  • Shivahn Unaware of her barrel shifter privilege Western coastal temptress Registered User, Moderator mod
    Infidel wrote: »
    Pretty sure that len(bytearray) gives you what you need, it doesn't handle encoding and treats byte for byte since it's "an array/sequence of bytes."

    Oh

    d...duh

    Perhaps it is time for sleep, given how obvious this is

    (Bowen, I'm not trying to write my own anything, and overhead is a non-issue because it's not often that you actually have to send something to a server - it's just that the sizeof-type things include the overhead Python needs to have the object, when I am really just interested in the size of the thing that I'm putting in the socket.

    ...phrasing)

  • bowen How you doin'? Registered User regular
    oh yeah I thought you didn't want to use len either. Hm!

  • Jimmy King Registered User regular
    Drank tequila, played video games, wrote code.
    Infidel wrote: »
    Also, React stuff:

    We did our first app with Flux. I later did our admin portal / BI using Redux.

    Oh my god, just do yourselves a favour and skip Flux. Redux is all the good stuff with none of the crap, and has a great ecosystem now with router/tools.

    I mean, you get a nice debug frame for all your actions and state changes, with history and replay and persistence for reloads, all with one line of code to tie it in.

    https://chrome.google.com/webstore/detail/redux-devtools/lmhkpmbekcpmknklioeibfkpmmfibljd?hl=en

    So good.
    I've been busy as fuck, so late to the game here, but this is what all of our front end guys have been saying for a while now. We hired (and kept for a while, but recently lost) a top notch React guy. While dealing with all of the crap for flux to make it easier he looked at his code on one of our projects and said "Oh, I've recreated Redux. Let's just use that." and that is what our react stuff has been using with great success since then.

  • Shivahn Unaware of her barrel shifter privilege Western coastal temptress Registered User, Moderator mod
    edited May 2016
    bowen wrote: »
    oh yeah I thought you didn't want to use len either. Hm!

    Yeah, I misspoke - I said I knew that len(message) would give the right number for ASCII messages because in my head I was running it on the actual message (the normal utf-8 string), not the byte array whose size matters. It didn't occur to me to just check the length of the byte array, rather than asking the size.

  • Infidel Heretic Registered User regular
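The splitting step Shivahn describes, with len() taken on the encoded bytes rather than the str so it also holds for non-ASCII text, as an added example in Python; this is not code from Shivahn's bot, and the 512-byte limit (RFC 1459, counting the trailing CRLF), the PRIVMSG prefix and the choice to cut on UTF-8 character boundaries rather than on spaces are assumptions.

```python
IRC_MAX_LINE = 512   # bytes per wire line, including the trailing "\r\n"


def irc_chunks(prefix: str, text: str, limit: int = IRC_MAX_LINE) -> list:
    """Split `text` into wire lines `prefix + chunk + CRLF`, each at most `limit`
    bytes once UTF-8 encoded, never cutting through a multi-byte character.

    Returns a list of bytearray objects ready for socket.send(); len() on each
    one is exactly the number of bytes that go onto the wire.
    """
    head = prefix.encode("utf-8")
    budget = limit - len(head) - 2        # bytes left for message text
    if budget < 4:                        # a UTF-8 character is up to 4 bytes
        raise ValueError("prefix leaves no room for message text")
    body = text.encode("utf-8")           # size is only meaningful after encoding
    lines = []
    while body:
        cut = min(budget, len(body))
        # Back up to a character boundary: UTF-8 continuation bytes are 10xxxxxx.
        while cut < len(body) and (body[cut] & 0xC0) == 0x80:
            cut -= 1
        chunk, body = body[:cut], body[cut:]
        lines.append(bytearray(head + chunk + b"\r\n"))
    return lines


def fits_on_wire(line: bytearray, limit: int = IRC_MAX_LINE) -> bool:
    """The check the bot needs before sending: byte length, not character count."""
    return len(line) <= limit
```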
    Jimmy King wrote: »
    Drank tequila, played video games, wrote code.
    Infidel wrote: »
    Also, React stuff:

    We did our first app with Flux. I later did our admin portal / BI using Redux.

    Oh my god, just do yourselves a favour and skip Flux. Redux is all the good stuff with none of the crap, and has a great ecosystem now with router/tools.

    I mean, you get a nice debug frame for all your actions and state changes, with history and replay and persistence for reloads, all with one line of code to tie it in.

    https://chrome.google.com/webstore/detail/redux-devtools/lmhkpmbekcpmknklioeibfkpmmfibljd?hl=en

    So good.
    I've been busy as fuck, so late to the game here, but this is what all of our front end guys have been saying for a while now. We hired (and kept for a while, but recently lost) a top notch React guy. While dealing with all of the crap for flux to make it easier he looked at his code on one of our projects and said "Oh, I've recreated Redux. Let's just use that." and that is what our react stuff has been using with great success since then.

    Yeah, this is exactly what I did.

    Was sitting with my devs and going over things and pointed them at Redux and went "so, you know that shit we did this past week? Yeah, I just made us reinvent redux. :rotate:"

  • Nogs Crap, crap, mega crap. Crap, crap, mega crap. Registered User regular
    Ya Redux is awesome.

    Though MobX is also legit and takes a pretty different approach. Worth looking into, if only for educational reasons.

  • zeeny Registered User regular
    You can start using redux++ today guys! https://github.com/Day8/re-frame ... (which also happens to pre-date redux)

  • Kakodaimonos Code fondler Helping the 1% get richer Registered User regular
    So....

    Who here knows anything about CUDA asynchronous streams?

  • bowen How you doin'? Registered User regular
    Kakodaimonos wrote: »
    So....

    Who here knows anything about CUDA asynchronous streams?

    I think @ethea knows a bit
