The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2013-12-19


All times shown according to UTC.

Time Nick Message
00:15 marty joined #mojo
01:03 laouji joined #mojo
01:12 marty joined #mojo
01:13 d4rkie joined #mojo
01:30 dvinciguerra joined #mojo
01:44 ka2u joined #mojo
02:10 laouji_ joined #mojo
02:20 TitanOfOld joined #mojo
02:25 nicomen sri: not too bad ;)
02:38 duncanthrax joined #mojo
02:44 laouji joined #mojo
02:44 klapperl joined #mojo
03:12 laouji joined #mojo
03:28 asarch joined #mojo
03:45 sri bpmedley: to_rel generates a relative *URL* not a path
03:45 bpmedley Mmm
03:46 sri which is why the bnf i pasted has more context
03:46 sri relativeURL = net_path | abs_path | rel_path
03:47 sri //mojolicio.us/perldoc *is* a relative URL
03:47 sri relative to http:
03:47 bpmedley Then the change was valid... :)
03:48 sri i'm not kidding when i say that stuff is hard
03:48 bpmedley We're glad you're here.
03:49 * sri chains bpmedley to RFC 3986
03:49 bpmedley lol
03:53 * sri kinda likes the pragmatism of the whatwg url spec... as bad as the format might be http://url.spec.whatwg.org/
03:54 sri "A relative URL is a URL without a scheme. A relative URL must be relative to a base URL."
03:54 sri everything explained, booyah!
03:55 bpmedley Do you think ssinyagin was expecting a path and not a url?
03:58 sri no way to know, he has not been explaining himself very well
03:59 sri going over the whatwg spec again... i think getting rid of to_rel is the right thing to do
03:59 dvinciguerra joined #mojo
03:59 sri to_abs is necessary... to_rel not
04:15 tianon you can definitely argue that to_abs generates completely valid relative URLs :)
04:17 arpadszasz_ joined #mojo
04:28 btyler joined #mojo
04:46 laouji joined #mojo
04:54 ka2u joined #mojo
04:58 preflex_ joined #mojo
05:21 laouji joined #mojo
05:31 btyler joined #mojo
05:31 laouji joined #mojo
05:50 KindOne joined #mojo
05:55 cfedde joined #mojo
06:20 arpadszasz_ joined #mojo
06:34 Vandal joined #mojo
06:59 themage joined #mojo
08:16 abhishekisnot joined #mojo
08:16 KindTwo joined #mojo
08:18 trone joined #mojo
08:22 dod joined #mojo
08:30 Tiger joined #mojo
08:38 dod joined #mojo
08:44 fhelmber_ joined #mojo
08:52 ka2u joined #mojo
08:52 arthas joined #mojo
08:54 dotan joined #mojo
09:06 Dandre Hello,
09:08 Dandre When I use 'controller#action' in a route destination, what should Controller::action method return?
09:10 Dandre I know that to render text I must call respond_to but what should be the returned value. Is it used by the framework?
09:22 nic Why does it matter?
09:22 nic cos you want to render nothing?  or want to indicate failure?  or?
09:23 kwa Dandre: In bridges, returning a false value breaks the control flow. In the controller endpoint however, I don't think it matters like nic said.
09:24 kwa By that time you should have built up your response, or it will fall through where ->render is automatically called and makes some assumptions based on the controller/action.
09:26 d4rkie joined #mojo
09:28 d4rkie joined #mojo
09:31 Dandre ok thanks
09:41 d4rkie joined #mojo
09:49 lammel2 joined #mojo
09:53 Tiger guys, can you explain why i got space after value. If i  use only <%=$login_status%> (no spaces in template file) in template and do render with  $self->render(login_status => '1'); i got '1 ' in html body.
10:03 dabudabu You could give us the template file and we'd figure it out. Or try enclosing the expression in <%= and =%>
10:25 Tiger dabudabu:  template file contains only   <%=$login_status%> and nothing more
10:38 dvinciguerra joined #mojo
10:50 Adura There's two spaces before only, there you go.
11:02 d4rkie joined #mojo
11:13 bjoernfan joined #mojo
11:16 fhelmbe__ joined #mojo
11:17 Lucas1 joined #mojo
11:22 dpetrov_ joined #mojo
11:27 maxhq joined #mojo
11:27 KindOne joined #mojo
11:36 Tiger Adura: i checked, i don't have  spaces in template.  two spaces after "only" is  spaces in irc message
11:41 hrupp joined #mojo
12:13 TitanOfO1d joined #mojo
12:20 dsteinbrunner joined #mojo
12:22 Hellyna joined #mojo
12:36 malikai joined #mojo
12:36 russum joined #mojo
12:38 denisboyun joined #mojo
12:49 russum left #mojo
12:50 denis_boyun joined #mojo
13:17 bjakubski joined #mojo
13:18 laouji joined #mojo
13:29 fhelmber_ joined #mojo
13:43 arpadszasz_ joined #mojo
13:48 klapperl_ joined #mojo
13:49 d4rkie joined #mojo
14:10 asarch joined #mojo
14:18 dod joined #mojo
14:21 fhelmber_ joined #mojo
14:25 Dandre is there something similar to $route->to('my-controller#action')  for a mojolicious controller class?
14:31 dod1 joined #mojo
14:49 kanishka joined #mojo
14:50 kanishka left #mojo
14:52 dod joined #mojo
15:25 hummeleBop joined #mojo
15:37 tianon Tiger: isn't there a newline after your %> ?  in HTML, all contiguous whitespace gets eaten into a single space, so any newlines or following tabs would give you a space
15:38 tianon Tiger: you might want to just use %= instead of the tag version
15:38 gryphon joined #mojo
15:53 dod joined #mojo
15:56 * sri wonders if app->secret('foo') should have been app->secret(['foo']) https://github.com/jed/keygrip
15:57 sri rotating keys might be a 5.0 feature
15:59 sri tldr... first key is used for signing new session cookies, all keys are used for verifying them
15:59 marcus sri: can't we support both array and scalar for key?
15:59 marcus for secret
16:00 marcus secret('foo') is prettier if you have just one. then add [] if you have multiple
16:00 sh4 joined #mojo
16:01 sri that would make code break more unexpectedly
16:01 sri as long as you keep using one key it keeps working after 5.0 upgrade... then you want to rotate... and BOOM
16:02 sri better to break consistently for a security feature
16:02 marcus you mean, people will expect secret('foo','bar') to work and it won't?
16:03 sri i'm not following you
16:03 marcus I'm trying to understand how you mean it will break
16:03 marcus But I guess my solution adds complexity regardless.
16:05 marty joined #mojo
16:07 marcus sri: I withdraw my objection,  I think if we want this your way is cleaner and more consistent with the rest of the code base
16:08 sri there might even be a deprecation path
16:08 sri app->secrets()
16:09 marcus mmm
16:11 sri would be quite a bit of breakage http://grep.cpan.me/?q=app%5C-%5C%3Esecret
16:12 sri pretty much every secure app
16:14 sri maybe it just shouldn't be done... too bad we didn't think of it sooner
16:16 marcus sri: How about adding secrets and just not deprecating secret? And just failing if you use both..
16:16 sri only non-breaking solution would be really ugly... app->old_secrets()
16:17 marcus old_secrets seems ugly yes :)
16:17 marcus I'm also not sure this is functionality most people would use
16:17 marcus which might not make it worth breaking every app out there..
16:17 sri the price of security
16:18 marcus sri: Why do you need to change the secret tho?
16:18 marcus sri: Except if it's been exposed I mean
16:18 marcus if it's been exposed you probably should revoke it regardless.
16:20 sri to avoid it being brute forced?
16:23 marcus sri: How often should you rotate then? and you'd have to rotate it out too right?
16:24 marcus If we do rotation, I think we should start generating secure digests and autorotate them somehow
16:24 sri how long does it take the nsa to brute force a hmac-sha1 sum currently?
16:24 marcus Probably too little time :-/
16:26 marcus sri: I guess the sha1 is no safer than the secret the user uses
16:26 marcus if we generated a 160char random secret it would be much safer.
16:27 sri when would you generate a 160char random secret?
16:27 marcus http://crypto.stackexchange.com/questions/6750/brute-forcing-an-hmac
16:27 marcus isn't that the length of the hmac-sha1 key?
16:27 marcus 160 bit not chars
16:28 marcus I bet many people use very easily brute forced secrets tho
16:29 tianon mine average about 80 characters or so usually
16:30 sri my point... that's why rotating secrets is a good idea... you can't generate secrets automatically
16:33 sri this is pretty much how mojolicious would look if perl had generators :) http://koajs.com
16:35 Mikey secret = sha(secret . session_id)
16:36 marty joined #mojo
16:36 Mikey do you guys have any idea what the largest mojo-based codebase is and who maintains it?
16:38 marty joined #mojo
17:12 salparad1se joined #mojo
17:45 batman that koajs webpage is beautiful
17:48 batman sri: i like app->secrets(\@secrets)
17:48 batman wouldn't that just work? app->secret() = the first secret from app->secrets()
17:49 batman app->secret($secret) == $app->secrets->[0] = $secret
17:49 batman and then just mark secret() as deprecated for a loooong time :)
17:51 tianon it's something that unless they're doing really funky scary things, only runs once anyhow, so they'll only see the warning once at startup; seems reasonable to me :)
17:52 batman app.use(function *(){ # what's the star..? never seen that before :/
17:55 denisboyun joined #mojo
18:08 DaTa a function named '*'?
18:08 DaTa ah no, need more sleep :)
18:18 adkfjla joined #mojo
18:20 fhelmber_ joined #mojo
18:25 laouji joined #mojo
18:29 sri batman: actually... not a bad idea
18:31 batman sri: haha! not sure if i should be offended or not ;)
18:31 beyondcreed joined #mojo
18:31 batman sri: i think you can even do that now, and then deprecate secret() in 5.0
18:32 sri yes, i just tied it, works
18:32 batman tried..?
18:32 sri i made the feature work and no tests needed to be modified
18:33 batman that's just so beautiful i want to cry :)
18:33 sri clean deprecation warning and everything
18:33 batman sri++ # i really want this feature
18:38 tianon <3
18:38 sri i wonder if the sign/verify api should be exposed somehow... like app->sessions->sign('some value', $secret); app->sessions->verify('some value--12343434242323', @secrets);
18:39 sri guess better testing alone makes that a good idea
18:43 sri oops... almost made a mistake
18:43 sri comparison with multiple secrets would have to be constant time too
18:44 sri or does it?
18:44 sri do i need to calculate all signatures in advance or on demand?
18:46 sri hmmm
18:50 tianon sri++ # thinking of the hard security questions so we don't all have to <3
18:50 * sri worries about the smoke coming out of his ears
18:55 denis_boyun_ joined #mojo
19:02 davido__ joined #mojo
19:09 Mike-PerlRecruiter_ joined #mojo
19:18 denisboyun joined #mojo
19:27 denis_boyun_ joined #mojo
19:30 russum joined #mojo
19:31 batman sri: why do you need to care about constant time here?
19:31 batman i was hoping the hash was good enough at *changing* when input changed...
19:31 russum left #mojo
19:32 sri timing attacks
19:33 sri http://codahale.com/a-lesson-in-timing-attacks/
19:33 batman i cave :(
19:58 mire_ joined #mojo
20:17 good_news_everyone joined #mojo
20:17 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/nFONqQ
20:17 good_news_everyone mojo/master 57e5129 Sebastian Riedel: added support for rotating secrets
20:17 good_news_everyone left #mojo
20:19 batman sri: what about changing the default secret from $self->moniker to rand() or something?
20:19 sri batman: don't make me yell at you
20:20 batman sri: but if i forget to set secret(), then the app will be vulnerable..?
20:20 sri what happens when you start two servers?
20:20 sri BOOOOOM
20:20 batman boom = all sessions are invalid?
20:20 sri randomly invalid
20:21 adkfjla Hello!!! what is the best mojo tutorial book? (I want to parse facebook) I am beginner
20:21 purl beginner is probably trying to figure out how to do something, comes up with a hack, it works, they move on
20:21 batman right. i think that's better than vulnerable...
20:21 cfedde adkfjla: parse facebook?
20:22 sri because ever attacker knows the moniker of you closed source app?
20:22 sri *+y
20:22 batman sri: if it's open source, like convos :)
20:22 sri you're being silly
20:23 batman maybe i am. don't know why though.
20:23 adkfjla I want to make monitoring for some fb pages
20:23 adkfjla is mojo enough for it?
20:24 cfedde you want to connect to facebook, get some info and report on that?
20:24 batman why does __fallbacks() have two underscores?
20:24 batman Adura: https://metacpan.org/pod/Mojo::Facebook ?
20:25 cfedde adkfjla: what batman said.
20:25 batman oops! wrong nick :P
20:25 adkfjla Good)))
20:25 batman sri: why does __fallbacks() have two underscores? (forgot to add your nick)
20:26 adkfjla and anyway what is the best mojo book for beginners??
20:26 moritz double-private!
20:26 sri batman: double-private
20:27 adkfjla where is the __fallbacks() that you are talking about?
20:27 batman adkfjla: no such thing. look at https://metacpan.org/pod/Mojolicious::Lite
20:27 batman moritz, sri: right. but i have no idea why you ever require double private...
20:28 cfedde when one "Keep Out" sign is not enough.
20:29 batman doesn't make any sense. but i'll accept it.
20:29 sri WELCOME TO MY WORLD!
20:29 adkfjla @batman   I will try!!
20:29 adkfjla Thank You!
20:30 batman didn't get adkfjla either...
20:31 sri Mojolicious::Controller gets so heavily subclasses that it doesn't have any imports, private methods are double private to avoid any conflicts in subclasses too
20:31 sri *subclassed
20:31 batman i bet a case of beers that Mojo::Facebook doesn't make any sense to adkfjla :/
20:31 batman oh. that makes sense :)
20:31 batman thanks
20:32 cfedde you have to start somewhere. Right in the middle is often good enough.
20:32 batman :)
20:33 batman crap. forgot to give the mojocasts.com url :(
20:33 batman i wonder why anyone quit irc so fast after getting the answer, only to come back 10 minutes later...
20:34 sri he's using you as an answer bot
20:35 batman it would probably be wiser to ask google :)
20:54 good_news_everyone joined #mojo
20:54 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/nMFL9A
20:54 good_news_everyone mojo/master 444d302 Sebastian Riedel: more conservative names again
20:54 good_news_everyone left #mojo
20:58 gryphon joined #mojo
21:09 good_news_everyone joined #mojo
21:09 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/WW3v-w
21:09 good_news_everyone mojo/master cbcc791 Sebastian Riedel: fixed example typos
21:09 good_news_everyone left #mojo
21:10 russum joined #mojo
21:10 sri marcus: REVIEW!
21:13 batman sri: i like it
21:13 batman i also like the s/__/_/ change :)
21:15 marcus sri: Btw, you can probably delete your csrf branches?
21:16 * sri nods
21:16 good_news_everyone joined #mojo
21:16 good_news_everyone [mojo] kraih deleted csrf_again at 9769dd7: http://git.io/9U8pBg
21:16 good_news_everyone left #mojo
21:16 good_news_everyone joined #mojo
21:16 good_news_everyone [mojo] kraih deleted csrf at 18f4e12: http://git.io/uuqRKg
21:16 good_news_everyone left #mojo
21:16 marty Any suggestions on the best way to render xml in my mojolicious app?
21:17 batman marty: make a template?
21:18 marcus sri: read through it now, looks good to me. Glad we dropped the double privacy :)
21:19 marty I was hoping for something a little more pretty than hand coding xml in a template.  I found this... http://search.cpan.org/~akron/Mojolicious-Plugin-XML-Loy-0.09/lib/Mojolicious/Plugin/XML/Loy.pm
21:19 marty Just not sure if that is the best way
21:20 dotandimet joined #mojo
21:21 batman marty: i think handcrafting xml is just the same as handcrafting html. but that's just me :)
21:22 russum joined #mojo
21:22 marty batman:  handcrafting is also what I have done in the past.   I might end up there again.   :)
21:22 batman :)
21:24 tianon wouldn't mojo's generic "tag" helper work pretty reasonably for most XML?
21:25 tianon if you wanted to be super-crazy, you could use Mojo::DOM to build a tree, too :P
21:25 * tianon preemptively sets himself on fire
21:25 batman i don't use tag helper much. not for html, nor xml
21:25 * sri shrugs
21:26 tianon <3 tag helpers
21:26 batman tianon: i meant the tag() helper...
21:26 tianon oh heh
21:26 marcus why not xslt? :)
22:06 Zoffix joined #mojo
22:12 dvinciguerra joined #mojo
22:17 jberger joined #mojo
22:17 cfedde Why is something that is as cool as xslt so hard to actually use?
22:18 jberger Why not zoidberg???
22:18 purl (V) (;,,;) (V)
22:18 jberger sri++ rotating secrets
22:20 russum left #mojo
22:20 jberger sri: how will secrets behave if given only one string?
22:20 sri same as now
22:21 batman jberger: it should fail, since it's supposed to hold an array ref
22:21 jberger batman, I meant only one string in the array ref
22:21 batman ah
22:22 batman right. then +1 :)
22:22 jberger sri: so why not then just allow secret to take more than one string? Isn't that cleaner than deprecations?
22:23 sri see what i said to marcus
22:24 jberger The problem is hot restarting?
22:24 jberger I don't see the boom?
22:26 sri jberger: what would app->secret return?
22:27 batman magical beans.
22:29 jberger damn I forgot the getter
22:29 jberger Ok I relent
22:31 * jberger thinks it should return magical beans
22:33 batman i agree
22:33 good_news_everyone joined #mojo
22:33 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/6YVskA
22:33 good_news_everyone mojo/master 5c8b8d5 Sebastian Riedel: better explanation for rotating secrets
22:33 good_news_everyone left #mojo
22:33 sri you have any idea what magic beans cost? :o
22:33 marcus joined #mojo
22:33 wsri joined #mojo
22:34 jberger marcus is buying! Magic beans for everyone!
22:34 batman sri: a princess..?
22:34 purl a princess is probably in another castle
22:35 * batman is just guessing...
22:35 Adura Do multiple passphrases mean multiple executions?
22:35 Adura Can't be that expensive...
22:36 Adura Millions of passphrases!
22:36 batman passphrases == secrets?
22:38 Adura I was concerned about BREACH when compressing sessions, but... a digest isn't vulnerable... is it?
22:38 Adura Would be more complicated coming up with the secret...
22:41 Adura Just sign the non-compressed version for the safest situation, I suppose.
22:42 jberger map {$secret++} 1..1e6
22:47 sri only costs when the signature is invalid
22:48 * sri wonders if it's actually more secure now because it has to go through multiple secrets on failure
22:49 sri (if you rotate)
22:51 marcus Hah, I'm keeping all the magic beans for myself.
22:52 sri cool beans
22:55 sri oh, apparently irccloud now shows gists inline :o http://ow.ly/i/44WJB/original
22:56 dsteinbrunner joined #mojo
22:57 marcus I was planning to do that as well.
22:57 good_news_everyone joined #mojo
22:57 good_news_everyone [mojo] kraih tagged v4.63 at 4e56de0: http://git.io/0d-WgQ
22:57 good_news_everyone left #mojo
23:09 good_news_everyone joined #mojo
23:09 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/a_XnuA
23:09 good_news_everyone mojo/master 501a3aa Sebastian Riedel: documentation tweaks
23:09 good_news_everyone left #mojo
23:09 phillipadsmith sri: Really? I'm using irc cloud and haven't seen that yet
23:09 phillipadsmith someone want to post a gist?
23:09 marcus https://gist.github.com/miyagawa/7281722
23:09 phillipadsmith nada
23:09 phillipadsmith :(
23:09 * phillipadsmith tries a reload
23:10 phillipadsmith Ah, there it is
23:10 marcus phillipadsmith - reloaded
23:11 phillipadsmith That's nifty (dashing is pretty nifty too)
23:11 marcus I use dashing on our cantina wall
23:14 rem_lex| joined #mojo
23:21 sri ah, gorillatoolkit has rotating secrets too
23:24 sri and json read/write support for websockets, i like their style :)
23:34 jberger sri: link?
23:34 sri http://www.gorillatoolkit.org/
23:59 marty joined #mojo
