The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2014-03-16


All times shown according to UTC.

Time Nick Message
00:17 jberger batman: if I want to display a table of all the threads and each row is going to show the name of the creator, it's going to have to pre-fetch the creator document too, which isn't pleasant
00:17 jberger https://github.com/jberger/MojoForum/blob/master/lib/MojoForum/Threads.pm#L15-L22
00:39 bbery this is probably a stupid question but how would the templating look for a loop as I don't see any docs mentioning it.
00:39 bbery Like in template-toolkit you'd have: [% FOREACH r IN row %]<tr><td>[% r.id %]</td><td>[% r.name %]</td></tr>[% END %]
00:42 go|dfish bbery: http://mojolicio.us/perldoc/Mojolicious/Guides/Rendering#Embedded_Perl
00:48 bbery wow, now that's obfuscated. I think Felix Gallo would really like it.
00:49 bbery nice thing about TT is that it's easy to follow and the docs reflect it.
00:56 bbery so how old is Mojo?
00:59 bbery Actually this worked better for me: https://github.com/kraih/mojo/wiki/Recipes-for-templates  Figured it had to be somewhere
01:43 rich42 left #mojo
01:47 meshl joined #mojo
01:47 meshl has anyone used RedisLabs Memcached with Mojolicious?
01:56 bbery thought that would work but doesn't. Doing: $self->render('listings',@listings) and template has % for my $l (@listings) { <tr><td><%= $l %></td></tr> } but it complains about @listings in template being a global symbol
01:57 bbery well, actually it almost works, much further along than before
02:05 bbery still not sure how you get an array value from the script to the template
02:07 stephan48 try listings => @listings in the render call
02:10 bbery Having (@listings) in loop in template causes: Global symbol "@listings" requires explicit package name at template
02:11 stephan48 does this work? $self->render('listings', listings => @listings)
02:11 bbery no
02:11 good_news_everyone joined #mojo
02:11 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/bo55ng
02:11 good_news_everyone mojo/master 99adfa2 Sebastian Riedel: reuse more code
02:11 good_news_everyone left #mojo
02:11 stephan48 strange
02:12 bbery Even using (@{listings}) in template gives the Global symbol "@listings"
02:17 good_news_everyone joined #mojo
02:17 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/NZjVUw
02:17 good_news_everyone mojo/master fef93ad Sebastian Riedel: fixed support for unknown anchors in documentation browser
02:17 good_news_everyone left #mojo
02:17 stephan48 you could pass it by ref and then use @{stash('listings')}
02:17 jberger you have to pass an array reference
02:17 jberger like \@listings
02:17 jberger and then use @$listings in your template
02:18 stephan48 btw. does the mojo validator work with the file input type? as soon as i add a required check the form validation fails
02:18 jberger the nice thing about Mojo::Template and the ep format is that it is just Perl
02:19 bbery Okay, thanks, now I get data
02:19 bbery Well, ARRAY(0x23903f0), but it's a definite improvement
02:20 bbery bingo
02:20 jberger close, use @$listings to dereference (as I said)
02:20 sri i guess lists vs arrays is something every perl beginner has to stumble over
02:20 jberger yep
02:21 bbery data is much better than errors
02:26 abra_ joined #mojo
02:41 jberger bbery: there was a bug in this btw: https://github.com/kraih/mojo/wiki/Recipes-for-templates#passing-a-scalar-to-the-stash
02:41 jberger core_team: we should really do a wiki purge/update
02:41 jberger I worry that there is probably lots of outdated code on there
02:42 jberger making it a liability rather than an asset
02:48 hesperaux_ joined #mojo
02:51 jack joined #mojo
02:52 jberger for example, this looks out of date: https://github.com/kraih/mojo/wiki/Request-data
02:52 klapperl_ joined #mojo
03:01 priodev joined #mojo
03:07 * jberger fixed all occurrences of render_text in the wiki
03:07 jberger hey its a start
03:07 jberger I love that the wikis are just repos
03:09 * jberger fixed render_json too
03:10 jack joined #mojo
03:17 jberger ... and post_form
03:30 bbery it would be real nice when someone makes a change to also update the wiki and documentation too
03:30 bbery I know often there just isn't enough time but it's a good habit to get into especially with dynamic code
03:30 bbery and it don't get much more dynamic than this
03:37 jberger personally I also think that any time anything gets deprecated, we ought to have a running wiki page of the expected porting and possibly rationale for doing so
03:38 jberger but as always, the problem is maintenance (and time really)
03:38 jberger ok nn all
03:45 ua_ joined #mojo
04:30 sujithm joined #mojo
04:33 d4rkie joined #mojo
05:15 sujithm joined #mojo
05:15 beyondcreed joined #mojo
05:24 Vandal joined #mojo
06:36 rwp joined #mojo
06:42 jack joined #mojo
08:01 punter joined #mojo
08:18 sujithm joined #mojo
08:23 hummeleBop joined #mojo
08:24 sujithm_ joined #mojo
08:26 malikai joined #mojo
08:38 Andy2 joined #mojo
08:41 Andy2 joined #mojo
09:10 chorny joined #mojo
09:36 sh4 joined #mojo
09:38 sujithm joined #mojo
09:40 DaTa bbery: i love you too
10:19 basiliscos joined #mojo
10:41 punter look what I made, especially for you: http://test.perlmodules.net/feed/distro/Mojolicious
10:41 punter A mojolicious site with module updates in RSS form
10:56 jack joined #mojo
11:01 batman jberger: i totally agree about the prefetching
11:02 batman need to think about how to do it though...
11:02 batman and today is not the day... at least not yet :P
11:08 cpan_mojo Mojolicious-Plugin-AssetPack 0.07 by Jan Henning Thorsen - http://metacpan.org/release/JHTHORSEN/Mojolicious-Plugin-AssetPack-0.07
11:09 punter the link says "not found" when clicked
11:10 batman which link?
11:11 punter the one from cpan_mojo, just now
11:11 punter now it's ok, sorry
11:11 punter before it wasn't and got worried without reason
11:12 batman :)
11:12 hesperaux_ joined #mojo
11:12 batman got comments about the release?
11:12 punter I'm going to look at it now
11:12 batman sri++ # awesome idea about fetching from web
11:12 batman it's so boring to manually download files
11:13 punter I was wondering about this: is it a good idea to serve static content from within Mojolicious? Isn't nginx much more suited for this job?
11:15 batman what i do is adding a cache in front of my mojo app.
11:15 batman that cache might be nginx
11:15 punter interesting
11:15 batman but serving static assets directly from nginx is so boring
11:16 batman the cache might never expire though, so the mojo app only gets hit once per fresh static file
11:16 batman that's not bad
11:16 punter excellent
11:16 punter that's the best
11:16 batman i use cloudflare. they use nginx. my mojo apps are directly on internet
11:16 sri \o/
11:16 batman punter: i wrote about it here: http://thorsen.pm/perl/2014/03/09/mojolicious-on-digitalocean.html
11:17 punter I saw that article, but didn't get to that point
11:17 batman the same setup can be done with any server. doesn't need to be digitalocean...
11:17 sri for completeness sake... the github thing is totally bananas... i'm officially worried http://techcrunch.com/2014/03/15/julie-ann-horvath-describes-sexism-and-intimidation-behind-her-github-exit/
11:18 batman punter: look at "step 4" "and Questions and answers"
11:18 batman "github thing" <-- when did that happen?
11:20 * batman is reading now
11:21 sujithm_ joined #mojo
11:22 punter batman: can you "delete" a cached item from cloudflare, like you can delete, say, from memcached?
11:22 batman yes
11:23 punter :+1:
11:23 batman you can delete one file or the whole cache.
11:23 batman you can even disable the cache in periods if you like
11:23 batman cloudflare is so cool
11:24 batman best 20 dollar (recurring) spent ever :)
11:24 punter and, can you get statistics about a particular page, using the cloudflare API?
11:24 batman no idea
11:24 punter :-)
11:24 punter Ok, I'll try it
11:26 batman i mostly use google analytics for stats, even though cloudflare is more accurate
11:26 batman they still don't support websockets though. that sucks :(
11:26 punter I can't place google analytics javascript code inside an RSS feed (I want to cache my site's RSS feeds)
11:27 punter ok
11:27 batman http://home.thorsen.pm/private/raw/notverysecret/cloudflare.png
11:27 batman aha. i see.
11:28 batman i guess you need a script that delete the rss cache from time to time then...
11:29 punter yes (delete whenever it changes)
11:29 batman or you could set cache timeout on cloudflare...
11:30 batman hm... i think cloudflare will refresh the cache if you set the correct headers... i might be wrong :/
11:38 * sri wonders if the menubar offset is handled correctly in the documentation browser http://mojolicio.us/perldoc/Mojo/DOM#ancestors
11:39 sri (the whole when you click on internal links it keeps a 46 pixel distance to the top)
11:39 sri *+thing
11:40 batman sri: that's a really bad article. i hope it's not the complete truth :(
11:40 sri i've also tried just making it hide the menubar for all internal links so no offset is necessary... but scroll events resetting stuff at random times seems to make it almost impossible
11:42 denis_boyun joined #mojo
12:06 punter batman, How do you guys get the appearance of your sites to be good?
12:06 punter do you seek help from designers?
12:07 punter I'm too bored to fix my site on my own
12:07 batman which one? i created thorsen.pm myself, and the only reason it "looks good" is because there's a picture of me on top.
12:08 batman that sounds strange, but adding a nice picture (my friends takes good pictures) of yourself to the webpage gives the illusion of a connection between me and you (the visitor)
12:08 batman so..i'm not saying i'm looking good, just that it gives comfort to the visitor :)
12:09 batman psychology kicks ass, hehe
12:09 punter :-)
12:09 batman the rest is just shades of gray and the <pre> styling is (mostly) stolen from sri
12:10 meshl joined #mojo
12:10 batman grumpify.com is designed by a friend of mine.
12:11 batman what i also try to do is not invent stuff myself (because i can't). that's why i often start out with bootstrap and http://bootswatch.com/
12:11 punter I see, thanks for the pointers.
12:11 punter I'll try to use bootswatch
12:12 batman and then i steal ideas from other sites by browsing through pages like http://builtwithbootstrap.com/
12:12 batman everything is a remix anyway :)
12:14 batman http://everythingisaremix.info/blog/everything-is-a-remix-the-ted-talk # really cool talk
12:16 batman thanks punter. nice to get feedback.
12:17 batman i think my page is not very good. but i'm reaching for "not awful" and "useful", which i think i can master :)
12:17 batman thorsen.pm is open source: https://github.com/jhthorsen/jhthorsen.github.com/tree/batware
12:23 paladinn joined #mojo
12:32 sri batman: that is indeed a great ted talk
12:33 sh3 joined #mojo
12:34 batman :)
12:34 batman my flodhest.net domain will expire now... i hope i've moved all my email logins
12:40 sri jberger++ # cleaning up
12:41 sri bbery: the documentation is *always* updated right away, it's just the wiki that is lagging behind a bit
12:42 jberger certainly that article shows a bad scenario at github
12:43 jberger I'm not so sure that it is really sexual in nature, but management problems
12:43 sri at the very least *serious* management problems
12:43 jberger definitely
12:44 sri to quote myself from #perl "i don't want crazy spouses with no legal obligations to the company to see my customer data"
12:44 jberger and she seems to certainly have been harassed, it just didn't seem to be sexually harassed
12:44 jberger absolutely
12:44 purl Oh my, yes.
12:45 damaya batman, I hate the picture of you drinking coffee right now
12:45 damaya because I am out of coffee
12:45 jberger mmmmm coffee, I should go get some
12:46 damaya Hm, I don't think any coffee shops are open in my vicinity at this point :(
12:47 damaya I had forgotten that I need coffee until I looked at batman's picture :P
12:47 jberger damaya, I think you told us at one point, but where are you?
12:47 batman do i have a coffee picture..?
12:47 damaya on the other hand batman, thank you for pointing me to bootswatch.com
12:47 damaya I think it is coffee. It looks like a delicious cup.
12:47 batman damaya: your welcome
12:48 damaya of coffee that is :D
12:48 damaya jberger, Portland, Oregon, United States
12:48 batman ah! right. there's two images on my page ;)
12:48 batman i had forgotten about that
12:48 jberger when batman is drinking, its probably not just coffee
12:48 batman haha ;)
12:48 jberger Portland, the coffee is aflowing in Portland right now, to be sure
12:49 batman sounds like i've given the impression i drink a lot...
12:49 jberger !
12:50 jberger batman : I tease (but I must have gotten that impression from somewhere)
12:50 batman i think i drink more often than most people though...
12:50 damaya There's a river here in Portland. I imagine it tastes like coffee
12:50 damaya batman, do you have good beers where you're at?
12:50 batman that's why i live in the city: i don't need a car, so i can drink whenever i like :)
12:51 damaya Norway, right?
12:51 batman damaya: yeah, i would say so. but there's also tons of import beer as well, so there's something for everyone
12:51 batman yeah
12:51 damaya yeah, I used to watch a beer review channel on youtube and they were a couple guys from Norway.
12:52 jberger The river in Chicago might still be green at this point
12:52 batman micro brewing is a big hit now, so "everyone" does it. ten years ago, you could choose between four beers when you went out. now... i can't count that far :)
12:53 damaya what's a good beer from Norway?
12:53 batman (it's not entirely true, but it feels like it)
12:53 batman i would say nøgne ø
12:53 batman http://www.nogne-o.com/
12:53 batman they export more beer to japan than they sell in norway :)
12:54 * jberger looks forward to the Norwegian beers
12:54 batman there's many bars that make their own beer.
12:54 damaya dang, 1,500 different beers and not a single one from Norway... The beer marketplace here now officially sucks.
12:55 batman haha
12:55 damaya Hm, is Mojo Conf official?
12:55 jberger very
12:55 batman damaya: yeah. you can sign up and submit talks :)
12:55 batman damaya: http://mojoconf.org
12:55 damaya Man, now I'd have two reasons to go to Norway
12:55 jberger talk submission closed yesterday, no?
12:56 batman jberger: we extended the limit
12:56 damaya If I gave a talk it would be A) boring, B) uninformative, C) ... it would just be quite bad
12:56 damaya heh
12:56 jberger then in that case: SUBMIT ALL THE THINGS!
12:57 sri that's ok, so will mine ;p
12:57 batman damaya: hehe... come and drink beer then :)
12:57 damaya Yes, hello, welcome and thank you for coming... silence.
12:57 batman damaya: you could submit a lightning talk
12:57 jberger a minimalist talk would be funny
12:57 batman yeah. no slides. JUST LIVE DEMO!
12:58 batman murphy-- # live demo
12:58 sri what are we going to do at the hackathon anyway?
12:58 jberger oh, I could do a lightning talk about the __SUB__ token
12:58 damaya If my work didn't think the latest version of Perl was 5.8.4 and wasn't so averse to upgrading and getting rid of CGI, I might just be able to convince them to pay for my ticket
12:59 batman sri: i will entertain the newbies with balloons and magic
12:59 sri allright then :)
12:59 * sri likes lightning talks
12:59 batman (sorry. i'm not going to.)
12:59 * jberger hands sri a rubber clown nose
12:59 sri :,(
12:59 jberger hahaha
13:00 batman but i hope to give a helping hand to whoever that asks... i really hope people ask :)
13:00 sri :o(
13:01 sri we should hide bugs in mojolicious for people to fix :)
13:01 jberger I just don't think I could live up to mst's __END__ of everything talk
13:01 sri done!
13:02 batman :)
13:02 jberger oh man, "of DOMs and __SUB__s"
13:03 jberger (I don't think I'm allowed to call a talk that)
13:05 damaya is mst presenting?
13:05 jberger not that I know of
13:05 damaya damn
13:05 batman i would be very surprised if he comes
13:06 jberger batman: is he or chromatic registered?
13:06 damaya I figured it'd be a bit strange
13:06 batman http://www.mojoconf.org/mojo2014/search?name=&country=&town=&pm_group=&search=Search#user-list <-- is this public?
13:06 damaya yes
13:06 jberger mst is on the channel often enough
13:06 damaya Well, I can see it.
13:06 jberger and I know that chromatic uses mojo
13:06 batman nice, then you can check yourself who comes :)
13:07 jberger As does brian d foy (at least for the ua)
13:08 jberger freido, really
13:09 jberger that's interesting
13:10 jberger I wonder what he thinks of mango?
13:12 damaya Hm, this is pretty cool. Have you guys heard of light table?
13:13 * jberger likes that with a local convos, he can switch between phone and laptop without changing nick
13:18 batman :)
13:20 jberger who is running the introduction?
13:20 jberger s/introduction/tutorial/
13:24 ladnaV joined #mojo
13:30 laouji joined #mojo
13:30 damaya Can I get any suggestions on design aesthetics... Something doesn't seem quite right to me, it's a bit ugly I am thinking: http://50.137.153.164:3000/ (login: test/test123)
13:31 damaya If you click Perl -> Chapter1 -> File1 you can see a file loaded, and right click files/folders works now, though none of the actual options work yet.
13:31 damaya I've mostly been working on aesthetics of it today, but it's feeling a bit ugly the more work I put into it :D
13:47 d4rkie joined #mojo
13:59 diego_k joined #mojo
14:23 jberger sri: is there any chance that the file-changed logic used in morbo might be factored into something reusable?
14:25 sri jberger: like?
14:27 malikai might make a good module
14:27 jberger Mojo::IOLoop->file_change( $path => $cb )
14:27 malikai would be cool to send events when stuff changes
14:27 sri i strongly disagree, but would like to hear your argument first
14:27 malikai (without writing the code yourself)
14:27 * malikai steps back
14:28 sri jberger: doesn't work, morbo parent doesn't run an event loop
14:28 sri first you have to solve the parent/child event loop inheritance problem
14:28 sri also, the implementation is pretty shitty for something generic
14:28 jberger there was a SO post (closed because it was just fishing for code) asking how to write a dynamic log viewer, I was trying and found that I need a file-changed notifier
14:29 sri it's only portable, EV for example has something much better
14:29 jberger oh, look at that, sleep 1
14:29 sri anyway... let me step back and say... patches welcome
14:30 jberger well, ok then, I see your point
14:30 sri morbo is only very very portable... not at all efficient
14:30 jberger I was looking at the change detection logic and not the loop itself
14:33 dotan joined #mojo
14:33 sri if you want to work on that code, you will have to make sure that the end result is at least as portable as it is now
14:34 sri as in a gazillion different versions of windows perl
14:35 * jberger would prefer to eat a whole porcupine
14:35 jberger :-)
14:35 * sri too
14:35 jberger no, you are right, I was looking at the wrong part of the code
14:35 purl okay, jberger.
14:36 jberger I might be able to copy the logic, but it wouldn't be a good candidate for morbo
14:37 jberger but in that case, probably the EV watcher is better anyway
14:37 sri certainly is, with inotify/kqueue and stuff
14:38 jberger the only reason I ported AE::Util::fork_call was because it didn't actually depend on AE or EV and the logic was easy to port
14:38 sri i'd love to make morbo use less resources.... but there's a reason morbo is the best restarting server on cpan...
14:39 jberger sure that might be nice, but its a dev tool
14:39 jberger <3 morbo
14:42 jberger sri: looking again, I was seeing the daemon's loop in the worker process
14:43 sri hypnotoad/prefork and morbo specifically don't use the ioloop in the manager process to keep it clean for forking
14:44 sri theoretically it's rather easy to clean up the ioloop automatically on fork, but we depend on the current behavior to set up things when the application is loaded (you know... timers and stuff in startup)
14:44 sri mango and the user agent do automatically clean up their connections on fork for example
14:53 gryphon joined #mojo
14:54 malikai hmm.. that all reminds me
14:55 malikai so, i have a bunch of work i need to do in only one place(thread), that's not possible with hypnotoad is it?
14:56 malikai each of those children it forks is going to be doing everything and independent of each other, right?
14:57 malikai so far i've been using morbo so it's not shown up except for when i'm messing about
14:58 jberger yes, when using a forking server, the worker will not know about the entire global state
15:02 nemux joined #mojo
15:02 nemux Hi all
15:05 jberger o/
15:06 malikai yea.. i suppose i could test a bit with ->workers(1)
15:15 spoot joined #mojo
15:17 malikai mojo::server::daemon looks like the one to go with for singlethread
15:18 malikai inside perlbrew.. because fuck the prison
15:27 AndroUser2 joined #mojo
15:30 spoot joined #mojo
15:33 ua_ joined #mojo
15:37 Curt joined #mojo
15:44 nemux joined #mojo
16:01 nemux joined #mojo
16:19 nemux joined #mojo
17:01 spoot joined #mojo
17:06 sri oh... latest IO::Socket::SSL broke mojolicious
17:08 jack_ joined #mojo
17:09 sri "Cannot determine hostname if peer for verification. Disabling default hostname verification for now. Please specify hostname with SSL_verifycn_name and better set SSL_verifycn_scheme too."
17:16 rem_lex| joined #mojo
17:23 sri if i don't pass SSL_hostname all our tests pass again
17:23 sri something is fucked
17:27 sri oh great... seems to be an intentional breaking change
17:28 Adura Time to roll Mojosslicious.
17:28 sri looks like we'll have to bump the IO::Socket::SSL requirement to keep it working
17:32 sri we need 1.84
17:32 mst jberger: what about me being on the channel?
17:39 stephan48 how do you implement browser compatible DELETE rest actions? for api clients like curl i could just use a DELETE action, but is there a way to do the same for browsers without ajax?
17:42 punter I'd think that ajax is the only way to produce DELETE actions on the browser
17:44 good_news_everyone joined #mojo
17:44 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/trq3_w
17:44 good_news_everyone mojo/master 801901a Sebastian Riedel: updated IO::Socket::SSL requirement to 1.84
17:44 good_news_everyone left #mojo
17:51 cpan_mojo MojoX-Log-Declare 0.03 by CHGOVUK - http://metacpan.org/release/CHGOVUK/MojoX-Log-Declare-0.03
17:53 sri for future reference... the breaking change in IO::Socket::SSL happened in version 1.84, where the documentation started mentioning that SSL_hostname will result in a thrown error if SNI is not supported by OpenSSL
17:53 sri before it was undocumented
17:53 sri and it appears it only started actually throwing errors in the latest release
17:54 sri 1.969
17:55 sri before version 1.84 there was *a lot* of ambiguity around SNI
17:55 sri the test for SNI seems to be pretty terrible too... os x OpenSSL does support SNI... but is not detected because the version number is too low
18:02 spoot joined #mojo
18:37 denisboyun joined #mojo
18:41 punter sri, You know, you can track changes to your (very few) required modules with an RSS feed, by logging in to http://test.perlmodules.net/
18:41 punter I'll stop spamming now
18:44 jnbek^dt joined #mojo
18:53 jberger mst: I was just trying to think of big name perlers who might be interested in mojoconf
18:54 jberger punter, how do you get your feed? is it friend feed?
18:56 mst jberger: my rule for smaller conferences is that I only go if somebody sponsors travel+hotel, and given I'm not really a Mojo user I don't think I'd be a cost effective person to send
18:57 mst if people disagree, I'd be happy to brainstorm with whoever's organising about what I could talk about that would make it worthwhile, but I'm defaulting to "you'd be better spending the money on somebody else"
18:58 jberger well I don't speak for the organizers, but I see your point
19:00 punter jberger, no I get it from the API (whenever CPAN's RSS changes)
19:00 punter jberger, the MetaCPAN API
19:00 jberger The only other well-known perler that I know use mojo for real work is chromatic
19:01 jberger and brian d foy for the ua
19:02 jberger punter, do you have to poll it?
19:02 mst one day I'm going to be bored on a weekend and see if I can integrate the Web::Simple dispatcher into Mojo
19:02 jberger that'd be cool
19:03 punter jberger, I do poll it. I've seen your Mojo::FriendFeed module that does long-polling, but requires 5.16 (I have 5.14)
19:03 mst the nested routing in W::S is addictive
19:03 sri no registrations from asian countries yet
19:03 mst and mojo's bridge stuff is a much nicer API than Catalyst's :Chained for many things, but not a more powerful one really
19:04 mst not that that's really a criticism, I'm just really picky about dispatchers because I've been writing them for so many years
19:05 mst ... heh, just remembered my first patch to catalyst was a :Regexp bugfix I supplied by pastebot while originally reading the source
19:05 mst sri: that was too many years ago. please join me in 10 seconds of feeling old ;)
19:14 sri mst: i remember how obsessed you were with xml transformation at the time :)
19:19 stokachu joined #mojo
19:26 cpan_mojo MojoX-Log-Log4perl 0.09 by Breno G. de Oliveira - http://metacpan.org/release/GARU/MojoX-Log-Log4perl-0.09
19:37 mst sri: that's because I was using it as a sort of overly pointy lisp to make macros that generated Maypole apps because mod_perl
19:47 garu sri: do you think it's sane to make Mojo::Log::history() and accessor instead of a getter with a private setter?
19:47 garu s/and accessor/an accessor/
19:48 garu I mean, someone might inadvertently set it and bork the actual history (which should only be set by logging objects imo)
19:50 Eke- joined #mojo
19:51 garu either way, new MojoX::Log::Log4perl 0.09 supports history() and max_history_size just like Mojo::Log :)
19:52 mattastrophe joined #mojo
20:04 jberger garu: cool
20:05 jberger I could argue both ways about the accessor
20:43 Eke- joined #mojo
20:43 jberger how far back does the CORE:: namespace go?
20:52 spoot joined #mojo
20:55 gryphon joined #mojo
21:22 good_news_everyone joined #mojo
21:22 good_news_everyone [mojo] kraih tagged v4.90 at 7eeb7f5: http://git.io/9hqY6Q
21:22 good_news_everyone left #mojo
21:23 cpan_mojo Mojolicious 4.90 by Sebastian Riedel - http://metacpan.org/release/SRI/Mojolicious-4.90
21:23 meshl joined #mojo
21:27 rem_lex|pivo joined #mojo
21:39 rem_lex joined #mojo
21:41 dnbe joined #mojo
21:42 dnbe Perhaps a dumb question, but by default does mojo sanitize input coming in (e.g. from a form it creates and gets posted to)?
21:43 moritz dnbe: no; what would the sanitization do?
21:44 dnbe moritz: strip/quote things that might lead to injection attacks.
21:44 moritz dnbe: no, that would be the wrong approach; after all there are use cases where you want people to enter HTML or SQL into input fields
21:45 jberger dnbe: magic quotes? really?
21:45 moritz dnbe: it does give you very easy ways to escape things in the templates though
21:45 moritz <%= $var %> HTML-escapes $var, you'd need to write <%== $var %> to not escape it
21:45 dnbe moritz: I don't disagree, though I think those cases are likely far fewer than most.
21:45 jberger dnbe: there is a validation system which you can use
21:45 dnbe jberger: yeah, well, sorry.
21:45 moritz so that makes XSS less probably
21:46 moritz erm
21:46 moritz apply grammar fix to line above :-)
21:46 dnbe moritz: cool to note re: the templates
21:46 dnbe jberger: right, I've been messing around with the validation stuff.
21:47 moritz dnbe: and for SQL injection: placeholders exist
21:47 moritz shell commands: you really, really need to be careful
21:47 dnbe jberger: speaking of which, do you know of any good examples of it in use? deriving it from the doc and/or test cases has proven to be a bit more challenging than I expected. I think I've got the hang of it, but I'd love to read code from someone with expertise.
21:48 dnbe moritz: in my case, it is for doing LDAP queries, so I guess it is time to write something to deal with that.
21:49 jberger I'll admit, I haven't used it yet. I haven't found validation to be too difficult from the controller methods. I'm sure my next project will use the XSS capability, but I haven't yet evaluated if I need the other validation logic yet
21:49 * moritz has no idea how LDAP works
21:49 moritz jberger: s/XSS/CSRF/ ?
21:50 dnbe While I have people on the line who know what they are talking about, let me bug you with another naive sounding question:
21:50 jberger oh, right
21:50 jberger hehe
21:50 * moritz has used validations, but the project isn't open source :(
21:50 dnbe if you wanted to avoid people brute forcing/dictionary attacking your app, what would be your general tack to take?
21:50 dnbe moritz: did you use the native stuff or a plugin?
21:51 jberger brute forcing logins?
21:51 moritz dnbe: the native stuff
21:51 jberger use an expensive hash algo
21:51 dnbe jberger: right, I'm in the process of writing a "change your password" web app.
21:51 dnbe jberger: first part is prove you know your old one, want to make sure this doesn't get abused.
21:51 moritz dnbe: my approach so far has been "use Persona for login", that way I don't have to care about that sort of stuff
21:52 jberger https://metacpan.org/pod/Mojolicious::Plugin::Bcrypt
21:52 moritz I don't even store crypted passwords that way
21:52 dnbe moritz: haven't heard of that, pointer?
21:53 dnbe So in my case, the hash algorithm doesn't come into play because the app talks to an LDAP server (and lets the server handle the hashing)
21:53 moritz dnbe: https://login.persona.org/
21:53 dnbe oh, right, the mozilla thing. Cool, I'll check it out for future projects.
21:54 moritz another approach is to rate-limit requests
21:54 dnbe So, what's a clever way to prevent brute forcing. One thing I was thinking about was how to easily implement rate limiting for tries.
21:54 moritz possibly at the webserver level (like apache)
21:54 * dnbe loses
21:54 moritz there's also Plack middleware for rate limits
21:55 dnbe So the basic idea, an IP address can only make N requests over an hour?
21:55 moritz yes
21:55 rem_lex|pivo joined #mojo
21:55 moritz or s/IP address/range/ for IPv6
21:55 dnbe The tricky thing is all you need is more hosts cooperating.
21:56 moritz "all you need" -- that's far more than most naive brute forcers are willing to do
21:57 moritz if you want perfect security, use SSL certification authentication or so :-)
21:57 Adura Require proof of work.
21:57 moritz Adura: right, let them mine 1 bitcoin for you :-)
21:57 dnbe moritz: I don't disagree, though I do see tons of ssh attacks that are fairly spread out.
21:57 Adura That'd take a while.
21:57 * moritz likes the idea
21:57 moritz Adura: well, maybe not a whole bitcoin :-)
21:57 dnbe Adura: like a stamp or captcha, which one did you have in mind?
21:58 moritz dnbe: but are they coordinated?
21:58 Adura No, like BTC's way.
21:58 Adura Hash of a certain value range.
21:58 dnbe moritz: good question.
21:58 purl Yeah, it is. I'm stumped.
21:59 moritz dnbe: in the end, it really depends on the level of security you need, and on the user experience you're after
21:59 moritz having a phone number and a hotline that authorizes password resets is also an option :-)
21:59 jberger again, the whole point of Bcrypt is that it takes a long time to calculate the hash, so you get effective rate limiting anyway
22:00 dnbe moritz: well, mostly this is supposed to do one thing, which is let someone change their password (it then fans out to change it on N systems). I don't want to make it too hard.
22:00 dnbe moritz: but I'm also aware I'd be hanging out a "come be able to check a username/password pair for free" sign.
22:01 moritz dnbe: huh? changing password should only be allowed for users that are already logged in
22:02 dnbe moritz: logged into what?
22:02 jberger dnbe, just fyi, I would not be likely to use such a service
22:02 moritz dnbe: in the system that the password is for
22:02 moritz dnbe: "password forgotten" should be a totally different system
22:03 moritz ("password forgotten" should be stateful, that is you actually store the reset tokens on the server; and it must have a timeout
22:04 dnbe moritz: ok, so here's more context. We need to have two systems that have completely different auth systems stay in sync. Their password storage scheme is distinct and cryptologically incompatible, so we need something to grab plaintext and change passwords on backends.
22:04 moritz during that timeout, no second password reset request will be accepted for that login)
22:04 moritz dnbe: still, require a login before password change
22:05 dnbe Yup, indeed I will. Now the question is how to make sure people aren't using that requirement to brute force the system.
22:05 dnbe i.e. webapp says "provide username and old password" first (a login)
22:06 moritz dnbe: so the real question isn't "how do I secure password reset against brute force", but "how do I secure login against brute force"
22:06 dnbe Yes, that's absolutely correct.
22:07 moritz so, rate limits; possibly require a captcha after the $nth incorrect login attempt
22:07 dnbe both sound good
22:08 moritz beware that rate limits per login (but not per IP) open the doors for DoS
22:08 moritz ie somebody can prevent somebody else from logging in simply by exceeding the rate limit for that account
22:08 dnbe Right, good point.
22:08 moritz (which is why you need to narrow it down to individual IPs)
22:09 dnbe Though for this app if that happens, it isn't too big of a deal if they can't immediately change their password.
22:09 moritz my bank gets that one wrong :-)
22:09 dnbe For rate-limiting, it sounds like plack or web server is the way to implement, anything in the mojo world to do this?
22:10 moritz I'm not aware of anything in mojo land, but that doesn't mean much
22:10 jesteves joined #mojo
22:11 moritz dnbe: https://www.owasp.org/index.php/Authentication_Cheat_Sheet might be of general interest for you
22:11 dnbe moritz: cool! thank you.
22:12 * moritz -> sleep
22:16 sri don't do it in the application server at all... there's rate limit extensions for all common reverse proxies
22:16 dnbe sri: makes sense. I just dig your provided servers, sounds like I should reverse proxy them.
22:17 sri you should reverse proxy *any* application server
22:17 dnbe sri: that sounds like a good tip. Can you say a bit more so I can make sure our reasons match?
22:18 sri security alone should be reason enough
22:18 sri no perl server is battle tested enough, including our own
22:18 dnbe sri: got it
22:19 dnbe sri: do you have any thoughts on other ways to do what we were discussing before, namely preventing brute force attempts on logins?
22:19 sri websockets used to be a reason not to use a reverse proxy, but even that is supported by nginx now... so there is no reason not to use one
22:25 jesteves Can anyone see what I'm missing in this little lite app? (http://pastebin.com/S276sVxN)...  object built upon captured params is not getting them in the right place...
22:28 sri for starters, don't ever use ->param() in list context
22:28 sri you've got yourself an injection attack right there
22:29 sri http://mojolicio.us/perldoc/Mojolicious/Controller#param
22:33 sri that's the stuff that gets all the big sites hacked all the time
22:36 jesteves sri: got it, thanks a lot...  not intended to use it in production without validation...  just noted of that funny effect of undefined params in a mockup and being curious about it...
22:43 good_news_everyone joined #mojo
22:43 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/4nrTZA
22:43 good_news_everyone mojo/master 248676a Sebastian Riedel: make potential attack more obvious in example
22:43 good_news_everyone left #mojo
22:43 sri hope that brings the point across a little better
22:45 mire__ joined #mojo
22:45 sri hopefully a two line comment is not too TLDR
22:45 sri http://mojolicio.us/perldoc/Mojolicious/Controller#param
23:06 rem_lex| joined #mojo
23:14 good_news_everyone joined #mojo
23:14 good_news_everyone [mojo] kraih pushed 1 new commit to master: http://git.io/bJ28cQ
23:14 good_news_everyone mojo/master ffed10e Sebastian Riedel: mention 10MB limit in warnings
23:14 good_news_everyone left #mojo
