The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2015-04-20


All times shown according to UTC.

Time Nick Message
00:38 Zoffix joined #mojo
00:59 Ptolemarch joined #mojo
01:31 klapperl joined #mojo
02:05 noganex_ joined #mojo
02:09 asarch joined #mojo
02:29 inokenty-w joined #mojo
02:32 hshong joined #mojo
02:48 Ptolemarch joined #mojo
02:49 hshong joined #mojo
03:12 memowe joined #mojo
03:28 basic6_ joined #mojo
03:55 irq joined #mojo
04:10 Oleg joined #mojo
04:28 NikitaTropin joined #mojo
04:35 kaare joined #mojo
04:37 Ptolemarch joined #mojo
05:15 melo joined #mojo
05:26 arpadszasz joined #mojo
05:30 stl joined #mojo
05:56 McA joined #mojo
05:58 berov joined #mojo
06:11 arpadszasz joined #mojo
06:15 misty_g3ar joined #mojo
06:18 bramirez joined #mojo
06:25 Ptolemarch joined #mojo
06:52 bramirez joined #mojo
06:56 trone joined #mojo
07:03 jantore joined #mojo
07:04 eseyman joined #mojo
07:11 batman isn't this a duplicate? https://groups.google.com/forum/?utm_source=digest&utm_medium=email#!topic/mojolicious/cdomqZD5jRI
07:20 jantore I'm pondering whether it would make sense to have Mojo::Content be more lenient in accepting broken multipart boundaries, similarly to this: https://code.google.com/p/chromium/issues/detail?id=5786
07:22 jantore I.e. in cases where the server reports boundary=--somestring in its Content-Type, when it should have said boundary=somestring.
07:22 jantore So mostly useful when using Mojo::UserAgent.
07:35 cpan_mojo Mojolicious-Plugin-AssetPack-0.5201 by JHTHORSEN https://metacpan.org/release/JHTHORSEN/Mojolicious-Plugin-AssetPack-0.5201
07:36 dp_ joined #mojo
07:36 ace joined #mojo
07:38 ace I want to display the binary image via $self->render( 'data' => $res->body, format => 'jpg' );
07:38 ace But I got "net::ERR_CONTENT_LENGTH_MISMATCH" on GoogleChrome. Do I need to set the Content-Length?
07:39 melo joined #mojo
07:54 odc joined #mojo
08:05 camelo joined #mojo
08:05 * camelo OI
08:14 Ptolemarch joined #mojo
08:17 chorny joined #mojo
08:19 irq joined #mojo
08:19 Vandal joined #mojo
08:19 Shaeto joined #mojo
08:26 mudler joined #mojo
08:29 mudler joined #mojo
08:33 ashimema whats the current feeling/approach to using one of the json::xs (probably the cpanel one) over Mojo::JSON?
08:33 ashimema any recommendations.
08:35 cpan_mojo Mojolicious-Plugin-XML-Loy-0.13 by AKRON https://metacpan.org/release/AKRON/Mojolicious-Plugin-XML-Loy-0.13
09:02 bramirez joined #mojo
09:03 bramirez1 joined #mojo
09:09 lb joined #mojo
09:23 bramirez joined #mojo
09:38 bramirez joined #mojo
09:46 odc ashimema, i think this is the recommended module : https://metacpan.org/pod/Mojo::JSON::MaybeXS
09:48 gatitskiy joined #mojo
09:51 bramirez joined #mojo
09:59 bramirez joined #mojo
10:03 Ptolemarch joined #mojo
10:08 punter joined #mojo
10:33 bramirez joined #mojo
10:59 mudler joined #mojo
11:19 bramirez joined #mojo
11:30 bramirez joined #mojo
11:37 Shaeto left #mojo
11:52 Ptolemarch joined #mojo
11:53 bramirez joined #mojo
12:03 neilhwatson joined #mojo
12:18 Kripton joined #mojo
12:59 bramirez joined #mojo
13:01 ZoffixWork joined #mojo
13:08 ZoffixWork Scraping one of our vendors' site and came across this little gem of comedy: http://i.imgur.com/LJoPjck.png
13:11 ZoffixWork Even the result is shocking: spot which of these are links: http://i.imgur.com/uHTJGME.png
13:17 mudler joined #mojo
13:23 jberger well, none of them I suppose
13:24 ZoffixWork :) Half of them are. You just have to hover over them to find out. It's the web developer's edition of 'Where Is Waldo'
13:25 bwf joined #mojo
13:41 Ptolemarch joined #mojo
13:58 gryphon joined #mojo
14:05 jb360 joined #mojo
14:10 batman anyone know of a module that removes the "at foo.om line 25" part of a die() message?
14:11 jberger batman: is it your own error message?
14:11 batman no.
14:11 jberger ok nm then
14:11 batman were you thinking about using an exception object instead?
14:11 jberger or even adding a newline
14:11 batman i see
14:12 Adura Change the die sig sub?
14:12 purl Adura: that doesn't look right
14:12 Adura Perhaps...
14:12 purl then again, perhaps not
14:12 AndrewIsh joined #mojo
14:14 howitdo joined #mojo
14:17 batman i'll just use my naive $error =~ s!(.*) at .*!$1!s; .... :/
14:20 mst batman: at .*? line \d+$
14:21 batman mst: does it change relative to locales?
14:22 mst batman: wut
14:22 batman i18n. LC_ALL, ...
14:22 mst (1) I would assume not (2) if it did, surely yours would be broken too
14:22 batman (2) i'm aware ;)
14:22 ZoffixWork joined #mojo
14:22 mst try and avoid imagining extra problems that don't exist - programming is hard enough when you only have to deal with the real ones.
14:23 batman i just see some cpan testers results where $! is localized...
14:23 ZoffixWork You could trap an empty die and remove what you get :)
14:23 jberger $! comes from the system directly
14:24 jberger $@ is from perl
14:24 batman jberger: i'm aware. just explaining why i was "imagining" things.
14:24 jberger ah
14:24 batman thanks :)
14:24 jberger mst: is there any hope of ever getting exception objects by default
14:24 jberger ?
14:24 jberger you might be closer to those discussions than the rest of us
14:25 melo joined #mojo
14:25 asarch joined #mojo
14:25 mst batman: yeah, it's possible to get errstr() localized at the libc level
14:25 mst batman: OTOH anybody who turns that on gets to keep both halves
14:25 batman hehe
14:26 genio s/at \S+ line \d+$//; # just because I hate .* -lazy or not
14:27 mst genio: congratulations, now if your module path has a space in it, your code is broken
14:27 mst that was clever
14:27 mst (I used .* intentionally)
14:27 mst [^\n]+? might've been better
14:28 mst but \S+ is obviously wrong
14:28 genio ah, crap.  (spaces in paths)-- and me-- and .*-- still
14:28 ZoffixWork It can also read "at -e line " or "at (eval 1)"
14:28 marcus the at (eval ones are my favorites
14:28 mst .* means 'anything except a newline' normally
14:29 mst s/at .*? line \d+\Z//;
14:29 mst should work fine
14:29 ZoffixWork yeah
14:29 mst genio: nothing wrong with .* so long as you know what it matches
14:29 mst if you prefer [^\n] for clarity, go ahead, though
14:29 mst I wouldn't complain at either
14:29 genio yes.  I know.  My hatred of it comes from years of seeing terrible expressions from people doing bad things like   if ( $foo =~ /.*bar.*/ )
14:30 batman mst: what if you have newline in the filename? ;)
14:30 * batman runs away from the flames
14:30 mst genio: that's morally equivalent to refusing to use perl because FormMail.PL exists
14:30 mst batman: then you deserve everything you get
14:32 batman :)
14:34 genio The only sad thing is that I still see .* used poorly everywhere, advancing my (sometimes senseless) hate for the Kleene star.
14:34 jberger FormMail.PL still exists?!
14:34 * jberger goes back to python
14:36 Grinnz lol
14:36 camelo lol
14:36 Ptolemarch joined #mojo
14:38 ZoffixWork batman++ # for sprites
14:38 ZoffixWork Works great. I'm glad I won't have to pack using Stitches a gazillion times over and over again :)
14:39 * jberger thinks the best JWT implementation is Acme::JWT :/
14:39 batman ZoffixWork: it does? awesome :)
14:39 jberger *best CPAN JWT implementation
14:39 batman ZoffixWork: did you look at the PR?
14:40 ZoffixWork batman, um... which one?
14:41 batman the one for sprites https://github.com/jhthorsen/mojolicious-plugin-assetpack/pull/48
14:44 ZoffixWork Looks like you now have handlers. Neat.
14:44 ZoffixWork I'd add .gif to this too: https://github.com/jhthorsen/mojolicious-plugin-assetpack/pull/48/files#diff-b6b5029ec1bdafeb92ab87ecf55216acR62
14:45 ZoffixWork .oO( ...maybe I'm the only weirdo who still uses .gif sometimes... )
14:47 ZoffixWork I guess it doesn't matter, since it will be spritified into a PNG. I only saved them as .gif when .gif was smaller than .png.
14:48 Lee joined #mojo
14:48 batman i was considering it, but.... nah...
14:48 batman i'll take a pr for gif though
14:51 ZoffixWork You can now make your own handlers too... Awesome. batman++
14:51 batman ZoffixWork: yeah.... though that is superduperexperimental
14:56 batman ZoffixWork: i haven't figured out the API for the handlers yet.
14:57 batman considering getting rid of ::Preprocessors and just move the code into ::AssetPack... If not, I think I have to make a ::Handlers class as well...which i'm not sure if i want to
14:59 sri batman: this one seems to work reasonably well https://github.com/kraih/mojo/blob/master/lib/Mojo/Exception.pm#L80
15:00 sri re the exception regex thong earlier
15:00 sri s/o/in/
15:00 batman sri: thanks :)
15:00 ryozi joined #mojo
15:01 sri it's even pretty well tested
15:02 sri although, we might only be testing it with perl syntax errors
15:12 marcus jberger: Why is it named Acme:: ?
15:13 jberger thus my :/ face
15:13 marcus http://jwt.io/ seems like it's well supported in every other language out there.
15:17 btyler joined #mojo
15:17 batman new feature added to mojopaste: https://ssl.thorsen.pm/paste/46b4381daf6a/chart :)
15:19 jberger batman++
15:20 odc very nice @ batman
15:21 jberger marcus: there are a few purpose built implementations on CPAN
15:21 jberger and JSON::WebToken is a little over-engineered/under-complete
15:24 batman It takes json and csv as input.
15:25 batman It's been a while since I've felt this stupid :/
15:25 batman https://metacpan.org/release/JHTHORSEN/App-mojopaste-0.13
15:25 batman (Changes)
15:26 batman Feel like digging a hole.
15:27 batman Thanks ZoffixWork for letting me know.
15:27 trone is it possible to put a colon ":" in a mojo app url?
15:28 batman trone: What is "mojo app url"?
15:28 trone batman: in a route.
15:30 batman trone: Have a look at the different placeholder types
15:30 batman mojolicio.us/perldoc/Mojolicious/Guides/Routing
15:30 purl mojolicio.us/perldoc/Mojolicious/Guides/Routing is the best reference on how routing works in Mojolicious.
15:31 jberger batman: I'm assuming he means using : without using it as a placeholder
15:31 jberger trone ^^ ?
15:31 trone I can't do a sort of: $r->get('some\:thing/:param') ?
15:31 riche joined #mojo
15:32 ZoffixWork batman, happens to the best of us :)
15:32 jberger riche lives!
15:32 sh4 joined #mojo
15:32 riche barely
15:33 trone jberger: not necessarily
15:34 trone probably I'm looking for an escape inside the route definition
15:34 Vertig0 joined #mojo
15:37 batman ZoffixWork: That kind of embarrass the makes me question everything :(
15:37 ZoffixWork trone, wouldn't using %3A Just Work(tm)?
15:37 batman +ment
15:38 batman Autocorrect--
15:38 * jberger hands batman a beer and a candy bar
15:39 batman jberger: Going to lay low on the alcohol...
15:40 lb yes, it IS 420 after all
15:41 trone ZoffixWork: it doesnt work.
15:41 purl That's because you're a moron.
15:42 * ZoffixWork stifles a giggle
15:43 trone the url to parse is  /api/v1/object/<id>/attribute:<param>
15:49 trone I dunno how to build a route to parse that url.
15:50 ZoffixWork trone, how come /api/v1/object/<id>/attribute:param  doesn't suit you?
15:50 ZoffixWork trone, what's <param>? A literal string or are you capturing "param"?
15:50 trone ZoffixWork: because I want 'attribute' string and 'param' joined with a colon.
15:51 trone ZoffixWork: in mojo route a sort of  /api/v1/object/:id/attribute\::param
15:51 trone ZoffixWork: so I'm capturing param
15:52 ZoffixWork trone, well, just strip the leading ':' from the capture
15:52 trone ZoffixWork: yep, so I have to capture all and after strip. yep, is an idea. thx.
15:52 Grinnz_ why not attribute/param ?
15:53 Grinnz_ attribute/:param rather
15:54 trone Grinnz_: that is how it is built now, but the spec could change. Furthermore, the "/" as separator has a meaning that we don't want to use with attribute. It's a sort of semantic constraint. :)
15:55 Grinnz_ trone: colons simply aren't often used in URL paths.
15:56 Grinnz_ if you have control over the spec i would suggest avoiding problematic things ;)
15:56 trone Grinnz_: as in mailto: :D
15:56 Grinnz_ that's a protocol
15:57 trone Grinnz_: yep, maybe we can avoid it, or we'll do as ZoffixWork suggests. I was looking for an eventual solution (with escaping or using a raw regex , dunno)
15:58 trone however thanks all for the hints ;-)
16:00 jberger it does seem like there ought to be a solution, but I don't know what it would be
16:04 Dandre joined #mojo
16:07 camelo on a list context $c->param, no longer returns the parameter list?
16:07 ZoffixWork Correct.
16:08 ZoffixWork It was to address a possible security issue when people use the value directly in stuff like hash assignment
16:08 ZoffixWork Updated in 5.43, IIRC.
16:08 camelo ok...
16:09 camelo so I've to change some things
16:09 Grinnz_ https://github.com/kraih/mojo/wiki/Upgrading
16:09 camelo thanks ZoffixWork
16:09 Oleg joined #mojo
16:09 ZoffixWork 5.48... I was close enough  :)
16:09 camelo I had missed that Grinnz_, but thanks
16:10 camelo I also have to make more/better tests
16:10 camelo I've updated weeks ago
16:10 camelo and I've only noticed it today
16:18 ZoffixWork trone, jberger probably a way is to use ->pattern on a route and override ->placeholder_start for Mojolicious::Routes::Pattern
16:18 ZoffixWork I've only ever played with ::Lite, so I dunno how to test that theory with a proper Mojolicious App lol :)
16:19 jberger ZoffixWork: a ::Lite app is a proper app
16:19 jberger :-P
16:21 ZoffixWork I mean I don't know how to modify the ::Route object :P from ::Lite
16:24 jberger app->routes?
16:30 jberger sri: thoughts on Mojo::Date overloading 0+ by sub { shift->epoch } ?
16:31 jberger lets you do math comparison directly
16:32 sri jberger: dunno
16:35 Grinnz_ makes sense to me, but adding ->epoch to each isnt too difficult either :P
16:36 sri i'm kinda -1-ish on all new overloads... considering how horribly wrong it went last time
16:37 jberger sri: hmmm, indeed
16:37 jberger probably at least should get mst's blessing first at least :-P
16:38 Grinnz_ what went horribly wrong?! i'm intrigued
16:40 jberger we changed the truthiness of Mojo::Collection to be "does it have elements" which made sense to me (especially using python at work at the time)
16:41 jberger but it turns out that that isn't very perly, objects are always true
16:41 jberger so we changed it back
16:42 jberger so a bunch of changes for naught (and with pain associated on each change)
16:43 Grinnz_ ahh
16:43 Grinnz_ yeah, the perly way is more to do @$collection
16:44 Grinnz_ which does work too, right?
16:44 jberger yes
16:44 jberger indeed that was essentially the overload
16:45 jberger sub { !! @{shift()} }
16:49 sri that happened at mojoconf last year -.-
16:53 ZoffixWork *sigh* well... I've tried everything I could think of, to the point that word "route" has lost its meaning... I give up lol
16:53 Grinnz_ did you route the route routes?
16:54 ZoffixWork Only routly
16:55 ZoffixWork Well, I'll be damned..
16:55 ZoffixWork Figured it out.
16:56 ZoffixWork trone, jberger figured it out: http://fpaste.scsys.co.uk/473077   This gives param without the leading ':'
16:57 ZoffixWork .oO( and it only took half an hour )
16:58 ZoffixWork Now I can conscientiously do some proper work
17:05 berov joined #mojo
17:06 trone ZoffixWork: :-) ++
17:06 trone ZoffixWork: I have to try if I can do this "per single route", maybe with a sort of reset
17:08 marty joined #mojo
17:14 batman ZoffixWork: btw: let me know if you have any ideas how the assetpack handler api could look like.
17:15 ZoffixWork Will do.
17:15 Vertig0 joined #mojo
17:19 punter joined #mojo
17:21 sri ZoffixWork: you want to call $r->route too though
17:21 ZoffixWork sri, instead of ->parse?
17:21 sri yes
17:22 sri you're modifying the root
17:22 sri which is a Mojolicious::Routes object
17:22 sri it works of course, but it will be a prefix for all your routes this way
17:23 ZoffixWork sri, yeah, but if I change it to ->route, then the new placeholder_start isn't working.
17:23 ZoffixWork I tried that in my quest to the solution... wasn't sure why it wasn't working
17:24 ZoffixWork So I looked in the sauce and saw ->parse, so I figured I have to set the placeholder first and then tell it to parse using changed placeholder
17:25 sri i bet you got the order wrong
17:26 sri you need to change the token *before* parsing the pattern
17:26 sri perl -Mojo -E 'my $r = get({inline => q{%= param("bar") ? "captured" : "not captured" }}); $r->pattern->placeholder_start("|"); $r->parse("/foo:bar"); app->start' get /foo:bar
17:27 ZoffixWork oh, ok, so you still need to call ->parse, right?
17:27 sri so you do my $special = $r->route; $special->pattern->placeholder_start('|'); $special->parse("/|foo")
17:27 sri you do
17:27 ZoffixWork Alright.
17:28 sri if you pass a pattern to ->route(...) it calls ->parse(...) for you
17:28 ZoffixWork This should apply new placeholder_start just to that route: http://fpaste.scsys.co.uk/473082
17:28 ZoffixWork And there's no need to specify the pattern twice.. ->route; is fine.
17:30 sri it's funny that in all those years, nobody has ever asked for this
17:30 ZoffixWork :D
17:30 sri i've considered an escape character a few times, but nobody ever asked
17:33 sri btw. today is the last day you can get early bird mojoconf tickets
17:42 howitdo joined #mojo
18:09 trone With an add_shortcut I can create an elegant solution. Thx again Zoffix (and sri)
18:14 ToApolytoXaos joined #mojo
18:23 ajr_ joined #mojo
18:38 jberger my current implementation: https://github.com/jberger/Mojo-JWT/blob/master/lib/Mojo/JWT.pm
18:38 jberger of course no doc or tests yet
18:38 jberger but should be getting pretty close
18:42 noganex joined #mojo
18:56 ilbot2 joined #mojo
18:56 Topic for #mojo is now ???? cheers | http://mojolicio.us | http://irclog.perlgeek.de/mojo/today
18:56 jberger me too
18:57 batman ok
18:57 Dandre joined #mojo
18:57 jberger server restarted?
18:57 batman anyway... jberger: i think it's a bit confusing that secret() can be either come as an input and as different types.
18:57 murre joined #mojo
18:57 batman how about $secret ||= $self->secret; instead?
18:57 bobkare joined #mojo
18:57 jberger you might need to use a per-issuer secret
18:58 fhelmber_ joined #mojo
18:58 batman that's fine. but why can't the attribute hold a code ref?
18:58 danejx_ joined #mojo
18:58 jberger I suppose it could ...
18:58 tinita joined #mojo
18:58 jberger I wanted the attribute to only hold the secret that was actually used
18:59 jberger but I did debate this
18:59 howitdo joined #mojo
18:59 batman aha! that's actually more consistent with the rest of the code.
18:59 batman sorry. i missed out on line 46
19:00 batman 46: $self->secret($secret);
19:00 jberger yes, that's important
19:00 McA2 joined #mojo
19:00 Vertig0 joined #mojo
19:00 jberger it will make more sense with some doc
19:00 batman i think i have the same issue as with M::Validation, but i've come around :)
19:01 batman after all... the api provides candy
19:01 jberger the non-obvious thing is that the same class is being used for encoding and decoding JWTs
19:01 linagee joined #mojo
19:01 bzero joined #mojo
19:01 batman why isn't that obvious?
19:02 jberger non-obvious how the two phases interact
19:02 jberger which is what I've been trying to smooth over
19:02 batman ok.
19:02 bjoernfan joined #mojo
19:02 Andreas joined #mojo
19:02 batman why do you have $cdata and claims() ?
19:02 batman i mean, how do the names fit together?
19:02 jberger those probably should be renamed the other way around
19:02 jberger but currently
19:03 Snelius joined #mojo
19:03 ToApolytoXaos joined #mojo
19:03 jberger $cdata is the data structure and $claims is b64 json encoded string
19:04 jberger ->claims is also the data structure (which is why I should probably rename my variables
19:04 jberger ) # ocd
19:04 Zx3 joined #mojo
19:04 batman thanks. it will make the code easier to read
19:04 throughnothing joined #mojo
19:04 jberger yeah, I'll do that now
19:05 batman does the sign_xxx and verify_xxx methods need to be public?
19:05 batman and why isn't token() an attribute?
19:05 gabiruh joined #mojo
19:06 absolut_todd joined #mojo
19:06 batman looking forward to the end result. i wonder if i can scrap my whole OAuth2 initiative @work with it...
19:06 dustinm joined #mojo
19:06 dave joined #mojo
19:07 panzana` joined #mojo
19:07 mattp joined #mojo
19:07 batman i wonder how long it will take before i regret this: https://metacpan.org/pod/release/JHTHORSEN/Mad-Mapper-0.01/lib/Mad/Mapper.pm
19:07 batman hopefully a looong time :)
19:10 preaction joined #mojo
19:10 moritz joined #mojo
19:10 Onigiri joined #mojo
19:10 jberger batman: hmmmm, no they probably don't need to be public
19:10 jberger I have pushed a rename
19:11 jberger and its not an attribute for the reason I was saying before, to keep the phases distinct
19:11 batman jberger: i just have this idea that i don't make any methods public until they have to be.
19:11 mikegrb joined #mojo
19:11 jberger the only way to set token is to use decode/encode which ensures the consistency of the other attributes
19:12 batman ok. i take your word for it :-)
19:12 KindOne joined #mojo
19:12 jberger what if I set token directly, then change a claim?
19:12 riche joined #mojo
19:13 d4rkie joined #mojo
19:14 jberger if there is a reason for those methods to be public, its for subclassing
19:14 shadowpaste joined #mojo
19:14 Bender joined #mojo
19:15 jbob joined #mojo
19:15 Rallias joined #mojo
19:15 lb joined #mojo
19:15 Grinnz joined #mojo
19:15 Vandal joined #mojo
19:15 gatitskiy joined #mojo
19:16 ssm joined #mojo
19:16 hernan604 joined #mojo
19:16 s1037989 joined #mojo
19:16 espen joined #mojo
19:16 Grinnz_ joined #mojo
19:17 gatitski_ joined #mojo
19:18 jberger one more small typo fix pushed
19:18 * jberger needs to write some tests soon
19:21 jberger one thing might make this more clear
19:21 jberger I'm going to need to both encode and decode these
19:21 jberger I'm not building this for transport to google (though that will be useful)
19:22 jberger I'm building this for transport between services that cannot be otherwise linked
19:22 Phil21 joined #mojo
19:22 lb joined #mojo
19:23 Rallias joined #mojo
19:23 shadowpaste joined #mojo
19:23 ladnaV joined #mojo
19:23 Jonis joined #mojo
19:24 crab joined #mojo
19:26 hernan604 joined #mojo
19:26 mst joined #mojo
19:26 espen joined #mojo
19:26 ssm joined #mojo
19:30 Vandal joined #mojo
19:30 Ptolemarch joined #mojo
19:33 irq joined #mojo
19:33 s1037989 joined #mojo
19:33 nicomen joined #mojo
19:33 Vandal joined #mojo
19:33 crab joined #mojo
19:33 Jonis joined #mojo
19:33 Rallias joined #mojo
19:33 shadowpaste joined #mojo
19:33 mst_ joined #mojo
19:34 mst joined #mojo
19:47 amon joined #mojo
20:02 marty joined #mojo
20:03 disputin joined #mojo
20:05 trone joined #mojo
20:07 disputin joined #mojo
20:08 gatitskiy joined #mojo
20:10 gatitsk__ joined #mojo
20:15 gatitskiy joined #mojo
20:27 Ptolemarch joined #mojo
20:27 jberger hmmmmm, this is interesting: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
20:38 jberger that's a really funny attack actually
20:38 jberger (the first one is obvious, the second one I mean)
20:49 Zoffix ¯\_(ツ)_/¯
20:50 Zoffix I don't get how it works... -_-
20:51 jberger say a JWT is signed with a private key
20:51 jberger then clearly it is to be evaluated with a public key
20:51 jberger assume that the evildoer has the public key
20:53 jberger the evildoer can submit any data and use a symmetric algorithm with that public key as the secret
20:54 jberger if a naive library lets you use a public key in a symmetric algorithm then its like leaving the key in the lock
20:56 Zoffix k, I think I get it.
20:56 jberger say you give me your public key
20:57 jberger and batman has it too, but, he's going to use it for evil (maybe the greater good, but, you know)
20:57 Zoffix :)
20:57 jberger when I get a message and I see its from you, I look up your public key
20:58 jberger but the message claims that it is using HMAC rather than RSA
20:58 jberger so my naive decoding library takes your public key and rather uses it as the secret in HMAC, since, the message requested HMAC
20:58 jberger but batman had really taken your public key and built a malicious message and signed it in HMAC with your public key as the secret
20:59 jberger so the naive library says "I have this secret and I'm going to use it as HMAC" and it passes
20:59 jberger except that you and I both know that you only gave me a public key!
21:00 jberger but the library is too trusting of the message's own description of the signing algorithm
21:01 jberger if I can tell the library that this is a public key, it should know not to use it as an HMAC signature even if the message requests it
21:02 Zoffix Alright. Thanks for explaining.
21:03 jberger as to fixing my library
21:03 jberger hmmmm
21:03 jberger the common thing to do is to have an argument to decode to specify an algorithm
21:04 jberger I could do that, I could add an attribute "assymmetric_only" or some such
21:07 batman jberger: i would disable every feature that makes it insecure.
21:08 batman just tell the user that anything else than assymmetric_only is not supported.
21:08 jberger funny thing, you can't do that
21:08 jberger HMAC 256 is a required algorithm
21:08 batman you're not making a protocol. you're making a library.
21:09 jberger ok, a different thing, I was going to use HMAC
21:09 jberger still am
21:09 batman just a friendly advice ^^^
21:09 melo joined #mojo
21:09 jberger if I give a symmetric key, it works
21:10 Ptolemarch joined #mojo
21:10 jberger the only fear is that I would give a public key and the evildoer would claim that their message is using symmetric algo
21:10 batman i have to go now... but please document all the "unsafe" defaults if you can't die() on them.
21:10 batman or at least warn() like default $app->sessions->secret()
21:11 jberger I'm also thinking about making it dual channel
21:11 jberger like you specify ->public if you mean to use a public key
21:11 jberger and ->secret if you mean to use a symmetric algo
21:12 jberger then there's no ambiguity
21:23 jberger hmmmm, I think I might do that
21:24 sri opinions? https://github.com/kraih/mojo/pull/785
21:24 jberger I haven't commented yet because I'm trying to decide if I think that is a breaking change
21:25 jberger if we don't consider it a breaking change, then I'm ok with it
21:25 sri then i'll wait for more feedback and let the vote decide (was ready to accept)
21:26 jberger but I do imagine that there are people who test content that the content type is and the like
21:27 jberger $t->header_is('Content Type', 'application/json')
21:27 * sri doesn't care enough to risk people getting upset
21:27 jberger well, I'll copy my portion of this onto the PR
21:29 sri for the record, github and twitter apis do send a charset
21:31 jberger how does that change affect content negotiation via accept header?
21:32 sri not at all
21:32 jberger I always use the extension type so I wasn't sure
21:32 jberger commented
21:33 sri you don't know your http!
21:33 sri http://mojolicio.us/perldoc/Mojo/Headers#accept_charset
21:34 jberger no, I know that, I just hadn't tried adding a charset to the type definition
21:35 Ptolemarch joined #mojo
21:35 jberger I guess txt has it
21:35 jberger so it must be handled correctly
21:37 sri you could also argue "application/json;charset=UTF-8" vs "application/json; charset=UTF-8"
21:37 sri and an update of the other types
21:37 sri if the goal is to hit the lowest common denominator
21:53 Grinnz_ our app requires the charset to be set, not just for IE, i don't recall exactly why
21:54 Grinnz_ which is why i just set it in the Types object in startup
22:04 jberger back to JWT, I have added a "public" attribute which is required to decode a JWT with asymmetric algorithms
22:05 jberger I have reduced the handling of per-issuer secrets/keys to simply this: https://github.com/jberger/Mojo-JWT/blob/master/lib/Mojo/JWT.pm#L36
22:05 jberger I'm calling it the "peek" callback
22:06 jberger you can use it to set the secret or public attributes having peeked at the claims
22:14 jzawodn joined #mojo
22:22 bobkare joined #mojo
22:31 punter joined #mojo
22:50 * sri notes that marcus still owes him a rematch!
23:56 HtbaaPi joined #mojo
