The web in a box - a next generation web framework for the Perl programming language

IRC log for #mojo, 2017-03-12


All times shown according to UTC.

Time Nick Message
00:19 asarch joined #mojo
01:18 aborazmeh joined #mojo
02:21 sugar_ joined #mojo
03:42 noganex joined #mojo
04:56 jberger This kinda supports our position of utf8 only
04:56 jberger https://irssi.org/2017/03/12/poll-non-utf8-discontinuation/
05:04 dboehmer joined #mojo
07:18 perlpilot joined #mojo
07:52 dod joined #mojo
07:57 dod joined #mojo
08:01 ashimema joined #mojo
08:09 michael joined #mojo
10:34 rshadow joined #mojo
10:41 rshadow joined #mojo
10:42 someguy joined #mojo
10:42 sugar_ joined #mojo
10:43 someguy are routes sure to be set up by the time my plugin is ->register'ed or do i need to set a hook?
10:55 dod joined #mojo
11:18 dotan_convos joined #mojo
11:35 someguy joined #mojo
11:52 rshadow joined #mojo
12:15 good_news_everyon joined #mojo
12:15 good_news_everyon [mojo] kraih pushed 1 new commit to master: https://git.io/vyK45
12:15 good_news_everyon mojo/master 528bfd9 Sebastian Riedel: add support for overriding configuration files in applications tested with Test::Mojo
12:15 good_news_everyon left #mojo
12:16 sri jberger: as discussed :)
12:16 sri of course the config value name is up for discussion, but config_override seemed appropriate
12:17 * sri has also just released a new Mojo::Pg with support for search_path in the postgres://... connection string, so you can see where i'm going with this ;)
12:19 sri kinda funny how we already had the perfect test case
12:20 sugar_ joined #mojo
12:21 sri and for anyone wondering why we don't just go all rails and recommend using a myapp.test.conf... that's why fricking rails apps take hours to run their tests
12:22 sri with per test configuration overrides you can easily run your tests in parallel
12:24 rshadow joined #mojo
12:38 good_news_everyon joined #mojo
12:38 good_news_everyon [mojo] kraih pushed 1 new commit to master: https://git.io/vyKB7
12:38 good_news_everyon mojo/master 8ef1dfb Sebastian Riedel: use the same example Mojo::config uses
12:38 good_news_everyon left #mojo
12:43 sri really annoying that nobody makes a hdmi 2.0 to displayport 1.2 adapter :S
12:46 aborazmeh joined #mojo
13:17 sugar_ joined #mojo
13:39 polettix joined #mojo
14:51 stryx` joined #mojo
15:16 coolo is there a size limit on websocket messages? I'm using the websocket for a progress notification - to send the rendered HTML as last message
15:16 coolo but for larger pages this frame does not appear :(
15:17 coolo hmm. I wonder if this is a limit in apache's mod_proxy_ws
15:39 chansen utf8 only?
15:47 khfeng joined #mojo
15:59 zivester joined #mojo
17:21 polettix joined #mojo
17:54 PryMar56 joined #mojo
18:04 jberger sri I especially like the idea of search path in the url
18:04 jberger I might try to use this to simplify the testing stuff I wrote at work a few months ago
18:05 jberger Remember that my problem was that any connections made before the search path was set could go back into the connection pool and spoil the test
18:06 jberger But if the url comes in via overridden conf on instantiation then there is no opportunity for that to happen
19:13 irqq_ joined #mojo
19:22 rshadow joined #mojo
19:25 rshadow joined #mojo
19:58 rshadow joined #mojo
20:49 irqq_ joined #mojo
21:23 zach hey jberger
21:23 purl i think jberger is http://i.imgur.com/UPfFmXF.jpg or Foreman
21:23 zach jberger: when you use JWT, is there a guarantee of uniqueness of the token?
21:24 zach ie, could I store it in a column in postgres that has a unique constraint to track tokens used by people over time for security auditing
21:33 preaction zach: you could put something unique inside, like a username combined with an expiration date. but that doesn't sound like it'd be useful to track, at all
21:39 zach preaction: wouldn't it be good for accounting reasons to say, this client logged in as this user and performed this action and then for security accounting user logs in and says, hey I don't have that client and I've never been there and so all these actions done here are not me?
21:39 preaction why do you need to specifically log the entire JWT to achieve that, though?
21:39 zach I just meant the hash
21:39 zach the token itself
21:40 preaction the hash is so you can verify that the contents weren't modified. put something in there (session id) and keep that. if you add something unique to the token, the token will be unique
21:41 preaction but remember that hashes are necessarily lossy, so i would not expect them to be unique forever
21:42 zach I just want a good way to have a security audit of user actions for many users
21:42 zach and I think tracking based on sessions
21:43 preaction a uuid is going to be a lot smaller
21:43 zach a uuid?
21:43 purl a uuid is universally unique identifier, see data::uuid or at http://en.wikipedia.org/wiki/Universally_Unique_Identifier
21:43 preaction your database probably even stores them natively
21:44 preaction half the size, a uuid will be, of (from what i can see) all the algorithms used to hash jwt
21:45 zach would I tie the uuid only to the backend or have the client track and submit it as well?
21:46 zach I had thought with the session token being part of the payload all the time that it would be easy to tie it to a user and session
21:46 preaction you would put the uuid in the jwt, signed, so they can't forge it
21:46 zach ah, ok
21:48 preaction the jwt hash is just for protecting the data from tampering. they can see the data, but they can't forge the hash, so they can't modify the data. but that's also why you put an expiration date in there
21:49 zach I was thinking 1 hour expiration
21:50 preaction and that's fine. that means that if anyone sniffs, they've got less than an hour of usefulness. also, what are you securing here?
21:51 zach the session token
21:52 preaction what possible consequences would arise if some malicious user got hold of Alice's session token?
21:52 zach and maybe a get route
21:53 zach I want most of the API to require auth
21:53 preaction that's not an answer to my question
21:53 preaction if Eve steals Alice's credentials, what could Eve do to Alice?
21:54 zach change settings in Alice's account or get content that only Alice should
21:54 purl zach: that doesn't look right
21:54 preaction if Eve could kill Alice with this information, why is it on the Internet? if Eve could read Alice's banking information, this is not enough security at all. if Eve can learn Alice's PII, then what risk would that expose Alice to?
21:55 preaction (this is all assuming you're not using https, of course)
21:56 preaction but the higher the risk for Alice, the more security you need. if the risks aren't that high, this is perfectly fine
21:57 zach only PII relevant to the account
21:58 zach Minimal banking information might be exposed, like last 4 digits of account and bank name
21:58 preaction right. so if you really need to take an extra bump in security, 2-factor auth is kind of the way to go. but it's a major hassle for you and your users.
21:58 preaction you're storing credit card info? then you must be PCI compliant and you need to stop listening to me and start listening to your compliance officer
21:59 zach Well, I would like to do 2fa ultimately, but I still thought a token to track each session's actions would be good
21:59 zach I didn't say credit card
21:59 zach I said bank
22:00 preaction my point remains that you need to be talking to an actual professional
22:01 zach well I'm the only user right now, so I can worry about that later
22:01 preaction why are you storing bank account information at all when you can use payment gateways?
22:02 zach and who would store the information?
22:02 preaction the payment gateway, which is the biggest benefit you get
22:02 preaction you don't have to worry about security compliance
22:03 zach there would be a payment of people to me, but there would also be a lot of me paying other people through it
22:03 zach would that still even make sense?
22:03 preaction so you need to go and do some research then
22:03 preaction but, especially when security is concerned, the very last thing you should ever do is do it yourself
22:04 zach I'm sure I could use stripe or something, but that's not the point
22:04 zach that's a bridge to cross when there's a potential of a single cent going in or out
22:04 preaction so you need to go and do some research then
22:04 zach there's plenty of API to implement before it's even relevant
22:05 zach and all that API, in my head, depended on the session token
22:05 zach which you're saying should be a data::uuid in a jwt
22:06 preaction to protect against session hijacking, which is basically impossible with a uuid anyway
22:08 zach well, it's not all concrete yet, but yeah
22:25 stryx` joined #mojo
22:42 iamb joined #mojo
