Am I correct in assuming that there is no way to implement an oauth login with only client side scripting? As in, any implementation of that will always be vulnerable to a hacker forging some request - by manually editing his session storage, or faking a referer etc - and be able to log in as another user. I had a look around the internet and did find a few Youtubes and stuff that do implement it in only Javascript, but they all had really obvious security holes
# ? Jan 16, 2017 00:35 |
|
peak debt posted:
Am I correct in assuming that there is no way to implement an oauth login with only client side scripting? As in, any implementation of that will always be vulnerable to a hacker forging some request - by manually editing his session storage, or faking a referer etc - and be able to log in as another user.

It depends on what you're doing with it. If you're using oauth to interact with someone else's service, you can do that in the client just fine. The server you're logging into gives you a token, which you include in all your other requests to indicate who you're logged in as. It's impossible to guess a valid token for a different user, so it's not possible for an attacker to impersonate someone else. (And even if it was, it would be the oauth provider's problem, not anything to do with your app.) If you're using oauth to authenticate the user for your own purposes, then yeah, obviously you're going to need to check stuff on your own server instead of trusting the client to not lie about anything.
# ? Jan 16, 2017 01:08 |
edit: Answered on irc. Thanks everybody!
RoflcopterPilot fucked around with this message at 08:54 on Jan 20, 2017 |
# ? Jan 20, 2017 08:35 |
Speaking of MongoDB, does anyone have any experience using Elasticsearch as your primary data store? We are trying to ship application-generated JSON messages from a networking appliance that is processing 40Gbps and generating about 14GB of data per day. We have found that Elasticsearch becomes unresponsive after a few days of querying it and requires a process restart. I expect our application data to grow 4x when it starts pushing 40Gbps and am worried that this DB isn't up to snuff. We're using fluentd to send the logs and its built-in retry logic is causing it to insert duplicate data when it does get in that stuck state, which sucks but whatever.

We also have a similar amount of data being sent to a Postgres database running on the same host, and while that has been more reliable, the tables aren't partitioned on anything so it just grows forever and the maintenance of it is a bigger hassle than ES's automatically created daily indexes. I want to consolidate our data into a single DB to make things easier and not have 2 applications fighting over disk I/O. So I'm trying to find the right solution moving forward. We're trying to keep the above system working on a single host that has a 16 core 2.4GHz processor, 64GB of RAM and 1TB of SSD storage.

Pros for ES: Backing up and restoring data is very easy with the ES data since it automatically creates indexes for every day. It can scale in cluster mode when this server eventually needs to grow, but I'm sceptical that this will actually work. Kibana is great for making dashboards!

With Postgres it feels like I have a lot more work to do to get the same results, and I don't know if it's really meant to deal with this much data continually streaming into it. Any recommendations?
# ? Jan 20, 2017 18:20 |
Janitor Prime posted:
Speaking of MongoDB, does anyone have any experience using Elasticsearch as your primary data store? We are trying to ship application-generated JSON messages from a networking appliance that is processing 40Gbps and generating about 14GB of data per day. We have found that Elasticsearch becomes unresponsive after a few days of querying it and requires a process restart. I expect our application data to grow 4x when it starts pushing 40Gbps and am worried that this DB isn't up to snuff. We're using fluentd to send the logs and its built-in retry logic is causing it to insert duplicate data when it does get in that stuck state, which sucks but whatever.

In my experience, Elasticsearch is horrendously expensive to run at scale, doesn't scale well, and Kibana is less than fun and easy to work with as soon as you need to do anything remotely complicated with it.
# ? Jan 20, 2017 18:39 |
I wouldn't say that I'm necessarily a huge fan of Elasticsearch, and generally wouldn't trust it as a primary system of record (though I haven't tried using it as such, and have not experienced data loss). However, a few years ago I more or less single-handedly set up a (smallish, single digit nodes) Elasticsearch cluster that handles roughly ~10x the data you mentioned, and it's been humming along fine for the duration. Not saying it's appropriate for your use case, but it's definitely not difficult to scale it to much more data than you're currently ingesting.
# ? Jan 20, 2017 21:58 |
Steve French posted:
I wouldn't say that I'm necessarily a huge fan of Elasticsearch, and generally wouldn't trust it as a primary system of record (though I haven't tried using it as such, and have not experienced data loss).

You stored 140 Gigabytes a day in Elasticsearch? On what kind of hardware with what kind of retention?
# ? Jan 20, 2017 22:47 |
baquerd posted:
You stored 140 Gigabytes a day in Elasticsearch? On what kind of hardware with what kind of retention?

Roughly double that right now, actually. 10 day retention with 2x replication. Data nodes are 10x r3.xlarge instances on EC2 (I guess I was wrong about single digit nodes, it's grown a bit). I can't make an argument that it is the cheapest or best solution in terms of ongoing cost, but in terms of developer time required it's been pretty minimal.
# ? Jan 20, 2017 23:40 |
Does anyone know of good articles relating to chat servers/clients? Just looking to read about different ideas regarding storing messages (or not to), clients that poll for new messages, servers that push messages to clients, scaling multiple servers, both chat directly between two users and channels/rooms... Like at what point does a message forum or email system 'become' a chat program?
# ? Jan 23, 2017 22:01 |
Bob Morales posted:
Does anyone know of good articles relating to chat servers/clients?

Sure, check out the RFCs for IRC or XMPP. Or god help you SIP.
# ? Jan 24, 2017 00:13 |
leper khan posted:
Sure, check out the RFCs for IRC or XMPP. Or god help you SIP.

I was thinking more implementation-wise. I thought StackExchange did a good blog post about their chat setup but I couldn't find the one I was remembering.
# ? Jan 24, 2017 20:06 |
Bob Morales posted:
Does anyone know of good articles relating to chat servers/clients?

I don't have any specific recommendations, but I know that I've seen tons of projects/tutorials/articles talking about using websockets for chat thingies, so maybe google around for "websocket chat". I think the last one I read was in the docs for django-channels.
# ? Jan 24, 2017 20:51 |

Bob Morales posted:
Does anyone know of good articles relating to chat servers/clients?

I'd say that a messaging system becomes "chat" when a message is delivered and displayed to online and subscribed clients within 1 second (+ network latency) of it being sent, without the recipient(s) having to actively do any refresh. Writing a simple IRC client/bot or server from scratch might be a decent exercise? You can generally get away with ignoring lots of details.

# ? Jan 24, 2017 21:04 |
I'm trying to make a Pokemon Trading Card Game webapp. Eventually I'll have thousands of cards with diverse, but simple-to-code, effects. I think I wanna store the cards as individual Javascript files and import the small number required for each game before the game starts. Is this a terrible idea? Is this the right thing to do? Does the answer change if they're only imported as your opponent reveals their deck to you?
# ? Jan 26, 2017 03:43 |
it is posted:
I'm trying to make a Pokemon Trading Card Game webapp. Eventually I'll have thousands of cards with diverse, but simple-to-code, effects.

Focus on the rules engine.
# ? Jan 26, 2017 03:47 |
it is posted:
I'm trying to make a Pokemon Trading Card Game webapp. Eventually I'll have thousands of cards with diverse, but simple-to-code, effects.

Write out one of these cards with all of the properties you expect it to have, then add a bunch of properties you don't expect just in case, then copy and paste all of the rules data you have for that card a couple of thousand times. Save that file, gzip it, and see how big it is -- it'll almost certainly come out far under a megabyte and take almost no time to transfer if you put it all in one big file. If you want to write them as separate files for your own productivity then you can certainly do that and have your build script concatenate it all into one file, which is probably the best way to go.
# ? Jan 26, 2017 04:35 |
piratepilates posted:
Write out one of these cards with all of the properties you expect it to have, then add a bunch of properties you don't expect just in case, then copy and paste all of the rules data you have for that card a couple of thousand times. Save that file, gzip it, and see how big it is -- it'll almost certainly come out far under a megabyte and take almost no time to transfer if you put it all in one big file.

Whoa I really like this. There are even javascript libraries to unzip gzip files. Also in case I wasn't clear, I'm talking about implementing an existing game that's had almost 20 years to amass thousands of cards.
# ? Jan 26, 2017 06:57 |
it is posted:
Whoa I really like this. There are even javascript libraries to unzip gzip files.

I brought up gzip because it's defined in the HTTP specs already. Don't do anything with gzip yourself, just make sure the server that the browsers will connect to has gzip compression enabled over HTTP and don't worry about it. 20 years and thousands of cards may sound like much but create fake data and test it yourself. Unless it actually ends up being so much data that loading the page with the one big concatenated .js file takes like 30 seconds you shouldn't worry about it and just opt for the easy route of "one big js file" that popular toolchains already embrace.
# ? Jan 26, 2017 07:02 |
Yeah, I do some stuff that works on a data set of every card ever printed in magic the gathering, and that poo poo is super small. Also, I think the same text copy pasted a few thousand times probably gzips a lot better than the actual thing. But, it will probably still be under a meg. MTG JSON, which is what I'm using, zips to just under a meg. The only thing you should need to download as required is card images. It'll probably end up being slower if you have to make an http request for every single card file. Also, Pokemon cards may feel like they're simple, but there are some very tricky effects in there. You could get 95% of cards implemented in a snap once you have the basic rules set up, but those few remaining cards will end up making this a massive undertaking, especially once you realize that those cards also happen to be the ones that people want to play with.
# ? Jan 26, 2017 07:38 |
I hope this is a good place to start and get some pointers. For the last ~7 years I have mostly worked on existing applications and extended those, but somehow we lost our other most senior developer so that role falls to me now, and now we want to build something new. Since all the old stuff we have is terribly designed with no clear philosophies behind it, we are starting mostly from scratch and I need some advice about a good tech stack and even some right terms to research.

We are going to build a mobile app that should at least run on Android and iOS; mobile Windows devices would be a huge plus. The big caveat is that we want to make an app that is highly modular with exchangeable behaviours, since we have dozens of customers that have very specific workflows. The idea is that we have a default application that can, for example, process orders by showing information about them, starting an order, requesting information about that order from the user and finishing that order. Now one customer might need additional information (i.e. delivered amount of X) and calculations based on those. This specific change to the general process should be somehow modular and not require an update of the original app. Today all those extra features for specific customers are programmed into the main app and activated by setting hundreds of different parameters. This often leads to breaking features when seemingly unrelated features are modified.

My abstract idea is that every action in the main application fires events, and those modules that we somehow get into the app, when activated, listen to those events and execute their own code before continuing with the main application (or completely replacing the original event). The problem is that I have no idea about a sane tech stack for such an application, and neither do I know the right terms I even need to google for this kind of modular programming.

Since afaik iOS is rather squeamish about loading libraries/installing apps on the fly, I assume that those modules need to be scripted, so probably written in some kind of JS. So if anyone can give me advice on whether this approach seems like a sane idea, if there are some terms or frameworks I should google, and maybe what components should go into building such an app, any help would be much appreciated. Or if this is too specific and I should look into another thread.
# ? Jan 28, 2017 00:56 |
cybertier posted:
I hope this is a good place to start and get some pointers.

Just throw things at the backend and modularize things there. JS sounds like a supremely bad idea for business logic. Nothing is going to stop you from writing highly coupled systems that break when changing other things if that's what the people working on the system build.
# ? Jan 28, 2017 01:16 |
The first thing that comes to my mind is that it sounds like you need an app maker, not an app. Can you make something that takes in whatever specification and spits out a buildable project for your platform of choice? It sounds like there's lots of room for reusing code here, but twiddling knobs in one monolithic project didn't turn out so well last time. Consider making the different parts you need and then combine them specially for each customer. Maybe JavaScript is how you tie the pieces together into a whole, idk, that seems like a more concrete concern once you work out what you're actually building. It'll probably be more work up front, but it might survive a bit longer.
# ? Jan 28, 2017 05:17 |
i have a question regarding the api/backend of twitter. i have zero experience with it. i'm in a slack group that uses twitter for slack. it always, always, always gets tweets faster than i do on my phone or in my tweetdeck. we follow this one user, and i'm configured to receive mobile notifications for this same user, yet the bot gets notifications 5-10s before they hit my phone, and 8-12s before they hit my tweetdeck. why? furthermore, if i created something using the api, would i be able to get those tweets as fast as twitter for slack does? the api seems relatively nice to use, but wanted to know your guys' experience with it before digging in. regardless, there has to be some way to get tweets faster on my phone and tweetdeck if twitter for slack always does. i would just use twitter for slack in a separate channel, but it's unreliable.
# ? Jan 28, 2017 17:00 |
You're not the first person to come up with the idea of using buttloads of XML to configure pluggable modules. The problem is you can't escape the fact that programming is programming, whether or not you push the program into a set of configuration files rather than explicitly in code. In many ways debugging configuration can actually be harder than regular code because it's not designed to be debugged. I'm not going to say that what you have isn't an ugly hack, and by all means it may make sense to pull some of the frequently-used stuff out into a common form that you can twiddle some settings on, but at the end of the day you will still have to verify that the workflows for each of your customers work right. What you actually need is automated testing that walks through each of your workflows and makes sure it does what you think it does, and you can do that right now before you initiate a massive app rewrite. Unless you're just pushing that off entirely on your customers, in which case congratulations, you're the proud father of a new GUI toolkit.
# ? Jan 29, 2017 05:07 |
piratepilates posted:
I brought up gzip because it's defined in the HTTP specs already. Don't do anything with gzip yourself, just make sure the server that the browsers will connect to has gzip compression enabled over HTTP and don't worry about it.

Dr. Stab posted:
Yeah, I do some stuff that works on a data set of every card ever printed in magic the gathering, and that poo poo is super small.

Thanks for the suggestions guys, I'm pretty sure I know where I'm going with this. And actually Pokemon cards pretty much all have very simple effects. This is probably the card with the highest density of weird special-case effects in Standard; if this were an MtG card, this would be a creature with a free activated ability "discard all cards attached to this creature. It becomes an Aura enchantment with 'Enchanted Pokemon has protection from Mega Evolution Pokemon. Discard this enchantment at your opponent's end step.'"
# ? Jan 31, 2017 21:50 |
Playing around with C#/ASP.NET and I'm curious about DRY and LINQ queries. Say I have something like this repeated many times throughout a project: code:
# ? Feb 1, 2017 18:07 |
it is posted:
Thanks for the suggestions guys, I'm pretty sure I know where I'm going with this.

There's still cards like ninja boy or even garbodor that are trickier than you may think to in a modular way.
# ? Feb 1, 2017 18:18 |
kloa posted:
Playing around with C#/ASP.NET and I'm curious about DRY and LINQ queries.

You can write an extension method that encapsulates that, sure. Might make more sense to establish a repository layer you can stick related functionality in (and then it becomes injectable for testing). Are there no foreign keys linking form and form_fields or form_fields and attachments? You should be able to get attachments from eg. form_fields.Attachments if there are and you're using Entity Framework. Otherwise, your DB schema is probably janky.
# ? Feb 1, 2017 18:27 |
Munkeymon posted:
You can write an extension method that encapsulates that, sure. Might make more sense to establish a repository layer you can stick related functionality in (and then it becomes injectable for testing).

I've only put PKs on the database so far, since I keep modifying the table structures as I add/modify functionality. I'll add some FKs and read into querying tables more.
# ? Feb 1, 2017 18:38 |
Can anyone help me with a UML diagram? I've never done one and I am supposed to do one for this assignment. We have literally never covered it. The program is super simple, two files. Even the search results confuse me.
# ? Feb 2, 2017 01:47 |
UML is a very broad thing. It's a standard for drawing a large number of kinds of diagrams for specifying software. You'll have to be a bit more specific. I'm assuming they want you to draw a class diagram, but I'm not sure.
# ? Feb 2, 2017 01:58 |
Yeah it's a class diagram. I think I have it figured out probably. Can I post the code and the image I have here? Don't make fun of my coding I'm not l33t yet. Does this look right? Am I way off? code:
ButtWolf fucked around with this message at 02:08 on Feb 2, 2017 |
# ? Feb 2, 2017 02:04 |
That looks exactly right.
# ? Feb 2, 2017 02:22 |
Dr. Stab posted:
That looks exactly right.

Awesome. Thanks for reassurance.
# ? Feb 2, 2017 02:24 |
Let's say I have server A, living behind a firewall exposing an HTTPS interface. Server B lives on the internets outside the firewall. A makes an outbound secure websocket connection to B. I then want to have a client make an HTTPS call on B which then forwards the request to B over the websocket, waits for the response and then returns the response to the client. In practice there would be multiples of A connected and the url would be used to specify which A the client was talking to. Does this architecture have a name? Searching for 'websocket http proxy' brings up a lot of unrelated hits. Both servers are going to be running node+express so if there is something already written which does that, that'd be great.
# ? Feb 2, 2017 17:40 |
Sort of a math question, but in JavaScript: I remember someone telling me before a few years ago how to make a simple oscillator function without using sine. I think it just uses addition and subtraction. Anyone know what this is?
# ? Feb 2, 2017 18:24 |
LP0 ON FIRE posted:
Sort of a math question, but in JavaScript: I remember someone telling me before a few years ago how to make a simple oscillator function without using sine. I think it just uses addition and subtraction. Anyone know what this is?

Probably uses the Taylor series for sin(x): sin(x) = x - x^3/3! + x^5/5! - x^7/7! + x^9/9! - ... + (-1)^(n-1)*x^(2n-1)/(2n-1) ...which is good enough after x^7/7! for most purposes. X is in radians and usually clamped between Pi/2.
# ? Feb 2, 2017 19:19 |
Why do you want this? If it's for "speed" I recommend sticking to sine unless you can prove that's what's slowing you down.
# ? Feb 2, 2017 19:20 |
LP0 ON FIRE posted:
Sort of a math question, but in JavaScript: I remember someone telling me before a few years ago how to make a simple oscillator function without using sine. I think it just uses addition and subtraction. Anyone know what this is?

Check out the equations in the section titled "Block Behavior in Discrete Mode": https://www.mathworks.com/help/simulink/slref/sinewave.html
# ? Feb 2, 2017 19:23 |
LP0 ON FIRE posted:
Sort of a math question, but in JavaScript: I remember someone telling me before a few years ago how to make a simple oscillator function without using sine. I think it just uses addition and subtraction. Anyone know what this is?

It's got to be the Taylor series, as mentioned. P.S: how do you think sin() is implemented under the hood?
# ? Feb 2, 2017 19:32 |
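Both answers worked through in JavaScript, as an added example (not code from the thread): taylorSin sums the series quoted above after folding x into [-pi/2, pi/2], and makeOscillator is a recurrence (one common choice, my assumption about what the poster half-remembers, in the spirit of the discrete-mode block linked above) that needs sin and cos once at setup and then only a multiply and a subtract per sample.

```javascript
// Added example, not from the thread: a sine-shaped signal without calling Math.sin per sample.

// sin(x) = x - x^3/3! + x^5/5! - ..., summed over `terms` terms after range reduction.
function taylorSin(x, terms = 6) {
  const TWO_PI = 2 * Math.PI;
  let r = x % TWO_PI;                      // reduce to (-2pi, 2pi)
  if (r > Math.PI) r -= TWO_PI;            // then to (-pi, pi]
  if (r < -Math.PI) r += TWO_PI;
  if (r > Math.PI / 2) r = Math.PI - r;    // sin(x) = sin(pi - x)
  if (r < -Math.PI / 2) r = -Math.PI - r;  // mirror image for the negative half
  let term = r;
  let sum = r;
  for (let n = 1; n < terms; n++) {
    // Each term from the previous one: multiply by -x^2 / ((2n)(2n+1)), giving x^(2n+1)/(2n+1)! with alternating sign.
    term *= -r * r / ((2 * n) * (2 * n + 1));
    sum += term;
  }
  return sum;
}

// Recurrence y[n] = 2*cos(w)*y[n-1] - y[n-2], seeded with y[-1] = sin(-w) and y[0] = 0,
// so the n-th call returns sin(n*w). Rounding error creeps in over very long runs, so a
// real synth would re-seed every so often; for a few thousand samples it is negligible.
function makeOscillator(freqHz, sampleRate) {
  const w = 2 * Math.PI * freqHz / sampleRate;
  const k = 2 * Math.cos(w);
  let prev2 = -Math.sin(w); // y[-1]
  let prev1 = 0;            // y[0]
  return function next() {
    const y = k * prev1 - prev2;
    prev2 = prev1;
    prev1 = y;
    return y;
  };
}

// Demo: compare both against Math.sin for a 1 kHz tone at 48 kHz.
const next = makeOscillator(1000, 48000);
for (let n = 1; n <= 4; n++) {
  const x = 2 * Math.PI * 1000 * n / 48000;
  console.log(n, next().toFixed(9), taylorSin(x).toFixed(9), Math.sin(x).toFixed(9));
}
```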