Posts
55
Comments
320
Joined
3 yr. ago

  • Probably the federation is still trying to access matrix.example.com instead of just example.com to get the .well-known configuration. I'm not sure how to make this work in general; you need a way for the federated instances to ask your instance for the configuration on the host you want.

  • Hey @mozilla, how can I have this page as RSS?

  • I think they're talking about the link in their post, not the lemmy community.

  • Glad I already switched to podverse

  • Thanks for all the information and advice!

    So in theory basic auth is enough when sent through HTTPS, right? If this is the case then the user would need to handle their password and my API can keep storing just the hash.

    In another comment JWT was suggested, maybe this could also be a solution? I'm thinking the user can worry about generating and signing the token and we could only be storing the public key, which requires less strictness when handling it; this way we can validate that the token has been signed by who we expect and the user will worry about the private key.

  • Oh I've only used JWTs with OIDC so I didn't think about using them directly. It could be a good solution since the user can generate them on their own and we can validate them with the correct information (secret or public key).

    About the issue of long-lived or non-expiring JWTs, maybe a custom restriction where valid tokens with lifespans of more than X minutes are rejected? Yeah, the token could be a valid one but we could say the payload is invalid for our API.

  • Completely agree with you, I made that comment, but most people agreed with the client '-.-

  • I agree, the token has a lifespan of some hours so it could be generated after that amount of time, which for a ~400ms call is not that much, but I was overruled .-.

    The only thing I control is the API, the client's implementation is outside of my control (although I know it is a backend service).

  • Someone wants me to implement a way to access a resource without having to make the extra HTTP calls required by OAuth, WSSE is a possibility since I saw it had some standards to send the credentials in a secure way. I have been reading about WSSE for less than a week '-

    Yeah, the idea would be the tokens used to generate the digest WSSE requires will live in our secure environment, and that's the question: how is a secure environment created to store tokens/API keys of users which will be used to authenticate them into my API? I haven't implemented this kind of stuff so I don't know what the best practices are to store this kind of sensitive data. So, I'd need to research password vaults to store my users' secrets so I can use them to authenticate them?

    I went into WSSE since sending a client id + secret seems like just a rewording of basic authentication and well, sending the credentials in plain text seems more insecure than sending a hash.

  • Well, an "extra HTTP call" is any call besides the one required for the client to access my API, in this case it is an extra call to generate an access token. Why does it matter? In the words of the client: "making a call to generate a token is slow"

  • Based on the title you're right, I asked about how to do X when probably I need to do Y, but the first and last paragraphs mention what my requirement is: a form of authentication which doesn't require making an extra HTTP call to generate a token.

    And what I mean by this is OAuth specifies the client needs to request an access token and an optional refresh token from the authorization server, afterwards the access token can be sent to the resource server (in this case my API), if the token expires the client can make another request to the authorization server with the refresh token. Each call to the authorization server is that "extra HTTP call" I mentioned.

    Currently the only solution I found which seemed somewhat secure was WSSE, but again, I've only worked with OAuth2 and hashing passwords (or even better, using a dedicated service like keycloak), so I'm not sure what's the best option to store the data it requires or if there's a better solution.

    I don't know how to be more clear: is there a way to authenticate a client to the resource server (my API) without making the client call endpoints to generate the tokens? Is there a way for the client to generate their own tokens and for me to validate them?

  • I remember there was an update to the [redacted]'s one to avoid spam, I don't know how it worked but it was along the lines of after some "here's your reminder" comments it stopped itself from commenting and only sent PMs to the people commenting. Just mentioning it in case it's also a desired improvement for this one.

  • The thing the others mentioned plus maybe it's easier to hide imperfections in the raw chicken once cooked?

  • If you have an account and a session you have a cookie or some other sort of "tracking" to know you're logged in. I put it in quotes because the tracking via cookies people are usually worried about is the one used to identify and use your behaviour, but tracking if you're logged in or not is usually fine.

    As for the IP logging, I'm not sure but AFAIK IP addresses given by ISPs are dynamic, so every now and then you'll have a new IP anyway. If you're still paranoid, why not use a VPN or a proxy? Still, those services can track your original IP so we end up back at the beginning and we need to go into another rabbit hole. Again the same as with the cookie, usually the problem with IP logging is if it's to identify your behaviour and aggregate it to sell it in some way, but the one done by software like lemmy is to prevent spammers and bad actors, so it's a necessary evil.

    You're right though, 12 months of IP logs is a lot, not sure where you read that, I haven't looked at all the code in lemmy to know how easy it is to identify the IPs of each user.

  • Thanks for reminding me these exist, I also tried them some time ago and couldn't make them work, but somehow now I was able to deploy my own server to work with them!

    I'll clean up my code and publish it later :D

  • I never understood this, it's your selfhosted server but you kind of don't own it and depend on them, so you just have an application which depends on their service, which means plex isn't 100% selfhostable, correct?

  • Damn, I wanted to answer with that joke...

    I'd say I still procrastinate but less. The main factor is it makes me feel anxious about not finishing stuff so I wanted a solution. The way I'm improving is to split big tasks into smaller steps which are easier and quicker to accomplish, this way I feel better since there's something I finished even when the big task might still be a long way from being finished.

    I remember something about 2-minute tasks or something like that, but also I saw this at my job, splitting projects into epics and each epic into tasks and even then you could split them into sub-tasks (taken from the Jira types at my job).

  • I'm not sure how nextcloud handles it, but as long as you can resolve the domain then you can put whatever you want. You usually purchase a domain so it appears on the internet with the major DNS servers, but if you only have the site in your internal network then you can put whatever you want as long as you update your internal DNS.

    Usually you can do this by manually updating the hosts file on your machines. But a better way is to have something like PiHole, in which you can set your local DNS to resolve to your own IP. After that the only annoyance is the SSL certificates, which will be self-signed; browsers show a warning, but some services don't have a way to work with them.

  • Is it really encrypted?

    I'm guessing it's only for the account recovery to reset your password which should be hashed.

  • Yeah, most people buy whatever product they see first or smells nice, but they are most probably buying a deodorant. When I noticed this and started looking for antiperspirants, it was a game changer, my days were more comfortable.