#social 2017-09-14

2017-09-14 UTC
KevinMarks, cdchapman, xmpp-social, KevinMarks_ and ben_thatmustbeme joined the channel
# 12:45 
xmpp-social [suesserboy] hello
KevinMarks and KevinMarks_ joined the channel
# 13:44 
puckipedia time to build a web client for Kroeg
KevinMarks joined the channel
# 13:55 
puckipedia (using a stateless template language, and a small custom web framework hehe)
# 14:15 
xmpp-social [suesserboy] hello my friend
tantek and KevinMarks joined the channel
# 15:02 
cwebber go puckipedia !
# 15:16 
puckipedia welp a stack overflow. and it's going to be really difficult to debug
# 15:19 
puckipedia randomly guesses
# 15:22 
puckipedia okay so I found where the stakc overflow iis, kinda? hmm. it's a weird self-referential object
# 15:24 
puckipedia oh no it's the publicKey
# 15:25 
puckipedia .. I think?
# 15:26 
puckipedia oh no I made a real big mistake lol
# 15:35 
jaywink it's stackoverflow.com. you're welcome
# 15:45 
puckipedia I now have two headers and I don't know where they come from
# 15:52 
puckipedia firefox doesn't seem to use my accept header when checking OPTIONS
# 16:02 
puckipedia woo, my JS renderer is now feature-complete compared to my C# one
# 16:11 
puckipedia (next step is to, instead of rendering into a string, render it into a div managed by a "Renderer", which dynamically updates based on data store updates)
# 16:35 
cwebber jaywink, so helpful
# 16:35 
cwebber puckipedia: oh hey nice!
cdchapman, KevinMarks_ and KevinMarks joined the channel
# 19:03 
cwebber hey Gargron
# 19:03 
cwebber you include the Digest http header in your http signatures support/implementation it looks like, which is good
# 19:03 
cwebber https://github.com/tootsuite/mastodon/blob/72bb3e03fdf4d8c886d41f3459000b336a3a362b/app/controllers/concerns/signature_verification.rb#L5
# 19:04 
cwebber but it seems to me that there isn't any "requirement" in here that there be a digest, and a check that the digest actually matches the body, is there?
# 19:04 
cwebber it seems like you'd want to do that to consistently check that the body is verified through the signature?
KevinMarks joined the channel
# 19:09 
puckipedia cwebber: currently I I do verify that the *header* is correctly signed, but I don't check the value
# 19:09 
puckipedia going to add that as a middleware before anything else\
# 19:10 
cwebber puckipedia: I'm not sure what you mean by "check the value"
# 19:10 
puckipedia like, if you sign the digest header, I will check the signature to be valid
# 19:10 
cwebber puckipedia: you mean that the digest is present and matches?
# 19:10 
cwebber puckipedia: gotcha, right
# 19:11 
cwebber puckipedia: it seems like in the cases where http sigs are important, not forgetting to make sure it's both there and matches is important
# 19:11 
cwebber otherwise you can always swap out the body's content
# 19:11 
cwebber which would be... not the best :)
KevinMarks_ and KevinMarks joined the channel