Roman
@romanzy313
Hello, I am having a bit of trouble using SEA functionality of gun, the gun.user. I am getting the following message in the console: IDENTIFI HAS HIJACKED SEA's SIGNING FOR SECURITY REASONS! Everything seems to work fine, but it is concerning. Where can I post the code?
Mark Nadal
@amark
@romanzy313 it sounds like you have the Iris or Party browser extension!
Mark Nadal
@amark
@benpreiss:matrix.org I'm not sure if you mean a graph node or if you mean a hosting node. We call machines (whether phones, browsers, or nodejs, etc.) that are running GUN on them "peers". This is different than a node, which is a node in a graph that has data. Which is different than a User, which is a pub/priv keypair. AXE already throttles updates to the same key at 2X 60fps. I have plans for other throttling rules but have been focused on improving perf until I can hit 100M/mo/users first.
@worldpeaceenginelabs I know people want those features, but I'm trying to encourage people in the opposite direction: combine together into a large DHT so we all can reuse each other's spare bandwidth/compute.
Mark Nadal
@amark
@ahg:it-dengler.de ^ if anyone does build app-specific rate limiting, please sell it as an enterprise service and then donate money back to me :P
Mark Nadal
@amark
@VittorioParagallo does that dart package even work? :/
@Fella1990 relays do fly-by-caching, but that is different than permanent storage. Most relays run on $0 cloud machines that wipe drives when they refresh or idle. You will want to deploy your own, then follow the instructions to add it to permanent storage (automatic if on your own hardware like a Raspberry Pi or dedicated server with dedicated space, or any S3-compatible API - search for s3 in the docs).
@worldpeaceenginelabs want to try running gun on bun?
@yokowasis I'm guessing that is the broken AXE version that a lot of relays picked up, make sure it's running ...39? go to /gun/package.json to check.
Mark Nadal
@amark
@benpreiss:matrix.org @worldpeaceenginelabs incorrect. GUN only syncs what you query.
@davay42 :clap: :clap: :fire: :fire: I love your components!!! Have new videos I can RT? (also, make sure you upgrade to latest ...39 version cause bad bug in AXE that cut off multi-property sync :( in prev versions.)
:clap: @Lexi:matrix.org
:clap: @draeder
@ahg:it-dengler.de in map() do you mean new as in changed, or new as in not previously in the set? I think map().once() mostly gives you what you want, however right, it doesn't do "deletes" ... I assume you mean that as a node that is unlinked from the set, regardless of whether it is replaced with another, nulled out, etc. (?) there's special logic in the chain that catches that and sends it to map().on( so I think it'd be hard to ignore in-between edits via API combo versus just having an if statement at top of your listener that only checks for new vs unlinked. Write a unit test that saves 5 new nodes to the table over 5 seconds, then 2 seconds later edits a node, then 2 seconds later removes a node, and check what the callbacks print as. Especially the .on(function(data, key, message, event) parts give extra info.
@benpreiss:matrix.org check out my original Bluesky proposal https://hackernoon.com/twitter-bluesky-a-decentralized-protocol-proposal-hi193337 it explains how to use Friend-of-Friend scoring to do p2p moderation, then I did a very detailed podcast if you want to listen to on http://media.era.eco
@worldpeaceenginelabs nice :) salt explainer, did you see the Cartoon Cryptography? https://gun.eco/docs/Cartoon-Cryptography ? Then Natnael added 3FA (3factor friend authentication) for lost password/account recovery. https://twitter.com/marknadal/status/1427715775838572545
@atjn @ahg:it-dengler.de gun.get('list').get(IDofElementToRemove).put(null)
@chalamministries
Mark Nadal
@amark
hmm, gitter isn't loading sub-threads. I'm gonna assume others already helped people out if there is a subthread (I can't see tho), simply because so many people here are so friendly & helpful :D :D :)
Mark Nadal
@amark
@chalamministries 10K isn't that massive, GUN syncs that in about 1 second on a decade old low end device !!! (run npm install gun mocha && cd node_modules/gun && mocha test/panic/chat.js & follow onscreen prompts to see how fast on your machine!)
@ahg:it-dengler.de :clap: will you add that to awesome-gun?
@solcryptic does this super basic chat app example help? https://github.com/amark/gun/blob/master/examples/basic/chat.html IDK react tho.
@jahs0nb_twitter @jamesnewportbeach var next = gun.get('next').put(data); gun.get('index').get('hadOldThing').put(next);
@deadlyicon possibly WSS issue? Custom relays IDK, if you just run the npm start one in a machine it should work, other than certs, which you can pass it as ENV params when you get them. I haven't seen that IndexedDB error before, was it easy to replicate? @tayelno . @nikhiljha I think gunjs peer got nuked with Salesforce Heroku free wipe.
@atjn yeah that is an approach, you'd have to log out & then in. Other approaches use the 4th part of the Cartoon Explainer videos to do shared secrets, but this requires more ACL tables. Iris has encrypted chat, @connor-davis has encrypted chat, oshu-gun has encrypted chat, Natnael has another, there are a loooooot of encrypted chat apps to try so just keep asking here. I plan on writing a tutorial myself once SecureRender is working.
@notnotrealreal_twitter oh :/ maybe new version doesn't work with s3 cause that module needs to be upgraded? I forget? Anyone?
@jahs0nb_twitter @nikhilvashisht @Zevenstreity_gitlab you covered??
speaking of Secure Render!!
@aethiop just got realtime encrypted chess working last night!!! Full thing, from scratch. All the graphics are powered by open source tech built by us all, and all the infrastructure is built open source by us all. First complete 100% full stack p2p encrypted app!!!
Mark Nadal
@amark
grrr it won't let me download the video, but he'll be posting another one soon that is linkable, will send. Super exciting.
Mark Nadal
@amark
yay he posted, here's the demo: https://twitter.com/marknadal/status/1618437322499833856 RT!
Bo
@worldpeaceengine:matrix.org
[m]

@amark:

AXE already throttles updates to the same key at 2X 60fps. I have plans for other throttling rules but have been focused on improving perf until I can hit 100M/mo/users first.

Could you make available the setting of the value inside Gun apps? Like a value that we could decide ourselves. throttlerelaytorelay = 2x60fps, throttlepeertorelay = (games: 2x60fps, string: 1fps, media: 1-30fps, individual setting for something: 0,1-10fps)

want to try running gun on bun?

Yes of course. I will try later. Though you could try in parallel with me on your machine ;) npm, link, run

incorrect. GUN only syncs what you query.

Is this different to what I said? "gun stupidly syncs everything you .put(), your app code is the filter" 🤔

Bo
@worldpeaceengine:matrix.org
[m]

@amark:

if anyone does build app-specific rate limiting, please sell it as an enterprise service and then donate money back to me 😛

Is this a coveted thing? 😅 I think I will integrate rate-limiting in my DAuth repo. Fits well together with DAuth's authentication and user session management.

Andre
@ahg:it-dengler.de
[m]
@amark: I looked into the as.js code, but I'm not sure how it handles loops / lists of items. # is replaced with map(), but how do you fill all the key => value pairs related to one item / node? Tried to get the "parent soul" to know which list entry the key value pair is related to, but failed to get the parent soul
@amark: My wrapper needs some improvements first. But I'm a bit stuck on a few details and partly also on the async / await basics (need to await created pair, but can't just delay). So feedback and hints are welcome to improve my code.
Bo
@worldpeaceenginelabs

@Lexi:matrix.org the thread has problems opening...

It would be pretty easy to do on the "client" through your app code but then that can be easily circumvented by sending requests manually without the restrictions of your app's code.

Actually, I would implement the schema client-side in my app, and whitelist my webapp's domain relay-side.
Can this be circumvented by sending requests manually in the way you mentioned? If yes, how? F12 console or something like this https://chrome.google.com/webstore/detail/console-injector/abdfbnapkafgcheofcijaieahcbjnpkd maybe?
Bo
@worldpeaceenginelabs

@benpreiss:matrix.org

even though @Lexi:matrix.org is right with the user-space strategy, relays having IDs would come in handy for many strategies in general.

Relays could have a onetime execution on the first install of the relay on a server, desktop, etc.

// onetime execution on relay at first install (nanoid or uuid libs have good anti-collision, the hash even strengthens this)

let id = randomGenerator();
const fixedIdFileToStorage = hash(id);

This way every relay gets an ID from the start.

PS: nanoid (https://github.com/ai/nanoid) uses unpredictable hardware randomness, crypto instead of math.random(), and is only 130 bytes.

Bo
@worldpeaceenginelabs

@amark

I know people want those features, but I'm trying to encourage people in the opposite direction: combine together into a large DHT so we all can reuse each other's spare bandwidth/compute.

We both are still on the same train. But I feel the need for an intermediate hybrid solution.
This "plateau" will surely allow me to see the way for the full decentralization (spinning up gun relays that belong to humanity only, but auth/security/spam fully covered)

nice :) salt explainer, did you see the Cartoon Cryptography? https://gun.eco/docs/Cartoon-Cryptography ? Then Natnael added 3FA (3factor friend authentication) for lost password/account recovery. https://twitter.com/marknadal/status/1427715775838572545

I am super new to encryption and hash concepts (didn't even know the difference 4 days ago) 😅

But I watched your crypto cartoon last weekend (and know your 3FA 🔥🙏), which brought me to salt, which brought me to hash and salt and pepper, which brought me to this fireship video https://youtu.be/NuyzuNBFWxQ (after watching it you will be like "i know kung-fu")

And these two from Computerphile: https://youtu.be/8ZtInClXe1Q (How NOT to Store Passwords!) and https://youtu.be/b4b8ktEV4Bg (Hashing Algorithms and Security) Somehow 9 years old, but from reading other articles still current.

PBKDF2 seems to be out of date today btw.
One weakness of PBKDF2 is that while its number of iterations can be adjusted to make it take an arbitrarily large amount of computing time, it can be implemented with a small circuit and very little RAM, which makes brute-force attacks using application-specific integrated circuits or graphics processing units relatively cheap.[12] The bcrypt password hashing function requires a larger amount of RAM (but still not tunable separately, i.e. fixed for a given amount of CPU time) and is slightly stronger against such attacks,[13] while the more modern scrypt key derivation function can use arbitrarily large amounts of memory and is therefore more resistant to ASIC and GPU attacks.[12]

In 2013, the Password Hashing Competition (PHC) was held to develop a more resistant approach. On 20 July 2015 Argon2 was selected as the final PHC winner, with special recognition given to four other password hashing schemes: Catena, Lyra2, yescrypt and Makwa.[14] Another alternative is Balloon hashing, which is recommended in NIST password guidelines.[15]

So my stack will be rather argon2, salt and pepper (does someone know a repo that works in the browser btw?)
I wanted to go for SHA-3 first (https://github.com/emn178/js-sha3), but I read it's not good for passwords compared to Argon2.
https://github.com/antelle/argon2-browser is based on wasm which collides with my vite bundler (known issue) 😭

Bo
@worldpeaceenginelabs
Another one could be this (for SHA3) but seems deprecated. https://github.com/emn178/js-sha3
Actually all the crypto api and libs seem deprecated (last commit years ago). Is there a reason I'm having a hard time finding a nice and current "cryptography in browser lib"?
@amark DAuth is definitely inspired by your video https://youtu.be/ccKThyaDR30
Bo
@worldpeaceenginelabs

@amark

https://github.com/worldpeaceenginelabs/GUNJS-Starterkit

This is a collection of tools. The code is vanilla JS btw. (not even Typescript) in a Svelte environment.
You can just copy paste the JS parts if you like to re-use them.

I am 24/7 occupied with DAuth (it really drives me) but I will publish a GunJS Quickstart Guide asap. (many changes of concept so far, I don't want to spam the wiki so I will publish when I am 100% done and sure it became a "GunJS for Dummies")

Pretty much a clone of https://gun.eco/docs/Introduction and https://gun.eco/docs/API, but a bit easier to approach (and get that deprecated stuff out of the way)

Bo
@worldpeaceenginelabs

Hi everybody!

Not sure if this is off-topic (I made it for our Gun apps because I am too lazy to learn how to SEA for now (I know I have to in the near future, because of encrypting every single file in case someone hacks the credentials of a user))
But I'd like to know if this concept is feasible anyway?

image.png
benpreiss
@benpreiss:matrix.org
[m]

So many answers! ❤️

Aaaand I have some more questions haha:

  1. Do chained .get().get() commands only retrieve that very specific requested piece of data or also the intermediate data?
  2. I am reading about different spaces in gun (user space etc.). I wonder how encryption can protect against some user writing to another user's space? Because as far as I understand it, encrypted data can still be overwritten, right?
  3. My question about peer IDs remains. How can I identify certain peers and disconnect from them? I would especially need to identify from which peer I got which changes in my graph (.get().on() should also deliver the id of the peer that distributed the event)
  4. What happens in public space if some peer wants to null data that I don't want to null? What change gets merged? Can I decide to not merge that change?
  5. What about DELETE permissions? Can I give a user WRITE permissions but no DELETE permissions?
Phyo Pyae Sone Han
@phyohan18
image.png
Hello, I am facing this problem with NextJS. Does anyone know how to solve it?
Sharlon Balbalosa
@sbalbalosa_twitter

How to write a certificate policy that only allows write to 'deeper' key? I highlighted what I mean in the screenshot.

image.png

Bo
@worldpeaceenginelabs

@benpreiss:matrix.org
@Lexi:matrix.org
@amark

I started to look into the auth/spam issue from ground up, but this time more visually.
Plus I had some nice cryptography geek discussion on discord today.

The following slide is the actual state that every developer will face at some point when starting with GunJS (Github, Cloudflare, ENV's, are exchangeable with your providers/methods)

I invite everybody to wrap your head around the slide, to find the best balance between...

Authorized and unauthorized user (which share a red flag!)

  • deny unauthorized user to post at all (red flag)
  • authorized user spams or even wants to spam (red flag)
  • authorized user posting too much or bs (yellow flag)
  • authorized user posting (green flag)

...and how to measure, identify and regulate them.

Slide (duplicate to modify) https://docs.google.com/presentation/d/1xb6l41eqt6OYxNwtZJSh1wC_rTMrIEyExcsCBdhRIxo/edit?usp=sharing

I copy pasted the top slide to the bottom, made the ME card a user, and pretended to just lock the whole system. So I exchanged the red conditions with new green conditions.

Notice from the color change:

WE CANT FULLY SECURE THE APP BECAUSE THE CODE IS MODIFIABLE

  • someone modifying your app's code seems always to be an issue, even if you basically unplug your server.

WE CANT FULLY SECURE THE RELAY EITHER, BECAUSE THE ADDRESS CAN BE KNOWN

  • Your app isn't even necessary, someone can just inject .put/.get on your infrastructure's IPs/addresses. (Inject where? He will know from your sourcecode, the F12 console or some other tool) And be sure every peer, relay, home-, cloud- or edge-server address can basically be traced back by someone who really wants it. (this points us to using proxies to make it even harder to find our infrastructure!)

THE FORMER POINTS US STRONGLY ON SECURING THE DATA ITSELF, THE HANDLING OF .get/.put (API)

Measurement No 1: ENCRYPTION (for data with an audience less than absolutely everybody)
In case of even someone legit or someone sneaking in, they only find garbage.
hash, padding, encryption: ECDSA-SALT-RSA or SHA-3, SHA256, AES

Measurement No 2: VALIDATION/SIGNING
Sign and validate all data with keypairs (transfer/post/message)
hash, padding, encryption: ECDSA-SALT-RSA, or HMAC, PBKDF2

Measurement No 3: RESTRICT/LIMIT/BALANCE ACCESS TO .get/.put (API)

  • AUTH
  • Common-Sense Request Limitations:
    for instance, a couchsurf host can only offer 1 stay (send one hosting post) each day max...(common-sense)
  • Requests in a timeframe (request-rate):
    ...While a couch searcher can message different hosts with a rate of
    RULE-1: "not more than one per second" (= a few short messages in a row, but not spamming the other user(s)),
    but RULE-2: "not more than 15 messages in 60 seconds" (limits rule 1 by about 75%) (request-rate)

Measurement No 4: - AUTH

  • creating identities: keypairs = hash, padding, encryption: ECDSA-SALT-RSA
  • Identities(created & existing): authorized, unauthorized, spammer/attacker, bot, multiple accounts, identity theft
  • who is who (identity + request-rate + block/delete)

You can start to see some patterns coming up from playing with red,yellow and green, kind of a puzzle...

I will start by locking the whole system up and myself out, and then start open it a bit, look what happens, maybe unlock it a bit further... You'll get the point...

Bo
@worldpeaceenginelabs
image.png
Bo
@worldpeaceenginelabs

@amark

I know people want those features, but I'm trying to encourage people in the opposite direction: combine together into a large DHT so we all can reuse each other's spare bandwidth/compute.

I've thought in your direction, and if these use-case dependent relay strategies (slide under this post) were integrated into Gun, that would be awesome!
Maybe an extension of AXE? You'll find a way 🔥🔥🔥

Incentivise API consumers with high bandwidth needs, and in turn grow the whole Gun Ecosystem

How does it work?
After the first 24 hours of a relay relaying data to and from multiple dapps/applications from different sources, it generates a list (just for the sake of explaining, same with Google, Fortnite, Dtube) which gets updated every 24h or less.

This list would look basically like this:

24h USAGE:

  • hans blog: 100mb
  • peters travel blog: 500 mb
  • toms videochat: 1000mb
  • dtube: 10000mb
  • fortnite: 100000mb
  • google maps 1000000mb

From here could the AXE extension do the following:

Group the request sources by bandwidth usage and thereby grant access only to relays shared with dapps/apps of similar bandwidth need.

  • So hans and peter in group A( low-level dapps)
  • tom and dtube in group B (intermediate-level dapps)
  • fortnite and google maps in group C (intensive dapps)

Group C could be incentivised to create more Gun relay infrastructure for the whole Gun Ecosystem (they have the money, so why not?)

  • the AXE extension limits the bandwidth of the highest consumer to the median of all consumers. Same with the second highest bandwidth consumer and so on. Continuously till a level is reached, where the group C bandwidth consumers do not slow down group A and B consumers using the same relay.
    (if efficiency < 75% => balance mediate)
  • this means for intensive consumers (group C) like Google or Fortnite, that they MUST invest in the infrastructure (more relays), to raise that median. Else they can't run their service, because the bandwidth will not be enough.
  • but at the same time, it's an investment into the whole Gun Ecosystem. So ABC.

PS: more groups A,B,C,D... for a finer grain are possible of course, this is just for the sake of explaining

image.png
BrendanDN
@BrendanDN
How would I go about push notifications using gun?
rcookie777
@rcookie777
Hi, i was wondering if i can use webauthn within gun. Thanks?
rococtz
@rococtz:matrix.org
[m]
@rcookie777: You can use whatever auth you want as long as you implement it. As far as Gun cares, you only need to have a private/public key pair and that's it. But definitely not out of the box
rcookie777
@rcookie777
Cool thanks
Bo
@worldpeaceenginelabs

https://github.com/worldpeaceenginelabs/1-MEGABYTE-STORE

Hey everybody!

Found a cool logic for our user-databases. 1MB, doesn't matter what 🔥🔥🔥
Very short readme! 😅

I just did this waking up, I will try it myself later, but maybe someone can write a script?

Bo
@worldpeaceenginelabs
@amark
AXE + Incentivise API consumers with high bandwidth needs + 1-Megabyte-Store = Three separate routing concepts. But combined: 🔥🔥🔥
oryve
@oryve_app_twitter
Hi, is it possible to share, for example, my profile on the web, so that a recipient not using gun can see it? Also can a non-gun user collaborate (e.g. tasks) with me over the web? If yes, how does it work?
udbhav-s
@udbhav-s
image.png
Hey all, I'm trying to use gun for a project and am getting this in the console sometimes. Does anyone know what this means?
Architect
@luciferianink:matrix.org
[m]
I need One person.
Architect
@luciferianink:matrix.org
[m]
Bo
@worldpeaceenginelabs
btw: I asked chatgpt for fun "code a viable AI with GunJS and Brain.js" and this was its answer! 🤯
image.png