These are chat archives for canjs/canjs

28th Dec 2016
Nico R.
@nriesco
Dec 28 2016 00:20
Any drag-and-drop library you would recommend that works well with canjs/donejs?
Thomas Sieverding
@Bajix
Dec 28 2016 00:21
@nriesco jQueryPP or HammerJS
Nico R.
@nriesco
Dec 28 2016 00:29
@Bajix thanks, they both look great, even on mobile devices
Thomas Sieverding
@Bajix
Dec 28 2016 00:30
What’re you using it for?
Nico R.
@nriesco
Dec 28 2016 00:50
A kanban board
and list sorting (rearrange)
Thomas Sieverding
@Bajix
Dec 28 2016 01:52
List sorting is pretty straightforward using jQuery UI
Gira Minus
@gKreator
Dec 28 2016 01:52
Yeah, jQueryUI is one of the easiest to use... but as far as I remember it is one of the heaviest
You only need to require in the one piece anyway
Gira Minus
@gKreator
Dec 28 2016 01:53
yup
But this is a nice example that should make it onto the canjs website :D
Thomas Sieverding
@Bajix
Dec 28 2016 01:54
For sure
Nico R.
@nriesco
Dec 28 2016 02:25
@Bajix thanks again!
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:23
I want to use JWT authentication in a canjs SPA. I saw resources on the internet that store the token in localStorage; I wonder if it is ok to store it in the application state viewmodel instead?
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:23
in general the only useful places are cookies
as they get sent in the header on HTTP requests
if the JWT is for a single URL endpoint only
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:24
yes, cookies need to be encrypted
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:24
no, they don't need to be
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:24
single URL endpoint
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:24
the JWT token logic needs to be right
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:24
????
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:24
is it API consuming?
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:24
yes, the API may be used for a mobile app too
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:24
so you want to host an API endpoint and use it via a frontend application?
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:25
yes
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:25
you normally need different methods for your own applications and for external ones like mobile applications
that's why you see, for example on Facebook, a nice leveled JWT system
with application short-term and long-term tokens
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:25
the API has one auth method, JWT
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:25
as user tokens
yeah, and JWT has many control flows
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:26
mobile doesn't have cookies
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:26
good example of a standard OAuth flow
so you request and send multiple tokens
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:27
ok, I have a simple JWT
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:27
then you can use simple basic HTTP password auth too
:D
as you see, the concepts of JWT depend on stuff like different token classes and states
else it is not secure or anything
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:28
ok thanks
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:28
but if you want to implement it only as a proof of concept
you can store the token wherever you want
and verify it once on the API endpoint
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:28
ok cool thank you :)
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:28
you can simply attach the token via, for example, URL GET parameters
/?token=my0972349ujasfjijsdh
then in your Node.js app you only need to check whether that token matches the one you have registered
that's it
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:29
yes
My question is about the storage in the frontend
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:30
in the frontend you can normally store it wherever you like
in the real world
you would request a request token live with your credentials
and so on
as you don't plan that flow and want to use a fixed value, you can store it anywhere
and apply it to your call to the api/?token=param
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:31
thank you
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:31
you can use localStorage or a database or whatever you like
you're welcome
Nico R.
@nriesco
Dec 28 2016 11:31
Local storage seems to work fine on both desktop and mobile
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:32
@nriesco yeah thanks :)
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:32
@nriesco I don't know, I use Couchbase in mobile and web apps
Nico R.
@nriesco
Dec 28 2016 11:34
@cherifGsoul are you looking not to use local storage? Is that your goal?
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:34
@nriesco no, it was a general question
I think it's solved
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:35
@nriesco I wonder if putting it in the app state is ok for security reasons
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:35
@cherifGsoul for security reasons the whole concept is not valid
:D
there is no place where you can store it securely
as it's a JavaScript application using HTTP and the network stack
sooner or later it will send the information and it will be visible to the app user
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:36
@frank-dspeed it's not general and not a real problem, it's about best practices, and it is secure because it's encrypted with a secret key on the server
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:36
via network monitoring
that all doesn't matter
you can then get the encrypted token that the server will encrypt and so on
I am a security specialist, I can tell you that clearly
There is no way to store credentials safely on the client side
not for C applications and not for JavaScript applications, nor for PHP or any other language
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:37
credentials are not saved in the client
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:38
so what's your flow: credentials get sent to the server -> it returns a token, right?
Nico R.
@nriesco
Dec 28 2016 11:38
@cherifGsoul I guess it's not a good practice because exposing the token can let someone use it and impersonate you
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:38
then you want to store and use token client side
?
Nico R.
@nriesco
Dec 28 2016 11:39
They cannot decrypt it though
But they can reuse it
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:39
@cherifGsoul yes, that's right
now it depends on how long this token is valid
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:39
@nriesco Ok, I will dig more into the subject
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:39
to say if it's secure or not
for example if it is valid for 5 min
and then renews that token, then it is secure
if this token is valid for longer, it's less secure
The method is secure as you send credentials via HTTPS
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:41
yes :)
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:41
but you need to make sure that it renews and saves the new token every 5 min
so that if someone catches the token he can't reuse it for long
and to make it all more complex
you should let your client-side apps also generate some extra headers with some extra code
based on time and unique values
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:42
yes
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:42
so that someone who only finds the token can't reuse it so easily
he needs to put in a lot more effort
to have all the parts
that's why 2-way auth is so successful
also putting auth on totally different and maybe changing domains is used at CIA level
that makes it even harder to use and guess the storage and that
I think this article summarizes how to use it securely @frank-dspeed
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:45
yes, if you use all that
it's safe to store that token in the app viewmodel
:D
as it's temporary
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:45
yes
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:45
and gets replaced on app restart or earlier
the easiest security is really to renew credentials and verification often
because then you can have security holes
but still no one can break in
:D
Mohamed Cherif Bouchelaghem
@cherifGsoul
Dec 28 2016 11:47
thanks
Frank Lemanschik
@frank-dspeed
Dec 28 2016 11:47
because even if you implement security correctly, most of the time you know nothing about the rest of the infrastructure
for example app users connecting to public WLAN and that
most of the time you simply can't control the full environment your app is running in
so you can only secure it with fast renewal
or let your app connect to your servers via VPN
that's also a method