These are chat archives for feroult/yawp

2nd Sep 2016
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 07:08
Good morning!
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 12:24
So
I investigated that unique-wildcard thing I wanted to do
It seems
I initially found no way or a method to get the origin
Until I inspected the network log and remembered the Origin header haha
I will try it now
And if it works I will push it
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 12:31
I mean open a PR
Oh yes!
It woooooorks
:D
Time to :shipit:
Fernando Ultremare
@feroult
Sep 02 2016 13:45
nice!
already merged into master :)
next yawp release will have it
do you need it fast?
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:46
Nope
I already use it
From local compiled copy
It works like a charm :sparkles:
Fernando Ultremare
@feroult
Sep 02 2016 13:48
:)
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:48
Right now
I got this for authentication
like the controls for authentication
The session cookie itself, the allowed tokens list, and the expiry date of the JWT, in the respective order of verification
You think that's enough?
Fernando Ultremare
@feroult
Sep 02 2016 13:50
I would check the validity of the JWT token first
before the allowed tokens list
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:50
oh I forgot
It also checks the signature
So 4 control points actually
Fernando Ultremare
@feroult
Sep 02 2016 13:50
btw, what are the valid tokens?
allowed
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:51
I mean
Fernando Ultremare
@feroult
Sep 02 2016 13:51
are they permissions?
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:51
No
Fernando Ultremare
@feroult
Sep 02 2016 13:51
inside your app?
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:51
Let me explain
Basically, on each account
There is a list of allowed tokens
Each time you log in
That generated JWT
Gets added to the list
But the purpose of it is like this
If you get hacked someday
You can just go and revoke all tokens
Or technically clear the allowed tokens list
and it will invalidate the otherwise valid JWT
Got it?
Fernando Ultremare
@feroult
Sep 02 2016 13:53
yeah
but since tokens expire
I think this is not required
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:53
Well
Fernando Ultremare
@feroult
Sep 02 2016 13:53
plus it's kinda expensive to verify this list
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:53
What if the user wants to invalidate it immediately?
Fernando Ultremare
@feroult
Sep 02 2016 13:54
and it gets more expensive as the number of users grow
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:54
Yeah
Well
Here's another idea
Fernando Ultremare
@feroult
Sep 02 2016 13:54
I think this is not common
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:55
but it would only leave the user to invalidate all tokens
Basically we will have a temp token
In each account
And if a user gets hacked
We can just change it
and on each time we verify the JWT
We can see if it matches the temp one
Fernando Ultremare
@feroult
Sep 02 2016 13:55
yeah, u could have a secret word inside the token
that u change
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:55
Yeah
I guess it's way better
Fernando Ultremare
@feroult
Sep 02 2016 13:56
word
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:56
Cause anyways the user wouldn't distinguish between JWTs
Fernando Ultremare
@feroult
Sep 02 2016 13:56
yeah, but still
i would think about it after other requirements
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:56
This feature IS common
Fernando Ultremare
@feroult
Sep 02 2016 13:56
if you have time
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:56
Yeah
Fernando Ultremare
@feroult
Sep 02 2016 13:56
go for it :)
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:56
I already implemented it haha
I will just change it now a bit
Fernando Ultremare
@feroult
Sep 02 2016 13:56
what u have
about revoking is the permanent OAuth access token
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:57
List of allowed tokens, I will just switch it to a secret id or token
Fernando Ultremare
@feroult
Sep 02 2016 13:57
but they don't expire
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:57
Ah no I am talking about user JWTs
I want to achieve
Fernando Ultremare
@feroult
Sep 02 2016 13:57
when u allow a third party app to have access to your twitter account
for instance
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:58
Kind of like when you change a password in FaceBook and choose the option to log out from all devices
;)
Fernando Ultremare
@feroult
Sep 02 2016 13:58
I got it
yeah
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:58
Also
Fernando Ultremare
@feroult
Sep 02 2016 13:58
u could generate a UUID inside the token
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:58
Will memcached improve performance?
Fernando Ultremare
@feroult
Sep 02 2016 13:58
sure
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:58
And how do I go to use it?
Fernando Ultremare
@feroult
Sep 02 2016 13:58
u save this UUID inside the Account
also, right in every request you are fetching the Account from database, right?
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 13:59
Yeah
Fernando Ultremare
@feroult
Sep 02 2016 13:59
ok
u could use memcache
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:00
I know how to do that, I was talking about memcache
How do I use that?
Fernando Ultremare
@feroult
Sep 02 2016 14:00
MemcacheServiceFactory.getMemcacheService();
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:00
And?
Fernando Ultremare
@feroult
Sep 02 2016 14:00
it works like a Map
add a item by key
and get the item back by key
objects need to be serializable
just it
so, the workflow: request >> try to get the account from memcache by a key >> if it is not in memcache get it from database and add it to memcache
got it?
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:02
Hmmm yeah
And what methods would I need to use?
for that case, I think get/put
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:04
alright :D
brb
Fernando Ultremare
@feroult
Sep 02 2016 14:04
to understand some good practices of memcache
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:06
back
let me read that..
Hmm
So for example when I put
I can do put(some_id, account) where some_id is some unique id, probably the account id and account is the Account instance
Then I can retrieve it with get right?
Fernando Ultremare
@feroult
Sep 02 2016 14:15
yeah
it needs to be something that you can extract from the JWT token
the key
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:15
yeah
Hmmm
I guess
I can use the id?
Fernando Ultremare
@feroult
Sep 02 2016 14:29
yeah
going to lunch
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:31
Okay
But first
How do I access the put/get methods
Fernando Ultremare
@feroult
Sep 02 2016 14:32
MemcacheService x = MemcacheServiceFactory.getMemcacheService();
x.get(key)
x.put(key, value)
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:32
Ohhhh
Alright thank you!
Fernando Ultremare
@feroult
Sep 02 2016 14:32
;D
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 14:33
Bon appetit!
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 15:10
Well
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 15:18
I have a problem
It says it can't accept class as entity
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 15:27
Oh
I fixed it
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 16:17
:D
All good now
Fernando Ultremare
@feroult
Sep 02 2016 16:26
serialisable?
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 16:29
yeah
I had to add it
to the implementation
using implements
Fernando Ultremare
@feroult
Sep 02 2016 16:56
great
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 17:13
Now it works awesome
Fernando Ultremare
@feroult
Sep 02 2016 17:28
nice... now u have a modern auth system :)
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 17:30
Yeah 😁
I also added an option
In the logout action
To change that secret
Or basically log out all other devices (or sessions therefore)
Fernando Ultremare
@feroult
Sep 02 2016 17:36
nice
could be a good tutorial :P
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 17:36
Oh I forgot
About guides
I will make text guide later
Fernando Ultremare
@feroult
Sep 02 2016 17:37
don't worry.. go with your app
it's getting better!
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 17:37
But don't you think making a video series as a guide would be great?
As I also want to start a channel haha
Well I did but no vids yet
I made an interesting channel intro tho wanna see it? 😂
Fernando Ultremare
@feroult
Sep 02 2016 17:47
sure
Walid Nawfal Sabihi
@LvlAndFarm
Sep 02 2016 17:47
Shoot me a private message
I'll give it to you there