dvdv
@dvdv_gitlab
"eventType" : "Temp Basal" for example
Sulka Haro
@sulkaharo
@dabear Not other than there's so much database layer code in the existing system that refactoring it to use date objects and writing the migration code to fix existing databases would be a huge effort. If you want to have a stab, please :)
@dvdv_gitlab yup all insulin dosing and carbs are in Treatments
dvdv
@dvdv_gitlab
Is the structure documented anywhere?
api-docs.html did not list the "Temp Basal" type anywhere
Same for bolus calculator entries btw
Sulka Haro
@sulkaharo
Check the data types created by the Careportal system in Nightscout
If you have the energy to jot down notes, I'd be happy to take in a PR with improved docs
Sulka Haro
@sulkaharo
To comment on the much earlier question - all dates in Nightscout are supposed to be in ISO 8601 format. I recommend using a ready-made parser that supports the format and not even attempting to implement parsing. JavaScript Date and Moment.js will happily ingest the dates from Nightscout and I'm sure there are libraries for other languages as well
Pete Schwamb
@ps2
So I’m working on an NS feature for Loop that requires uploading some more settings. They’re not particularly sensitive, but they are users’ data. Nearly everyone using NS has a world-readable site, as that’s the default. I’m guessing this would come as a surprise to many people, as health data is usually an area where privacy is very strongly expected. -10 points for the first person to mention that the URLs are not published.
Pete Schwamb
@ps2
When we were at the FDA earlier this year, we were pulled aside by some federal device cybersecurity folks who showed us a security database listing a few accessible Nightscout sites. It was confusing what exactly the site was showing, and whether there was anything actionable, as we didn’t see actual URLs and you had to pay to access the site. It was weird, and we told them that open NS sites are quite common and are read-only. They seemed to be confused by that response. But again, it underscores the expectation that this data is private.
John Weston
@unsoluble
I understand the concerns, but I think that world-readable-by-default is a feature, not a bug; ease-of-use is pretty high on the list. Anyone who's concerned about this can always enable auth roles from the outset.
Eric
@ecc1
@unsoluble I would rather see secure-by-default, with an easy way to add others to a whitelist. We'd certainly expect that from any commercial service. (Speaking as someone with a world-readable NS site, of course :-)
John Weston
@unsoluble
If we could make it super easy out-of-the-box? Absolutely. Just need engineering effort there.
(And coordination with all of the app ecosystem that views/reads to handle a change like that.)
Sulka Haro
@sulkaharo
Eric, can you elaborate on what you mean by secure in this context? Nightscout defaults to world readable but requires permission to write. The basic principle here stems from the safety of the person being monitored, where it’s more likely having access to the data in Nightscout is needed in a hurry with no access details than someone getting access to the data and misusing it in a manner that creates a dangerous situation.
Having world readable access is potentially problematic from a privacy perspective, but the abuse scenarios are all debatable. From an actual cyber security perspective, there’s a lot more work to be done than just defaulting to private mode if we wanted the software to be fully secure from known problem scenarios
Sulka Haro
@sulkaharo
So @ps2 too - I think the one actionable thing we can do right away is make installation instructions / docs more clear on the privacy implications for having a public site
I also think the privacy expectation Nightscout is setting right now is actually good in many respects. I bet if we defaulted to private, people would not be sharing their Nightscout screen captures and stats nearly as much as they do. And the amount of issues people would have with schools / daycare losing access and having trouble getting back to deal with a kid would skyrocket, which would then be a patient safety issue.
Incidentally the "private URL" mechanism is what a lot of services use for data sharing; the access key is in the URL. This covers basically all of Google and Apple services & other. What they do do differently is enforce the access key (the URL) to be hard to guess and they're more transparent around telling users that anyone with the URL can view the data being shared
Sulka Haro
@sulkaharo
Nightscout does support passing the access key in the URL, so if we defaulted to private, I expect we'd have to make Nightscout sharing more like the Google model and make it easy to pass on the URL with the key, so people who expect to have access would actually bookmark a URL that included the whole access credentials. I'd assume for half (or more?) of the threat scenarios that's basically equivalent to sharing the URL and the key separately
Pete Schwamb
@ps2
So @sulkaharo gets the -10 points. ;) Passing a short-lived token on an invite is much different than exposing a long-lived URL. Making sure users understand what data (their bg and all their settings) is public by default, and providing instructions on how to secure it would be a great first step. While I agree that the openness is nice for several reasons, I also think that convenience and privacy support are not mutually exclusive, but it takes significant development work to make that combination possible.
Jon Cluck
@cluckj
how about some kind of password auth (to get read access, like exists for write access)? would that be a good way to better balance convenience/privacy?
James Babcock
@jimrandomh
Am currently working on modifying Nightwatch so it supports API secrets. Currently it only works with public Nightscout sites.
xDrip+ appears to have the same problem. Looking at the previous discussion here--while there's a reasonable argument to be had about whether to encourage people to make their Nightscouts public, the status quo appears to be that parts of the ecosystem outright don't support authentication, and that's not okay.
James Babcock
@jimrandomh
Yesssss, finally got a Nightscout display on my watch.
Sulka Haro
@sulkaharo
@jimrandomh xDrip totally supports the API secret, where did you get the idea it doesn't?
dvdv
@dvdv_gitlab
Perhaps he confused them, because IIRC xDrip doesn't support tokens
Sulka Haro
@sulkaharo
Ah yes, the API SECRET and tokens are a bit different
Martin Haeberli
@mhaeberli
URGENT - how do I do a curl query through the NightScout API to see changes to the basal rate set by Loop or by OpenAPS?
Eric
@ecc1
curl -g 'https://your-ns-site/api/v1/treatments.json' | jq .
at least for openaps, not sure about Loop
Martin Haeberli
@mhaeberli
Thx
Martin Haeberli
@mhaeberli
And ... for bonus - where would SMBs show up? - @ecc1 - this got - some- results, but surprisingly un-recent ones, and thus I don’t think this was showing the Loop ones...
another way of looking at it - OpenAPS observes basal changes made by Loop, and they show in the NightScout interface, but are not being directly logged by Loop at the moment. It’s complicated...
dvdv
@dvdv_gitlab
@sulkaharo There will be a v3 API?
And if so, is there a v2 API?
Sulka Haro
@sulkaharo
@dvdv_gitlab Yup, check /api/v2/properties
dvdv
@dvdv_gitlab
@sulkaharo But no docs, right?
also, what's the big change between v1, v2, v3?
Sulka Haro
@sulkaharo
v2 is 100% different from v1; it's sort of badly named
v2 basically exposes the internal runtime state over REST
v3 is a redesigned version of v1 that fixes a lot of the semantics of v1 and is documented in the branch
dvdv
@dvdv_gitlab
in what branch?
Sulka Haro
@sulkaharo
dvdv
@dvdv_gitlab
so - it is in no branch of the main repo. currently, it only exists as a pull request.
also ... I've been running 0.11.1 here. 0.12 introduced date normalization. does this affect the dates stored in mongodb?
dvdv
@dvdv_gitlab
I mean, is the normalization done purely in the client, and does not affect at all how timestamps are stored?
I don't really want to trash my DB :)
Dave2526
@Dave2526
Hello, does anyone have Nightscout behind an Apache reverse proxy and can send me the configuration? With ProxyPass and ProxyPassReverse it only shows "loading the client"... Thank you!