Christopher Davenport
@ChristopherDavenport
Place key in database somewhere?
Haris Khan
@tyrantkhan
we use vault and load these keys in as environment variables at work.
Andrew Sim
@andrewsim
cool~ will give it a go
lgirard
@laurentgir
Hey guys!
I've made some docs about Http4s-Tsec service composition here. I'd like to know if that's something you'd like to add to the project's documentation?
Christopher Davenport
@ChristopherDavenport
Absolutely!
lgirard
@laurentgir
Great! I'll make a PR tomorrow then.
It needs a bit of rework (typos, tut integration, etc.).
Ryan Zeigler
@rzeigler
I was looking at tsec for JWT verification. Specifically, I am working with the auth0 asymmetric mode with certificates. There doesn't seem to be any documentation relating to it. Is it possible to do with tsec or not yet?
Christopher Davenport
@ChristopherDavenport
I believe so, I use it for that purpose with a different cipher. But if it's missing, it should be easy to introduce that.
lgirard
@laurentgir
The Http4s-Tsec service composition documentation: #235
Ryan Zeigler
@rzeigler
Honestly, I'm not even sure if I'm looking in the right place for the place to load a public certificate. The SHA256withRSA doesn't seem to have a provision for loading a certificate, only producing something from the modulo and seed.
My existing solution is just to use java.security to load the certificate, which is fine, but I would need a way of getting the public key into the validation phase, which was also not clear to me how to do.
lgirard
@laurentgir
Hey guys, anyone for a review of #235?
Anton Semenov
@J0kerPanda
Hi, everyone!
Apologies for a possibly obvious question, but is it somehow possible to implement JWT auth with tsec without requiring identity storages or a jti field in the payload? My case is really simple - I just need to decode a case class from a JWT with a user id in it, so I don't actually need to identify tokens in any way. Besides that, I'm not the one who is creating the tokens.
If there are any suggestions for books/articles/documentation parts to read up on the material, I would appreciate it.
Christopher Davenport
@ChristopherDavenport
Is that up to the standard? Not 100%
Anton Semenov
@J0kerPanda
@ChristopherDavenport, what do you mean?
Loránd Szakács
@lorandszakacs
not a scala-steward PR :joy:
jmcardon/tsec#244
Ronan Michaux
@ronan_michaux_twitter
Hi,
for symmetric encryption/decryption with a secret passphrase,
what's the best practice to store the encrypted message, nonce and key?
Is there some kind of "container" for this data?
Jimin Hsieh
@jiminhsieh

I have a question about the current JDK version of the project. What's your expectation of the JDK version we should support?
I saw we used JDK 8 on Travis CI.
However, I got this exception.

[info]   UnsupportedClassVersionError was thrown during property evaluation.
[info]     Message: tsec/internal/CirceShim has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

55.0 is Java 11. I guess someone published 0.2.0-M2 with Java 11.

V. Lukoyanov
@lukoyanov
Hi, I've got a question about embedding a custom claim into a JWT token via tsec. As far as I got from the docs, in order to create a token one must call authenticator.create(user.id), but the only information I can pass there is the UserId type, so the question is: how can I add some custom claim to a token?
I've found this closed issue: jmcardon/tsec#76, but the code in the linked PR works with some internal classes; it seems that the feature is not exposed to the http4s integration layer, is that correct?
Ender Tunc
@endertunc_gitlab
Hey all, what is the suggested way to only accept certain values for claims and reject otherwise? Let's say I always expect audience=white-listed-audience or issuer=white-listed-issuer, otherwise I am not interested and I want to reject that token. (For context, I am interested in PartialStatelessJWTAuth with Http4s, but I assume it applies to others as well.)
Ender Tunc
@endertunc_gitlab
I am still new to the typelevel stack, but I assume one possible solution would be creating another middleware that wraps the actual routes and rejects the request if the token does not match the criteria?
Something like that should be possible I assume (even though I don't know how to do it yet): jwtMiddleware(makeSureIssuerIsCorrectMiddleware(routes)). Is my assumption correct?
Ender Tunc
@endertunc_gitlab
^ something like this should do the work I assume. (I haven't tested it though.)
  import cats.data.{Kleisli, OptionT}
  import cats.effect.IO
  import org.http4s.Response
  import org.http4s.dsl.io._ // provides Forbidden()
  import tsec.authentication.{AugmentedJWT, SecuredRequest, TSecAuthService}
  import tsec.mac.jca.HMACSHA256
  // User is the application's own identity type, assumed to be defined elsewhere.
  // OptionT[IO, *] uses kind-projector syntax (the original mixed `*` and `?`).

  type AuthService = TSecAuthService[User, AugmentedJWT[HMACSHA256, Int], IO]

  // Wraps an already-authenticated service and only forwards requests whose
  // verified JWT carries the expected subject; everything else gets a 403.
  def myMiddle(
      service: AuthService
  ): Kleisli[OptionT[IO, *], SecuredRequest[IO, User, AugmentedJWT[HMACSHA256, Int]], Response[IO]] =
    Kleisli[OptionT[IO, *], SecuredRequest[IO, User, AugmentedJWT[HMACSHA256, Int]], Response[IO]] {
      req: SecuredRequest[IO, User, AugmentedJWT[HMACSHA256, Int]] =>
        req.authenticator.jwt.body.subject match {
          case Some(value) if value.equalsIgnoreCase("white-listed-subject") =>
            service(req)
          // A present-but-wrong subject had no case before and would have thrown
          // MatchError; the wildcard rejects both that and a missing subject.
          case _ =>
            OptionT.liftF(Forbidden())
        }
    }
Ender Tunc
@endertunc_gitlab
Does anyone know what happened to jmcardon/tsec#176? I would say it is a pretty common use case.
Wojtek Pituła
@Krever
Hey, I'm trying to use tsec-http4s and have one initial question: how to set the auth mechanism (JWT token in my case) for the first time (so in a successful login request)?
Otto Chrons
@ochrons
how is tsec not compatible with Windows? Are there some parts that can be used also on Windows, while some others not?
Christopher Davenport
@ChristopherDavenport
Yes. There are some components, however, that do not work with Windows.
I believe particularly its tsec.common.ManagedRandom, jmcardon/tsec#271
Otto Chrons
@ochrons
ok, good to know
Otto Chrons
@ochrons
even though we run on Linux in production, developers are working also on Mac and Win :)
Christopher Davenport
@ChristopherDavenport
As I'm basically the only maintainer presently, if there is a nice way I'm open to it. I know we use that as our source of randomness and NativePRNGNonBlocking is Unix specific. A lot of these get very complicated attempting to support multi-platform, so this was initially designed Linux specific to not bring that complication into the library, which was focusing on Unix support.
Alex Henning Johannessen
@ahjohannessen
@ChristopherDavenport can you cut a release for 0.21? :)
Christopher Davenport
@ChristopherDavenport
Will try to get it this evening. Not at computer.
Alex Henning Johannessen
@ahjohannessen
@ChristopherDavenport thanks :)
Christopher Davenport
@ChristopherDavenport
0.2.0 on its way to central
Ivano Pagano
@ivanopagano
Hello here, I got a couple of dumb questions:
  1. is the libsodium C lib required to use tsec in general, or only if you use things based on libsodium-jna?
  2. is tsec a sort of "collector" wrapping existing libs, specifically, when scrypt is mentioned, is it exactly the iohk scala library, or something different?
Ivano Pagano
@ivanopagano
ok, just answered myself on 2, looking at the deps
Christopher Davenport
@ChristopherDavenport
Only for that section for 1
Ivano Pagano
@ivanopagano
thank you @ChristopherDavenport I hoped so
James Cosford
@jamescosford

Excerpt from tsec.passwordhashers.PasswordHashAPI.scala

  /** Hash a password in a char array
   * then clear the data in the password original
   * array, as well as the byte encoding change,
   * but in a pure fashion because
   * side effects suck butt.
   *
   */
  def hashpw[F[_]](p: Array[Char])(implicit P: PasswordHasher[F, A]): F[PasswordHash[A]] = P.hashpw(p)

Lost a couple of hours figuring out why my test was failing... The irony of having this code clearing the password data during my registration step so that the login step failed was too delicious to ignore. Side effects do suck butt.

Ryan Zeigler
@rzeigler
Does tsec support JDK 8? I am seeing java.lang.UnsupportedClassVersionError: tsec/internal/CirceShim ... (class file version 55.0),...
But this is only during tests; other bits appear to work fine.
Jimin Hsieh
@jiminhsieh
@rzeigler I met the same situation before. You can check out the message I left. I don't know whether it's fixed or not.
https://gitter.im/tsecc/Lobby?at=5dd24c7a50010612b2dc108b
Ender Tunc
@endertunc_gitlab
@rzeigler I remember I also had the same issue. I just updated to JDK 11.
Ryan Zeigler
@rzeigler
ah
Christopher Davenport
@ChristopherDavenport
Hmm, I think it was released on JDK 11, so it used whatever the new approach was, which is very rarely incompatible.
I can see if we can release on JDK 8 instead.
Ryan Zeigler
@rzeigler
that would be appreciated
Jacob Shao
@realradical
Does anyone know what partially stateless JWT auth is?