Jose C
@jmcardon
I think
one thing we can do
oh wait
I take it back, all you need to do is
not include IAT
it's just an extra sec check really.
expiry is the most important one so
Loránd Szakács
@lorandszakacs
besides fs2 is anything blocking a cross-build to scala 2.13?
Christopher Davenport
@ChristopherDavenport
http4s, working on the dep chain for that.
Ramon Marco L. Navarro
@ramonmaruko
Is it by design that JWTClaims' sub is serialized to JSON twice when the id is a string?
Zak Patterson
@zakpatterson
Woo 2.13: #231
Arnau Abella
@monadplus
Nice :)
Zak Patterson
@zakpatterson
2.13 release this weekend maybe?
Christopher Davenport
@ChristopherDavenport
Might be able to get it Monday.
Zak Patterson
@zakpatterson
:+1:
Zak Patterson
@zakpatterson
#231 :point_left: just a poke about the 2.13 release. I know we're busy.
Zak Patterson
@zakpatterson
yay thanks for merging @ChristopherDavenport
Christopher Davenport
@ChristopherDavenport
0.2.0-M1 on its way to central.
@zakpatterson ^^
Haris Khan
@tyrantkhan
Is there a way to set the domain on the cookie set by tsec's csrf middleware?
as well as the path?
my use case is that my frontend and my backend live on slightly different fqdn.
Christopher Davenport
@ChristopherDavenport
Cookie if set less secure should apply to the greatest domain segment set for.
Haris Khan
@tyrantkhan
sorry, do you mean if I alter the cookie domain I should set it to the closest I can get, aka api.dev.mywebsite.com & app.dev.mywebsite.com, in this scenario it's preferable to set it to .dev.mywebsite.com?
Upon further investigation into the code, I'm not sure if tsec's middleware for csrf will allow me to do this, but it seems like http4s would. tsec's seemed a bit easier to set up (the nice example code helped!), but I guess I will have to put a lil more effort in and get the http4s version figured out. I guess this gives me an excuse to write up some documentation when I do get it working.
Christopher Davenport
@ChristopherDavenport
I'd love some documentation, please contribute what you find for either tsec or http4s depending on where your solution leads you.
Jose C
@jmcardon
@tyrantkhan late message, sorry, but actually http4s' csrf middleware is more up to date
with a few extra defenses
IIRC
like origin checking
Haris Khan
@tyrantkhan
np :) and thanks for letting me know! I should actually have some documentation ready for the http4s CSRF mechanism if work isn't too brutal tomorrow!
Nick
@gurinderu
Hey, everyone. Could someone tell me why libsodium is not supported now?
Andrew Sim
@andrewsim

was going through tsec's http4s + jwt documentation https://jmcardon.github.io/tsec/docs/http4s/auth-jwt.html and I came across this line:

val signingKey: MacSigningKey[HMACSHA256] = HMACSHA256.generateKey[Id]

correct me if I'm wrong, but in an actual use case the generated key should be persisted so it doesn't change across restart/instances? if yes, any best practice around doing this?

Christopher Davenport
@ChristopherDavenport
Place key in database somewhere?
Haris Khan
@tyrantkhan
we use vault and load these keys in as environment variables at work.
Andrew Sim
@andrewsim
cool~ will give it a go
lgirard
@laurentgir
Hey guys!
I've made some docs about Http4s-Tsec service composition here. I'd like to know if that's something you'd like to add in the project's documentation?
Christopher Davenport
@ChristopherDavenport
Absolutely!
lgirard
@laurentgir
Great! I'll make a PR tomorrow then.
It needs a bit of rework (typos, tut integration, etc)
Ryan Zeigler
@rzeigler
I was looking at tsec for jwt verification. Specifically I am working with the auth0 asymmetrical mode with certificates. There doesn't seem to be any documentation relating. Is it possible to do with tsec or not yet?
Christopher Davenport
@ChristopherDavenport
I believe so, I use it for that purpose with a different cypher. But if it's missing should be easy to introduce that.
lgirard
@laurentgir
The Http4s-Tsec service composition documentation : #235
Ryan Zeigler
@rzeigler
honestly, I'm not even sure if I'm looking in the right place for the place to load a public certificate. The SHA256withRSA doesn't seem to have a provision for loading a certificate, only producing something from the modulo and seed
My existing solution is just to use java.security to load the certificate, which is fine, but I would need a way of getting the public key into the validation phase which was also not clear to me how to do
lgirard
@laurentgir
Hey guys, anyone for a review of #235 ?
Anton Semenov
@J0kerPanda
Hi, everyone!
Apologies for a possibly obvious question, but is it somehow possible to implement JWT auth with tsec without requiring identity storages or a jti field in payload? My case is really simple - I just need to decode a case class from a JWT with a user id in it, so I don't actually need to identify tokens in any way. Besides that, I'm not the one who is creating the tokens.
If there are any books/articles/documentation parts suggestions to read up on the material, I would appreciate it.
Christopher Davenport
@ChristopherDavenport
Is that up to the standard? Not 100%
Anton Semenov
@J0kerPanda
@ChristopherDavenport, what do you mean?
Loránd Szakács
@lorandszakacs
not a scala-steward PR :joy:
jmcardon/tsec#244