This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2018-04-03
Channels
- # aws (5)
- # beginners (67)
- # boot (30)
- # cider (55)
- # clara (7)
- # cljs-dev (6)
- # cljsjs (6)
- # cljsrn (1)
- # clojure (136)
- # clojure-brasil (2)
- # clojure-dusseldorf (14)
- # clojure-finland (9)
- # clojure-italy (49)
- # clojure-nl (1)
- # clojure-romania (6)
- # clojure-russia (4)
- # clojure-uk (16)
- # clojurescript (136)
- # core-async (1)
- # cursive (21)
- # datomic (64)
- # fulcro (26)
- # hoplon (25)
- # jobs-discuss (53)
- # keechma (3)
- # leiningen (6)
- # luminus (11)
- # lumo (2)
- # off-topic (351)
- # om (1)
- # onyx (11)
- # parinfer (32)
- # portkey (9)
- # re-frame (45)
- # reagent (38)
- # shadow-cljs (60)
- # specter (9)
- # vim (8)
- # yada (22)
@zentrope In your home directory, under .cljs/.aot_cache/<compiler-version>/<hash>/<ns-path>[.js|.js.map|.cljs|.cljs.cache.json]
@serge https://anmonteiro.com/2017/03/requiring-node-js-modules-from-clojurescript-namespaces/
I heard multiple times it’s only working easy with shadow-cljs, https://github.com/thheller/shadow-cljs
I think the last time I used Clojurescript was about 3 years ago. IIRC the emacs CIDER repl was by far the nicest repl shell for live programming, is that still the case?
@kzeidler yes, but some people use Cursive as well
there's other options, including Atom
getting npm modules work with cljs still seems to be hard. I know about npm-deps
, but that doesn't work for all npm modules. I still stick to http://blob.tomerweller.com/reagent-import-react-components-from-npm . However, whenever I change :optimizations
to something that is not none
, that methods seems to fail (due to React being undefined)... Am I missing something here? (How to make optimizations work when importing react components from npm using the tomerweller approach?)
@kurt-o-sys I use the same technique. You'll need to set window.React
... looks like I misread your question
where do you set window.React, and how it used? From Reagent?
you mean this:
window.deps = {
'react' : require('react'),
'react-dom' : require('react-dom'),
'react-player' : require('react-player'),
};
window.React = window.deps['react'];
window.ReactDOM = window.deps['react-dom'];
in src/js/main.js
(it all works with :optimizations :none
)
so if you open the compiled result in chrome, do you see window.React
from the devtools?
that's the first thing to check
oh, not sure... I do get an undefined where React should be 😛. Let me try the devtools thing in chrome.
hmmm, I really must be missing something: in devtools, my app.js looks different than the actual app.js
file (even when using optimizations none):
actual file (using a file browser)
var CLOSURE_UNCOMPILED_DEFINES = {};
var CLOSURE_NO_DEPS = true;
if(typeof goog == "undefined") document.write('<script src="/js/out/goog/base.js"></script>');
document.write('<script src="/js/out/goog/deps.js"></script>');
document.write('<script src="/js/out/cljs_deps.js"></script>');
document.write('<script>if (typeof goog == "undefined") console.warn("ClojureScript could not load :main, did you forget to specify :asset-path?");</script>');
document.write('<script>goog.require("process.env");</script>');
document.write('<script>goog.require("ui_app.prod");</script>');
fetched file (using devtools)
if(typeof Math.imul == "undefined" || (Math.imul(0xffffffff,5) == 0)) {
Math.imul = function (a, b) {
var ah = (a >>> 16) & 0xffff;
var al = a & 0xffff;
var bh = (b >>> 16) & 0xffff;
var bl = b & 0xffff;
// the shift by 0 fixes the sign on the high part
// the final |0 converts the unsigned value into a signed value
return ((al * bl) + (((ah * bl + al * bh) << 16) >>> 0)|0);
}
}
!function(e){var t={} ...
(also after clearing browser cache)
But that boils it down to: it does work in dev, not in prod, no matter how I set optimizations...
• rule out caching issues by trying a different browser
:cljsbuild {:builds ...
:app {:source-paths ["src/cljs" "src/cljc" "env/dev/cljs"]
:figwheel {:on-jsload ui-app.core/mount-root}
:compiler {:main ui-app.dev
:asset-path "/js/out"
:output-to "target/cljsbuild/public/js/app.js"
:output-dir "target/cljsbuild/public/js/out"
:source-map true
:optimizations :none
:foreign-libs [{:file "public/js/bundle.js"
:provides ["cljsjs.react" "cljsjs.react.dom" "webpack.bundle"]}]
:pretty-print true}}
...
:hosted {:source-paths ["src/cljs" "src/cljc" "env/prod/cljs"]
:compiler {:main ui-app.prod
:asset-path "/js/out"
:output-to "resources/public/js/app.js"
:output-dir "resources/public/js/out"
:source-map true
:optimizations :none
:foreign-libs [{:file "public/js/bundle.js"
:provides ["cljsjs.react" "cljsjs.react.dom" "webpack.bundle"]}]
:pretty-print true}}
• deep clean all your state (remove target
etc.)
• check the files loaded in your network tab and verify you're getting the right ones (does your index.html point to the right files?)
deep clean: done right files: yes
(well, it points to the right url 🙂 )
oh... sh*t, this is something rather unexpected. Seems to work fine with https, but not with http. Will dive deeper into it - http should redirect to https anyway.
nginx/apache config issue?
guess so... it's a hosted service, so I have to check whether with them.
thx for just walking me through - things can be pretty weird from time to time 😛
np, everyone goes through this type of stuff
pro trip: try tracing the request with curl -i
I need a recommendation on best practice/library for encrypting something client side and then decrypting it server side (Clojure) so the data is encrypted on the wire even in absence of SSL
My situation is more complicated than just "use SSL" but I assumed there were some good tools for cross platform client-server encryption, maybe not.
I wouldn’t feel comfortable with client side encryption (not being an expert in cryptography)
@ajs what's the use case?
(there are some libs doing encryption, but I don't think any of them beats SSL)
@kurt-o-sys its about a non SSL served page that also has a socket to a localhost server. Setting up SSL locally is a bit complex, especially with distribution, I've need reading about that headache all week, so if the hosted page is non SSL that at least allows the connection. Data between the page and local host never leaves the users machine, so perhaps worrying about encryption is not necessary. And the page could still do Ajax over SSL to its remote server. But I though to be safe, encryption to localhost would be wise too.
if people are getting into your machine, you have a problem and having your localhost calls encrypted is the last of your concerns, imho.
I don't know about your setup, but I let a webserver handle the encryption, I keep internal calls non-encrypted.
internal = on the same machine
in the same network: webservers handling ssl
I assume that a remote page that communicates with local host never sends data over network? That would make sense. And a non SSL page that hits SSL Ajax URI still encrypts over network?
@ajs you can only do client side encryption if you get the "secret" there securely. it is pretty much impossible to do this on the client.
a remote page can't communicate with localhost (or well, localhost would be the local machine 🙂 ). A remote page communicates with an 'external' server, and you can setup a webserver (nginx/apache) to connect to, handling ssl. The webserver just dispatches the request to an internal application listening on localhost:xxxx.
A remote page can communicate with a socket hosted on local host. But that wire is still entirely local between the page (in the browser) and local host, the page's remote server is not involved, right?
right: if it's all local, no ssl, if it's remote, put a webserver in between handling ssl
the issue with HTTP is that someone can change what the client receives. so if someone were to inject some JS that just replaces the WebSocket class and echos everything to a second server your entire encryption is bypassed.
You mean injecting JS into my remote page so that sends to a different websocket server? Is that a non SSL risk, or also one that can happen on SSL too?
it only matters if the page that loads your JS is insecure. if so other JS can be injected that messes with your security.
So JS injection is one of the risks specifically associated with non-SSL browser apps? Hadn't considered that, was more thinking just about raw data flow along the wire.
It's very hard to deploy a local app that serves a socket over SSL, because of all the cert issues. I've been reading all the things people do to make that an easy user install, it's quite complicated.
It's not a piece of cake to set that up automatically as part of app installation for any arbitrary user.
Which leaves me with local server serving insecure socket to a remote page, which must then also be insecure as a result, since SSL pages will not connect to insecure sockets
One option I considered is to have the client send stuff first to remote server over SSL which encrypts and sends back. Then client sends to local server, which decrypts.
crypto is really really hard to do correctly and its pretty much impossible if you start within an untrusted insecure context
it is painful to work with yes but assuming you are secure when you are not is more painful
Just wish there were good out of box tools for easily generating local self signed certs as invisible part of user installation process and getting that setup.
problem really is that everything relies on DNS which you typically don't have for local dev setups
In reading up in this, it seems that even serving a local socket for development purposes can be risky since it is exposed to any web page running remotely, which if it knows the port you are using, can hit your local socket. Checking request origins doesn't help too much since that can be faked.
So if I write something and run it in my machine and only access it myself via localhost URLs, it is still available to the world
CORS doesn't help if a web server sends its request as coming from localhost since servers get to send whatever they want for that
nothing should be able to hit your local socket except your browser. which is secured by CORS. other servers should not be able to access your dev stuff.
But if you have your local socket served while you hit a random web site out there, it can access your socket, even if you check its request origin server
Right, but that means you can't really keep any local websocket server from getting hit when you surf the web
If I check the server origin before handling socket data, and only allow "http://localhost...", I thought that's not enough because the request can have any server name regardless of what is actually hitting it.
yeah you can't really secure a websocket this way. will need to transmit some kind of token that only the "secure" client would know
I'm trying to set up re-frame-10x diagnostics on a fresh project, but here's the thing: the "ctrl-H" shortcut to show the tools is hardwired. Unfortunately macOS basically hardwires that combo to "hide window." So I'm at a bit of an impasse https://github.com/Day8/re-frame-10x
Ctrl H, not Cmd H
Cmd H hides in macOS, 10x uses Ctrl H
@danielcompton d'oh, of course. Huh. In that case I guess the shortcut just isn't working for me yet :man-shrugging:
Drop by in #re-frame if you can’t figure it out
is there any way to determine if advanced compilations are on? i know about js/COMPILED
but that is true when compiling with :simple as well
What's the idiomatic way to instantiate a Javascript object that ordinarily gets constructed with 'new'? e.g. "var sphere = new THREE.SphereGeometry(3,3,3);"
@sekao Why would you want to know about that at runtime?
You probably have a good reason, just curious
What I'd do is set some goog.define to different values in the different lein profiles
i'm making two separate versions of paren-soup, one built with :simple and one with :advanced, and i want to make the first one's instarepl just eval directly, and the second one use a web worker for eval. so i need to make a conditional that determines what to do. i figured i could set some flag myself, i was just hoping there was some kind of constant already somewhere
gotcha (don't know of any constant, sorry)
is there any particular reason to use the dot-form constructor instead of just using new
I think only one, it's nicer
I have a question about npm-deps
: If I pull in a library that requires react as a peerDependency, but that’s installed already by f.e. reagent, what’s the best way to resolve the resulting Error: Can't resolve 'react'
error?
@mattly Reagent doesn't provide npm React so you need to install the npm package yourself (npm-deps or package.json). And excluding the cljsjs package is bad idea, because you will still need the React externs)
And exclusion is not required because npm-deps (node_modules folder) has precedence over foreign-libs from cljsjs packages.
Is there a way to pull in different versions of a lib at runtime? I have a separate cljs project that contains the business logic and would like to be able to pull in older versions so we can dark launch and rollback changes to the business logic.
(require [graphql-voyager])
results in an Undefined nameToPath for graphql_voyager
error
@mattly Is is possible there is there is some problem with using that package, but it shouldn't be due to the hyphen, react-dom
definitely works
is there a difference between destructuring in a function signature versus in a let statement at the top level of the form? i'm assuming (defn foo [{:keys [ ....
gets turned into just a let at the top of the function?