#hoplon
2016-01-27
levitanong06:01:15

Hi all. I have a castra question: I’ve been looking at the demos for castra-chat and castra-notify-chat, and I’m seeing these use *session* for keeping track of a user’s session. Given that *session* lives on the server, doesn’t changing that value change it for everyone?

levitanong06:01:49

Or maybe another way of approaching this question: how is the *session* var supposed to be used?

puzzler07:01:40

Can castra be used independently of hoplon?

laforge4913:01:33

And here I thought session was passed as a cookie.

alandipert13:01:47

@puzzler: yes, although it has a dependency on javelin

laforge4913:01:37

@levitanong session data is per user, regardless of implementation.

laforge4913:01:50

@alandipert: Could you explain that dependency? It is exactly what I thought too, but I don't see it in castra build.boot https://raw.githubusercontent.com/hoplon/castra/master/build.boot

laforge4913:01:18

But then, it uses merge-env, which is an unknown to me.

laforge4913:01:42

Hmm. I also do not see javelin in any of the castra src namespaces.

alandipert13:01:25

oh, i didn't realize - the dependency isn't explicit

alandipert13:01:40

mkremote takes cell arguments but never constructs a cell, only calls reset! on existing ones

alandipert13:01:55

which is kind of cool because that means you could pass it atoms also

dm313:01:16

I'm getting an

clojure.lang.Compiler$CompilerException: java.lang.RuntimeException: No such var: ana/empty-state, compiling:(hoplon/boot_hoplon/refer.clj:22:9)
java.lang.RuntimeException: No such var: ana/empty-state

using hoplon 6-alpha11, boot-cljs 1.7.228-1 and clojure 1.7. It seems that a wrong tools.analyzer version is being pulled. Is that a known issue?

dm313:01:32

didn't explicitly set clojurescript version, so an old one got pulled by some lib

leontalbot15:01:31

Hello! I have a problem with this @% in form elements in IE.

leontalbot15:01:05

The radio buttons work because I do not need to use @% in click events. I can use @item of a loop. But with a select, it seems I can't put a click event on an option element, so I can't use @selection.

leontalbot15:01:48

Context : the select must update a cell.

leontalbot15:01:54

How can I achieve this?

leontalbot15:01:04

much thanks in advance!

leontalbot15:01:56

In short, this doesn't work in IE

(select
      :change #(reset! cell @%) ...)

raywillig15:01:26

@leontalbot: you could probably use jquery methods in your change handler to get the value and update your cell

raywillig15:01:10

smth like (.val (js/jQuery "#id_of_select"))

raywillig15:01:35

or whatever is appropriate for a select. that might be more for a text input

leontalbot15:01:04

YES! I did

:change (fn [e] (reset! cell (.val (js/jQuery (.-target e)))))
and it works perfectly!

leontalbot15:01:18

@alandipert and @micha be aware that according to my tests on IE, this

:change #(reset! cell @%) ...) 
doesn't work

leontalbot15:01:34

and good old

:change (fn [e] (reset! cell (.val (js/jQuery (.-target e))))) 
does 😉

micha15:01:02

@leontalbot: which version of IE?

leontalbot15:01:43

I use http://www.browserstack.com and so far i've tested with IE 12, 11, and 9

micha15:01:18

very weird

leontalbot15:01:47

Or my code is really bad, but it still works with chrome, safari and ff 😉

leontalbot15:01:38

This time, I didn't get any IDeref error that I got with my checkboxes thing (on click events on an <a> element)

leontalbot16:01:33

But the cell wouldn't update...

levitanong16:01:20

Thanks, @alandipert! That’s all I needed to know.

alandipert16:01:50

@leontalbot: which version of ie btw?

leontalbot16:01:03

I use http://www.browserstack.com and so far i've tested with IE 12, 11, and 9

alandipert16:01:02

that stinks 😦

levitanong17:01:44

How does {:rpc/pre} work? I can't find documentation on it. :( I tried looking at the source, but I'm still a newbie, and I'm not too familiar with macros yet.

alandipert18:01:37

@levitanong: it's a place to define code that should be run when the function is being called remotely

alandipert18:01:43

as opposed to in the repl

alandipert18:01:54

usually it's where we put authentication checks

alandipert18:01:14

that way calls are authenticated in the wild, but in the repl we can call directly without mocking auth

levitanong18:01:37

@alandipert: I see! and I'm guessing you don't want to deal with auth in the repl because of external stuff like session?

alandipert18:01:42

@levitanong: exactly right. you might have other logic in there like, "needs to be over https" or something that's not applicable in repl also

levitanong18:01:53

@alandipert: hurrah! Enlightenment. Thanks for the explanation, man!

puzzler20:01:45

Does Castra do any sort of obfuscating or have any security measures to make it harder for people to decompile or analyze the traffic to figure out how to access the server functions? I'm not really sure what the standard level of security for RPC is, but I just want to understand what sorts of things are "safe" to do with Castra. Thanks.

dm320:01:26

first time I hear about such a thing 🙂 you have a single HTTP endpoint on the serverside

dm320:01:31

with Castra

dm320:01:50

do you mean obfuscating the data that gets sent from/to the client?

alandipert20:01:48

@puzzler: it's safe to do anything over castra you'd do with http (or https)

micha20:01:40

@puzzler: the client can only call functions that are explicitly added to the castra middleware

micha20:01:11

that's the same as a mvc type application where a REST request results in a function being called

puzzler20:01:58

@dm3 I'm thinking, for example, about a game client reporting a high score to the server. I'm not aware of any hack-proof technique, but there are ways you can obfuscate the payload that would be hard to figure out short of decompiling the source to reveal the obfuscation technique.

puzzler20:01:20

@dm3 The goal would be to make it hard for someone to submit to the server a falsified high score.

dm320:01:59

if that's your goal you need encryption and signing

dm320:01:02

not obfuscation

puzzler20:01:21

@dm3 Or imagine tracking a user's actions on a client and storing them in a database for later analysis. You want to prevent the user from spamming the database with false data.

dm320:01:42

any obfuscation technique will be broken at some point

puzzler20:01:04

@dm3 Encryption and signing would have to be done with a private key on the client side, which can be easily uncovered, wouldn't it?

dm320:01:20

there are many ways to encrypt

dm320:01:51

depends on your circumstances

puzzler20:01:56

@dm3 This isn't so much about verifying WHO it is coming from, it's about making sure the data originates truly from the client, and not some other program mimicking the client, and I don't know of any way to do that.

puzzler20:01:53

@dm3 I agree that obfuscation is not a real solution.

dm320:01:54

so you cannot put any trust into the client?

dm320:01:18

but still associate some sort of identity with it?

puzzler20:01:07

I'm thinking that user accounts vs anonymous is not the real issue (and standard security can solve that). For me, it's about making sure the data comes from the program I've put in the webpage, rather than another program. Mainly because I want to store that data in a database, and especially if I use something like Datomic that stores stuff forever, I don't want un-genuine data or denial-of-service-level-quantities of data stored in the database.

puzzler20:01:27

I'm not even sure if what I want is possible. But like I said, I can think of some ways that at least make it hard for people to figure out how to fake the incoming data.

dm320:01:04

then your data must carry the verifiable identity of its source

dm320:01:25

which must be unforgeable

dm321:01:24

I don't think you can have an authenticating signature without a public/private key scheme

dm321:01:38

or some sort of one-time tokens issued by the server

dm321:01:09

so it would have to be tied to the users, not the client

dm321:01:57

something that you can tie the identity to (IP, user, MAC, browser fingerprint)

dm321:01:07

still the server needs to share some sort of secret first

dm321:01:20

@puzzler - hope that was of marginal help 🙂

puzzler21:01:30

@dm3 Thanks. I'll read that.

puzzler21:01:08

I guess since Hoplon is written/used at Adzerk, I could rephrase my question in terms of advertising (although I know little about that subject). Is there some standard technique to ensure that users don't falsify information that is tracked about ad clicks?

micha21:01:42

we cryptographically sign the impression info

micha21:01:20

we do this in the adserver

puzzler21:01:15

What is protected by signing the info server-side? Transmission between server and database? Does that solve the problem of a client sending false info?

micha22:01:08

we generate the impression data when the ad request is made, we sign it, and return it to the client

micha22:01:35

the client generates the impression pixel which hits our server again with the impression data attached to the pixel url

micha22:01:20

the process that receives the impression pixel request needs to trust that the data originated with our own adserver from an ad request

micha22:01:28

that's why the adserver signs it

micha22:01:01

so a malicious client can't change the impression data, or we'll be able to detect it and ignore

laforge4922:01:38

So, should I move this to the hoplon demos? https://github.com/aatree/aademos

laforge4922:01:38

--I've noticed that you do not yet have a demo for javelin lenses.