Skylark : GetIdentity alternative way of working [message #53780] Thu, 30 April 2020 00:10
Xemuth
Hello,

Today I tried to set up a form using $post_identity() to prevent CSRF attacks. However, for a strange reason, the example provided by Upp (Skylark06) works perfectly, but when used in my own app, the
String GetIdentity(const Renderer *r)

function always returns "zd" since the key/value named __identity__ is not in first position in the http->var VectorMap<String,Value>.

To fix my problem I changed the function a bit:
String GetIdentity(const Renderer *r)
{
	Http *http = const_cast<Http *>(dynamic_cast<const Http *>(r));
	if(!http)
		throw Exc("invalid POST identity call");
	
	//New
	// Search the variables for the identity key instead of assuming it is at index 0
	bool find = false;
	Upp::String s;
	for(const Upp::String& key : http->var.GetKeys()){
		if(key.Find("__identity__") != -1){
			s = http->var.Get(key).ToString();
			find = true;
			break;
		}
	}
	if(find)
		return s;
	// No identity key found: create a new identity and store it in the session
	s = AsString(Uuid::Create());
	http->SessionSet0("__identity__", s);
	http->var[0] = s;
	return s;
}


What do you think about it?


Re: Skylark : GetIdentity alternative way of working [message #53797 is a reply to message #53780] Fri, 01 May 2020 15:59
mirek
Well, uhm. I say we need an independent group working on Skylark :)

Seriously, I developed it 10 years ago mostly as a proof of concept. Dolik used it back then for some time, but then the interest was nil. Right now, I think the concepts are sound, but I personally am not using it for anything....

Re: Skylark : GetIdentity alternative way of working [message #53798 is a reply to message #53780] Sat, 02 May 2020 02:35
Xemuth
I'm using it to develop my own website and, except for this little trick about __identity__, everything works perfectly. Skylark + Upp Core is so pleasant to use. I feel like it can have potential. Congratulations for it.

Re: Skylark : GetIdentity alternative way of working [message #53800 is a reply to message #53798] Sat, 02 May 2020 10:21
koldo
Is there any Skylark website now online to test it?

Best regards
Iñaki

Re: Skylark : GetIdentity alternative way of working [message #53802 is a reply to message #53780] Sat, 02 May 2020 16:11
Xemuth
I can share mine, but it is still under development; it has a secret route allowing me to connect to it and do many things like upload files:
https://ultimateopengl.ovh

PS: the main purpose of this website was to convert Upp documentation to HTML and print it in real time, allowing me to update and create documentation, push it to GitHub, then via a cron retrieve it on my website and dynamically add it to the website content.


[Updated on: Mon, 04 May 2020 16:04]


Re: Skylark : GetIdentity alternative way of working [message #57564 is a reply to message #53802] Sat, 25 September 2021 22:42
Klugier
Hello Xemuth,

I saw your recent message. I think you should just create a PR into Mirek's repository and the code could be reviewed there. This should also speed up the time when the changes will be present on the master/main branch of Skylark.

However, I have questions about the current solution (in the context of framework improvement we need to think more globally rather than locally (how to fix my problem only)):
- What if there is more than one identity (is this a reasonable scenario)? Could we call several post_identity in one witz file?
- Backwards compatibility - does it break something?

You could simplify your solution:
	//New
	for(const Upp::String& key : http->var.GetKeys()){
		if(key.Find("__identity__") != -1){
			return http->var.Get(key).ToString();
		}
	}
	auto s = AsString(Uuid::Create());


Also extract this "__identity__" (magic string problem) into a constexpr variable (example):
constexpr const char* IDENTITY = "__identity__";


Klugier


Ultimate++ - one framework to rule them all.

[Updated on: Sat, 25 September 2021 22:44]


Re: Skylark : GetIdentity alternative way of working [message #57565 is a reply to message #57564] Sun, 26 September 2021 01:16
Xemuth
Hello Klugier, I will create a pull request.

Quote:
What if there will be more than one identity (is this reasonable scenario)? Could we call several post_identity in one witz file?


We can call as many post_identity as we want in a witz file:

	<form action=$Auth2 onSubmit="return prepareData()" method="post" accept-charset="utf-8" enctype="multipart/form-data">
		<div class="row">
			$post_identity()
			$post_identity()
			$post_identity()
			<div class="col-md-1 col-md-offset-3">
				<div class="RightText">Login:</div>

https://i.imgur.com/XaShdHw.png
Having it multiple times in witz doesn't affect the way __identity__ works. The same goes for __js_identity__.

Quote:
Backwards compatibility - does it break something?


Here is the old code :
String GetIdentity(const Renderer *r)
{
	// This ugly hack expects that __identity__ is always present in r->var
	Http *http = const_cast<Http *>(dynamic_cast<const Http *>(r));
	if(!http)
		throw Exc("invalid POST identity call");
	String s = http->var[0];
	if(s.GetCount())
		return s;
	s = AsString(Uuid::Create());
	http->SessionSet0("__identity__", s);
	http->var[0] = s;
	return s;
}

It expects to have __identity__ at index 0. That's not always true (especially when we use external libs to send data via JavaScript).
The new code does the same thing but looks it up. I don't think a regression could occur.
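
The failure mode discussed in this thread, reduced to a self-contained model (an added example, not Skylark's or the posters' code): `VarMap`, `NewToken`, `IdentityByIndex`, `IdentityByKey` and the sample request are assumptions standing in for `http->var`, `Uuid::Create()` and the two `GetIdentity` variants. It goes slightly beyond the thread by also handling an `__identity__` entry that exists but is empty and by never overwriting whatever else sits at index 0.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the ordered http->var map (assumption: plain insertion order).
using VarMap = std::vector<std::pair<std::string, std::string>>;
const std::string IDENTITY_KEY = "__identity__";

// Hypothetical placeholder; a real application takes tokens from a CSPRNG or UUID source.
std::string NewToken() { static int n = 0; return "constructed-token-" + std::to_string(++n); }

// Positional lookup, as in the old code: whatever sits at index 0 is the identity.
std::string IdentityByIndex(VarMap& var) {
    if (var.empty()) var.emplace_back(IDENTITY_KEY, "");
    if (var[0].second.empty()) var[0].second = NewToken();
    return var[0].second;
}

// Key lookup: exact key match, an empty value is replaced, other variables are untouched.
std::string IdentityByKey(VarMap& var) {
    for (auto& kv : var)
        if (kv.first == IDENTITY_KEY) {
            if (kv.second.empty()) kv.second = NewToken();
            return kv.second;
        }
    var.emplace_back(IDENTITY_KEY, NewToken());
    return var.back().second;
}

// Constructed request: a script posted its own field ahead of __identity__.
VarMap SampleVars(const std::string& identity) {
    return {{"login", "zd"}, {IDENTITY_KEY, identity}};
}

int main() {
    VarMap a = SampleVars("session-token"), b = SampleVars("session-token"), c = SampleVars("");
    std::cout << "by index:       " << IdentityByIndex(a) << "\n";  // a form field, not the token
    std::cout << "by key:         " << IdentityByKey(b) << "\n";
    std::cout << "by key (empty): " << IdentityByKey(c) << "\n";    // fresh token, login kept
}
```

In the positional variant the anti-CSRF value rendered into the form is whatever request field happens to come first, so it is no longer tied to the session.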


