arturovm / epitome Goto Github PK

Wouldn't it be a good idea to run UpdateArticles() on startup so you get the newest stuff at the beginning, without waiting for the cron? I've been using it only for development and it never run the two hours I had as my refresh time, it was just today that I researched how it works and why I haven't had any new articles in it for more then one week.

When fetching new articles, it would be wise to check if the server responds with 304, in case no additional processing is necessary.

Check out this Atom feed: http://caseorganic.com/notes.atom it has HTML in its <content> tags like:

<content type="xhtml" xml:base="http://caseorganic.com/notes/2014/02/11/1/" xml:space="preserve">
  <div xmlns="http://www.w3.org/1999/xhtml"> 
    <p>Sony sells its waterproof mp3 player inside a bottle of water. 
      <a href="http://thenextweb.com/shareables/2014/02/11/sony-sells-waterproof-mp3-player-inside-bottle-water/">
        thenextweb.com/shareables/2014/02/11/sony-sells-waterproof-mp3-player-inside-bottle-water/
      </a>
    </p> 
  </div>
</content>

But after parsing it bodyNodes[0].Content() in https://github.com/ArturoVM/pond/blob/master/articles_download.go#L169 returns just the text without the HTML. I'm not sure why this is happening and it doesn't happen to all the atom feeds, but to this one it happens.

All other servers send normal not escaped HTML in the JSON, like:

{
    "content": "<a href=\"http://example.com\">Example</a>"
}

But Pond escapes it before sending:

{
    "content": "\u0026lt;a href=\u0026#34;http://example.com/\u0026#34;\u0026gt;Example\u0026lt;/a\u0026gt;"
}

Which in my opinion is not necessary and unconventional.

Btw. what is the text type and how do you distinguish xhtml and html?

Sometimes I just want to reset the database. I tried to just remove the db.db file so it would create a new one and it does. But then when I go to /api/setup it says I have insufficient privileges to create a admin user. This does not happen if I clone the project to some other directory.

Btw. I have to delete the user cookie manually because if the db changes I can not log out anymore.

It would be nice if you told the app that it is sending the wrong Content-Type, otherwise people like me will wonder why even though they send username and password they get the error that there are not enough arguments to log them in :)

I stumbled over (your) Pond in the Go Advent article, but a project by that name already exists.
https://pond.imperialviolet.org/
It's written by Adam Langley, main author of the Go TLS implementation.
Normally not a problem, but both projects are communication and crypto focussed and written in Go.

In the Article Object there is subscription_id, it would make things much easier for feed reader developers if you would add the subscription name too there, or perhaps even the whole Subscription Object. It doesn't take much space but would allow to show every feed item without making another request to the server.

I had to implement a workaround for it in my reader for ownCloud News already so I will do that here too, but please consider this.

A combination of TLS/SSL+Hawk is a strong first candidate for the final authentication scheme.
Support for a token mechanism is convenient for rapid development and prototyping and it will be added alongside the Hawk mechanism, but it is strongly discouraged for production–stage clients. The Hawk scheme is much more secure and should be used instead.

I've installed the dependencies:

➜ jeena@Lala pond (master) go get -u github.com/bmizerany/pat
➜ jeena@Lala pond (master) go get -u github.com/mattn/go-sqlite3
➜ jeena@Lala pond (master) go get -u github.com/robfig/cron
➜ jeena@Lala pond (master) go get -u code.google.com/p/go.crypto/bcrypt

But when I try to build I get this error:

➜ jeena@Lala pond (master) go build -o pond *.go
articles_download.go:6:2: cannot find package "github.com/moovweb/gokogiri" in any of:
    /usr/local/Cellar/go/1.2/libexec/src/pkg/github.com/moovweb/gokogiri (from $GOROOT)
    /Users/jeena/go/src/github.com/moovweb/gokogiri (from $GOPATH)
articles_download.go:7:2: cannot find package "github.com/moovweb/gokogiri/xml" in any of:
    /usr/local/Cellar/go/1.2/libexec/src/pkg/github.com/moovweb/gokogiri/xml (from $GOROOT)
    /Users/jeena/go/src/github.com/moovweb/gokogiri/xml (from $GOPATH)

In the documentation it says that to set a article to read/unread you should do a PUT on /subscriptions/:subscription_id/articles/:article_id?status=read but the RFC states that it should work like POST and the content should be send in the body, not in a query (at least that is how I interpret it). In fact if you add a query like ?status=read to the URL it is a different resource. It took me a while to find out why my articles weren't marked as read/unread.

It would be cool if one could use a --verbose mode to see what requests are coming in into pond for development.

When adding a new subscription I suspect it to show up immediately in my client, not first after the next run of the cronjob.

After I changed to "Only administrators can create new accounts" there is still the link: "First time here? Run the first–time setup." on the login page, this should be removed if you're not allowed to run it anyway.

Please mention and add a link to https://github.com/ArturoVM/pond/blob/master/api_doc.md somewhere in the description. I would never found it on my own if you haven't pointed it out on Twitter.

I don't know a lot about crypto,, but based on what I've read in the api doc, it seems to me that pond is vulnerable to replay attacks. Anyone who intercepts a user's MD5 hash will be able to login as that user. The protocol should be amended to implement a mechanism which prevents such an attack.

Why do you use the X-Session-Token: TOKEN instead of Authentication: Basic TOKEN?