https://community.remotestorage.io/t/making-remotestorage-scopes-more-descriptive-for-end-users/301

Will likely need additional exposed APIs in iron-router

• Keats/jsonwebtoken#7

Other issues reported: inejge/pwhash#2

This will make our code look much nicer:

https://bluss.github.io/maplit/doc/maplit/index.html

https://github.com/bluss/maplit

It would be super useful if we could get a Deploy to Heroku button which would enable users to easily deploy your software to a Heroku instance without ever leaving the web browser. And with just a little configuration on the users end they'll have something running almost instantly. I propose the button because it is ideal for communities who need to make decisions quickly with the flexibility of something like Heroku.

It's very simple to do, just make sure that an app.json file is located in the repo root directory. More about Heroku deploy buttons here.

sunng87/handlebars-rust#52

DaGenix/rust-crypto#335

We use rust-crypto's bcrypt implementation directly to hash passwords manually. As mentioned in #39, rust-crypto is not audited in any way, so we should probably look for alternatives.

• NaCl/libsodium/sodiumoxide have utilities to generate password hashes. This requires linking against another C library which the user has to install manually, which is really unfortunate.
• ring only provides pbkdf2, see https://www.reddit.com/r/rust/comments/46s75m/rustcrypto_apparently_abandonned_alternatives/d0952sp

I am trying to put a rancher load balancer in front of mysteryshack.

The load balancer does the SSL termination and reverse proxy to the mysteryshack container port (which is not exposed to the outside world). When I go to https://mysteryshackdomain/ I see the login page normally but after I enter my credentials, I get CSRF detected.. Any advice on resolving this? 📲

sunng87/handlebars-iron#39

Hey,
So I'm having a problem, even after adding ./target/release to path, when I run mysteryshack serve it gives os error 2, but if I run inside the release directory works.
Failed to parse config: No such file or directory (os error 2)

My idea is that mysteryshack doesn't find the configuration file, wouldn't be better to have the config file in some common place (like ~/.mysteryshack) ou add a flag to load the file
mysterysharck serve -c path/to/config

Current way to hardcode tokens everywhere is very inflexible

Blocked by sunng87/handlebars-rust#49

I thought I'd save duplicated params this way, but it's actually ridiculous.

Unfortunately there doesn't seem to be a good prompting library available for Rust.

remotestorage/api-test-suite#31

When mysteryshack is started, but the directory stated by data_path, doesn't exist, it fails with the error:

Failed to parse config: No such file or directory (os error 2)

mysteryshack should create the directory if it doesn't exist.

To reproduce

1. Edit config and set "data_path = hello"
2. Run ./mysteryshack serve

Perhaps it's sensible to expire app tokens after they haven't been used for a month?

During the build process, this eventually happens...

running: "cc" "-O3" "-ffunction-sections" "-fdata-sections" "-m64" "-fPIC" "-o" "/Users/njenning/code/projects/mysteryshack/target/release/build/openssl-sys-f0bee5fb97afc90d/out/src/openssl_shim.o" "-c" "src/openssl_shim.c"
ExitStatus(Code(1))


command did not execute successfully, got: exit code: 1



--- stderr
src/openssl_shim.c:1:10: fatal error: 'openssl/hmac.h' file not found
#include <openssl/hmac.h>
         ^
1 error generated.
thread '<main>' panicked at 'explicit panic', /Users/njenning/.cargo/registry/src/github.com-0a35038f75765ae4/gcc-0.3.19/src/lib.rs:771

https://github.com/maidsafe/rust_sodium

Statically linked libsodium!!!

• urlencoded -- iron/urlencoded#62
• iron-error-router
• iron-login -- untitaker/iron-login#7
• handlebars-iron -- sunng87/handlebars-iron#38
• router
• persistent -- iron/persistent#53
• mount -- https://github.com/iron/mount

Also major refactor for nicer syntax.

• Show app icons
• Show identicons per token obsolete with signed tokens
• Group tokens by app obsolete with signed tokens
• Ability to reject all tokens for app
• Show used scopes

• Login with valid username and invalid password: Long response time
• Login with invalid username: Short response time

https://cryptocoding.net/index.php/Coding_rules#Avoid_branchings_controlled_by_secret_data

The question is, do we care?

Hi! Thanks for doing mysteryshack. I was trying to use it on my server, installed it behind a Nginx proxy, set up the proxy headers, and then tried to use it with Laverna.

When I enter my email identifier and then click Connect (in Laverna), I get to the redirection page from Mysteryshack, and I seem to hit two errors:

• nothing appears on screen. In the server logs, I see the following:

Server error: IronError { error: RenderError(RenderError { desc: "Helper not defined: \"block\"", template_name: Some("layout"), line_no: Some(8), column_no: Some(13) }), response: HTTP/1.1 500 Internal Server Error
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self';frame-ancestors 'none'
 }

• the client (browser developers console) logs show the following:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://url”). Source: 
            html { display: none; }
   ....  dashboard:20
 Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://url”). Source: 
            if(self == top) {
         ....  dashboard:23
 Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://url”). Source: 
:root #content > #right > .dose > .dose....  dashboard:1
 Content Security Policy: The page’s settings blocked the loading of a resource at self (“default-src https://url”). Source: call to eval() or related function blocked by CSP.

Does it ring a bell? Can I get some help, please? Please let me know if you need more logs, or I should run some debugging code or anything.

Cheers!

the output
Server error: IronError { error: NoRoute, response: HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Content-Length: 1559
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self';frame-ancestors 'none'

}

see hyperium/hyper#673

remotestorage/spec#124

Basically the situation is unclear. And as we don't support Content-Range PUT, we should explicitly reject that header instead of writing a mangled file.

Iron's defaults are only reasonable at large scale.

Goal is to avoid having single routes accessible without login.

Currently we just spawn one worker. We should use something like lockfile in Python.

https://tools.ietf.org/html/rfc6749#section-10.13

Ideally we'd implement both JS framebreaker and X-Frame-Options.

Sandboxed iframes allow the attacker to disable all JS (which means disabling framebreakers). Mitigations:

• Assume that sandbox-supporting browsers also support X-Frame-Options
• Require JS on web UI, intentionally break if JS is disabled.

• sunng87/handlebars-iron#18

• Figure out a way to build static linux bin
• Signed binaries, built locally