07:36 <ocdtrekkie> mrdomino: strugee: Just FYI, kentonv may or may not respond much this week.

07:37 <ocdtrekkie> FWIW, strugee, every page of Sandstorm code says it is copyright "Sandstorm Development Group, Inc. and contributors"

07:38 <ocdtrekkie> The Collections app just says copyright "Sandstorm Development Group, Inc."

07:39 <ocdtrekkie> I would guess there is a strong evidence in that to say the company owns the copyright of code written by employees. Although since all of it is published under permissive open source licenses, it's debateable how relevant that fact is from a practical sense.

16:48 <TimMc> That just changes relicensing, but given they don't require a contributer's copyright agreement... yeah, probably not too relevant.

17:39 <TimMc> I want to change the port I advertise my sandstorm server on. Just changing the BASE_URL and WILDCARD_HOST doesn't seem to cause redirects.

17:40 <TimMc> I have both 6443 (the old port) and 443 (the new port) routed to sandstorm's HTTPS listen port.

17:40 <TimMc> Is there some other bit of config I need to change to get sandstorm to issue redirects like it would for a domain change?

17:52 <dwrensha> TimMc: Does your sandstorm.conf have a PORT variable?

17:54 <dwrensha> I think HTTPS_PORT can also be set

18:01 <TimMc> dwrensha: Current config: https://paste.debian.net/plainh/1b4033d1

18:02 <TimMc> BASE_URL and WILDCARD_HOST used to end with :6443, because I had the router set to pass 6443 on the inet side to 6443 on sandstorm.

18:03 <TimMc> I've changed the router to *also* pass 443 external to 6443 on sandstorm, and I was hoping that sandstorm would just issue redirects when called with a URL bearing the old 6443 port.

18:22 <TimMc> On another note -- it makes me a little nervous that the email token signup flow allows the client to control the URL sent out in the login email.

18:23 <dwrensha> I think it used to at one point, but we fixed that

18:23 <TimMc> Still does.

18:24 <TimMc> I noticed because my server is listening on two ports, and signing in on one port vs. the other generates different URLs.

18:25 <TimMc> *Could* be wrong, I can check more...

18:25 <dwrensha> oh, I was thinking about the share-by-email form

18:26 <dwrensha> ... where the email goes to a different person

18:27 <dwrensha> what you describe sounds weird, but I'm not sure there's anything serious to be nervous about

18:27 <TimMc> Mildly nervous. :-P

18:27 <dwrensha> you can send yourself an email that points to an arbitrary URL? does not sound too dangerous

18:28 <dwrensha> you can cause login emails to get sent to other people, but presumably they will be ignored as spam

18:30 <TimMc> You can send someone else what looks like a login email to a sandstorm server, but actually goes to your server. Then you harvest the login token and use it. (Or does it need to be combined with a cookie?)

18:31 <TimMc> (Nope, it doesn't.)

18:31 <dwrensha> hm interesting

18:33 <dwrensha> TimMc: do you want to submit a pull request to fix this?

18:34 <dwrensha> it should be easy to detemine the correct rootUrl on the server side without getting it from the client

18:34 <TimMc> Can't, even though it's probably a one-liner. Have to get back to work, and I've never built sandstorm. :-/

18:35 <TimMc> could file an issue

18:36 <TimMc> Hmm... maybe you *did* fix this, and it just ignores port! https://github.com/sandstorm-io/sandstorm/blob/cabe6b1f90ea2b9101a1d9cc5645336f442ec821/shell/server/accounts/email-token/token-server.js#L224

18:37 <dwrensha> hah

23:12 <mnutt_> https://github.com/posativ/isso/ looks like it might make for a good comments server and complement to the statically published wordpress app