kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev
<isd> ocdtrekkie, abliss : re the baby app/csrf problem: sandstorm blocks referer entirely.
<isd> I don't know if it's going to be possible to get django's stock csrf protection to work in that context.
<abliss> we should be able to just turn it off though right?
<abliss> where it = django's csrf protection
<isd> that would work, yes.
<abliss> i'm trying that now
<isd> It would also obviously defeat the protection mechanism
<abliss> yeah but i'm guessing sandstorm probably has some protection that makes it irrelevant
<isd> We should avoid guessing :P
<isd> Let me dig up a thing, hang on
<abliss> i'm pretty confused why it doesn't repro inside `vagrant-spk dev` though.
<isd> We should do some investigation and merge something similar to that
<isd> (though that pr itself is too bitrotten to salvage -- the code it touches has been rewritten in C++)
<abliss> yeah, i was just toying with that code earlier today, looking at CORS issues with riot/matrix
<abliss> i don't think the null-origin issue is the problem here though?
<isd> No, the problem is just that the app isn't seeing the headers it wants
<isd> But if we could solve that it would probably be safe to just say "disable it" since we'd be doing the protection ourselves, and as long as the app doesn't abuse GET requests to have side effects, it'd be fine.
<isd> That's weird that it works in dev mode though.
<abliss> Ian Denhardt: is it normal that whenever i touch gateway.c++ I have to re-run the giant "building meteor frontend" step?
<isd> Yeah. It'd be nice if we could tweak the build to avoid that.
<abliss> how long does it take on your box?
<isd> Not that long. haven't actually measured. Long enough to notice, but not looking at my watch
<abliss> still slowly downloading an entire buster box in order to test it
<isd> I spent a big chunk of last year working on designing and my own programming language. Hacking on that was such a breath of fresh air: no bloated VMs, no shuffling data between incompatible APIs, just actually working on the interesting problem.
<isd> *and implementing
<isd> (I haven't dropped the project completely, but it's taking a back seat to sandstorm)
shachaf has left #sandstorm [#sandstorm]
<abliss> i see it as a kind of Schwarzschild radius for programmers. once the brain capacity gets beyond a certain number, the programmer tends to begin inventing their own programming language and/or OS and/or instruction set, and thereafter never produces anything worthwhile to the outside universe. glad you've managed to return from that event horizon.
<isd> Hah.
<abliss> e.g.: lars bak, rob pike
<isd> I happen to think there's value in PL/systems work. But I think it's the nature of stuff further down the stack that that value is more abstract.
<isd> Funny you should throw pike in there, after all the complaining about build times.
<isd> Working on sandstorm core makes me really miss Go's toolchain.
<ocdtrekkie> isd: I am not sure how current it is, but these suggestions claimed that commenting out that middleware wasn't enough: https://stackoverflow.com/questions/16458166/how-to-disable-djangos-csrf-validation
<ocdtrekkie> It includes some tips including a short custom middleware to do it, which might be useful for abliss.
<ocdtrekkie> If Django does this by default and it breaks apps in Sandstorm, we should probably definitely build a stack or document the fix thoroughly.
<isd> It seems like the remaining csrf checking shouldn't be a problem though, as I think it should still work
<isd> We're not blocking the csrf token, just the referer header
<isd> So that's actually better, since it means we're not ripping out the security entirely, just the bit that breaks the app
<isd> +1 to having a django stack that sorts all this out for the developer.
ocdtrekkie has quit [Read error: Connection reset by peer]
keturn has joined #sandstorm
ogres has joined #sandstorm
frigginglorious has quit [Ping timeout: 272 seconds]
ocdtrekkie has joined #sandstorm
ogres has quit [Quit: Connection closed for inactivity]
kawaiipunk has quit [Quit: Leaving this Club]
kawaiipunk has joined #sandstorm
<abliss> having a weird vagrant-spk problem. /tmp/ is not a tmpfs, just a directory on /, which is mounted read-only, so nothing works. anyone seen this?
<abliss> ah, nevermind, halting-restarting the vm seems to have fixed it
<abliss> is there some easy/quick way to check out the repo for someone's sandstorm app which uses vagrant-spk, and build my own spk of it? with gitweb i ended up spending several hours chasing crypto keys around, surely because i was doing something wrong
<abliss> alternately, has anyone gotten vagrant-spk's sandstorm instance to do SSL? I know i went halfway(?) down that rabbit hole a while back
<abliss> and ended up giving up and falling back to spk, which does not seem like an option now since babybuddy requires pipenv which doesn't even seem to exist on my distro
frigginglorious has joined #sandstorm
ocdtr_web has joined #sandstorm
<ocdtr_web> abliss: Why were you chasing crypto keys around?
frigginglorious has quit [Read error: Connection reset by peer]
<ocdtr_web> For one, you can vagrant-spk keygen to rekey the app: https://docs.sandstorm.io/en/latest/developing/publishing-apps/#double-check-your-app-id
<ocdtr_web> The pgp-signature and all is completely optional, so you should be able to clear those out entirely.
<ocdtr_web> Is it possible to include with Sandstorm's dev mode option the ability to set up HTTPS with a self-signed localhost certificate? That we could then have vagrant-spk export out to the host machine and let you choose to trust in your browser?
codecowboy has joined #sandstorm
<abliss> it's definitely possible, just needs someone to glue it all together
<ocdtr_web> I'd want support for self-signing to come from Sandstorm's side, we don't want vagrant-spk having to set up an Nginx server or something. (And ideally we need to move further away from depending on people establishing reverse proxies for common things, it's a huge configuration pain point.)
<ocdtr_web> There's also plausibly the discussion that an internal corporate environment might be fine with a self-signed cert that can be trusted by their internal domain. But for now, I would mostly just think if we do a -d install with dev accounts, we should self-sign localhost.
frigginglorious has joined #sandstorm
<abliss> yeah, currently i think sandstorm's built-in support for terminating SSL may be hardwired to only support sandcats. but it shouldn't be too hard to do self-signed (or bring-your-own-cert)
<ocdtr_web> I recall functionality added to rewire a custom cert into it, but it never got any UI.
<ocdtr_web> I'll look for it.
<abliss> if sandstorm allows you to inject a custom cert, then the vagrant-spk wrapper can handle the self-signing, which might be a faster way to get off the ground
<ocdtr_web> I can't find it, but I recall there being a way to do so.
<ocdtr_web> It was something hacky like injecting it into the mongodb.
<ocdtr_web> Found!
<ocdtr_web> https://groups.google.com/forum/#!searchin/sandstorm-dev/https$20mongo%7Csort:date/sandstorm-dev/Nu1QetSgvj4/rKnGR8-sBAAJ
<ocdtr_web> I'm going to open an issue for creating a UI for it.
<ocdtr_web> I think it also qualifies as a bite-size issue, because the technical functionality is already there.
frigginglorious has quit [Read error: Connection reset by peer]
frigginglorious has joined #sandstorm
<abliss> general Q about the vagrant-spk flow. Assuming a python app which needs a bunch of pip/venv/virtualenv stuff, but no actual compiling once code is changed, shouldn't the setup.sh have the downloading-dependency stuff, and the build.sh be essentially empty? babybuddy has it all in build.sh and each run of 'vagrant-spk dev' seems to take forever
<ocdtr_web> Maybe ask why he moved it, there is a commit where he did.
<ocdtr_web> The general difference between setup.sh and build.sh, is short of running vagrant-spk vm provision, which reruns global-setup and setup, setup.sh only ever runs once.
<ocdtr_web> Presumably your installs of dependencies could/should happen in setup.sh, but if you wanted to update those dependencies when you're working on the app, you might want to update them in build.sh.
<abliss> (nice job finding the mongo commands to set up custom SSL. should be pretty easy to have vagrant-spk set that up, assuming there's some easy way for the vagrant python to talk to the mongodb inside the vm. otherwise, we'll have to add a UI, like parsing out filenames from sandstorm.conf)
<ocdtr_web> I feel we should probably prioritize some UI for that, reverse proxy setups probably count as a significant pain point.
<abliss> agreed
<ocdtr_web> And I'd still ideally have Sandstorm configure the localhost cert on a -d install. Presumably the scripting for doing this from vagrant-spk would be kludgey.
<abliss> you're right that it should be bite-sized. maybe i can try to tackle it (no need to learn meteor for this one)
<ocdtr_web> I mean, presumably you can more or less copy some other admin panel setting as an example of how to do it within the Meteor framework.
<abliss> hallelujah! at long last i've managed to get the CSRF issue reproducing over SSL in a dev environment. just in time, it seems, for it to have already been solved. (i'm still very perplexed why it works on http and fails on https)
<ocdtr_web> abliss: It's a design choice on Django's part.
<ocdtr_web> They feel the protection is meaningless if you can MITM anyways.
<ocdtr_web> "vagrant-spk ssh sandstorm mongo db.insert" should basically be possible, but it'd be all the same issues described in Kenton's issue, we'd likely have to assign variables and such to bypass the mongo command's length limits.
<abliss> do you have a link to that rationale? it sounds crazy to me.
<ocdtr_web> (FYI, I do not understand nine-tenths of this topic, I have just spent a bunch of time digging around for links.)
<abliss> Thanks. I was missing this detail: " a cookie set on HTTP by the domain can also be read by HTTPS on the same domain"
<abliss> i guess in this case the "Cross-Site" request forgery just means crossing from the HTTP site to the HTTPS site
<ocdtr_web> Well, this has at least been a very fun exercise in "what pain points should we address for app developers".
<ocdtr_web> And hopefully we'll have a fixed version of the SPK soon. :D
<abliss> if i'm grasping it right, and assuming https sandstorm installs set the HSTS flag, it should be fine to bypass/deactivate the check (i think)
prompt-laser has quit [Quit: Connection closed for inactivity]
<abliss> chris points out that https://pypi.org/project/django-sandstorm/ is out of date. any volunteers to get in touch with the maintainer there ? Lyre Calliope maybe?
<ocdtr_web> Answers the question of if any Sandstorm apps use Django.
<ocdtr_web> Contact Otter did.
<ocdtr_web> I know phildini dropped support for Sandstorm on it quite a ways ago. My guess is he wouldn't mind someone taking that package over?
<ocdtr_web> I sent a private toot his way.
<ocdtr_web> If people are using old VMs and then try to follow the tutorial, they may run into an issue, but I think the answer there is to tell people to 'upgradevm' as it is, which will fix this and other bitrot simultaneously.
<ocdtr_web> Ultimately, this is one of those changes that "the sooner we do it the less people will run into an issue from it" I think. But we should probably try to get more messaging into vagrant-spk dev itself that tells you what port it's on. I think that might need to be done in SPK actually.
<ocdtr_web> Issue for that is here: https://github.com/sandstorm-io/sandstorm/issues/3215
xet7 has quit [Remote host closed the connection]
xet7 has joined #sandstorm
codecowboy has quit [Quit: Textual IRC Client: www.textualapp.com]
prompt-laser has joined #sandstorm
_whitelogger has joined #sandstorm
<CaptainCalliope> > chris points out that https://pypi.org/project/django-sandstorm/ is out of date. any volunteers to get in touch with the maintainer there ? Lyre Calliope maybe?
<CaptainCalliope> @abliss:matrix.org What's the ask?
<ocdtr_web> I tooted phildini already.
<CaptainCalliope> Oh! What's your Mastodon?
<ocdtr_web> @ocdtrekkie@mastodon.social
<ocdtr_web> I am not super active on Mastodon at present, but phildini is an instance admin in the fediverse world so it's a good place to get a hold of him. :)
ocdtr_web has quit [Remote host closed the connection]
frigginglorious has quit [Ping timeout: 272 seconds]