I have a method. The language for this question unimportant, but here are the stubs in Java and Python so people have something to relate to:
Token getToken(long seconds){
...
}
def get_token(seconds):
...
The documentation for this method reads:
Get the current token, or a new one.
Guarantees that the returned token will be valid for at least the given amount of seconds.
Since I am not a native english speaker, the two things are puzzling me.
I would like to name the argument for my method something more saying than seconds, but it should not be too long.
I have considered the following (Python styled):
timeout_seconds
minimum_timeout_seconds
minimum_timeout
required_timeout
required_timeout_seconds
I don't think any of them are spot on, and the two of them are a bit long for my taste.
What do people prefer?
Is there a word that can express the purpose better than the ones I have used?
Secondly, the documentation for the argument reads:
The number of seconds there should at least be left until the current token expires.
If there is less than this number of seconds left until expiration, the token will be renewed automatically.
I don't feel the wording here is right. Any thoughts?
As you are dealing with tokens I'd Take the JSON Web Token (JWT) RFC as inspiration. Hence I would use
expires_in_seconds
as the variable name if keeping with Python styling.
The word "timeout" is more commonly used when an operation ceases to try to succeed in whatever it is trying to do, whereas "expires" indicates that the subject (in this case a token) is coming to the end of its period of validity.
As for the documentation I'd rather:
The number of seconds for which the token is valid.
However it does feel like the code you are using maybe trying to create it's own web token standard, which is something I would warn against! e.g. "If there is less than this number of seconds left until expiration, the token will be renewed automatically" seems odd.
Related
A vendor I use packages their software with AssemblyScript. They provide some infrastructure and I build on top of it.
Accidentally, I changed my double equal signs ("==") to triple equal signs ("===") in a function that performs equality checks on hexadecimal strings. I spent hours ensuring that the values checked are indeed equal and have the same case sensitivity, but nothing could make the if statement enter the branch I was expecting it to enter, except for going back to "==".
And so I ended up here, asking for help. How is "===" different to "==" in AssemblyScript? Is it some quirk of the language itself or the vendor's parser?
Yes. In AssemblyScript tripple equal ("===") compare raw references and skip overloading operator ("=="). See docs.
There are have proposal avoid this non-standard for TypeScript behaviour. You could check and upvote this issue
I'm trying to verify a server's certificate before obtaining data from it using https. I'm assuming that after curl_easy_perform I should use:
long out = -1;
curl_easy_getinfo(curl, CURLINFO_SSL_VERIFYRESULT, &out)
I cannot find any documentation explaining the meaning of the value out is set to, except for an example on https://curl.haxx.se/libcurl/c/CURLINFO_SSL_VERIFYRESULT.html, which seems to be wrong (or at least contradicts my experiments).
This example suggests that the value 0 means verification failure, while any other value signifies success.
I found that 0 is actually set every time I get a response body and a sensible HTTP code (obtained using CURLINFO_RESPONSE_CODE), whereas other values I've received (1 and 19) always went together with HTTP code 0 and empty body.
Am I missing something obvious or is there no documentation for CURLINFO_SSL_VERIFYRESULT?
It seems the documentation is missing that indeed. Issue filed: https://github.com/curl/curl/issues/2400
The value depends on the TLS backend used (OpenSSL, GnuTLS, etc).
It doesn't seem to work for Windows SCHANNEL at all.
I have implemented this http://jacob.jkrall.net/totp/ in vbscript.
My code given the same hex gives the right 6-digit otp, so that part is working.
I've also verified the HMAC-SHA-1. encoding against an online generator, http://www.freeformatter.com/hmac-generator.html#ad-output, same input gives same output.
My time is the same as http://www.currenttimestamp.com/
I've generated a qrcode at http://www.qr-koder.dk/ with the string otpauth://totp/$LABEL?secret=$SECRET and the google authenticator app reads the code and starts outputting the 6 digit code changing every 30 seconds.
BUT THE CODES FROM THE APP DOES NOT MATCH THE 6-DIGIT CODE THE VBSCRIPT GENERATES!
I've even tried trunc(time/30) +/-7500 steps to see if it was a timezone/daylight saving problem, to no avail.
As the other parts of the routine to generate the 6 digits seem to work I've come to the conclusion I don't understand this:
the url on the qr-code is
otpauth://totp/$LABEL?secret=$SECRET
with the explanation
LABEL can be used to describe the key in your app, while SECRET is the
16-character base32-encoded shared secret, which is now known to both
the client and the server.
So when I calculate HMAC-SHA-1(SECRET, time()/30)
should the SECRET be the same string given to both the app and the calculation?
If I select a secret of 1234567890, the base32 is GEZDGNBVGY3TQOJQ according to http://emn178.github.io/online-tools/base32_encode.html.
Should I then take
HMAC-SHA-1("1234567890", time()/30)
or
HMAC-SHA-1("GEZDGNBVGY3TQOJQ", time()/30)
?
I believe I've tried both, and neither works.
The system unix time is correct.
I guess the problem might be with the secret in your HMAC-SHA-1 function. It very much depends on what the HMAC-SHA-1 expects.
Your string "123456790" might be a binary string. Is it an ascii representation or utf8? I.e. is this string 10 bytes or 20 bytes long?
I recommend getting the input string in your VBScript right.
On the other hand, instead of writing your own VBScript, you can also use a ready made solution like the privacyIDEA authentication server, which is open source and also comes with TOTP.
Imagine you have a function that converts ints to roman string:
public String roman(int)
Only numbers from 1 to 3999 (inclusive) are valid for conversion.
So what do you do if someone passes 4000 in any OO language?
raise an exception
return “” or some other special string
write an assert
…
Number 1: raise an exception. That's what ArgumentOutOfRangeException is for (at least in .NET):
if (intToConvert >= 4000)
{
throw new ArgumentOutOfRangeException("intToConvert ", "Only numbers 1-3000 are valid for conversion.");
}
I find the validation topic very interesting in general. In my opinion option 2 (returning a special value) is not a good one, since you are forcing the client to do if/case to check for the returned value and that code must be repeated everywhere. Also, unlike exceptions that propagate through the calling stack, in this scenario the caller is almost always the one that has to handle that special value.
In the context of OOP raising an exception or having an assertion is, IMO, a more elegant way to cope with it. However i find that inlining verification code in every method doesn't scale well for some reasons:
Many times your validation logic ends up being greater than the method logic itself, so you end up cluttering your code with things that are not entirely relevant to it.
There is no proper validation code reuse (e.g. range validation, e-mail validation, etc).
This one depends on your tastes, but you will be doing defensive programming.
Some years ago I attended to a talk about validators (a similar talk slide's are here. The document explaining it used to be in http://www.caesarsystems.com/resources/caesarsystems/files/Extreme_Validation.pdf but now its a 404 :( ) and totally like the concept. IMHO having a validation framework that adopts the OO philosophy is the way to go. In case you want to read about it I've written a couple of posts about it here and here (disclaimer: the posts are part of the blog of the company I work for).
HTH
My problem is that the message passed to yyerror is already formatted (i.e. it is actually an English explanation what went wrong), and what I would like to get is just the current token (i.e. the one before the error pseudo-token).
So how to get it?
I use gplex/gppg which are lex/yacc implementations in C#.
I am sorry for not being 100% precise -- what I need is token (symbol) not the body (text) which was matched (by the token).
Let's say I have a rule [A-Za-z0-9_]+ constitutes an ID. So I would like to get token ID not a foobar.
Found this in an old project of mine, with a redefined yyerror:
int yyerror (char *msg) {
printf("oha, %s: '%s' in line %d\n", msg, yytext, yylineno);
return 0;
}
This was a c++-project using flex/bison, and the interesting thing i think you can find in yytext.
There's no standard, but bison and most versions of yacc store the current token in yychar. Unfortunately, this is generally a local variable (of yyparse), so you can't access it in other functions (such as yyerror), only in parser actions.
It might be helpful if you say WHY you want the current token -- its not generally a useful peice of information. You mention the error pseudo-token, which makes no sense as that is associated with error recovery, not errors as such -- by the time it comes into the picture normally a bunch of tokens from the input have been discarded.