Had to call up the property manager again today, and spoke to Freya - I notified them on the 1st of February that the previous repair to the outdoor blind had proven ineffective, and I noticed today that they still haven't done anything about it. We've now put the blinds up, so hopefully the wind won't damage it any further.
While I had their attention though, I thought to bring up two issues: the heater fan makes a rattling noise, like something's loose in it, and the foundation has shifted making the sliding door no longer square, leaving a rather large gap in the bottom corner of it. Would be nice to have both of those things fixed before winter gets here.
Out to Portland, VIC for my first job in a long time - luckily this one was pretty profitable, as there wasn't much driving at all apart from actually getting there and back. Super long day though - start at 6am, work until 2am, few hours nap, then work again until midnight.
I had to apply for a "Port Pass", which was a surprisingly easy process. I sat the "induction" online, which consisted of four videos ranging from five minutes to fifteen minutes each, and a short quiz after each one. The quiz was seriously brain-dead: only one question required memorising anything, and most of them were more or less common-sense questions. There was one gotcha question, where one of the options is "all of the above" (which is usually a safe answer for induction multiple-choice questions, when presented), but part of the "all of the above" is "do nothing".
Since I'd already done the induction, getting the pass amounted to going in, paying $90, and waiting for it to be printed.
A couple of days ago I started signing my git commits (at least, the ones I make on my laptop), but it started to get old pretty quick. I've been signing with my primary Keybase key, which requires a really long password to be entered every single time. That's sub-optimal in two ways: a) I'm signing with the main key, and if it's stolen I have no way to bootstrap re-authenticating myself, and b) copy+pasting a really long password sucks.
So I created a sub-key under the main key, and pushed it to Keybase (while I was at it, I pushed the updated keyring with my email address in it as well). I then threw away the secret for the main key so that I only had my git commit signing key present on the laptop (and uninstalled keybase so I don't accidentally clobber it).
I then spent far longer than I reasonably should have trying to get gpg-agent working with .xsession, before learning that once I'd added the stuff to ~/.gnupg/gpg-agent.conf on my Debian machine, all I had to do was re-login and the agent would be running for me (that's handy).
I experimented with several GPG pinentry programs, none of which would function correctly and let me paste the secret in, but I probably don't want to be using my Keybase passphrase anyway, so I replaced it with one that I can remember, and I can just type it into the pinentry window when it pops up (I could also add it to the gnome keyring so it's unlocked when I log in, but I'm not sure if I want to go that far; I am still pretty paranoid).
I spent way too long working this out. I'm almost ashamed it took so long.
I've been hacking on a project called murmur-rest, as it's basically a head start on what I was going to do when I rebuilt the old MumbleDog stack to open source it: abstract away the braindeadedness of Ice so that commodity PHP hosts can be used to run admin panels and such. It even uses Flask, just like I was going to! (I really like Flask)
I've committed a few pieces of low-hanging fruit, and then started on a CVP patch (which is in gross need of refactoring, but does work, for the most part). Then I moved on to actual provisioning and such, writing a WHMCS module as I went, and got stuck trying to make it auth. We're using Digest authentication, and despite the fact everything was correct (countless hours of debug printf()s, and nothing to show for it), it wasn't working!
I ended up taking the thing to my Linux VM, and chopping everything down to about 20 lines of Python and using curl from the command line trying to work out where the bug was. Authentication works fine via the browser, so what the heck is going on?
curl --digest -u 'admin:password2' http://localhost:5000/stats/
I eventually turned on the -v flag so I could get extra output and noticed that even though we're not actually using any of the session stuff in Flask, it's trying to set a cookie anyway. On a whim I gave it a shot:
curl --digest -u 'admin:password2' -c cookies http://localhost:5000/stats/
Success! You can even do it with -c /dev/null, as we don't need to keep the cookies around permanently; we just need to send them back for the digest auth to work correctly. I'm not entirely sure why we need to send them back; I'm thinking it might be a bug (or just weird logic) in Flask, as from checking StackOverflow and many other websites it looks like digest auth is supposed to work without cookies. Maybe it's the only way Flask can prevent credential re-use or something? No idea.
I'm suspecting that if the client-side session/cookie stuff that Flask uses is the reason it didn't work, that that might be a security concern - maybe it's just the fact that I'm half asleep, but what's to stop someone from simply replaying the entire request, cookie and all? That's not a problem for me, because I'd serve the API stuff over HTTPS, but it seems like an excellent way for other end-users to shoot their own foot off.
Anyway, it even works inside PHP as well:
curl_setopt($ch, CURLOPT_COOKIEJAR, "/dev/null");
And suddenly the WHMCS module is off and running! Unfortunately, I'm now way too tired to continue. I'll worry about the security implications tomorrow.
Update: It looks like my earlier suspicions were correct: the session cookies are used by Flask in its default configuration to track nonces, and it's not a great idea, security-wise. Since I don't want to run a database to track the sessions, and since HTTPS will basically be required, I'm considering just downgrading to Basic authentication anyway.
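To make the nonce-tracking point concrete, here is an added example (my own code, not from murmur-rest, Flask, or any Flask extension) that models the two designs in plain Python with no web framework: a server that keeps the digest nonce only in a client-held cookie, as the post observed, and a server that keeps a nonce table of its own and tracks the RFC 2617 nonce count (nc). The realm, the admin:password2 credentials and the /stats/ URI are constructed to match the curl commands above; the cookie name session_nonce and the class names are my own. Running demo() shows that the cookie-only server both fails without the cookie (the symptom curl hit before -c was added) and accepts the identical request a second time, while the stateful server refuses the replay because the nonce count did not advance.

```python
"""Digest-auth nonce tracking: client-held cookie vs. server-side table.

Added example, not code from murmur-rest or Flask. Standard library only;
the "servers" are plain verify() functions rather than HTTP apps.
"""
import hashlib
import hmac
import secrets

REALM = "murmur-rest"
USERS = {"admin": "password2"}   # constructed demo credentials


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_auth(user, password, method, uri, nonce, nc):
    """Build the fields a client sends in its Authorization: Digest header."""
    cnonce = secrets.token_hex(4)
    nc_hex = f"{nc:08x}"
    return {
        "username": user, "method": method, "uri": uri, "nonce": nonce,
        "nc": nc_hex, "cnonce": cnonce,
        "response": digest_response(user, password, method, uri, nonce, nc_hex, cnonce),
    }


def _check_password(auth, nonce):
    """Recompute the response with the stored password and compare in constant time."""
    password = USERS.get(auth["username"])
    if password is None:
        return False
    expected = digest_response(auth["username"], password, auth["method"],
                               auth["uri"], nonce, auth["nc"], auth["cnonce"])
    return hmac.compare_digest(expected, auth["response"])


class CookieNonceServer:
    """Nonce kept only in a cookie the client holds (the behaviour the post ran into).
    The server remembers nothing, so a request it already accepted, cookie and
    Authorization header included, verifies again when presented a second time."""

    def challenge(self):
        nonce = secrets.token_hex(8)
        return nonce, {"session_nonce": nonce}   # second value is the cookie sent to the client

    def verify(self, cookie, auth):
        nonce = cookie.get("session_nonce")
        if nonce is None or auth["nonce"] != nonce:
            return False        # curl without a cookie jar ends up here
        return _check_password(auth, nonce)


class StatefulNonceServer:
    """Nonces issued by the server are remembered, with the highest nonce count
    accepted for each. A replayed request re-presents an nc that was already
    consumed and is refused, without any client-side state at all."""

    def __init__(self):
        self.seen = {}          # nonce -> highest accepted nc

    def challenge(self):
        nonce = secrets.token_hex(8)
        self.seen[nonce] = 0
        return nonce

    def verify(self, auth):
        nonce = auth["nonce"]
        if nonce not in self.seen:
            return False        # nonce we never issued, or already expired
        nc = int(auth["nc"], 16)
        if nc <= self.seen[nonce]:
            return False        # nonce count did not advance: a replay
        if not _check_password(auth, nonce):
            return False
        self.seen[nonce] = nc
        return True


def demo():
    """Drive both servers with the same client behaviour; return the outcomes."""
    results = {}
    cookie_srv = CookieNonceServer()
    nonce, cookie = cookie_srv.challenge()
    auth = make_auth("admin", "password2", "GET", "/stats/", nonce, 1)
    results["cookie_missing"] = cookie_srv.verify({}, auth)
    results["cookie_first"] = cookie_srv.verify(cookie, auth)
    results["cookie_replay"] = cookie_srv.verify(cookie, auth)   # identical request again

    state_srv = StatefulNonceServer()
    nonce = state_srv.challenge()
    auth = make_auth("admin", "password2", "GET", "/stats/", nonce, 1)
    results["stateful_first"] = state_srv.verify(auth)
    results["stateful_replay"] = state_srv.verify(auth)
    results["stateful_next"] = state_srv.verify(
        make_auth("admin", "password2", "GET", "/stats/", nonce, 2))
    results["stateful_wrong_password"] = state_srv.verify(
        make_auth("admin", "wrong", "GET", "/stats/", nonce, 3))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24} {'accepted' if ok else 'rejected'}")
```

The stateful server is the shape a nonce store needs regardless of where it lives (an in-process dict here, a database or cache in a real deployment), and it would also need to expire old nonces so the table cannot grow without bound. None of this changes the transport question: both variants still send the MD5 digest in the clear, so the post's plan to require HTTPS stands either way, and with HTTPS in place Basic authentication over the same channel is no worse a trade than digest with nonces the server does not remember.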