digitalmars.D.announce - OneDrive Client written in D
- skilion (4/4) Sep 22 2015 I've been waiting for a good sync client for OneDrive (15 GB for
- Rikki Cattermole (5/9) Sep 22 2015 You probably should not be exposing developer information for
- skilion (12/16) Sep 23 2015 I think you are referreing to the the fields client_id and
- Rory McGuire via Digitalmars-d-announce (7/23) Sep 23 2015 Problem is right now anyone can make an app and pretend its your app, an...
- Nick Sabalausky (3/8) Sep 23 2015 Isn't oauth/openid just kindof a big bundle of such phishing problems
- Rory McGuire via Digitalmars-d-announce (15/26) Sep 23 2015 I can't think of a way to do phishing with oauth2, doesn't mean it can't...
- Rory McGuire via Digitalmars-d-announce (9/38) Sep 23 2015 I think this should be on reddit either way. Perhaps someone will sugges...
- Charles (6/19) Sep 23 2015 I don't know to much about oauth2, but could we in theory add a
- Rory McGuire via Digitalmars-d-announce (7/24) Sep 23 2015 The client id is generated on oauth server when setting up credentials f...
- frieder (10/22) May 21 2016 ... good work. I appreciate it very much.
- Suliman (3/7) Sep 24 2015 What this string in config.d do?
- skilion (4/7) Sep 25 2015 It matches this pattern:
- Dmitry Olshansky (8/16) Sep 25 2015 Removing anonymous groups and using raw-literal:
- skilion (6/11) Sep 25 2015 Good advice, thanks.
- Dmitry Olshansky (7/18) Sep 26 2015 I hope that was ([^"]*)
- Dmitry Olshansky (4/23) Sep 26 2015 i.e. `"(?:[^"]+|\\")*"` to defeat regex escaping.
- skilion (3/4) Sep 26 2015 Right. I should not post anything without testing it first.
I've been waiting for a good sync client for OneDrive (15 GB for free!) on Linux, but Microsoft seems to have other plans... So I've decided to write my own, using D. Take a look: http://skilion.github.io/onedrive/
Sep 22 2015
On 23/09/15 8:43 AM, skilion wrote:I've been waiting for a good sync client for OneDrive (15 GB for free!) on Linux, but Microsoft seems to have other plans... So I've decided to write my own, using D. Take a look: http://skilion.github.io/onedrive/You probably should not be exposing developer information for authentication. You need to get the authentication fixed. Users should login via user/pass. Once that is done, get that on Reddit! It is awesome!
Sep 22 2015
On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:You probably should not be exposing developer information for authentication. You need to get the authentication fixed. Users should login via user/pass.I think you are referreing to the the fields client_id and client_secret in the config file. As I understand it, if a service is using OAtuh2, it is exactly to allow its users to use third party apps without leaking the username and password. My app is registered as a desktop application, so it should be assumed that the client "secret" can't be really kept secret like in a web app. Knowing the client secret allows you to produce API calls under my app name, but you still need to get a permission from the user to access their data.
Sep 23 2015
Problem is right now anyone can make an app and pretend its your app, and then ... If the user gives your keys access to their stuff so does anyone else who has your keys, if they can get the oauth2 redirect to redirect to a matching url at least. On Wed, Sep 23, 2015 at 10:38 AM, skilion via Digitalmars-d-announce < digitalmars-d-announce puremagic.com> wrote:On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:You probably should not be exposing developer information for authentication. You need to get the authentication fixed. Users should login via user/pass.I think you are referreing to the the fields client_id and client_secret in the config file. As I understand it, if a service is using OAtuh2, it is exactly to allow its users to use third party apps without leaking the username and password. My app is registered as a desktop application, so it should be assumed that the client "secret" can't be really kept secret like in a web app. Knowing the client secret allows you to produce API calls under my app name, but you still need to get a permission from the user to access their data.
Sep 23 2015
On 09/23/2015 08:38 AM, Rory McGuire via Digitalmars-d-announce wrote:Problem is right now anyone can make an app and pretend its your app, and then ... If the user gives your keys access to their stuff so does anyone else who has your keys, if they can get the oauth2 redirect to redirect to a matching url at least.Isn't oauth/openid just kindof a big bundle of such phishing problems anyway?
Sep 23 2015
I can't think of a way to do phishing with oauth2, doesn't mean it can't be done somehow :) Basically because you have to configure the redirect when you setup the client_secret the server will only ever send the browser to that redirect, a mismatch of requested redirect will just cause an error on Google Apps for example. Lets say this app has a redirect to localhost:1234/oauth set up during credentials creation on the oauth server. Then if you could get some malicious code to run at that host:port then you could get the access token that the oauth server would think it is sending to this app. So yes letting everyone know your client_secret is dodgy, but actually getting hacked because of it seems highly unlikely. On Wed, Sep 23, 2015 at 4:51 PM, Nick Sabalausky via Digitalmars-d-announce <digitalmars-d-announce puremagic.com> wrote:On 09/23/2015 08:38 AM, Rory McGuire via Digitalmars-d-announce wrote:Problem is right now anyone can make an app and pretend its your app, and then ... If the user gives your keys access to their stuff so does anyone else who has your keys, if they can get the oauth2 redirect to redirect to a matching url at least.Isn't oauth/openid just kindof a big bundle of such phishing problems anyway?
Sep 23 2015
I think this should be on reddit either way. Perhaps someone will suggest a way around the oauth2 limitation. Having to generate new client secrets just to use an app that already exists seems like a mission, so providing a default set that work and the user can just make sure they get the original app seems more practical. i.e. download binary from a reputable place i.e. your distributions repos. Also you are doing the same way everyone else does it; by prompting at the command line sooo.... On Wed, Sep 23, 2015 at 2:38 PM, Rory McGuire <rjmcguire gmail.com> wrote:Problem is right now anyone can make an app and pretend its your app, and then ... If the user gives your keys access to their stuff so does anyone else who has your keys, if they can get the oauth2 redirect to redirect to a matching url at least. On Wed, Sep 23, 2015 at 10:38 AM, skilion via Digitalmars-d-announce < digitalmars-d-announce puremagic.com> wrote:On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:You probably should not be exposing developer information for authentication. You need to get the authentication fixed. Users should login via user/pass.I think you are referreing to the the fields client_id and client_secret in the config file. As I understand it, if a service is using OAtuh2, it is exactly to allow its users to use third party apps without leaking the username and password. My app is registered as a desktop application, so it should be assumed that the client "secret" can't be really kept secret like in a web app. Knowing the client secret allows you to produce API calls under my app name, but you still need to get a permission from the user to access their data.
Sep 23 2015
On Wednesday, 23 September 2015 at 13:01:54 UTC, Rory McGuire wrote:I think this should be on reddit either way. Perhaps someone will suggest a way around the oauth2 limitation. Having to generate new client secrets just to use an app that already exists seems like a mission, so providing a default set that work and the user can just make sure they get the original app seems more practical. i.e. download binary from a reputable place i.e. your distributions repos. Also you are doing the same way everyone else does it; by prompting at the command line sooo....I don't know to much about oauth2, but could we in theory add a layer of security by only allowing some client id that has a sort of checksum based on the source code of the application? I don't know how client ids are generated, but its just a thought.
Sep 23 2015
The client id is generated on oauth server when setting up credentials for an app / webservice. You could never trust an app checksum because you would never know if it was fake. (Also this would only be something you could consider if you were implementing an oauth server or you had some intermediate server) On Thu, Sep 24, 2015 at 2:53 AM, Charles via Digitalmars-d-announce < digitalmars-d-announce puremagic.com> wrote:On Wednesday, 23 September 2015 at 13:01:54 UTC, Rory McGuire wrote:I think this should be on reddit either way. Perhaps someone will suggest a way around the oauth2 limitation. Having to generate new client secrets just to use an app that already exists seems like a mission, so providing a default set that work and the user can just make sure they get the original app seems more practical. i.e. download binary from a reputable place i.e. your distributions repos. Also you are doing the same way everyone else does it; by prompting at the command line sooo....I don't know to much about oauth2, but could we in theory add a layer of security by only allowing some client id that has a sort of checksum based on the source code of the application? I don't know how client ids are generated, but its just a thought.
Sep 23 2015
On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:On 23/09/15 8:43 AM, skilion wrote:... good work. I appreciate it very much. Just one note systemd: systemctl --user enable onedrive systemctl --user start one drive requires libpam-systemd This is not in all Debian Jessie distributions! Otherwise you will get a "Failed to get D-Bus connection - Connection refused" Regards FriederI've been waiting for a good sync client for OneDrive (15 GB for free!) on Linux, but Microsoft seems to have other plans... So I've decided to write my own, using D. Take a look: http://skilion.github.io/onedrive/You probably should not be exposing developer information for authentication. You need to get the authentication fixed. Users should login via user/pass. Once that is done, get that on Reddit! It is awesome!
May 21 2016
On Tuesday, 22 September 2015 at 20:43:32 UTC, skilion wrote:I've been waiting for a good sync client for OneDrive (15 GB for free!) on Linux, but Microsoft seems to have other plans... So I've decided to write my own, using D. Take a look: http://skilion.github.io/onedrive/What this string in config.d do? auto r = regex("(?:^\\s*)(\\w+)(?:\\s*=\\s*\")(.*)(?:\"\\s*$)");
Sep 24 2015
On Thursday, 24 September 2015 at 13:22:32 UTC, Suliman wrote:What this string in config.d do? auto r = regex("(?:^\\s*)(\\w+)(?:\\s*=\\s*\")(.*)(?:\"\\s*$)");It matches this pattern: key = "value" skipping any blank characters.
Sep 25 2015
On 24-Sep-2015 16:22, Suliman wrote:On Tuesday, 22 September 2015 at 20:43:32 UTC, skilion wrote:Removing anonymous groups and using raw-literal: regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`) Looks simpler I guess. Though if key="value" is expected I'd suggest to use lazy .* - `"(.*?)"` to stop on first " if any. -- Dmitry OlshanskyI've been waiting for a good sync client for OneDrive (15 GB for free!) on Linux, but Microsoft seems to have other plans... So I've decided to write my own, using D. Take a look: http://skilion.github.io/onedrive/What this string in config.d do? auto r = regex("(?:^\\s*)(\\w+)(?:\\s*=\\s*\")(.*)(?:\"\\s*$)");
Sep 25 2015
On Friday, 25 September 2015 at 07:40:18 UTC, Dmitry Olshansky wrote:Removing anonymous groups and using raw-literal: regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`) Looks simpler I guess.Good advice, thanks.Though if key="value" is expected I'd suggest to use lazy .* - `"(.*?)"` to stop on first " if any.After playing a bit with it, I realized that it doesn't work in this case (a="a"a" still match). The right solution would be "(.[^"])"
Sep 25 2015
On 25-Sep-2015 22:37, skilion wrote:On Friday, 25 September 2015 at 07:40:18 UTC, Dmitry Olshansky wrote:I hope that was ([^"]*) Yeah, .*? won't work because of '$' at the end of the pattern. Anyway to allow classical escapes in string literal I'd go for: `"(?:[^"]+|\")*"` -- Dmitry OlshanskyRemoving anonymous groups and using raw-literal: regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`) Looks simpler I guess.Good advice, thanks.Though if key="value" is expected I'd suggest to use lazy .* - `"(.*?)"` to stop on first " if any.After playing a bit with it, I realized that it doesn't work in this case (a="a"a" still match). The right solution would be "(.[^"])"
Sep 26 2015
On 26-Sep-2015 11:31, Dmitry Olshansky wrote:On 25-Sep-2015 22:37, skilion wrote:i.e. `"(?:[^"]+|\\")*"` to defeat regex escaping. -- Dmitry OlshanskyOn Friday, 25 September 2015 at 07:40:18 UTC, Dmitry Olshansky wrote:I hope that was ([^"]*) Yeah, .*? won't work because of '$' at the end of the pattern. Anyway to allow classical escapes in string literal I'd go for: `"(?:[^"]+|\")*"`Removing anonymous groups and using raw-literal: regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`) Looks simpler I guess.Good advice, thanks.Though if key="value" is expected I'd suggest to use lazy .* - `"(.*?)"` to stop on first " if any.After playing a bit with it, I realized that it doesn't work in this case (a="a"a" still match). The right solution would be "(.[^"])"
Sep 26 2015
On Saturday, 26 September 2015 at 08:31:02 UTC, Dmitry Olshansky wrote:I hope that was ([^"]*)Right. I should not post anything without testing it first.
Sep 26 2015