First step towards implementing #JWT in #swad done, just committed a good 1000 LOC and now my #poser lib can do #JSON 😎
https://github.com/Zirias/poser/commit/7f1772e85c869d544f8a12099ed6545e163dc163
@Tutanota
Up to down, left to right:
#DeepL; #VivaldiWebmail #Calendar; #Brave_Search/ #DuckDuckGo_Search; #ProtonPass; #Session; #VivaldiBrowser; #OnlyOffice; #Aurora_Store/ #FDroid; #e_OS (not yet); #Ente_Photo; #Logseq; #Heliboard; #ProtonMail/ #VivaldiWebmail/ #TutaMail; #MiroTalk_SFU; #Ente_Auth; #ProtonDrive/ #filen_io; #LibreTube; #OsmAnd
I now decided I'll at least aim for some middle ground: Rework #swad so it only needs a (server-side) #session once a user is #authenticated!
This does have some implications, e.g. passing a redirect argument to the authentication endpoint won't work any more. But experimentation shows a workaround would be to use an "internal redirect" to the login endpoint in #nginx.
We'll see where I end up. Having sessions only for authenticated users should reduce the need for server-side RAM significantly, so I hope 😉
More #poser improvements:
* Use arc4random() if available, avoids excessive syscalls just to get high-quality random data
* Add a "resolver" to do #reverse #DNS lookups in a batch, remove the reverse lookup stuff from the connection which was often useless anyways, when a short-lived connection was deleted before resolving could finish 🙈
As a result, #swad can now reliably log requests with reverse lookups enabled 🥳
About the #random thingie ... I need random data in #swad to generate unpredictable #session IDs.
I previously had an implementation trying the #Linux-originating #getrandom if available, with a fallback to a stupid internal #xorshift #PRNG, which could be disabled because it's obviously NOT cryptographically secure, and WAS disabled for the generation of session IDs.
Then I learned #arc4random is available on many systems nowadays (#FreeBSD, #NetBSD, even Linux with a recent-enough glibc), so I decided to add a compile check for it and replace the whole mess with nothing but an arc4random call IF it is available.
arc4random originates from #OpenBSD and provides the only sane way to get cryptographically secure random data. It automatically and transparently (re-)seeds from OS entropy sources, but uses an internal CSPRNG most of the time (nowadays typically #ChaCha20, so it's a misnomer, but hey ...). It never fails, it never blocks. It just works. Awesome.
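The selection logic described in the posts above, as an added C example (not code from swad or poser): session IDs come from arc4random when a compile check found it, otherwise from getrandom, and generation fails rather than falling back to a non-cryptographic PRNG. The names `HAVE_ARC4RANDOM`, `secure_random` and `session_id_new` and the 32-byte ID length are assumptions made for this example.

```c
#include <errno.h>
#include <stdlib.h>

/* HAVE_ARC4RANDOM is a hypothetical macro a build-time compile check would
 * set (e.g. on Linux with a recent-enough glibc); BSDs and macOS have it. */
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(__APPLE__)
#  define HAVE_ARC4RANDOM 1
#endif
#ifndef HAVE_ARC4RANDOM
#  include <sys/random.h>   /* getrandom(), used when arc4random is absent */
#endif

#define SESSION_ID_BYTES 32  /* assumed length: 256 bits of randomness */
#define SESSION_ID_CHARS (2 * SESSION_ID_BYTES)

static int secure_random(unsigned char *buf, size_t len)
{
#ifdef HAVE_ARC4RANDOM
    arc4random_buf(buf, len);            /* cannot fail, never blocks */
    return 0;
#else
    while (len > 0) {
        ssize_t n = getrandom(buf, len, 0);
        if (n < 0 && errno == EINTR) continue;   /* interrupted: retry */
        if (n < 0) return -1;            /* no PRNG fallback: fail closed */
        buf += n;
        len -= (size_t)n;
    }
    return 0;
#endif
}

/* Writes SESSION_ID_CHARS hex digits plus NUL; returns 0, or -1 on error. */
int session_id_new(char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[SESSION_ID_BYTES];
    if (outsz < SESSION_ID_CHARS + 1 || secure_random(raw, sizeof raw) != 0)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i] = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[SESSION_ID_CHARS] = '\0';
    return 0;
}
```

A caller that gets -1 should refuse to create the session instead of substituting a weaker source of randomness.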