H3lp

Ethan · December 07, 2016, 16:37

Quote from: TheFoxman on December 07, 2016, 10:44
If viky can make a signature that shows 17/17 will be great

for people who actually have 17/17, sure, itd be great.... but since you dont, why ask for it?

TheFoxman · December 07, 2016, 21:36

Quote from: Ethan on December 07, 2016, 16:37
Quote from: TheFoxman on December 07, 2016, 10:44
If viky can make a signature that shows 17/17 will be great
for people who actually have 17/17, sure, itd be great.... but since you dont, why ask for it?

Well u dont have 17 or 57 but it shows that u have 57 so i want only 17

Deff · December 08, 2016, 22:45

Thanks for the explanation Joshy

Fixed that way.

TheFoxman · December 08, 2016, 22:52

Quote from: Deff on December 08, 2016, 22:45
Thanks for the explanation Joshy
Fixed that way.

Not surprised

Ethan · December 09, 2016, 01:29

yeah, for some odd reason my profile picture I chose changed to some random thing.. I had to change it... maybe becasue of Viky updated it?

Deff · December 09, 2016, 06:23

Quote from: Ethan on December 09, 2016, 01:29
yeah, for some odd reason my profile picture I chose changed to some random thing.. I had to change it... maybe becasue of Viky updated it?

Oh its public, anyone can make signature for anyone. But I have disabled it now. Those who have already made, it will work for them, no one can make/edit signatures now, this can't be authenticated as of now, hence disabled.

Joshy · December 09, 2016, 19:36

Quote from: Deff on December 09, 2016, 06:23
Quote from: Ethan on December 09, 2016, 01:29
yeah, for some odd reason my profile picture I chose changed to some random thing.. I had to change it... maybe becasue of Viky updated it?

Oh its public, anyone can make signature for anyone. But I have disabled it now. Those who have already made, it will work for them, no one can make/edit signatures now, this can't be authenticated as of now, hence disabled.

That's quite unfortunate, it was good to see the API being used by someone other than Mick (CT Android app).

You should suggest API authentication (OAuth2 or something), Django REST framework probably has it built in.

As a short term workaround you could send people unique URLs that only work for their profile via PM, that way in order to make a signature they'll have to PM you and then you make them a URL / token for their account. Idk if it's worth the effort though.

edit: here's how I would do this in PHP (it's been a while since I wrote any PHP, C# ftw) (~~also this is totally untested~~) (it's probably not bulletproof and/or cryptographically secure but who cares lol ¯\_(ツ)_/¯):

const SECRET_KEY = "some secret constant string here";

function generate_token($username) {
   return hash_hmac("sha256", $username, SECRET_KEY);
}

// function which is able to verify a MAC for a given username
function verify_token($username, $token) {
    // basically you re-create the MAC for a given username and then verify it against the passed in MAC
    return hash_equals(generate_mac($username), $token); // interesting fact: hash_equals isn't susceptible to timing attacks, however "==" is
}

// to verify a URL
$username = isset($_GET["username"]) ? $_GET["username"] : NULL;
$token = isset($_GET["token"]) ? $_GET["token"] : NULL;

if (empty($username) || empty($token)) {
    echo "kek nice try...";
    return;
}

$isActuallyTheUser = verify_token($username, $token);

if ($isActuallyTheUser) {
    // Do signature stuff
} else {
    // Firewall the user's IP address into oblivion
}

////////////////

// for giving out URLs (put this behind a password or something)
const BASE_URI = "http://cvt.is-great.net/signature/";
// URL generation
function generate_url_with_token($username) {
    $token = generate_token($username);
    return BASE_URI . "?" . http_build_query(array("username" => $username, "token" => $token));
}

$username = isset($_GET["username"]) ? $_GET["username"] : NULL;
if (empty($username)) {
    echo "Good joke viky... srsly";
    return;
}
echo generate_url_with_token($username);

The result I got with that "secret" key and my username is http://cvt.is-great.net/signature/?username=Joshy&token=44939cf6f335a44a6a7acdc09566691d7c5f7bec3c1b321f13dc6f9e64d80ea2

You can use the code at https://repl.it/EmJm/3 to test your environment to make sure it works properly (some web hosting disable hash_hmac for "security" - klol).

Deff · December 10, 2016, 18:47

Thanks alot joshy! Did it that way.
Now everyone will have a unique URL for editing/making the signature. To get this, they will need to PM me on forum.

TheFoxman · December 11, 2016, 11:56

Quote from: Joshy on December 09, 2016, 19:36
Quote from: Deff on December 09, 2016, 06:23
Quote from: Ethan on December 09, 2016, 01:29
yeah, for some odd reason my profile picture I chose changed to some random thing.. I had to change it... maybe becasue of Viky updated it?

Oh its public, anyone can make signature for anyone. But I have disabled it now. Those who have already made, it will work for them, no one can make/edit signatures now, this can't be authenticated as of now, hence disabled.
That's quite unfortunate, it was good to see the API being used by someone other than Mick (CT Android app).

You should suggest API authentication (OAuth2 or something), Django REST framework probably has it built in.

As a short term workaround you could send people unique URLs that only work for their profile via PM, that way in order to make a signature they'll have to PM you and then you make them a URL / token for their account. Idk if it's worth the effort though.

edit: here's how I would do this in PHP (it's been a while since I wrote any PHP, C# ftw) (~~also this is totally untested~~) (it's probably not bulletproof and/or cryptographically secure but who cares lol ¯\_(ツ)_/¯):

const SECRET_KEY = "some secret constant string here";

function generate_token($username) {
   return hash_hmac("sha256", $username, SECRET_KEY);
}

// function which is able to verify a MAC for a given username
function verify_token($username, $token) {
    // basically you re-create the MAC for a given username and then verify it against the passed in MAC
    return hash_equals(generate_mac($username), $token); // interesting fact: hash_equals isn't susceptible to timing attacks, however "==" is
}

// to verify a URL
$username = isset($_GET["username"]) ? $_GET["username"] : NULL;
$token = isset($_GET["token"]) ? $_GET["token"] : NULL;

if (empty($username) || empty($token)) {
    echo "kek nice try...";
    return;
}

$isActuallyTheUser = verify_token($username, $token);

if ($isActuallyTheUser) {
    // Do signature stuff
} else {
    // Firewall the user's IP address into oblivion
}

////////////////

// for giving out URLs (put this behind a password or something)
const BASE_URI = "http://cvt.is-great.net/signature/";
// URL generation
function generate_url_with_token($username) {
    $token = generate_token($username);
    return BASE_URI . "?" . http_build_query(array("username" => $username, "token" => $token));
}

$username = isset($_GET["username"]) ? $_GET["username"] : NULL;
if (empty($username)) {
    echo "Good joke viky... srsly";
    return;
}
echo generate_url_with_token($username);

The result I got with that "secret" key and my username is http://cvt.is-great.net/signature/?username=Joshy&token=44939cf6f335a44a6a7acdc09566691d7c5f7bec3c1b321f13dc6f9e64d80ea2

You can use the code at https://repl.it/EmJm/3 to test your environment to make sure it works properly (some web hosting disable hash_hmac for "security" - klol).

Still dont know who created the coding that doesnt make sence at all

Convoy Trucking

News:

H3lp

Ethan

TheFoxman

Deff

TheFoxman

Ethan

Deff

Joshy

Deff

TheFoxman