Re: OneDrive Client written in D

2016-05-21 Thread frieder via Digitalmars-d-announce
On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole 
wrote:

On 23/09/15 8:43 AM, skilion wrote:
I've been waiting for a good sync client for OneDrive (15 GB 
for free!)

on Linux, but Microsoft seems to have other plans...
So I've decided to write my own, using D. Take a look:

   http://skilion.github.io/onedrive/


You probably should not be exposing developer information for 
authentication.
You need to get the authentication fixed. Users should login 
via user/pass.


Once that is done, get that on Reddit! It is awesome!



... good work. I appreciate it very much.

Just one note on systemd:

systemctl --user enable onedrive
systemctl --user start onedrive

requires libpam-systemd

This is not in all Debian Jessie distributions! Otherwise you 
will get a "Failed to get D-Bus connection - Connection refused".



Regards Frieder


Re: OneDrive Client written in D

2015-09-26 Thread Dmitry Olshansky via Digitalmars-d-announce

On 26-Sep-2015 11:31, Dmitry Olshansky wrote:

On 25-Sep-2015 22:37, skilion wrote:

On Friday, 25 September 2015 at 07:40:18 UTC, Dmitry Olshansky wrote:

Removing anonymous groups and using raw-literal:

regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`)

Looks simpler I guess.


Good advice, thanks.


Though if key="value" is expected I'd suggest using a lazy .* -
`"(.*?)"` to stop on the first " if any.


After playing a bit with it, I realized that it doesn't work in this
case (a="a"a" still matches). The right solution would be "(.[^"])"


I hope that was ([^"]*)

Yeah, .*? won't work because of '$' at the end of the pattern.
Anyway, to allow classical escapes in a string literal I'd go for:

`"(?:[^"]+|\")*"`



i.e. `"(?:[^"]+|\\")*"` to defeat regex escaping.

--
Dmitry Olshansky
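
The patterns traded in this exchange, run side by side as an added example (not code from the onedrive project or from anyone in the thread). It feeds constructed config lines to the greedy `(.*)` form, the `([^"]*)` form, and an escape-aware variant of the last suggestion written as `(?:[^"\\]|\\.)*` so the two alternatives cannot overlap. The greedy form accepts a="a"a" with the inner quote swallowed into the value, the `[^"]*` form rejects it, and only the escape-aware form accepts backslash-escaped quotes.

```d
// Added example, not code from the onedrive project: compares the three
// value-capturing patterns discussed in this thread on constructed lines.
import std.regex : regex, matchFirst;
import std.stdio : writefln;
import std.typecons : tuple;

// Constructed sample config lines: two well-formed, one with a stray inner
// quote (the a="a"a" case from the thread), one with backslash-escaped quotes.
immutable string[] lines = [
    `sync_dir = "~/OneDrive"`,
    `  refresh_token="abc123"  `,
    `a="a"a"`,
    `label = "say \"hi\""`,
];

void main()
{
    auto patterns = [
        // config.d pattern with the anonymous groups dropped: greedy .*
        // plus the trailing $ lets the value swallow inner quotes.
        tuple("greedy (.*)", regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`)),
        // Dmitry's fix: the value may not contain a quote at all.
        tuple("([^\"]*)", regex(`^\s*(\w+)\s*=\s*"([^"]*)"\s*$`)),
        // Escape-aware variant of the last suggestion, written so the two
        // alternatives cannot overlap: a plain char, or a backslash + any char.
        tuple("escape-aware", regex(`^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$`)),
    ];

    foreach (line; lines)
    {
        writefln("line: %s", line);
        foreach (p; patterns)
        {
            auto m = matchFirst(line, p[1]);
            if (m.empty)
                writefln("  %-13s rejected", p[0]);
            else
                writefln("  %-13s key=%s value=%s", p[0], m[1], m[2]);
        }
    }
}
```

Build and run with `dmd -run` on the file; a line that one pattern accepts and another rejects is exactly the kind of ambiguous input a config parser should refuse rather than silently reinterpret.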


Re: OneDrive Client written in D

2015-09-26 Thread Dmitry Olshansky via Digitalmars-d-announce

On 25-Sep-2015 22:37, skilion wrote:

On Friday, 25 September 2015 at 07:40:18 UTC, Dmitry Olshansky wrote:

Removing anonymous groups and using raw-literal:

regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`)

Looks simpler I guess.


Good advice, thanks.


Though if key="value" is expected I'd suggest using a lazy .* -
`"(.*?)"` to stop on the first " if any.


After playing a bit with it, I realized that it doesn't work in this
case (a="a"a" still matches). The right solution would be "(.[^"])"


I hope that was ([^"]*)

Yeah, .*? won't work because of '$' at the end of the pattern.
Anyway, to allow classical escapes in a string literal I'd go for:

`"(?:[^"]+|\")*"`

--
Dmitry Olshansky


Re: OneDrive Client written in D

2015-09-26 Thread skilion via Digitalmars-d-announce
On Saturday, 26 September 2015 at 08:31:02 UTC, Dmitry Olshansky 
wrote:


I hope that was ([^"]*)


Right. I should not post anything without testing it first.



Re: OneDrive Client written in D

2015-09-25 Thread skilion via Digitalmars-d-announce
On Friday, 25 September 2015 at 07:40:18 UTC, Dmitry Olshansky 
wrote:

Removing anonymous groups and using raw-literal:

regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`)

Looks simpler I guess.


Good advice, thanks.

Though if key="value" is expected I'd suggest using a lazy .* - 
`"(.*?)"` to stop on the first " if any.


After playing a bit with it, I realized that it doesn't work in 
this case (a="a"a" still matches). The right solution would be 
"(.[^"])"


Re: OneDrive Client written in D

2015-09-25 Thread skilion via Digitalmars-d-announce

On Thursday, 24 September 2015 at 13:22:32 UTC, Suliman wrote:

What does this string in config.d do?
 auto r = regex("(?:^\\s*)(\\w+)(?:\\s*=\\s*\")(.*)(?:\"\\s*$)");


It matches this pattern:

key = "value"

skipping any blank characters.


Re: OneDrive Client written in D

2015-09-25 Thread Dmitry Olshansky via Digitalmars-d-announce

On 24-Sep-2015 16:22, Suliman wrote:

On Tuesday, 22 September 2015 at 20:43:32 UTC, skilion wrote:

I've been waiting for a good sync client for OneDrive (15 GB for
free!) on Linux, but Microsoft seems to have other plans...
So I've decided to write my own, using D. Take a look:

  http://skilion.github.io/onedrive/



What does this string in config.d do?
  auto r = regex("(?:^\\s*)(\\w+)(?:\\s*=\\s*\")(.*)(?:\"\\s*$)");




Removing anonymous groups and using raw-literal:

regex(`^\s*(\w+)\s*=\s*"(.*)"\s*$`)

Looks simpler I guess.

Though if key="value" is expected I'd suggest using a lazy .* - `"(.*?)"` 
to stop on the first " if any.


--
Dmitry Olshansky


Re: OneDrive Client written in D

2015-09-24 Thread Suliman via Digitalmars-d-announce

On Tuesday, 22 September 2015 at 20:43:32 UTC, skilion wrote:
I've been waiting for a good sync client for OneDrive (15 GB 
for free!) on Linux, but Microsoft seems to have other plans...

So I've decided to write my own, using D. Take a look:

  http://skilion.github.io/onedrive/



What does this string in config.d do?
 auto r = regex("(?:^\\s*)(\\w+)(?:\\s*=\\s*\")(.*)(?:\"\\s*$)");




Re: OneDrive Client written in D

2015-09-23 Thread Rory McGuire via Digitalmars-d-announce
Problem is right now anyone can make an app and pretend it's your app, and
then ...

If the user gives your keys access to their stuff so does anyone else who
has your keys, if they can get the oauth2 redirect to redirect to a
matching url at least.

On Wed, Sep 23, 2015 at 10:38 AM, skilion via Digitalmars-d-announce <
digitalmars-d-announce@puremagic.com> wrote:

> On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:
>
>> You probably should not be exposing developer information for
>> authentication.
>> You need to get the authentication fixed. Users should login via
>> user/pass.
>>
>
> I think you are referring to the fields client_id and client_secret
> in the config file.
>
> As I understand it, if a service is using OAuth2, it is exactly to allow
> its users to use third party apps without leaking the username and
> password. My app is registered as a desktop application, so it should be
> assumed that the client "secret" can't be really kept secret like in a web
> app.
>
> Knowing the client secret allows you to produce API calls under my app
> name, but you still need to get a permission from the user to access their
> data.
>
>


Re: OneDrive Client written in D

2015-09-23 Thread Rory McGuire via Digitalmars-d-announce
I think this should be on reddit either way. Perhaps someone will suggest a
way around the oauth2 limitation.
Having to generate new client secrets just to use an app that already
exists seems like a mission, so providing a default set that work and the
user can just make sure they get the original app seems more practical.
i.e. download the binary from a reputable place, i.e. your distribution's repos.

Also you are doing the same way everyone else does it; by prompting at the
command line sooo




On Wed, Sep 23, 2015 at 2:38 PM, Rory McGuire  wrote:

> Problem is right now anyone can make an app and pretend it's your app, and
> then ...
>
> If the user gives your keys access to their stuff so does anyone else who
> has your keys, if they can get the oauth2 redirect to redirect to a
> matching url at least.
>
> On Wed, Sep 23, 2015 at 10:38 AM, skilion via Digitalmars-d-announce <
> digitalmars-d-announce@puremagic.com> wrote:
>
>> On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole wrote:
>>
>>> You probably should not be exposing developer information for
>>> authentication.
>>> You need to get the authentication fixed. Users should login via
>>> user/pass.
>>>
>>
>> I think you are referring to the fields client_id and client_secret
>> in the config file.
>>
>> As I understand it, if a service is using OAuth2, it is exactly to allow
>> its users to use third party apps without leaking the username and
>> password. My app is registered as a desktop application, so it should be
>> assumed that the client "secret" can't be really kept secret like in a web
>> app.
>>
>> Knowing the client secret allows you to produce API calls under my app
>> name, but you still need to get a permission from the user to access their
>> data.
>>
>>
>


Re: OneDrive Client written in D

2015-09-23 Thread Nick Sabalausky via Digitalmars-d-announce

On 09/23/2015 08:38 AM, Rory McGuire via Digitalmars-d-announce wrote:

Problem is right now anyone can make an app and pretend it's your app, and
then ...

If the user gives your keys access to their stuff so does anyone else who
has your keys, if they can get the oauth2 redirect to redirect to a
matching url at least.



Isn't oauth/openid just kind of a big bundle of such phishing problems 
anyway?




Re: OneDrive Client written in D

2015-09-23 Thread skilion via Digitalmars-d-announce
On Wednesday, 23 September 2015 at 04:30:23 UTC, Rikki Cattermole 
wrote:
You probably should not be exposing developer information for 
authentication.
You need to get the authentication fixed. Users should login 
via user/pass.


I think you are referring to the fields client_id and 
client_secret in the config file.


As I understand it, if a service is using OAuth2, it is exactly 
to allow its users to use third party apps without leaking the 
username and password. My app is registered as a desktop 
application, so it should be assumed that the client "secret" 
can't be really kept secret like in a web app.


Knowing the client secret allows you to produce API calls under 
my app name, but you still need to get a permission from the user 
to access their data.




Re: OneDrive Client written in D

2015-09-23 Thread Rory McGuire via Digitalmars-d-announce
I can't think of a way to do phishing with oauth2, doesn't mean it can't be
done somehow :)

Basically because you have to configure the redirect when you set up the
client_secret, the server will only ever send the browser to that redirect;
a mismatch of the requested redirect will just cause an error on Google Apps,
for example.

Let's say this app has a redirect to localhost:1234/oauth set up during
credentials creation on the oauth server.
Then if you could get some malicious code to run at that host:port then you
could get the access token that the oauth server would think it is sending
to this app.

So yes letting everyone know your client_secret is dodgy, but actually
getting hacked because of it seems highly unlikely.


On Wed, Sep 23, 2015 at 4:51 PM, Nick Sabalausky via Digitalmars-d-announce
 wrote:

> On 09/23/2015 08:38 AM, Rory McGuire via Digitalmars-d-announce wrote:
>
>> Problem is right now anyone can make an app and pretend it's your app, and
>> then ...
>>
>> If the user gives your keys access to their stuff so does anyone else who
>> has your keys, if they can get the oauth2 redirect to redirect to a
>> matching url at least.
>>
>>
> Isn't oauth/openid just kind of a big bundle of such phishing problems
> anyway?
>
>


Re: OneDrive Client written in D

2015-09-23 Thread Rory McGuire via Digitalmars-d-announce
The client id is generated on oauth server when setting up credentials for
an app / webservice.

You could never trust an app checksum because you would never know if it
was fake. (Also this would only be something you could consider if you were
implementing an oauth server or you had some intermediate server)

On Thu, Sep 24, 2015 at 2:53 AM, Charles via Digitalmars-d-announce <
digitalmars-d-announce@puremagic.com> wrote:

> On Wednesday, 23 September 2015 at 13:01:54 UTC, Rory McGuire wrote:
>
>> I think this should be on reddit either way. Perhaps someone will suggest
>> a
>> way around the oauth2 limitation.
>> Having to generate new client secrets just to use an app that already
>> exists seems like a mission, so providing a default set that work and the
>> user can just make sure they get the original app seems more practical.
>> i.e. download the binary from a reputable place, i.e. your distribution's repos.
>>
>> Also you are doing the same way everyone else does it; by prompting at
>> the command line sooo
>>
>>
>
> I don't know too much about oauth2, but could we in theory add a layer of
> security by only allowing some client id that has a sort of checksum based
> on the source code of the application? I don't know how client ids are
> generated, but it's just a thought.
>
>


Re: OneDrive Client written in D

2015-09-23 Thread Charles via Digitalmars-d-announce
On Wednesday, 23 September 2015 at 13:01:54 UTC, Rory McGuire 
wrote:
I think this should be on reddit either way. Perhaps someone 
will suggest a

way around the oauth2 limitation.
Having to generate new client secrets just to use an app that 
already
exists seems like a mission, so providing a default set that 
work and the
user can just make sure they get the original app seems more 
practical.
i.e. download the binary from a reputable place, i.e. your 
distribution's repos.


Also you are doing the same way everyone else does it; by 
prompting at the command line sooo





I don't know too much about oauth2, but could we in theory add a 
layer of security by only allowing some client id that has a sort 
of checksum based on the source code of the application? I don't 
know how client ids are generated, but it's just a thought.




OneDrive Client written in D

2015-09-22 Thread skilion via Digitalmars-d-announce
I've been waiting for a good sync client for OneDrive (15 GB for 
free!) on Linux, but Microsoft seems to have other plans...

So I've decided to write my own, using D. Take a look:

  http://skilion.github.io/onedrive/


Re: OneDrive Client written in D

2015-09-22 Thread Rikki Cattermole via Digitalmars-d-announce

On 23/09/15 8:43 AM, skilion wrote:

I've been waiting for a good sync client for OneDrive (15 GB for free!)
on Linux, but Microsoft seems to have other plans...
So I've decided to write my own, using D. Take a look:

   http://skilion.github.io/onedrive/


You probably should not be exposing developer information for 
authentication.

You need to get the authentication fixed. Users should login via user/pass.

Once that is done, get that on Reddit! It is awesome!