It’s been a while since I wrote anything here, and probably longer since I actually made any real progress on Nuubz. As was the case in 2017, life has been kind of hectic thanks to my day job. (Example, I spent roughly 2 months out of town for work out of the last 3.5 months of the year.) Well, over the last 10 days or so, I’ve made some pretty good progress.
First and foremost, I got back to work on the OAuth2 system, and I’ve managed to actually receive usable account data from both Google and Facebook with it. I have received some limited user account data from Twitch, which may just be an issue of expectations, but I’m also reconsidering Twitter support. (Up until now, I’ve thought that the lack of email or real user information in their responses made supporting Twitter pointless, but as long as an account ID is supplied, I guess it’s enough to identify a particular Twitter account.) I have updated the publicly available open source versions of these OAuth classes I implemented over at GitHub.
What I’m working on at this precise moment is encryption support. Up until now, I’ve been using mcrypt to encrypt email addresses and other important tidbits, but as of PHP 7.2, that’s deprecated. Yes, you can fight to get it installed as a PECL extension, but if you’re using the IUS version of PHP, that is exceptionally difficult to do since they don’t include a PECL binary. (I’ve done it on this server, but I can’t remember precisely how I accomplished it to tell anyone else or repeat it for my own development server.) So, I’m switching over to use Sodium, the [current] new wave of the future. In general, there are fewer commands to use to accomplish good encryption, however, it’s also more tedious because if you actually want to decrypt something you encrypted with it, you not only have to have the key, but you also have to have the nonce that was used. Which means you need to store both somewhere. There’s a trade off between security and practicality that has to be made as a result. A site I read while implementing this literally said “never use the same key and nonce twice” but how can you encrypt important data on a website without using them twice or more? That I haven’t figured out yet.
Once I get the new encryption working, I can officially implement the OAuth2 registration and login paths; I am hesitant to store the OAuth2 provider’s access key, client ID, and client secret in the database unencrypted. While I could do that on disk in the configuration file, I’m trying to minimize the important data that’s present there for fear of misconfigured web servers or clever exploits of the code I’m writing. I’m trying to be as mindful as possible of potential exploits as I write Nuubz, but there’s always something that you overlook as a programmer, and always potential and actual bugs in the software that yours depends on. Of course, once an attacker has access to the database, it’s all over. That could come from SQL injection (hopefully a path eliminated by proper use of PHP’s PDO database abstraction which I’ve used for years), some sort of cross site exploit that might elevate privileges, or a shell script of some sort that gives them access to the files on the server as if the user running the server. (Usually “apache”, “httpd”, or “www”.) Nonetheless, security is on my mind as I code.
Finally, for this update at least, I’m looking for some comic strips to post as a demo once I get that far. I really wanted to steal… ahem, borrow some strips from comics I read (Grrl Power Comic, Least I Could Do, LFG, TMI Comic, Megatokyo) to for the demo, but I think it’s better if I get some creator/writer/artist to volunteer some of their work or at least give me permission to go through their stuff. It doesn’t even have to be a real comic or part of a regular series, I just need something to showcase for Nuubz. Eventually. I’m hoping this will be the year that I have something usable to demonstrate, and not just a bunch of code tests. If you’d like to help out, drop me a line with the form below.
Beyond that, happy New Year!