Philip McGrath writes: > My understanding is that continuation URIs are not intended to be > secret/protected by default, just as a URI like > https://example.com/comment/confirm?post-id=12345&body=My+great+comment > doesn't include any security measures. The main way to add security to the > URIs, as I understand it, it through the "stuffer" interface. Using > `HMAC-SHA1-stuffer` ( > http://docs.racket-lang.org/web-server/stateless.html#%28def._%28%28lib._web-server%2Fstuffers%2Fhmac-sha1..rkt%29._.H.M.A.C-.S.H.A1-stuffer%29%29) > signs the continuation URI to prevent tampering with the contents of the > represented continuation, and functions like `hash-stuffer` could be used > to create a stuffer that prevents end-users from inspecting the contents, > though I haven't needed to do this.
Ah! OK, I hadn't seen this. This seems like a good solution. > I haven't tried to use "stuffers" to enforce authentication or > authorization requirements, though it might be a good idea. When I've > needed authentication, I've taken inspiration from the > web-server/dispatchers/dispatch-passwords module ( > http://docs.racket-lang.org/web-server-internal/dispatch-passwords.html), > which implements HTTP basic authentication with a function that wraps a > dispatcher. Because the UX for basic auth is not great for end-users, I've > made somewhat analogous dispatcher-wrappers based on the > web-server/http/id-cookie library ( > http://docs.racket-lang.org/web-server/http.html#%28part._id-cookie%29). > > I am very eager to hear other people's approaches, though, or flaws in what > I've been doing! I've used #lang web-server in several projects, most > extensively Digital Ricoeur (https://digitalricoeur.org/), and I've found > it an absolute delight to work with, especially coming from a CGI > background and having spent way too much time doing what I now realize was > manually serializing continuations. Really the only drawback is that the > community is small, which at times makes it hard to get a sense of best > practices. Most of my #lang web-server code isn't public yet, but I'd love > to factor out reusable parts and try to lower the barriers to entry for > others. > > -Philip Cool. Thanks for your feedback. I'm happy to hear you had such a good experience. Racket's web server tools do seem indeed quite cool. It looks like the flexibility of the manager/stuffer systems are probably good enough that I can achieve what I want while keeping it secure enough (well, within the range of what's possible given the leakiness of security on the modern web). -- You received this message because you are subscribed to the Google Groups "Racket Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to racket-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.
