Show HN: CMS Server written in Go (alpha) (bytengine.com)
61 points by wilsonfiifi on June 1, 2013 | hide | past | favorite | 33 comments



> Password must be composed of only alpha-numeric characters.

Okay, why?

This caught my eye so I had a look through auth.go. Passwords are salted sha1... okay, but why not bcrypt? No PBKDF2? No field for hash format versioning if you want to backwards-compatible upgrade to bcrypt in future? Guess you could always go by the salt length or something.

It looks like your code to hash the password and salt is copy-pasted and appears twice, don't do that.

Your salts are 16 random bytes, okay.. but why base64 encode the salt before hashing? Now some structure of the content is known that might expose a weakness.


:-) put me on the spot! thanks for going through the code though.

security layer definitely needs more work. my choices were mostly limited by my haste to get a working prototype and not very well thought through.


No problem, thanks for sharing your project with everyone! Just people definitely like to use symbols in passwords.

Your fundamentals are fine, I don't think those are very serious problems compared to the average custom web app in the wild (most of which probably use plaintext passwords with no concern for sqli or xss...)


Haven't done much golang and don't have it installed on this laptop, but are string comparisons constant time?

If not, I think there is potential for a timing attack here?

if usr == _admin_usr && pw == _admin_pw { return RootMode, nil }


Go does not have constant time string comparisons by default. The crypto/subtle package supplies constant time comparisons.


Thanks for pointing that out. Will look into it


I'm having trouble understanding the motivation or use case. The documentation gives examples of logging in, creating filesystem-like structures, and uploading files. How is this an improvement upon a regular filesystem and scp/sftp? I do like the web console though.


Well, from the docs:

--

Therefore, instead of dealing with key-values, objects ids and primary keys, you can access your data using file paths just as you would with a regular file system. Bytengine’s file system is modelled on the linux file system where you have a root directory ‘/’ and file paths separated by a forward slash ‘/’. Bytengine stores your content in Files that can further be organised in Directories.

--

So there you have it! Wait...


Apart from being able to access your content as you would a regular file system, you can also query and modify your content metadata.

So you could upload pictures, tag them in JSON and later run live queries based on the tags from your client app (to sort them based on location for example).

I'll be adding more/better docs in the coming days.

cheers


> How is this an improvement upon a regular filesystem and scp/sftp

scp/sftp is great, but if you've ever had to deal with large numbers of users trying to properly manage ssh key pairs you will know it's not an approach that will work at scale.


mongodb + redis instead of sql? ...because?


... because it is what the cool kids use instead of what the boring enterprise guys are using.


... because it's web scale.


because I don't care for errors on `random(x)/2` occasions.


IMO Mongodb makes it easier to add and query file metadata and Redis is really just for session info.


Don't get it. You already have a Mongo, why also use Redis just for that? I mean your Mongo is in-memory too. Or do you anticipate a larger-than-RAM dataset for the MongoDB?


expiring keys makes session timeout easier. also array access in mongodb isn't as versatile as with redis.



Thanks for the link. I'm of the view though that redis offers better and more convenient implementation.

cheers


Interesting, thanks!


Weird headers

The main page is active in the browser but the header says 404 Not Found, maybe it's a bug?

  ~$ curl -IL http://www.bytengine.com/
  HTTP/1.1 404 Not Found
  Server: nginx/1.1.19

  ~$ curl -IL http://www.bytengine.com/should_404
  HTTP/1.1 404 Not Found
  Server: nginx/1.1.19


must probably be an issue with my nginx config and the proxying. will have a look at it. thanks


Yeah, just thought I'd point it out because it will cause issues with spiders.


actually nginx config is fine. I wasn't properly using "github.com/gorilla/mux". Sorting it out now. cheers
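An in-process version of the `curl -I` check above, with one routing mistake that produces the same symptom (page body served, status 404 on every path) next to a handler that gets the status right. This is an added example and not Bytengine's code; the thread does not say which gorilla/mux misuse was involved, so the broken handler here (a fallback that renders the index page after sending 404) is an assumed cause, the page body is a constructed stand-in, and the function names brokenMux, fixedMux and statusFor are this example's own. It uses only net/http and httptest.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// indexHTML is a constructed stand-in for the real landing page.
const indexHTML = "<html><body><h1>Bytengine</h1></body></html>"

// brokenMux reproduces the symptom: a single catch-all handler that sends a
// 404 status and then writes the index page, so browsers render the page while
// curl, spiders and monitoring see "404 Not Found" for "/" and everything else.
func brokenMux() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.WriteHeader(http.StatusNotFound) // status line is already on the wire before the body
		w.Write([]byte(indexHTML))
	})
}

// fixedMux serves the index with 200 only on an exact match for "/" and
// returns a genuine 404 (no page body) for every other path.
func fixedMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" { // "/" is a prefix match in net/http; enforce exact match here
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.Write([]byte(indexHTML))
	})
	return mux
}

// statusFor is the equivalent of `curl -I <path>` against a handler: it issues
// a HEAD request through httptest and returns the status code that was sent.
func statusFor(h http.Handler, path string) int {
	req := httptest.NewRequest(http.MethodHead, path, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	for _, path := range []string{"/", "/should_404"} {
		fmt.Printf("broken %-12s -> %d\n", path, statusFor(brokenMux(), path))
		fmt.Printf("fixed  %-12s -> %d\n", path, statusFor(fixedMux(), path))
	}
}
```

The same statusFor call works against any third-party router that implements http.Handler, so a check like this can sit in the project's test suite and catch a regression in the status line before a crawler does.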


Still needs quite a bit more documentation, code comments, architecture revisions etc... your suggestions/comments/feedback are most welcome.

cheers


what's wrong with webdav?


I think that all that's wrong with alternatives to this kind of projects is that they are not written by the author. It's ok actually, many people and many great technologies started as pet projects; it just means that asking questions like this makes no sense :)


can you elaborate further


I read the domain as 'By tengine'. Does it have anything to do with tengine web server?


I read it as ByteEngine at first glance. Maybe it shares an E?


yes the e from byte & engine are fused :-)


neat. is this a bug?

server.newuser

line[1]: expected string in New User; got EOF


Hi! please run: 'help server.newuser' to check the syntax.

cheers



