

Show HN: CMS Server written in Go (alpha) - wilsonfiifi
http://www.bytengine.com

======
mappu
> _Password must be composed of only alpha-numeric characters._

Okay, why?

This caught my eye so I had a look through auth.go. Passwords are salted
sha1... okay, but why not bcrypt? No PBKDF2? No field for hash format
versioning if you want to backwards-compatibly upgrade to bcrypt in future?
Guess you could always go by the salt length or something.

It looks like your code to hash the password and salt is copy-pasted and
appears twice, don't do that.

Your salts are 16 random bytes, okay.. but why base64 encode the salt before
hashing? Now some structure of the content is known that might expose a
weakness.
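The points raised above (a version tag on the stored hash, a real KDF instead of bare salted SHA-1, raw salt bytes fed to the hash rather than their base64 form, and no reason to forbid symbols in passwords) can be shown together in one small Go module. This is an added example, not Bytengine's auth.go and not from the thread; the record format `tag$iterations$salt$hash`, the function names and the iteration count are this example's own choices, and PBKDF2 is written out over `crypto/hmac` so that only the standard library is needed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SchemeTag is the "hash format version" field of a stored record. A record
// whose first field is something else (e.g. a future "bcrypt") can be routed
// to its own verifier, and old records re-hashed after a successful login.
const (
	SchemeTag  = "pbkdf2-sha256"
	Iterations = 100000 // picked for this example; tune to the server hardware
	saltLen    = 16
	keyLen     = 32
)

// pbkdf2SHA256 is plain RFC 8018 PBKDF2 over HMAC-SHA256.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	idx := make([]byte, 4)
	for i := 1; i <= blocks; i++ {
		prf.Reset()
		prf.Write(salt) // raw salt bytes; base64 is only a storage encoding
		binary.BigEndian.PutUint32(idx, uint32(i))
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// EncodeRecord builds the stored string: tag$iterations$salt$hash.
func EncodeRecord(password string, salt []byte, iterations int) string {
	dk := pbkdf2SHA256([]byte(password), salt, iterations, keyLen)
	enc := base64.RawStdEncoding
	return strings.Join([]string{SchemeTag, strconv.Itoa(iterations),
		enc.EncodeToString(salt), enc.EncodeToString(dk)}, "$")
}

// HashPassword accepts any string: the KDF consumes arbitrary bytes, so an
// alphanumeric-only rule buys nothing.
func HashPassword(password string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	return EncodeRecord(password, salt, Iterations), nil
}

// VerifyPassword parses the record, dispatches on the scheme tag and compares
// the derived key in constant time.
func VerifyPassword(password, record string) (bool, error) {
	parts := strings.Split(record, "$")
	if len(parts) != 4 {
		return false, errors.New("malformed password record")
	}
	if parts[0] != SchemeTag { // a bcrypt/argon2 branch would be added here
		return false, fmt.Errorf("unknown password scheme %q", parts[0])
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false, errors.New("bad iteration count")
	}
	enc := base64.RawStdEncoding
	salt, err := enc.DecodeString(parts[2])
	if err != nil {
		return false, err
	}
	want, err := enc.DecodeString(parts[3])
	if err != nil {
		return false, err
	}
	got := pbkdf2SHA256([]byte(password), salt, iterations, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1, nil
}

// NeedsRehash is the upgrade hook: true for an older scheme or weaker
// parameters than the current ones.
func NeedsRehash(record string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != SchemeTag {
		return true
	}
	iterations, err := strconv.Atoi(parts[1])
	return err != nil || iterations < Iterations
}
```

On login, call `VerifyPassword` and, if it succeeds and `NeedsRehash` is true, store `HashPassword(password)` in place of the old record; that is how a salted-SHA-1 deployment migrates without a flag day.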

~~~
wilsonfiifi
:-) put me on the spot! thanks for going through the code though.

security layer definitely needs more work. my choices were mostly limited by
my haste to get a working prototype and not very well thought through.

~~~
mappu
No problem, thanks for sharing your project with everyone! Just people
definitely like to use symbols in passwords.

Your fundamentals are fine, I don't think those are very serious problems
compared to the average custom web app in the wild (most of which probably use
plaintext passwords with no concern for sqli or xss...)

~~~
ryalfalpha
Haven't done much golang and don't have it installed on this laptop, but are
string comparisons constant time?

If not, I think there is potential for a timing attack here?

if usr == _admin_usr && pw == _admin_pw { return RootMode, nil }

~~~
omra
Go does not have constant time string comparisons by default. The
crypto/subtle package supplies constant time comparisons.
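The credential line quoted above, rewritten with `crypto/subtle` as an added example (not Bytengine's code). The hard-coded `adminUser`/`adminPass` values are constructed for the example only, to mirror the quoted line; in a real server the secret would be a stored hash. Two details beyond `ConstantTimeCompare` itself are worth seeing: hashing both operands first so that a length mismatch is not observable, and combining the two results with `&` rather than `&&` so that the password check always runs even when the username is wrong.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
)

// Constructed example credentials; stand-ins for the quoted _admin_usr/_admin_pw.
const (
	adminUser = "admin"
	adminPass = "correct horse battery staple"
)

// InsecureRootCheck mirrors the quoted pattern: string == stops at the first
// differing byte (and returns at once on a length mismatch), and && skips the
// password comparison entirely when the username is wrong.
func InsecureRootCheck(usr, pw string) bool {
	return usr == adminUser && pw == adminPass
}

// ctEqual returns 1 when a == b, 0 otherwise, in time independent of where
// (or whether) the strings differ. Hashing first fixes both inputs to 32
// bytes, so differing lengths are not reported early either.
func ctEqual(a, b string) int {
	ha := sha256.Sum256([]byte(a))
	hb := sha256.Sum256([]byte(b))
	return subtle.ConstantTimeCompare(ha[:], hb[:])
}

// ConstantTimeRootCheck evaluates both comparisons every time; the single &
// on the two int results has no short-circuit.
func ConstantTimeRootCheck(usr, pw string) bool {
	return ctEqual(usr, adminUser)&ctEqual(pw, adminPass) == 1
}
```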

------
reedlaw
I'm having trouble understanding the motivation or use case. The documentation
gives examples of logging in, creating filesystem-like structures, and
uploading files. How is this an improvement upon a regular filesystem and
scp/sftp? I do like the web console though.

~~~
dualogy
Well, from the docs:

--

_Therefore, instead of dealing with key-values, objects ids and primary keys,
you can access your data using file paths just as you would with a regular
file system. Bytengine’s file system is modelled on the linux file system
where you have a root directory ‘/’ and file paths separated by a forward
slash ‘/’. Bytengine stores your content in Files that can further be
organised in Directories._

--

So there you have it! _Wait..._

------
shadowmint
mongodb + redis instead of sql? ...because?

~~~
wilsonfiifi
IMO Mongodb makes it easier to add and query file metadata and Redis is really
just for session info.

~~~
dualogy
Don't get it. You already have a Mongo, why also use Redis just for that? I
mean your Mongo is in-memory too. Or do you anticipate a larger-than-RAM
dataset for the MongoDB?

~~~
wilsonfiifi
expiring keys makes session timeout easier. also array access in mongodb isn't
as versatile as with redis.

~~~
hendzen
FYI: <http://docs.mongodb.org/manual/tutorial/expire-data/>

~~~
wilsonfiifi
Thanks for the link. I'm of the view though that redis offers better and more
convenient implementation.

cheers

------
xSwag
Weird headers

The main page is active in the browser but the header says 404 Not Found,
maybe it's a bug?

    ~$ curl -IL http://www.bytengine.com/
    HTTP/1.1 404 Not Found
    Server: nginx/1.1.19

    ~$ curl -IL http://www.bytengine.com/should_404
    HTTP/1.1 404 Not Found
    Server: nginx/1.1.19
~~~
wilsonfiifi
must probably be an issue with my nginx config and the proxying. will have a
look at it. thanks

~~~
xSwag
Yeah, just thought I'd point it out because it will cause issues with spiders.

~~~
wilsonfiifi
actually nginx config is fine. I wasn't properly using
"github.com/gorilla/mux". Sorting it out now. cheers
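The thread does not show the routing code, so the following is an added example rather than Bytengine's fix: it uses the standard-library `net/http` mux instead of gorilla/mux (an assumption), shows the one routing mistake that produces exactly the symptom xSwag reported with a `"/"` catch-all route (a page that renders but carries a 404 status, or the reverse), and includes an in-process HEAD probe that plays the role of `curl -I` so the status codes can be checked in a test rather than by eye.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// NewHandler builds the site's router. With net/http's ServeMux a pattern of
// "/" is a prefix match and receives every path nothing else claims, so the
// home handler must reject anything that is not exactly "/" with a real 404;
// otherwise unknown URLs get the home page with a 200, or the home page
// handler reports 404 for content it actually serves.
func NewHandler() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/" {
			http.NotFound(w, r) // 404 status plus a "404 page not found" body
			return
		}
		// Writing the body without calling WriteHeader implies 200.
		fmt.Fprint(w, "<h1>home</h1>")
	})
	mux.HandleFunc("/docs", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<h1>docs</h1>")
	})
	return mux
}

// StatusFor issues a HEAD request to the handler in-process, which is the
// same view of the server that `curl -I` gives, and returns the status code.
func StatusFor(h http.Handler, path string) int {
	req := httptest.NewRequest(http.MethodHead, path, nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewHandler()
	for _, p := range []string{"/", "/docs", "/should_404"} {
		fmt.Println(p, StatusFor(h, p))
	}
}
```

The same probe is a cheap regression test for any reverse-proxied deployment: run it against the Go handler directly, then `curl -I` through nginx, and the two must agree before the cause can be pinned on the proxy config.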

------
wilsonfiifi
Still needs quite a bit more documentation, code comments, architecture
revisions etc... your suggestions/comments/feedback are most welcome.

cheers

------
garysweaver
neat. is this a bug?

server.newuser

line[1]: expected string in New User; got EOF

~~~
wilsonfiifi
Hi! please run: 'help server.newuser' to check the syntax.

cheers

------
the1
what's wrong with webdav?

~~~
klibertp
I think that all that's wrong with alternatives to this kind of projects is
that they are not written by the author. It's ok actually, many people and
many great technologies started as pet projects; it just means that asking
questions like this makes no sense :)

------
tuananh
I read the domain as 'By tengine'. Does it have anything to do with tengine web
server?

~~~
ConceitedCode
I read it as ByteEngine at first glance. Maybe it shares an E?

~~~
wilsonfiifi
yes the e from byte & engine are fused :-)

