Favorite part of the project: trying out Phoenix's built in pub sub + live view (the live view subscribes to a data/:id topic, which the api write endpoint publishes to) to get that nice instant update on write if you have the data open in the browser without polling.
It's also fun to see how fast it syncs multiple browser windows watching the same data when you edit it in one window. That's not useful, but I give it 1 "neat".
There's a few Phoenix episodes out currently, but none are using Live View yet. It would be really fun to talk about how someone is using it in production.
If you do, head over to https://runninginproduction.com/ and click the "become a guest" button on the top right to get the ball rolling.
> Note that IP addresses can be shared behind NAT devices, so limiting by IP address should be used judiciously.
That would let us serve stuff like version information and links to the latest version, without the fear that somebody is going to reverse engineer our app and replace the data with something malicious.
We, as the app author, would have the full key, so we could read and write, whereas users would have nothing but the hash.
Security only through obscurity is no security at all. The argument was generally made in the context of secret, proprietary encryption algorithms. In this context, it was frequently true - security reduced to reverse engineering.
But security isn't a thing. It is a property of a system. And many secure systems strategically employ obscurity for multiple purposes.
Reciting a mantra is a poor substitute for carefully considering your problem domain.
Where the "obscurity" aspect comes in, as an example, can be through the mechanism used to generate and validate that key.
Let's say you decide you don't want to or can't store the keys, and don't want a full pki system (public/private keys or certificates), so go with: sha256(clientid + userid + "hardcoded secret"). Your security now 100% relies on no one knowing that algorithm. If someone figures it out, you need to release a new version of your software, invalidate ALL API keys, and for that effort you still haven't done anything to prevent the same thing happening again.
A good test of this is: if someone has your source code, can they break your security mechanism? If yes, you're probably relying on security though obscurity. By contrast, if you're using asymmetric encryption to generate keys, it doesn't matter if someone knows that: if they don't have the private key, they can't do anything. (This leaves aside the issue of storing your private key or other secrets in source code, but I'd describe that as an operational failure rather than a fundamental design problem).
In fact, the reason the best security mechanisms used today are so robust is specifically because they are made public in the first place.
"write only link here"?
I really wanna keep the basic information visible and am not sure about about adding another line
but you're right it can be discovered
A handy substitute for mqtt since it doesn't allow a simple http get/post method to set and query keys - something very useful with iot stuff!
I love the idea of Hashing and read/write keys mentioned in this comment: https://news.ycombinator.com/user?id=miki123211
I also like the idea of batch requests so you can pul multiple keys at once, or set multiple keys at once. It seems better for everyone.
My only concern is that a small portion of users will undoubtedly try to abuse this with high volumes or large objects, or both.
Have you published any limits on value key size, value size, read/write limits for keys etc? It might be worth thinking about now before you have to shutdown users or shutdown the service due to cost.
The setting of multiple keys I'd have to think about, as it's already so easy to acquire multiple keys -- ie I don't think I'd be saving or making anything much faster by special handling for it. Pulling multiple keys is likewise, you're free to do it in an async all.
I love these small services, but I still don't have an idea how they can be scaled up: If you want to use them for anything serious you probably have to prevent abuse and comply to all kinds of regulations.
BTW, the front page's HTML seems to have a <head> and <body> inside another <body>.
Yeah I'm not sure why it's doing that, v annoying though
1) It's a bit easier to read for longer text sources
2) It makes writing/reading JSON/YAML/other data sources much easier
3) lists are much easier to parse
Now it could just trawl Twitter for addresses at https://textdb.dev, and throw the contents through bash, post the result back to textdb, and tweet a new link... :]
I usually star things instead of bookmarking and others probably do too.
"There currently isn't, but it is intended for small amounts of data. Today or tomorrow I'll probably put a cap at 500Kb or so, which is still a heckload of data."
So far it's doing a great job too, CPU is at 2%, 1Gb free ram of the 4Gb available, and a pretty constant 1Mbps outward, on the 20$/m digital ocean droplet. I may have jinxed it by saying this though.
It's useful if you set up bash aliases like "push" and "pull" so you can quickly move snippets of text across servers.
Your link is a message service that self destructs.
OPs link is a storage service