pe1uca
@pe1uca@lemmy.pe1uca.dev
- Comment on Are there any good self hosted software that can create subtitles for videos? 1 year ago:
Here’s one I’ve been playing with github.com/jhj0517/Whisper-WebUI
The small model of fast Whisper has been amazing for the 3 options it gives (files, YT, or recording), though I have the limitations in mind and I’ve only used it with somewhat clear audio.
- Comment on I am considering installing TikTok. Any suggestion on how to make it less privacy-invasive? 1 year ago:
I saw this project github.com/pablouser1/ProxiTok
Haven’t been able to self-host it (not sure what I’m doing wrong yet), but the public instances are working fine.
- Comment on [deleted] 1 year ago:
Probably the federation is still trying to access matrix.example.com instead of just example.com to get the .well-known configuration.
I’m not sure how to make this work in general; you need a way for the federated instances to ask your instance for the configuration on the host you want.
- Comment on How to store user's access tokens/API keys without hashing them? 1 year ago:
Thanks for all the information and advice!
So in theory basic auth is enough when sent through HTTPS, right?
If this is the case then the user would need to handle their password and my API can keep storing just the hash.
In another comment JWT was suggested, maybe this could also be a solution?
I’m thinking the user can worry about generating and signing the token and we could only be storing the public key, which requires less strictness when handling it; this way we can validate the token has been signed by who we expect and the user will worry about the private key.
- Comment on How to store user's access tokens/API keys without hashing them? 1 year ago:
Oh, I’ve only used JWTs with OIDC so I didn’t think about using them directly.
It could be a good solution since the user can generate them on their own and we can validate them with the correct information (secret or public key).
About the issue of long-lived or non-expiring JWTs, maybe a custom restriction where valid tokens with lifespans of more than X amount of minutes are rejected?
Yeah, the token could be a valid one but we could say the payload is invalid for our API.
- Comment on How to store user's access tokens/API keys without hashing them? 1 year ago:
Completely agree with you, I made that comment, but most people agreed with the client '-.-
- Comment on How to store user's access tokens/API keys without hashing them? 1 year ago:
I agree, the token has a lifespan of some hours so it could be generated after that amount of time, which for a ~400ms call is not that much, but I was overruled .-.
The only thing I control is the API, the client’s implementation is outside of my control (although I know it is a backend service).
- Comment on How to store user's access tokens/API keys without hashing them? 1 year ago:
Someone wants me to implement a way to access a resource without having to make the extra HTTP calls required by OAuth, WSSE is a possibility since I saw it had some standards to send the credentials in a secure way.
I have been reading about WSSE for less than a week '^-^
Yeah, the idea would be that the tokens used to generate the digest WSSE requires will live in our secure environment, and that’s the question: how is a secure environment created to store the tokens/API keys of users which will be used to authenticate them to my API?
I haven’t implemented this kind of stuff so I don’t know what the best practices are to store this kind of sensitive data.
So, I’d need to research password vaults to store my users’ secrets so I can use them to authenticate them?
I went into WSSE since sending a client id + secret seems like just a rewording of basic authentication and well, sending the credentials in plain text seems more insecure than sending a hash.
- Comment on How to store user's access tokens/API keys without hashing them? 1 year ago:
Well, an “extra HTTP call” is any call besides the one required for the client to access my API, in this case it is an extra call to generate an access token.
Why does it matter? In the words of the client: “making a call to generate a token is slow”
- Comment on How to store user's access tokens/API keys without hashing them? 1 year ago:
Based on the title you’re right, I asked about how to do X when probably I need to do Y, but the first and last paragraphs mention what my requirement is: a form of authentication which doesn’t require making an extra HTTP call to generate a token.
And what I mean by this is OAuth specifies the client needs to request an access token and an optional refresh token from the authorization server; afterwards the access token can be sent to the resource server (in this case my API), and if the token expires the client can make another request to the authorization server with the refresh token.
Each call to the authorization server is that “extra HTTP call” I mentioned.
Currently the only solution I found which seemed somewhat secure was WSSE, but again, I’ve only worked with OAuth2 and hashing passwords (or even better, using a dedicated service like keycloak), so I’m not sure what’s the best option to store the data it requires or if there’s a better solution.
I don’t know how to be more clear: is there a way to authenticate a client to the resource server (my API) without making the client call endpoints to generate the tokens? Is there a way for the client to generate their own tokens and for me to validate them?
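As an added example (not code from the comment author or from the thread), here is the "client generates its own token, the API only stores the public key" scheme discussed above, together with the lifetime restriction suggested in the earlier replies: the client mints an ES256 JWT with its own private key and no token endpoint is involved; the API looks up the registered public key by the iss claim, verifies the signature, pins the algorithm so a token cannot choose a weaker one, and rejects tokens that are expired or were minted with a lifetime over the API's policy. The client id "client-42", the 10-minute policy and the claims layout are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims: who signed (iss), issued-at (iat) and expiry (exp) as Unix seconds.
type Claims struct {
	Iss string `json:"iss"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// NewClientKey is the P-256 key pair the client keeps; only the public half is registered with the API.
func NewClientKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// MintToken is the client side: build and sign an ES256 JWT locally, no token endpoint round trip.
func MintToken(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyToken is the API side. keys maps a client id (iss) to its registered public key,
// so the API holds nothing secret for the client. Policy: alg pinned to ES256, signature valid,
// not expired, and exp-iat no longer than maxLifetime (a client cannot self-issue a year-long token).
func VerifyToken(token string, keys map[string]*ecdsa.PublicKey, now time.Time, maxLifetime time.Duration) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHeader, &header); err != nil || header.Alg != "ES256" {
		return nil, errors.New("unsupported or missing alg") // never let the token pick the verifier
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return nil, err
	}
	pub, ok := keys[c.Iss]
	if !ok {
		return nil, errors.New("unknown issuer")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("malformed signature")
	}
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("bad signature")
	}
	if c.Exp <= now.Unix() {
		return nil, errors.New("token expired")
	}
	if c.Iat > c.Exp || time.Duration(c.Exp-c.Iat)*time.Second > maxLifetime {
		return nil, errors.New("token lifetime exceeds policy")
	}
	return &c, nil
}

func main() {
	priv, _ := NewClientKey()
	registered := map[string]*ecdsa.PublicKey{"client-42": &priv.PublicKey} // assumed client id
	now := time.Now()
	short, _ := MintToken(priv, Claims{Iss: "client-42", Iat: now.Unix(), Exp: now.Add(5 * time.Minute).Unix()})
	_, err := VerifyToken(short, registered, now, 10*time.Minute)
	fmt.Println("5 minute token accepted:", err == nil)
	long, _ := MintToken(priv, Claims{Iss: "client-42", Iat: now.Unix(), Exp: now.Add(24 * time.Hour).Unix()})
	_, err = VerifyToken(long, registered, now, 10*time.Minute)
	fmt.Println("24 hour token rejected:", err)
}
```

Because the signature is computed by the client, the API never sees a secret it has to vault; a leaked database of public keys lets an attacker verify tokens, not forge them. The lifetime check is the server-side answer to "what if the client mints a token that never expires": the token is cryptographically valid but the payload is rejected by policy.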
- Submitted 1 year ago to programming@programming.dev | 24 comments
- Comment on Fediverse RemindMe Bot 1 year ago:
I remember there was an update to the [redacted]'s one to avoid spam, I don’t know how it worked but it was along the lines of: after some “here’s your reminder” comments it stopped itself from commenting and only sent PMs to the people commenting.
Just mentioning it in case it’s also a desired improvement for this one.
- Comment on How should I wash dishes/surfaces in contact with raw chicken? 1 year ago:
The thing the others mentioned plus maybe it’s easier to hide imperfections in the raw chicken once cooked?
- Submitted 1 year ago to nostupidquestions@lemmy.world | 22 comments
- Submitted 1 year ago to selfhosted@lemmy.world | 8 comments
- Comment on Plex will be blocking access from at least VPS provider 1 year ago:
I never understood this, it’s your self-hosted server but you kind of don’t own it and depend on them, so you just have an application which depends on their service, which means plex isn’t 100% self-hostable, correct?
- Comment on just to be sure, when setting up nextcould i need to purchase a domain name? 1 year ago:
I’m not sure how nextcloud handles it, but as long as you can resolve the domain then you can put whatever you want.
You usually purchase a domain so it appears on the internet with the major DNS servers, but if you only have the site in your internal network then you can put whatever you want as long as you update your internal DNS.
Usually you can do this by manually updating the hosts file on your machines.
But a better way is to have something like PiHole, in which you can set your local DNS to resolve to your own IP.
After that the only annoyance is the SSL certificates, which will be self-signed, since browsers show a warning and some services don’t have a way to work with them.
- Comment on It's Hard to Stay Motivated 1 year ago:
I thought this too, I hated docker because it was supposed to be the solution of “works on my machine” and the only thing that did for me was force me to learn more configurations besides the configuration of the service you wanted to install.
And as you said, plus the hassle of having to run some Linux distro.
But little by little I had to get deeper into docker and Linux, mainly because of my work, and now I can easily deploy any service on the VPS I have or test it with WSL. I even started dockerizing some of my own flows like building and deploying my own projects with docker.
Believe me, it’s worth all the time to learn docker and linux.
Start small, a few lines or keywords each day, you won’t have everything you want to deploy in a day or two if you don’t already know all the technologies.
And remember, if you don’t easily find something you can always come ask in a post and we can try to help you!
- Comment on How can I restrict visiting a service through a domain to VPN-connected devices? 1 year ago:
About the DNS, you can use an internal DNS and find some way for your VPN to configure it in all the machines connected to it.
DNS usually has a fallback if the name is not found, so you can always have your custom DNS on and it’ll first check its own records then check some level up (I’m basing this off of my experience with pihole docs.pi-hole.net/ftldns/ )
About your ports question: you just need to change the IP to the VPN one.
For example, I have a VPS which has a public IP and I have tailscale installed.
If I were to make my service listen on all interfaces I could use 1.2.3.4:1194 or 100.100.100.100:1194 (this being the tailscale IP).
But I usually only configure them to listen to tailscale0, so I can no longer reach them with 1.2.3.4:1194, only with the tailscale IP.
In your DNS you need to configure this new IP to be served.
I’m guessing you can also do some configuration with a firewall.
Probably ufw add allow from 10.0.0.0/8 could work if this was the IP range of your VPN, then anyone can still use your public IP and only your VPN will be able to connect (But don’t quote me on this, I haven’t done it).
(Just be sure to check the configuration of your service, docker can bypass ufw :/ )
- Comment on How can I restrict visiting a service through a domain to VPN-connected devices? 1 year ago:
Probably they have the service configured to only listen on the interface of the VPN.
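As an added example (not code from either commenter), here is the check a practitioner would run after binding services to the VPN interface as the ports comment above describes: parse the output of ss -ltn and report every listening socket that is still reachable from the public IP, i.e. bound to a wildcard address (0.0.0.0, [::], *) or to a non-loopback address outside the VPN's range. The ss output below is constructed to look like a real capture, and Tailscale's CGNAT range 100.64.0.0/10 is used as the VPN CIDR; the service ports are invented.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Local-address forms ss prints for "listening on every interface".
var wildcardHosts = map[string]bool{"0.0.0.0": true, "[::]": true, "*": true}

// SampleSS is constructed output in the shape of `ss -ltn`, not a real capture.
const SampleSS = `State  Recv-Q Send-Q Local Address:Port     Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22             0.0.0.0:*
LISTEN 0      4096   100.100.100.100:1194   0.0.0.0:*
LISTEN 0      4096   127.0.0.1:8080         0.0.0.0:*
LISTEN 0      128    [::]:22                [::]:*
LISTEN 0      4096   *:3000                 *:*
`

// splitHostPort splits ss's "host:port" column at the last colon so that
// IPv6 forms such as [::]:22 keep their host part intact.
func splitHostPort(s string) (string, string) {
	i := strings.LastIndex(s, ":")
	if i < 0 {
		return s, ""
	}
	return s[:i], s[i+1:]
}

// InVPNRange reports whether a bind address lies inside the VPN's CIDR.
func InVPNRange(addr, cidr string) (bool, error) {
	_, network, err := net.ParseCIDR(cidr)
	if err != nil {
		return false, err
	}
	ip := net.ParseIP(strings.Trim(addr, "[]"))
	if ip == nil {
		return false, fmt.Errorf("bad address %q", addr)
	}
	return network.Contains(ip), nil
}

// ListenersOutsideVPN returns the Local Address:Port of each LISTEN socket that
// the public interface can reach: wildcard binds, or concrete non-loopback
// addresses that are not in the VPN range. Loopback-only services are skipped.
func ListenersOutsideVPN(ssOutput, vpnCIDR string) ([]string, error) {
	if _, _, err := net.ParseCIDR(vpnCIDR); err != nil {
		return nil, err
	}
	var exposed []string
	for _, line := range strings.Split(ssOutput, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[0] != "LISTEN" { // skips the header and blank lines
			continue
		}
		host, _ := splitHostPort(f[3])
		if wildcardHosts[host] {
			exposed = append(exposed, f[3])
			continue
		}
		ip := net.ParseIP(strings.Trim(host, "[]"))
		if ip == nil || ip.IsLoopback() {
			continue
		}
		if ok, _ := InVPNRange(host, vpnCIDR); !ok {
			exposed = append(exposed, f[3])
		}
	}
	return exposed, nil
}

func main() {
	exposed, err := ListenersOutsideVPN(SampleSS, "100.64.0.0/10")
	if err != nil {
		panic(err)
	}
	for _, l := range exposed {
		fmt.Println("reachable from the public IP:", l)
	}
}
```

On the sample this flags 0.0.0.0:22, [::]:22 and *:3000 and leaves the tailnet-bound 100.100.100.100:1194 and the loopback 127.0.0.1:8080 alone. Feed it real output with something like ss -ltn | go run main.go after swapping SampleSS for stdin. The docker caveat in the comment shows up here too: a container published with -p 1194:1194 binds 0.0.0.0 and docker's own iptables rules are consulted before ufw's, so publish it as -p 100.100.100.100:1194:1194 (the tailnet IP) and the audit will show it bound correctly.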
- Comment on Fully local nameservice 1 year ago:
I use caddy with PiHole. The Caddyfile is easy to set up with your hostname which will be automatically redirected to HTTPS.
The issue will be the annoying (but useful) alert of a selfsigned certificate if you don’t own the domain.
So I have a cheap domain for my local network and configure caddy to do the acme challenge via DNS instead of HTTP.
I can give you more details tomorrow.
- Comment on Do posts from instances that don't allow downvotes have an unfair advantage? 1 year ago:
IIRC the removal of the upvote is also federated.
When you change it to a downvote you first need to remove the upvote, that’s why it changed from 11 to 9.
So, in instances B and C you’ll end up with a 10 score.
- Comment on how do you use tailscale/zerotier? 1 year ago:
You can partially use Tailscale but yes, to use it you need to install it in all your devices.
At first I had it installed and just had a few use cases (mainly PiHole with MagicDNS which requires installing it in all your machines). But I still connected to ssh with the ip of the machine.
After I finished that initial set up then I closed all the ports and only allowed ssh from the tailnet.
I think you can get away with installing it just in your reverse proxy and in the machine you want to point to if you have solved the issue of the DNS.
One thing to have in mind with this approach is that you won’t benefit from the routing of wireguard, since all your traffic needs to pass through the reverse proxy; a better approach would be to have each service with its own tailnet IP.
The only issue I’ve found is if you have a container in a machine with tailscale, the container doesn’t know about the tailnet unless you have host network type or some other way to share a network which actually knows about tailscale.
- Comment on Help making munin work in ubuntu with lighttpd 1 year ago:
You’re right, I thought giving 777 would be enough, I had to change the owner and group of the files to the ones of lighttpd.
- Submitted 1 year ago to selfhosted@lemmy.world | 2 comments
- Comment on What thematic instances are there, and what others do you wish there were? 1 year ago:
I’m not sure if there’s any language exchange or language learning focused instance.
Probably it could also work if each regional instance had a focused language learning community.
- Comment on Firefox cookie delete exceptions and cross-site cookies (question) 1 year ago:
I saw that notice yesterday and just clicked on the ‘X’, not sure if that was enough, I’ll check it today.