publiclab / spectral-workbench

Web-based tools for collecting, analyzing, and sharing data from a DIY spectrometer
http://spectralworkbench.org
GNU General Public License v3.0

store image captured and additional details in localstorage in offline mode #43

Open jywarren opened 9 years ago

jywarren commented 9 years ago

Offer to upload when reconnected. @Sreyanth - I remember you had some part of this working, right?

Sreyanth commented 9 years ago

I implemented the storage (saving and deleting) in localStorage here: https://github.com/Sreyanth/OfflineSWB/blob/master/js/spectrumstorage.js

Haven't implemented the upload-on-reconnect part, as it needs a new controller to be written on the backend to receive this data, check it for validity, authenticate the user, and then store the data in our database appropriately.

jywarren commented 9 years ago

Do you think we could re-integrate your JS code into this codebase? We could then rely on whether you're logged in to this system, then access the localStorage stuff via your code, and upload under the current username.

Sreyanth commented 9 years ago

Yes. That can be done. Also, we should verify the validity of the data that is being posted to the URL controller, because there might be some attackers who could possibly mess with the data and create spam.
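
One way to do the validity check described in the comment above, as an added example (this is not code from spectral-workbench or from the OfflineSWB script): a server-side validator for a posted spectrum record, run after the login and CSRF checks and before anything is written to the database. It is written in JavaScript for illustration even though the backend is Rails; the field names (title, notes, data, image), the limits, and the data-URL image format are assumptions for this example.

```javascript
// Added example (not spectral-workbench code): validate one spectrum record
// posted by the offline client. Field names and limits are assumptions.

const LIMITS = { title: 255, notes: 10000, points: 4096, imageBytes: 2 * 1024 * 1024 };
const ALLOWED_KEYS = new Set(["title", "notes", "data", "image"]);
const DATA_URL = /^data:image\/(png|jpeg);base64,([A-Za-z0-9+/]+={0,2})$/;
const MAGIC = { png: [0x89, 0x50, 0x4e, 0x47], jpeg: [0xff, 0xd8, 0xff] };

const isNum = (x) => typeof x === "number" && Number.isFinite(x);

// Returns { ok: true, record } with a cleaned record, or { ok: false, errors }.
function validateSpectrum(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, errors: ["payload must be a JSON object"] };
  }
  const errors = [];
  // Allow-list fields: user_id, created_at or anything else the client sends
  // is reported as an error rather than mass-assigned.
  for (const key of Object.keys(payload)) {
    if (!ALLOWED_KEYS.has(key)) errors.push(`unexpected field: ${key}`);
  }
  const { title, notes, data, image } = payload;
  if (typeof title !== "string" || title.trim() === "" || title.length > LIMITS.title) {
    errors.push(`title must be 1..${LIMITS.title} characters`);
  }
  if (notes !== undefined && (typeof notes !== "string" || notes.length > LIMITS.notes)) {
    errors.push(`notes must be a string of at most ${LIMITS.notes} characters`);
  }
  // Bounded array of [wavelength, intensity] pairs with strictly increasing
  // wavelengths; checking the length first keeps huge payloads cheap to reject.
  if (!Array.isArray(data) || data.length === 0 || data.length > LIMITS.points) {
    errors.push(`data must hold 1..${LIMITS.points} points`);
  } else {
    let prev = -Infinity;
    for (let i = 0; i < data.length; i++) {
      const p = data[i];
      if (!Array.isArray(p) || p.length !== 2 || !isNum(p[0]) || !isNum(p[1])) {
        errors.push(`data[${i}] must be [wavelength, intensity] finite numbers`);
        break;
      }
      if (p[0] <= prev) { errors.push(`data[${i}] wavelength not increasing`); break; }
      prev = p[0];
    }
  }
  // Image: the declared type must match the decoded bytes, and the size cap
  // applies to the decoded length, not to the data-URL string.
  if (image !== undefined) {
    const m = typeof image === "string" ? DATA_URL.exec(image) : null;
    const bytes = m ? Buffer.from(m[2], "base64") : null;
    if (!bytes) errors.push("image must be a base64 PNG or JPEG data URL");
    else if (bytes.length > LIMITS.imageBytes) errors.push("image too large");
    else if (!MAGIC[m[1]].every((b, i) => bytes[i] === b)) errors.push(`image bytes are not ${m[1]}`);
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, record: { title: title.trim(), notes: notes ?? "", data, image: image ?? null } };
}
```

The record returned on success is what gets stored, not the raw payload, so a logged-in spammer can only create spectra of bounded size under their own account; rate limiting per user would be the next layer, and is outside this example.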

jywarren commented 9 years ago

Most POST requests require a login and CSRF token (http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf); are you worried about real users, or anonymous ones?

Sreyanth commented 9 years ago

Yes. CSRF is a must for POST requests in RoR and Django. So I have my plans.

First send a GET request to get the CSRF token, and then immediately send a POST. This way, even the expired-CSRF-token issue will be taken care of. What do you think?

I am assuming that if you want to upload, you need to be logged in. So an account is compulsory. But given an OpenID integration, spamming won't be that difficult.

jywarren commented 9 years ago

If a version of this script is loaded by default when you access spectralworkbench.org/capture (in offline or online mode), then the issue is that you're probably looking at a cached version because of our offline functionality via /index.manifest. So yes, good idea; you'll have to retrieve a CSRF token via AJAX. This is probably also when you can check if you're online: look for a 200 "success" response code. If you don't get 200, don't offer the user the ability to upload your saved spectra.

Sreyanth commented 9 years ago

Yup. Sounds good. But I think there should be a better way of checking if the user is connected to the internet than to keep pinging the main server to get a 200. That would simply burden the browser activity.

A more robust solution is to use var online = navigator.onLine;

See the related API section mentioned here http://www.w3.org/TR/offline-webapps/

jywarren commented 9 years ago

Oh cool, yeah. Still, to check if the user is logged in and to get a token, we may have to make a request anyways.

Sreyanth commented 9 years ago

Yep! We only need to send one request to get the token, eliminating unnecessary burden on the server.

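
The procedure the thread converges on (save captures in localStorage; use navigator.onLine as the cheap connectivity check; make one GET for a CSRF token, which doubles as the logged-in check and gates whether upload is offered at all; then POST each saved spectrum with that token), as an added example. This is not code from the spectral-workbench repository or from Sreyanth's OfflineSWB script. The endpoint paths /session/token and /spectrums, the token response shape, the storage key, the record layout and the fake server are assumptions made for the example; storage and transport are injected so the logic can be exercised without a browser.

```javascript
// Added example (not spectral-workbench or OfflineSWB code): queue captured
// spectra in localStorage and upload them once a logged-in session is seen.
// Storage (localStorage-like) and transport (fetch-like) are injected so the
// same logic runs under Node for testing and in the browser unchanged.
// Assumed endpoints: GET /session/token -> {csrfToken}; POST /spectrums.

const QUEUE_KEY = "swb.pendingSpectra"; // assumed storage key

function createMemoryStorage() { // constructed stand-in for window.localStorage
  const map = new Map();
  return { getItem: (k) => map.get(k) ?? null,
           setItem: (k, v) => { map.set(k, String(v)); },
           removeItem: (k) => { map.delete(k); } };
}

function loadQueue(storage) {
  try { const q = JSON.parse(storage.getItem(QUEUE_KEY)); return Array.isArray(q) ? q : []; }
  catch { return []; } // corrupt entry: never let it break the capture page
}

function saveQueue(storage, queue) {
  if (queue.length === 0) storage.removeItem(QUEUE_KEY);
  else storage.setItem(QUEUE_KEY, JSON.stringify(queue));
}

// Called by the capture page whether online or not; returns the queue length.
function queueSpectrum(storage, spectrum) {
  const queue = loadQueue(storage);
  queue.push({ localId: `local-${queue.length + 1}`, spectrum });
  saveQueue(storage, queue);
  return queue.length;
}

// One GET decides whether to offer the upload: 200 with a token means online
// and logged in, 401/403 means logged out, anything else (including a thrown
// network error) counts as offline. isOnline is the cheap pre-check
// (() => navigator.onLine in the browser) that avoids pointless requests.
async function checkSession(request, isOnline) {
  if (!isOnline()) return { state: "offline" };
  let res;
  try { res = await request("GET", "/session/token", null, {}); }
  catch { return { state: "offline" }; }
  if (res.status === 200 && res.body && typeof res.body.csrfToken === "string") {
    return { state: "ready", token: res.body.csrfToken };
  }
  return { state: res.status === 401 || res.status === 403 ? "unauthenticated" : "offline" };
}

// POST each queued spectrum with the fresh token. An entry leaves the queue
// only on a 2xx; a 401/403 or network error stops the run and keeps the rest.
async function syncQueue({ storage, request, isOnline }) {
  const session = await checkSession(request, isOnline);
  const queue = loadQueue(storage);
  const result = { state: session.state, uploaded: 0, remaining: queue.length };
  if (session.state !== "ready") return result;
  const remaining = [];
  for (let i = 0; i < queue.length; i++) {
    let res;
    try { res = await request("POST", "/spectrums", queue[i].spectrum, { "X-CSRF-Token": session.token }); }
    catch { res = { status: 0 }; } // network dropped mid-sync
    if (res.status >= 200 && res.status < 300) {
      result.uploaded += 1;
    } else if (res.status === 0 || res.status === 401 || res.status === 403) {
      remaining.push(...queue.slice(i)); // keep this and every later entry
      result.state = res.status === 0 ? "offline" : "unauthenticated";
      break;
    } else {
      remaining.push(queue[i]); // rejected (e.g. 422): keep for a later retry
    }
  }
  saveQueue(storage, remaining);
  result.remaining = remaining.length;
  return result;
}

// Constructed fake backend with Rails-like behaviour: a logged-out session
// gets 401 and a POST without the current CSRF token is rejected with 422.
function createFakeServer({ loggedIn }) {
  const token = "tok-" + Math.random().toString(36).slice(2);
  const received = [];
  async function request(method, path, body, headers) {
    if (method === "GET" && path === "/session/token") {
      return loggedIn ? { status: 200, body: { csrfToken: token } } : { status: 401 };
    }
    if (method === "POST" && path === "/spectrums") {
      if (!loggedIn) return { status: 401 };
      if (headers["X-CSRF-Token"] !== token) return { status: 422 };
      received.push(body);
      return { status: 201, body: { id: received.length } };
    }
    return { status: 404 };
  }
  return { request, received };
}
```

In the browser the call would be syncQueue({ storage: window.localStorage, request: a small fetch wrapper that resolves to { status, body }, isOnline: () => navigator.onLine }). navigator.onLine only reports that a network interface is up, not that spectralworkbench.org is reachable or that the session cookie is still valid, which is why the token GET remains the check that actually decides whether the upload button is shown.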