#development

where i live in nobody gives two shits about your data, they jsut want the device

so they can sell it

they wiped it, but i'd declared it stolen immediately, they then tried to resell it in a CEX which checks the list of IMEIs that are stolen devices

how do they get a list of that

if your phones stolen give your network your IMEI

that phone is then completely useless worldwide

unless the theft lock is removed

they basically block the IMEI on every network on the planet

yeah but 99% of phone users dont know their phones IMEI

and dont have it written down anywhere

shops etc can pay a subscription for access to an api for it, ebay and amazon etc do it too

no, this is just lazy behaviour, its given to you on the box! and when you sign up for a contract

if its a contract phone, you can directly just ring them up and THEY know the IMEI

99% of phone users are technologically illiterate

they have no idea what it means

still, you ring up your provider and tell them its stolen

they have this info

they do it for you

possible

i dont have such a contract

mine is pre-paid credits

even pay as you go, you can in theory do it

if you have a receipt or any record of your last purchase

because every interaction on the mobile network is associated with the imei and the sim id

so the network has it, like an ip

yeah its possible

too many dont do it

its a removable sim card

but because of this i got my phone back

and they didnt even wipe properly, they just wiped the OS partition

so it had my photos still on it

but they couldnt unlock it, was locked by fingerprint

nice

yeah these days i also have the fingerprint thing on my phone

i was still lucky, because if theyd sold it to a friend and not gone to whats basically a pawn shop, their friend would have tried to use it

and then it wouldnt work

and theyd proably throw it out

i had my laptop stolen once

it had no password of any kind

i had a work laptop stolen once like 20 years ago, from me, in person, threatened with a baseball bat

nothing bad ever happened because of it

none of my accounts were ever accessed

i just gave it them, and got in trouble for not defending work propety with my life, fuck that

yeah thats bullcrap

Using nextjs v14 app router

This is one of my server action files fetchData.ts where I make API calls to my other web server with an API key. I want to ensure whether or not what I am doing here is secure, and whether or not these API keys will be exposed to the client?

fetchData.ts: https://gist.github.com/fronkdev/11abb26f9a9610edaa21ba2b0804a240
Client Side implementation:

import { fetchMutualAndExcludedServers } from "@/components/Actions/fetchData";

export default function MyProfilePage({ user }: { user: GuildsUser }) {
  const [mutualGuilds, setMutualGuilds] = useState<RESTAPIPartialCurrentUserGuild[]>();
  const [excludedGuilds, setExcludedGuilds] = useState<RESTAPIPartialCurrentUserGuild[]>();

  useEffect(() => {
    (async () => {
      const guilds = await fetchMutualAndExcludedServers({ userId: user.discordId });
      setMutualGuilds(guilds.mutual);
      setExcludedGuilds(guilds.excluded);
    })();
  }, [user.discordId])```

If this isn't safe or secure, what would be a better way to do this? I will eventually have additional functions which would send data to my other web server to update database models etc

arent most stolen phones shipped to china and sold as parts

is better-sqlite3 reliable for public project?

its probably the best option if you wanna use sqlite

okee thanks

i had issues with it when i was giving it a lot of writes though it just completely froze the app

Hey, server actions are always server sided.
You're also using things that are entirely server sided only too.

process.env.API_ENDPOINT
Is something a client can never see anyway

For example, my .env
Test="hi"

"use client";

export default function Home() {
  console.log("log test: ", process.env.Test);

  return <main className="">Hi ^_^</main>;
}

It's only because i saw this next.js blog and im doing exactly what they called 'idiomatic'
https://nextjs.org/blog/security-nextjs-server-components-actions#component-level-data-access

All it means is that anyone can make a call to it, at least thats my understanding.

Any server action, any user(even non logged in users) can send an http request to your server requesting to run that action.

ah okay

If you're still concerned, I'd just start sending requests via postman or something and see if you can cause it to expose anything you dont want it to.

if i was to make an api endpoint

// app/api/servers/search -> route.ts
import "server only";

export async function GET(query: string) {
    const response = await fetch(process.env.API_ENDPOINT + '/servers/search?query=' + encodeURIComponent(query.trim()), {
        headers: {
            authorization: process.env.API_KEY
        },
    });

    if (!response.ok) return [];

    const data = await response.json();
    if (typeof data === 'undefined' || !Array.isArray(data)) return [];

    return Response.json(data)
}```
how would i call this from the client?

did you use WAL mode and synchronous=off?

or just default settings?

from the same server?

you can use absolute local url

like

/api/blblbla

/ refers to the domain's root

You'd probably want to use this instead in their case.

https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations#client-components

i used wal but idk about synchronous

oh no

that import path

With synchronous OFF (0), SQLite continues without syncing as soon as it has handed data off to the operating system. If the application running SQLite crashes, the data will be safe, but the database might become corrupted if the operating system crashes or the computer loses power before that data has been written to the disk surface. On the other hand, commits can be orders of magnitude faster with synchronous OFF.

its good for write-heavy, even if a bit unsafe

i wasn't sure if I had to make a fetch call or if there was any functions to make it easier.
I was looking at top.gg's network tab on developer tools and saw that their api endpoint was https://top.gg/_next/data/3ef2d87-prod/en/search.json?q=f. How could I obfuscate my server action or api route to include additional security? It obvisouly wouldn't do much but its an additional implementation

with being unsafe would it then not just be easier to run a more scalable db

like postgres or mysql

protecting website-only endpoints is done through session cookies

Top.gg is using old versions of nextjs, server actions were not available the same way on that version.

how Top.gg does it, and how its handled now isnt quite the same way.

well, the only safety concern is the OS itself crashing, which is very unlikely in a production environment, but otherwise yeah, a more scalable db is preferred for handling massive amounts of queries

you can use a middleware to block all non-exposed routes that are coming from a different origin
at least - that's how i did it

with my luck if its possible itll happen

origin can be spoofed tho, so its not very reliable

but its an option

unfortunate

unfortunately idk much about security, sorry

i only know how to break your browser

ah okay.
last thing, when you view-source on some nextjs websites, only some of the html code is shown such as head, scripts and the body (without children). I'm wondering if this is only because they render the children conditionally so that they aren't displayed on that page?

Ah okay, that's something I will probably implement as well

probably it hasn't loaded in yet

there's the static generation stage where the html is delivered first for contentful paint

then hydration stage where afterwards javascript downloads, runs, and takes over the page and make it interactive

happens that in the first stage, there is nothing

if you don't pre-render anything in SSR configuration, you will see an empty page, which might explain the empty body

Honestly, sounds like they needed a suspense boundary 👀

I'd avoid replicating that behavior

my knowledge only extends to nextjs 13

it's possible that they have such feature in nextjs 14+

i make a manual loading screen then use XHR to load in the assets

https://nextjs.org/docs/app/building-your-application/routing/loading-ui-and-streaming#example

yeah do not rely on origin at all its user controlled

Is there a viable way to implement a constant connection to a mongodb instance using serverless or are my only options:

• call to api
• serverful

?

serverless, by definition only exists while a request is made

so theres no direct way to have a constant connection in serverless itself

i thought as much, thought i'd confirm tho

thanks

it depends on what you use for serverless

AWS for example has an api for dynamodb you can call anytime in serverless functions

for the self hosted serverless software called supabase you have a long lived postgresql connection serverless functions can call to get/write data

serverless rarely sticks to being purely serverless otherwise it tends to be a bit useless

mann i tried to sell my mac. Listed it for 600$ which is hella cheap for a m2 in my opinion.. how am i still getting bids and offers for 200-300$

mannn staphh 😭

do 900$

so the bids are 600$

Stonks

btw ill buy it for 20$ + free shipping

ill eat my mac for 200$ rather than selling it to that mf

good deal trust

ill keep you in mind

deal is almost too good to resist

ye

sounds like you havent done bidding before

it will always start from a low price

it will build up as people outbid each other

at least if im thinking where youre selling is what i think it is

Nah

This is a diff type bidding

The bids are like, “do you accept my price of ..”

It’s more an offer

Gotta be fb marketplace

fb aint got shit on this

How much would your computer be retail

will god have mercy

the hell is INSTR

also wtf are u trying to achieve there

im extracting the version from an api path

findindex

https://www.sqlitetutorial.net/sqlite-replace-function/ ffs use this

I dont think that will make it significantly smaller

oh nvm, it doesnt accept regex

yeah

regex would also be pretty sub-optimal for this

since it literally needs to do this on every row

doesn't matter much, it'd compile only once

only cost would be the regex search itself

i wouldnt do queries like that on databases

regex and stuff like that basically eliminate any chance of using the indexes

Does sqlite have built in json parsing

Like it has date parsing but no date column

postgres has i think

it depends on the database engine

oh sqlite

it does apparently

but just because you can doesnt mean you should

Well I'm thinking it would be smarter to add a property that already has the information parsed in json

Looks like something you'd see in Excel/Google sheets

stop abusing sqlite smh

uhmmmmm

for some reason github runners

doesnt feel like cloning my org's private repo

Do you hear the word "private"

yes

i added the with token secrets.github_shit

Does the runner have proper perms

and still neu

and are you 100% sure the link its fetching from is correct

is that the correct link

yes

ctrl click goes right to it

Is the token valid?

It didnt expire?

doesnt it get set my github themself?

I dont think so

Ah right runners are different

hm im not sure

Is the repo in an org?

Where are you cloning it

repo is in an org

action is run in the same repo

Peculiar

yuck

forgot contents: read

guys

could i talk to reviewers ?

they are now testing my bot and there is something they need to know about it

You will have to wait until after

hi

Reviewer note

how do i make a vote tracker chat (i just need a message in my private server who voted for my bot)

You can use third party service for this such as https://webhook-topgg.com/

or, you know, use the topgg api directly?

I agree.

Recommending my site is great, but we really should push for people to do it themselves first.
Or at least make it the first recommendation.

I dont like the idea of developers missing out on learning how a webhook actually works because they took the easy approach.

You can recommend both but 9 times out of 10 they still choose the easy route

Yeah, sadly thats true.

Even though both are easy

A vote tracking system would take you 30 minutes to an hour to do

:O its your site? awesome

Just wait until I add Webhook to websocket for top.gg

The backend has been done for a long time, and it includes reminder events and all the API access a dev could want.

I just got stuck on how to make sure everything actually works reliably with bots that go down and whatnot and got busy with IRL.

Now I'm just frustrated with React again :/
Trying to make my autocomplete component work better

"use client";
import { Input } from "@/components/ui/input";
import React, { forwardRef } from "react";

type CombinedInputAttributes = Omit<React.InputHTMLAttributes<HTMLInputElement>, "autoComplete"> &
  Omit<React.TextareaHTMLAttributes<HTMLTextAreaElement>, "autoComplete"> & {
    someInput?: string;
  };

interface InputProps extends CombinedInputAttributes {
  inputProps?: React.InputHTMLAttributes<HTMLInputElement>;
}

const SomeInput = forwardRef<HTMLInputElement, InputProps>(function AutoComplete(
  { ...inputProps },
  ref
): React.JSX.Element {
  console.log(ref);
  return (
    <>
      <Input {...inputProps} placeholder="shadcn" ref={ref} />
      {/* in the real example this is would be an autocomplete item that could be clicked and set the value of input */}
      <div
        className="bg-slate-200"
        onClick={() => {
          {
            /* This is logging a function, not the initilized ref >:( */
          }
          console.log(typeof ref); 
        }}
      >
        hi!
      </div>
    </>
  );
});

export default SomeInput;

I apparently dont understand ref, or forwarded refs.

i dont understand react, so im worse off than you

:^)

😄

At least theres one thing I know more than you

Someone will pass by and understand whats wrong I'm sure

i really dont miss all of the react boilerplate

ref is just an instance of the actual rendered element in the DOM

Yeah, but ref is being set and isn't initialized in my onClick

im not quite sure what you are doing in your forwardRef

its a tiny bit cursed

what are you trying to achieve with this

im sure theres a simpler way

@green kestrel
Is there any I can extends the dpp::cluster?

#include <dpp/dpp.h>  // Include the appropriate D++ header

// Define the extended class
class MyCluster : public dpp::cluster {
public:
    // Constructor that takes a token and an extra parameter
    MyCluster(const std::string& token, const std::string& extra_info)
        : dpp::cluster(token), extra_info(extra_info) {}

    // Getter for the extra_info
    std::string get_extra_info() const {
        return extra_info;
    }

    // Setter for the extra_info
    void set_extra_info(const std::string& info) {
        extra_info = info;
    }

private:
    // New property
    std::string extra_info;
};

Does this look good enough for you?
(I'm new to cpp and dpp)

you should test it first and see if it works

but it looks fine from a quick view

Its my autocomplete system.
Or well the non minimum example is.

What way is it cursed?
Isn't that the intended purpose of a forward ref?

    <div className="relative">
      {textArea ? (
        <Textarea
          {...(textareaProps as React.InputHTMLAttributes<HTMLTextAreaElement>)}
          className="w-full"
          autoComplete="off"
          onChange={(e) => {
            _onChange(e);
            onChange?.(e);
          }}
          onKeyDown={handleKeyDown}
        />
      ) : (
        <Input
          {...(inputProps as React.InputHTMLAttributes<HTMLInputElement>)}
          className="w-full"
          autoComplete="off"
          onChange={(e) => {
            _onChange(e);
            onChange?.(e);
          }}
          onKeyDown={handleKeyDown}
        />
      )}
      <ul
        className={`absolute z-10 w-full bg-black shadow-md`}
        style={{ display: showSuggestions ? "block" : "none" }}
        {...ulProps}
      >
        {filteredSuggestions.map((suggestion, index) => (
          <AutoCompleteItem
            key={suggestion.value}
            label={suggestion.value}
            example={suggestion.example}
            selected={selectedSuggestion === index}
            onClick={(e) => {
              setShowSuggestions(false);

              console.log(ref); // isnt intilized
            }}
          />
        ))}
      </ul>
    </div>

I want the onClick function in autoCompleteItem to set my value; the ref to my Input or TextArea is being properly passed(and used) by the parent.
Its just the sibling cant see it as its initialized state.

I'm not entirely sure why though, nothing mentions sibling interactions of a forwardRef ref

You have to set the initial value yourself

unless im misunderstanding you

also iirc ref isn't initialized until the component is rendered fully

So it could be null/undefined

The field is controlled by a parent controller

is the parent rendered when passing in ref

I'm about to eat, but I'll show the issue when I get a chance

So, I can navigate, click and handle autocomplete using my keyboard and enter.
But I have to support clicking the thing I want to click too(mobile users)

Everything works, values are set.
I just need to be able to refer to a sibling ref,

{...(inputProps as React.InputHTMLAttributes<HTMLInputElement>)}

inputProps includes ref, its being set, because everything is handled through the ref, otherwise nothing would work.

The question i think is really, how does forward ref work with siblings.

Ref is being set properly, it's visible from the parent, but not to its siblings.

I really just need to start learning react a bit more traditionally/normally.

According to https://react.dev/learn/referencing-values-with-refs and https://react.dev/reference/react/forwardRef
I'm using these how they're expected but I'm doing something wrong, or I'm misunderstanding.

hm

Interesting

Yea im not really certain myself. React is something I never understood much about myself aha, I know very basic stuff.

My only guess is for some reason its not actually passing the ref down to the children.

How are the components setup?

Heres the minimum code to replicate the issue.

https://gist.github.com/Team-Woo/df59181b8ea6f394630a691a3f2a7863

you can, and it'll work however this isn't modern c++ it's more like javaisms

also the constructor you made throws away other optional parameters of cluster constructor like being able to set cache policy

or set shard id, cluster id etc

btw

the more idomatic C++ way is to make a class and have a cluster in it, rather than inheriting cluster

e.g.

class bot {
    dpp::cluster* cl{nullptr};
public:
    bot(std::string token) {
        cl = new cluster(token);
    }
    ~bot() {
        delete cl;
    }
}

btw dont do it exactly like this, raw pointers are ew

but you get the idea

but the key takeaway: composition over inheritence

time to do it exactly like that

tbh it isnt evil

but shared ptr is nicer

it auto deletes itself

raw pointers are the main reason the rust community wants to overthrow c++

in reality you can write perfectly safe c++ you just dont have a compiler that nags you about it

indeed

that code above is perfectly safe

its just easy for a newbie to forget to e.g. put the dtor in

but thats because newbies were raised on java

and are handheld by JVM

First language i learned was java 😡

Nothing wrong with that

just bringing java practicies to c++ is not always well advised

Ngl you are right

you can tell the people who bring java to c++, they make one class per file and everything is a class, inheritance models 50 classes deep, interfaces, factories...

when c++ isn't an OOP language it's a multi paradigm language

damn the djs devs must of been java devs then

Cause I swear one class has like 50 other classes relying on it

and those classes rely on another class relying on it

💀

At the end of it you have a class that has 10 class deep inheritance

Same I made some shitty Minecraft plugins back when I was 13-14

https://dpp.dev/structdpp_1_1json__interface__inherit__graph.svg

this is all...

just about everything has a dpp::json_interface<T>

I mean thats fair

but djs makes 1 class, and then another class that inherits it

and then 50 classes that inhert some class that inherits from that new class

Its inheritence goes deep

I advise against doing this.

It can be seen as advertisement

oh

sorry

may the top.gg java experts assemble

i have an obfuscated JAR and i need to bypass a check the application does

Ok

ok

does anyone know of any java debuggers similar to GDB?

shut up

Damn

asks for help

then tells us to shut up

ok i go to sleep

u insult me to sleep

i am aware i likely wont be able to see any real java code but ive read java bytecode before and its not too bad

you can use jdb

its oracles version of gdb

You can open in intellij

or that

It'll do its best to make it readable

IntelliJ my beloved

i tried to use the intellij debugger but it only shows the library code and wont show me any app code

no bytecode either

not sure if i did it correctly though

I did try recaf which decompiles the JAR file but since its obfuscated i sort of have to debug it and trace the calls to find the function im looking for

strings are encrypted also

Make a new project, add the jar as dependency and call its entrypoint

Put a debugger where you call it

If it's a runnable jar it will have a main method somewhere

yeah i found the main method already so ill give that a shot

darn coffee cup language

Didn't work?

trying it now

i just wanted to insult java for no reason as usual

i assume i just do "add as library" the jar

Well, yeah

okok the import and calling the main function worked

now just need to see if it will debug it

think this is a good sign

yea

its a bit broken but at least i can see where something is running at the moment

would be great if i could see the actual bytecode if it cant decompile it fully

seeing the parameters also gives me a hint of what the function is

can start mapping it out in recaf

the amount of threads doesnt help either

but i can see which threads resume running on events im interested in

oh this is extremely helpful a memory viewer

kuuhaku to the rescue once again

Intellij is underrated

Most of these can be ignored

Also you can see the bytecode, I just don't remember how to get to it in intellij

Waffle did it once

i'll try to have a look

i think im getting somewhere

being able to see the stack trace helps

im going to try to change this bytecode to bypass the wait loop

the return of bottom Zac9 seems to lead to where i want

i think changing this to IFEQ will make the condition be if (this.ZW) and since ZW is 0 it will bypass this function and call Zac9 which is what i want

enough of decompiling obfuscated java for today

yep it reflected the change as well

now the program crashes, amazing

guess thats not it

What even are you trying to do

Like why are you decompiling a java program

to bypass a check the application does

isn't locking on the current instance bad practice

can't believe they would do that!

It's a valid case when you don't want 2 threads going into a block at the same time

Same as doing public synchronized void smth()

huh

in c# it's considered bad practice afaik cause something else could be locking that instance as well

you'd just typically have a field like object lock = new object();

It'd achieve the same thing

Since the object is a single instance too

well yeah but if lock is private only you can lock on it

whereas anyone could lock on your instance

Oi

Crazy, I can't connect to my mongodb database anymore on my server

But locally it works

Help please!

im doing this for fun (more learning if anything)

honestly ive done the exact same thing with binary programs and i have to say its easier

mainly because its more difficult to obfuscate things

youre limited to how much you can obfuscate

here you have the JVM in the middle of things

not in java, only the lock holder can release it

oh, right, lock on it

in java at least locks are per-block/method, rather than global

so in either case the result would be the same

figured it out, you can do it with intellij by going into view > bytecode

but if you want it to be side by side with your code and to split it based on methods you need an extension

that’s why i host my own mongodb server

Thankyou, I got it now.

Btw I have one more question, what is the ideal way to handle command?

Like in javascript, they usually store in the HashMap the command execute function and then when there is a slashcommand, you get the command name and find it from the HashMap and execute the function from that index property

you can do it that way

using std::map

pretty much every lang has maps in a way or another

it just depends on if you are able to store the execute method in said map

with js you can store functions in maps, but idk about c++

raw pointers are great

You can store functions in maps via function pointers

Pretty sure you can also use std::function if you don’t like touching the pointers yourself

Ah cool

I can give you a nice example of how to do commands with just a function ptr

https://github.com/brainboxdotcc/command_example

this avoids the need for classes at all

I need to learn more about modern c++

I’m stuck in 2012 using purely raw pointers bc I don’t know how to properly use unique ptr and shared ptr

if you want to go one step beyond but still idiomatic c++ take a look at: https://github.com/brainboxdotcc/ssod

mainly anything in include/ssod/commands/*, src/commands/*, src/commands.cpp and include/ssod/commands.h

it's a bit too complex to summarise by copy and paste into a code block but still understandable and not over engineered

internally it's still just a map of function ptrs

with everything else constexpr

I feel like constexpr is just a mistake for the language

I feel like the compiler should be in charge of evaluating expressions at compile time

Then again I guess the compiler might not know whether or not it’s worth it

with constexpr you can make a function that is entirely evaluated at compile time

like fmt::format

Well yeah

I see the use cases but I just feel like I have a poor understanding of when to use it and when it's useless

@lyric mountain after 10 hours i managed to figure it out LOL

the intellij thing really helped especially with the call stack

that obfuscation was brutal

10 hours is pretty fast for a solo cracker tbh

either you have talent or the obfuscator was pretty shitty

in either case gz

Is there any common patterns you use for flutter @lyric mountain? I'm assuming MVC is pretty common

I use mvc, but I think it's pretty freeform like js

👍

I mean, the linter will fight against you if you stray too far

I see

and remember to put comma after every single line you want to have a newline

if you dont then it'll format to a huge single-line declaration

uhhhh

does flutter not support java 20?

Java 17 I think is what it supports rn

mannnn

I gotta downgrade

that's so annoying

Actually

https://github.com/flutter/flutter/issues/135402

This might help

@wheat mesa

I mean I've just been getting this over and over. Assuming it's because my java version isn't supported

What gradle version are you using

that's a fantastic question

7.5

7.5 doesn't support 20

you need at least 8.1 iirc

But I'm confused on why flutter is using my java 20 installation when I set the SDK in the project structure to be java 16

I dont think flutter cares what your project structure version is set to

flutter looks for the latest installed afaik

It's using it from my HOME environment var

but I don't know how to change it to not use that

because I still want my home env to be java 20, but flutter should use my java 16 installation

Change the java version gradle uses

You should find it in intelliJ settings

Gradle is likely set to use the latest aka java 20 since thats your home

You can change it to use java 16

Is this dumb to use instead of using a ref?
👀

  (document.getElementsByName("username")[0] as HTMLInputElement).selectionStart;
  (document.getElementsByName("username")[0] as HTMLInputElement).setSelectionRange(userValue.length, userValue.length);

I just rewrote my entire autocomplete system, realized I still need to access to the element for getting the selection start/end

(and setting it after modifying)

I mean if it works it works

oh wait hold on

I think my module SDK wasn't specified so it didn't know

nvm

didn't work

bit of luck tbf i bypassed the initial auth function after i found it but then i would get a java error saying " Cannot invoke "xyz" because "<parameter1>" is null" which i assume is because the function i bypassed set something that was required later on
so i replaced that faulty function to simply return an empty string and it worked

i dont exactly know the obfuscator tool used but i ran it through an obfuscation detection program and iirc it detected

RuleSuspiciousClinit: Zelix Klassmaster typically embeds decryption code in <clinit>. This sample may have been obfuscated with Zelix Klassmaster
RuleEnhancedStringEncryption: Zelix Klassmaster has several modes of string encryption. This mode is similar to the simple mode, but adds an additional layer of decryption by calling a method with signature (II)Ljava/lang/String;

but other than that i dont think theres other checks, if there was things like traps id probably have had a much harder time

some functions intellij couldnt even decompile so i had to manually go through the bytecode and annotate it to find points of interest

honestly if it's an application they'd have better luck compiling a native image

Finally.

I need to fix the double highlighting thing, but it works 😄

what is the best package to use for running shell commands from node

i just use exec from child_process

execa seems good

yea but it's too plain for me

wdym

what else would u need

its all gooddddd nvmmmm

looks like execa has template strings and stuff

tf does that even mean

template literals are built into node

child_process.exec also has a promise version

Like that's literally all you'd need

thats not what execa does

in execa it automatically escapes arguments

using template syntax

probably

they have an exe which calls the jar file

the exe does absolutely nothing but that

also have their own JDK bundled in case the host doesnt have one

@lyric mountain i dont know if im wrong but my nginx appears to be vulnerable to literal header injections when redirecting http requests to https

nginx sets a response header called "location" which mirrors the request url

if you add a \r\n to the end of that url, you can inject an arbitrary response header and nginx happily reflects it

its not a massive issue but a concern

huh

GET /some_page_with_https_redirect_for_http1%0D%0Atest_nginx_header_injection%3A%20is%20nginx%20really%20vulnerable HTTP/1.1

http 2 isnt vulnerable though since it uses binary

this is my rewrite rule

 if ($scheme != "https") {
    rewrite ^ https://$host$uri permanent;
 }

its probably my rule that just sucks

ah theres already an advisory for it https://www.acunetix.com/vulnerabilities/web/nginx-redirect-header-injection/

the remedy is to use $request_uri

i think i got this code from a stack overflow thread so thats definitely something that needs to be looked into

because its an extremely popular thread

now its fixed

wait why rewrite it there

Why not just make it redirect to https on port 80 (http)

Unless theres a specific reason

there i submitted an edit request to fix it

i think i have a reason as to why i have it like that

you think?

but that would be easier

it doesnt really matter though it achieves the same purpose

I mean what you are doing is a cruder way of just redirecting

doing it via port 80 is the far easier and more used way

i have it like this because i want to allow normal http for certain routes

its easier to control which to redirect to https with my clause

fair enough

I think you can still do it via port 80 but just modify which routes themselves are http

but if thats the case doing it ur way is definitely better

Could i ask what this is? Webhook notify?

Yeah

Looks good.

@sharp geyser@frosty gale
i do it like this

same difference

doing it how I did it will match any route

so / or /api/something

yeah same thing

location / matches any route that is not set in another location block

so you can still have normal http for specific routes

also quic finally works :D

oh?

Didnt know that

what is quic

http3

whats http3

next generation http

whats next generation http

where is http4

somewhere in the future

so quic gets rid of the hello (handshake) process?

pretty much, quic creates an udp connection, which is stateless and does not need to "establish" like tcp does
and quic also includes ssl inside it instead of sending it only after the connection is established

also quic has its own congestion control system, since unlike tcp, udp does not have one by default

and quic's system allows for multiple independent streams to run concurrently, which tcp does not allow

isn't UDP more unstable though?

It goes based off a trust system that what you are sending it is full

If a corrupted packet gets sent it can cause problems

why would that cause any more problems than a corrupted TCP packet

QUIC is just a protocol built over UDP

the protocol defines what happens with invalid data

You are thinking of packet loss which is definitely a real issue with UDP, but Quic comes with its own packet verification and re-sending

So TCP, but UDP, sounds fun

Though means you no longer have the os/networking of the os handle the tcp connections, but HTTPS/Quic

dear node developers
pls add esm support for sea already 😭😭

i have a discord bot i am working on that uses a dashboard where you can control it using a dashboard.
Only problem i have is that the dashboard basically gets lost..

i thought about maybe using 2 threada

1 thread for dashboard, 1 for history

what do you mean "gets lost"

https://tenor.com/view/harburg-dubliner-pub-lost-vincent-vega-gif-17168549

Nvm I will just create one embed actually and edit it continuously for each action taken

Ill call it Action History or sum

use ghub/razer bullshit ❌
write own firmware ✅

Guys is iOS coding fun to do?

Idk I am looking to learn something that’s gonna be fun lmao

I hate website development now for some reason

ios coding is never fun.... (speaking from others' experiences)

and this is one of the reasons i fucking hate python

it never works

/auth/discord?guildid=1234833240238588004&userid=390385922866413569 guys how can i send query to passport use area

i want to check member has manage guild and manage roles permissions in guild

You’ve just gave out your client secret

no i didn't

i already reset it

Your callback wont work, people cant access your own localhost

the reason UDP is considered unstable is that UDP does not have congestion control, its basically fire and forget, while TCP does have a built-in control system and validates and re-sends lost data.
but what quic does is implement its own control system inside the UDP packets it sends, so the entire thing is controlled on the application layer and the app itself decides how to handle missing data

so basically quic does the same things that tcp does but inside the program that runs it, instead of inside the OS kernel, so it ends up having equivalent stability as TCP

its basically the same as you wanting to write your own raw code instead of using a built in solution

instead of using tcp, they decided to write their own tcp from scratch on top of udp

So this is performance-wise probably not different than TCP is it? lol

computation performance is indeed not much different, if anything TCP is computationally faster/simpler

one of the main advantages though is the elimination of head of line blocking that tcp suffers from

in tcp, every single packet has a sequence number, if a packet gets lots the sequence number gets broken, and tcp requests the resending of the missing packets in the sequence, but it cannot continue operating until the sequence is restored

in quic, every packet has a sequence number and a separate channel number on the app level, and the app iself handles it, and if a packet gets lost, quic requests the resending of the missing packet in the sequence of that specific channel, while that channel is waiting to have its sequence restored, other channels can continue operating freely

in the context of web/http this is very impactful

when you have a website request 500 different resources on page load, you will notice the difference

👀 well hello Aurel

now imagine the gains if this was implemented on an operating system kernel level

just like TCP is

nginx still slacking and wont implement QUIC

he is using quic via nginx

I mean qwebsockets barely has working quic

its not easy

#development message

tf

so it does

not sure where i got that from then

i will go ahead and enable it later

ah its experimental thats why

you have to manually build nginx with it too

for what i know it could have a remote code execution bug

nah

its included in the binaries since 1.25

unless you're still stuck on stable

i am stuck on stable

mainline > stable

i like things to be stable in my life

have fun with your entire nginx server probably crashing if someone sends one wrong packet

:^)

mainline is not bad

its pretty well tested

dam
nroot@DE-01:/var/www/pterodactyl# nginx -v
nginx version: nginx/1.18.0 (Ubuntu)

nginx considers mainline to be more reliable than stable because stable does not receive all bug fixes, only the critical ones

fine ill get mainline

:^)

there we go

lol

just get 1.27

ezpz

guys does this chart look fine https://requests.mcjars.app/?year=2024&month=7&view=all-types&type=VANILLA&version=1.21

hi

my buttons look restarted

how can i make them look better lmao

You have way too many

Imo This is really clean and simple

rewind to 0, play/pause, skip, stop

Nobody needs a now playing button

That's really all you need

Just display the now playing on the embed

Yuh this

interactions expire after 15min

Cant followup after that

Can't you edit the message after 15 minutes?

Nope! I just edit an embed every 5 seconds with a progress bar and time and the now playing track. If someone queues a new track or triggers the now playing command, I'll replace the interaction reference and start editing that.

Live track bars get this cool looping animation

Screen sizes on mobile make that all really not so fun though :(

Sounds cool

almost everything is open source for me

read the cellebrite phone unlocking tool and leak their exploits

but if the code is obfuscated it is hell

you need a debugger and be able to analyse the call stack otherwise youll have to manually go through each function and figure out if its just a decoy and if its useful for your purpose

and it can take days to map out functions otherwise

some people spent YEARS reverse-engineering an app lmaoo

I can't find any screenshots of what my buttons looked like since I have to fix my player still but imagine the buttons being two rows of 5
https://scs.twilightgamez.net/t7wXQ.png
⭐⏮️▶️⏸️⏭️
⏹️🔀🔇🔉🔊

old reaction button times

good times indeed

When the buttons weren't directly there, but were added to the message in order lol

which took agesss

Ima be real

buttons are ugly

based

Too large. Gib me smol buttons

Never understood why people enjoyed them

reactions are by far better

At least let us customize the style of the button more

its literally just css

Buttons are good for single action stuff, like confirmations or smth

Yooo imagine css modifying buttons

that would be pretty sick honestly.

Yea

I mean it'd be hard to handle

As allowing custom css could fuck up the style on mobile as well

responsive css is the bane of my existence

Im tempted to just use flutter for my VOD platform and make a web app later

or rather than css, more customization directly on the button, such as custom colors like how embeds support them

Yea

and sizing

Don't have anything against discord trying to keep everything "unified" with the bootstrap-like colors, but eh

with only like, 3 actual choices or so, dunno

or use a grid like format

couldn't be hard to allow us to use color codes

isnt this possible with rows?

It forms a grid sure

yuh

but it doesn't size well

getting flashbacks of them calculators done with buttons lol

Whenever I try to make buttons aligned or neatly in rows I use blank buttons that are disabled

Not the calculators

can make it uglier... but it works ish

and invisible chars too? or how do you "remove the text"

Im working on a new MMORPG bot

in rust

I have an example sec.

pain I see

Just code one in assembly already goddamnit

new ButtonBuilder()
        .setCustomId(revisedRandId())
        .setStyle('Secondary')
        .setLabel('\u200B')
        .setDisabled(true)

I actually have enjoyed using rust

Yeah invisible text, guessed so

Its become my most used language of 2024

yeye

hopefully I never have to do devops around anything rust pls

Its not that bad

https://pastes.dev/WkLZW71xop

this is pretty tame

as its literally just my main method

i wrote an interpreter in rust. the pattern matching really helped with that

yea

rust is beautiful for smth like that

Thing is, I've looked into rust a bit ago already

but having difficulties understanding what the code you sent does

only thing I can distinguish is some guild obtaining

env_logger is just a global logger

a lot of packages use it to log stuff, and env_logger helps with catching all those logs

dotenv loads stuff from a .env file

  let framework = poise::Framework::builder()
    .options(poise::FrameworkOptions {
      commands: vec![ping::ping()],
      event_handler: |ctx, event, framework, data| {
        Box::pin(event_handler(ctx, event, framework, data))
      },
      ..Default::default()
    })
    .setup(|ctx, _ready, framework| {
      Box::pin(async move {
        poise::builtins::register_in_guild(
          ctx,
          &framework.options().commands,
          serenity::GuildId::from(957867801119449109),
        )
        .await?;
        Ok(Data {})
      })
    })
    .build();

This is a bit of a mouth full, but essentially I am just registering the commands and event handler, and also registering the commands to discord while also returning Data

which Data is shared to everything

  let mut client = serenity::ClientBuilder::new(token, intents)
    .framework(framework)
    .await
    .expect("Error creating client");

  let manager = client.shard_manager.clone();

  tokio::spawn(async move {
    loop {
      sleep(Duration::from_secs(30)).await;

      let shard_runners = manager.runners.lock().await;

      for (id, runner) in shard_runners.iter() {
        info!(
          "Shard ID: {id} is {} with a latency of {:?}",
          runner.stage, runner.latency
        );
      }
    }
  });

  if let Err(why) = client.start_autosharded().await {
    error!("Client error: {why}");
  }

This initalizes a client using that framework and the token + intents I made earlier on.

Next I spawn a new async task that handles logging the state of the shards managed by the manager. Then I simply start it in autosharded mode

Thats basically it

..Default::default() btw is basically saying "For the rest of the possible parameters, use their defaults"

Hop!

Wo!

we dont need to give sayuri that much power

aurel, welcome back

wait until they add svgs

you can write raw svg yourself

it works as embed image url no?

I dont think so

I think SVG is an unsupported format

Only png, gif and jpeg

and possibly webp

ah, right

fuck.

still waiting for either apng or animated webp support

why don't they support svg

fuck gif, all my homies hate gif

SVG is too complicated ngl

but yk, css / svg can be security risks

since they execute in the client

yuh

and css can make web request via url

time to launch malware on people's pcs

through svg

fuck local storage

we making databases in css

oh for sure

css can make web requests

ez enough

no, local databases, on browser

calc(counter(somevar) * 10) imagine

Postgres is the kinda dB that probably does accept CSS as procedures language

the only thing holding back css from being turing complete is counter not working with calc

damn postgres is loud

Shut

content security policy meta tag:

I'm on phone

Blame google

you can do a lot of shit with css before/after pseudoselectors

yes

yeah, but the limit is where you'd need to some sort of incrementor

for example rotating stuff without getting the 360º -> 0º issue

💀

oh btw haku

did I tell you about my new MMORPG

I'm hoping to make it the most lit discord bot

https://brandondong.github.io/css-turing-machine/

uhhh

an mmorpg bot?

yuh

I know it sounds weird

but its going to be cool

promise

what is your billion dollar startup idea

the 3794785th billion dollar idea

Buy AI company stock

buy nvidia stocks

Well, vidcord is still in the works

but im at a financial problem now

Nvidia cant go up anymore, can it?

so I can't go further

No money

Thats why im hoping for this job to work out

Money = I can fund my wildly ambitious projects

"on this episode of sharktank..."

I would never go on sharktank

those mfs are dumb as hell

if i'm one of the sharks, will you come

No

Sorry

Its a scam show

😔

Only useful thing is the publicity

i would invest 1 dollar for 0.000001%

A lot of the products that got rejected became successfull from getting rejected

they got their air time

best of luck

i'm gonna watch you success

yeah, it's not about winning or losing, it's about making people know about your product

yuh

this code i saw on school today for the student management site

that's an ugly minification

looks about right

that's code i'd write

le-mao

😭

l'-mao
la mao
also falls into french category

limão

brazil mao

holy shit lmao

https://clownstrike.com

Lmaoo

xdoubt

I trust them as much as I trust a wet piece of paper to protect my snacks

me on my cozy kubuntu reading about friday apocalypse:

https://tenor.com/view/nere-cristiano-nere-cristiano-gif-22731841

me on my unstable intel 14th gen cpu that crashed 2 times this week already:

https://media.discordapp.net/attachments/1127710586692702208/1136472730749911110/attachment-1.gif

yknow, wooden fireplace doesn't sound like a bad idea if you turn off fire spreading

I see your wooden fireplace and I raise

I see your plastic fireplace and I raise

hey guys

has someone got a nice side project i can focus on this summer

kinda dry rn

open a summerhost

and make money

Hi, this might not be the best place to ask this but it fits as development. I am trying to get the video length of a video after uploading it. I tried creating a video element and putting a url that is created from the bytes as the source but upon doing videoElement.duration I got an undefined response. how can i do this and is there another way to go about this? Thanks

what's that

i am trying to do something with either:
python, java, haskell, js, ts, c++

A hosting provider, usually run by skids between the ages of 12 and 14 with the intention of creating a Minecraft host for no god-given reason. These usually use nulled WHMCS, free themes, Contabo nodes, and other shitty business practices. These companies usually do not last long, and go under after a month or two.

Essentially a hosting service only open for like 2-3 months during the summer

When does the summer start for you?

important: staff are unpaid

and taxes are evaded

well ofc

they are 12-14

The "founders" get all the money

and the staff get pennies if anything

staff get promises

"when we are big yall are getting a payout"

At most they get 2$ for their troubles

it did already

Oh

cool

i still gotta work tho

Dang 😔

but i am tryinna find a good programing gig to do

Anything paid or just something to pass time?

something to pass time, but might turn it to something apid or sum

well you could probably sell pterodactyl addons

I have been doing that for a few months and make 4 digits

How the hell

just make 4-5 addons and sell

done

I just provide some installation support and thats it

Time to research pterodactyl addons and how to make them

game engine

C++

enjoy

Oh god

Not waffle handing out that side quest again

💀

it'll def last you the summer

give a man an engine and he'll make a game
teach a man to make an engine and he'll never make anything

ong

better do it quick before the summerhosts die

Too much effort

dam

💀

I know some guys who made 30k+

but with themes though

wtf

is themes?

like themes for the panel?

yes

People pay thousands to spruce up the panel?

yes

hosts do

Why the fuck

Just use the normal panel

looks shit + cheap

any 12$ theme will improve the rep of your host

just how it is

player: !include player.yml
weapons: !include weapons.yml
something:
  h: "Hello, World"

Tell me why I thought this would be a good idea

I assume !include is self explanatory

problem is reflecting this in rust has been a PAIN

man, working with protobuf without a proto file is such pain

a sequence of bytes can be an object of keys and values, but it can also be an array of 1 key and multiple values, but it can also be a nested array

and it can also be a string

and there is no way to know what it is, have to parse all possibilities lol

Is that allowed on top.gg? Its literal Botghost just a bit different

So long as it follows the guidelines its a-okay

you can submit botghost bots to top.gg afaik

you just have to write some of your own custom commands

#[derive(Deserialize, Serialize, Debug, Iterable)]
struct TaggedConfig {
  player: TaggedValue,
  something: HashMap<String, String>,
}

#[derive(Deserialize, Serialize, Debug)]
pub struct PlayerStats {
  pub strength: i32,
  pub intelligence: i32,
  pub vitality: i32,
  pub dexterity: i32,
}

#[derive(Deserialize, Serialize, Debug)]
pub struct PlayerConfig {
  pub stats: PlayerStats
}

#[derive(Deserialize, Serialize, Debug)]
pub struct Something {
  pub h: String
}

#[derive(Deserialize, Serialize, Debug)]
pub struct Config {
  player: PlayerConfig,
  something: Something
}

I currently hate myself

This is how I have to fucking do it

Basically having to expand the entire fucking thing

and model out the entire yml file I am trying to "include"

it's better if you compress all attributes into a single i64 column

what are some ways to work around webhook token expirations

webhooks expire? That's new to me

Interaction webhook token

ohh

make your own proto file

i need to get into these hustles and doing them full time

traditional employment simply isnt for me

cba to run around the company hoops just to get some money

I mean im 100% not gonna go into software engineering

I will probably go on the hardware side

I hate programming things I didnt plan myself

same here most of the time

but if a gig pays well and its reasonably interesting i dont mind

yeah I only do commissions for 150€+

cant be making an entire website and bot combo for an "entrepreneur with an amazing idea that probably isnt even 18 yet" for $10

why are people still doing nft scams

@dense flame

your nft is absolutely worthless if it has no transactions or reputation

your nft is absolutely worthless if it has no transactions or reputation

fixed

remove "your" too

true

unless your nft is a famous painting from a dead rennaiscence artist it's worth jackshit

actually its not an nft its a cryptocurrency

which makes this even more confusing

what are you airdropping

exactly

what even is airdrop

Another one, crazy

kekw

@harsh nova

stop evading tazes and do your job

Thank you

appreciated

Hm?

a single i64 field can hold up to 8 individual 255-max values

I doubt anyone would ever get close to that limit even if dumping all points in a single stat

if you want a bigger limit then u can use 2 bytes for 65535 max, but 4 individual attributes

it's more efficient than using individual integer fields

Im not sure how that works

FF FF FF FF FF FF FF FF this is your bigint in hex notation

each FF pair can represent up to 255

you use bitwise to retrieve the pair you want

press F to pay respects

(value >> (pair_index * 16)) & 0xFF

https://media.discordapp.net/attachments/1127710586692702208/1136472730749911110/attachment-1.gif

Press 15 to pay respects

wtf does this mean

"shift value to the right by pair_index * 8 bits and keep only the first 16 bits"

bitfields are cool

what is pair_index

what im looking for?

like an array index

Ok

0 would get u the first 16 bits pair

1 would get the second 16 bits pair

thats interesting

and * 8 is the bits you are getting right?

or more so, how many bits

oh, mb, should've been 16

but yes

ah so * 16 instead

you multiply the index by how many bits you want to jump

what is & 0xFF

i really dont like using hex notation tho, i rather do & 255 than & 0xFF lmao

1111 1111 1111 1111

but in hex

Why

a F is a byte

oh wait lul

a F is half a byte

if you wanna be extra kinky, you can also do 0o377

:^)

is that octal numbers

yup

why is there even an octal notation

because people might want to use octal

because french people are weird

they use octets

:^)

They use 0 - 7 rather 0 - 9?

nah its a joke

but they do call them octets in computing

oh

I was about to say

they dont say bytes, they say octets

because its 8 bits

octal is also mostly just a carryover from computers with different word sizes no

but then everyone was like hey let's use 8 bit words

Anyways, I don't know if I want to use that bitstuff so ima just use individual fields

Octal became widely used in computing when systems such as the UNIVAC 1050, PDP-8, ICL 1900 and IBM mainframes employed 6-bit, 12-bit, 24-bit or 36-bit words. Octal was an ideal abbreviation of binary for these machines because their word size is divisible by three (each octal digit represents three binary digits). So two, four, eight or twelve digits could concisely display an entire machine word. It also cut costs by allowing Nixie tubes, seven-segment displays, and calculators to be used for the operator consoles, where binary displays were too complex to use, decimal displays needed complex hardware to convert radices, and hexadecimal displays needed to display more numerals.

Rather not have to think about which stat is where

💀

Lest I give them 30,000 strength when in reality they have 30,000 intelligence (might be a mage build)

you can make wrappers to retrieve the values and keep it pretty transparent