In recent git versions, git restore is supposed to be a "better" way to revert undesired local changes than the overloaded checkout. Great, that sounds reasonable - a nice simple purpose-built tool for a common operation.

If the chicken must come before the egg, where do you put the chicken?

If the chicken must come before the egg, where do you put the chicken?

Since nobody provided a wire capture, here's one.

The rest of the URL (/path/?some=parameters&go=here) has no business being inside ClientHello since the request URL is a HTTP thing (OSI Layer 7), therefore it will never show up in a TLS handshake (Layer 4 or 5). That will come later on in a GET /path/?some=parameters&go=here HTTP/1.1 HTTP request, AFTER the secure TLS channel is established.

It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.

users/me feels like a bad idea because REST prefers to have one url per resource. You will then have: users/me users/123myId Which point to the same resource.

If you work with hateos better supply a link to your own resource.

Why do so many businesses share their data openly, for free? Most often, the answer is scale. As companies grow, the staff within those companies realize they have more ideas than they have the time and resources to develop them. It’s typically easier to work with other external companies that specialize in these ideas than build them in-house. By creating APIs, a company allows third-party developers to build applications that improve adoption and usage of its platform. That way, a business can build an ecosystem that becomes dependent on the data from their API, which often leads to additional revenue opportunities.

Clients interact with a service by exchanging representations of resources.

A primary advantage of REST over HTTP is that it uses open standards, and does not bind the implementation of the API or the client applications to any specific implementation.

I would say you have one API with 3 endpoints

:"signed_up_but_#{resource.inactive_message}"

The first Mr. DRILLER game for the Nintendo Switch™ featuring updated graphics and HD cutscenes!

Impersonation is a security concept implemented in Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects.

before_action -> { doorkeeper_authorize! :public }, only: :index

Grape API

Looking SO good. Will do a final check and merge when I get home. Meanwhile it seems addressing most of houndci comments and waiting for a green CI will be enough! Thanks for your hard and good work.

This leads to an override of the controller as well

What you're actually trying to do is to have the exact same behaviour that native Devise implementation but on an Engine via API

I know that Devise offers these capabilities, but it's hard to make out how to do it without hitting their preconfigured (view?) routes.

inline(:C)

user = User.new(password: "あ" * 25) # 25 characters, 75 bytes

Because they follow this specification, most authoritative DNS servers won't allow you to include CNAME records at the root. At CloudFlare, we decided to let our users include a CNAME at the root even though we knew it violated the DNS specification. And that worked, most of the time. Unfortunately, there were a handful of edge cases that caused all sorts of problems.

The Inflexibility of DNS Traditionally, the root record of a domain needed to point to an IP address (known as an A -- for "address" -- Record). While it may not seem like a big deal, tying a service to an IP address can be extremely limiting.

Let Docker manage the storage of your database data by writing the database files to disk on the host system using its own internal volume management. This is the default and is easy and fairly transparent to the user. The downside is that the files may be hard to locate for tools and applications that run directly on the host system, i.e. outside containers. Create a data directory on the host system (outside the container) and mount this to a directory visible from inside the container. This places the database files in a known location on the host system, and makes it easy for tools and applications on the host system to access the files. The downside is that the user needs to make sure that the directory exists, and that e.g. directory permissions and other security mechanisms on the host system are set up correctly.

Generally speaking, privilege escalation means getting more rights in the system than you already have.

Problem details for HTTP APIs HTTP status codes are sometimes not sufficient to convey enough information about an error to be helpful. The RFC 7807 defines simple JSON and XML document formats to inform the client about a problem in a HTTP API. It's a great start point for reporting errors in your API. It also defines the application/problem+json and application/problem+xml media types.

Michael Kropat put together a set of decision charts that helps determine the best status code for each situation. See the following for 4xx status codes:

HTTP is an extensible protocol and 422 is registered in IANA, which makes it a standard status code. So nothing stops you from using 422 in your application. And since June 2022, 422 is defined in the RFC 9110, which is the document that currently defines the semantics of the HTTP protocol:

HTTP 400 is the right status code for your case from REST perspective as its syntactically incorrect to send sales_tax instead of tax, though its a valid JSON.

Ideal Scenario for 422: In an ideal world, 422 is preferred and generally acceptable to send as response if the server understands the content type of the request entity and the syntax of the request entity is correct but was unable to process the data because its semantically erroneous.

Exactly my thoughts on the matter! I'm coming from XML SOAP background and concept of schema just got into my blood and JSON documents rather don't announce their schema. To me it's whether server "understands" the request or not. If server doesn't know what "sales_tax" is then it's simply 400: "I have no idea what you sent me but definitely not what I want.".

As I said above, the deciding factor is what is meant by syntax. If the request was sent with a Content Type of application/json, then yes, the request is syntactically valid because it's valid JSON syntax, but not semantically valid, since it doesn't match what's expected. (assuming a strict definition of what makes the request in question semantically valid or not). If, on the other hand, the request was sent with a more specific custom Content Type like application/vnd.mycorp.mydatatype+json that, perhaps, specifies exactly what fields are expected, then I would say that the request could easily be syntactically invalid, hence the 400 response.

Just because the code is described as part of the WebDAV spec doesn't mean it's WebDAV-specific! Status codes are supposed to be generic.

Missing field can be a field that has not been sent and that's clearly a 400 to me, because the app cannot understand this payload, it violates the contract. IMHO, 400 suits better to not well-formed JSON, JSON that has different key names (contract violation) and JSON that one or more of the field(s) contents is from another type, let's say, you expect a int and got an object. Even not null constraint can be in both status codes, 400 if field not sent at all (and most frameworks understands it as null), and 422 if sent but with null value.

Just let me get this straight, is RFC 7231 the latest? If so, there is no mention of 422 in there so does that mean it's now obsolete?

I rolled back your edit because the double negative was very deliberate - I explicitly would not claim correctness, just lack of clear incorrectness

Your answer (422) makes sense to me. This is also what Rails (respond_with) uses when a resource couldn't be processed because of validation errors.

15.5.21. 422 Unprocessable Content The 422 (Unprocessable Content) status code indicates that the server understands the content type of the request content (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request content is correct, but it was unable to process the contained instructions. For example, this status code can be sent if an XML request content contains well-formed (i.e., syntactically correct), but semantically erroneous XML instructions.

Cook Mode Prevent your screen from going dark

Is there anyway around the 1 yr limit ? I have been a google user for 10+ years and recently was going to move from Australia to America and as such updated my location. The move however didnt work out and now back in Australia I am unable to access many of the local apps due to my location being locked to the US.

For those who wish to conceal their location from Google, keep in mind that you use Google services under license agreement. That’s a contract. Google is within their legal rights to know under which country’s laws that agreement is being made. Google is liable for honoring each country’s laws.

Google claims: “We associate your Google Account with a country (or region) so that we can better provide our services to you.” I call 100% smelly bug-ridden B.S. This is obviously some crap written by their nasty lawyers to protect Google’s well-exposed and ugly backside. Google couldn’t give a rat’s ass about any of us. They’ve made that clear by their actions time and time again.

For example, when the user is logging in and we get back an OTP_REQUIRED error code, we can prompt the user for their TOTP using a friendly UI. But if we receive the OTP_INVALID error code, we can display an error message instead.

Why the 2 separate steps for this? Simple: to make things easier on the front-end side of things. Sending 2 different error codes, one for when the OTP is required but missing, and one where the OTP was provided but invalid, allows us to adjust our login UI accordingly.

We're going to define a has-many relationship for a user's second factors, to be able to support multiple second factor types, e.g. TOTP, backup codes, or hardware keys.

But first, an important note — friends don't let friends use SMS 2FA.

Passkeys Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins

User Experience The user experience will be familiar and consistent across many of the user’s devices – a simple verification of their fingerprint or face, or a device PIN, the same simple action that consumers take multiple times each day to unlock their devices.

Also, service providers can offer passkeys without needing passwords as an alternative sign-in or account recovery method.

When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password.

Twenty-eight (28) days after you enable 2FA, you’ll be asked to perform a 2FA check-up while using GitHub.com, which validates that your 2FA setup is working correctly. Previously signed-in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors during onboarding.

The strongest methods widely available are those that support the WebAuthn secure authentication standard. These methods include physical security keys, as well as personal devices that support technologies, such as Windows Hello or Face ID/Touch ID.

We strongly recommend the use of security keys and TOTPs wherever possible. SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B.

We now take an opinionated stance on which second factor you should set up first – you'll no longer be asked to choose between SMS or setting up an authenticator app (known as TOTP), and instead see the TOTP setup screen immediately when first setting up 2FA.

The problem with using SMS-2FA to mitigate this problem is that there’s no reason to think that after entering their credentials, they would not also enter any OTP.

I assume anyone interested in this topic already knows how phishing works, so I’ll spare you the introduction. If a phishing attack successfully collects a victim's credentials, then the user must have incorrectly concluded that the site they’re using is authentic.

discussions about SMS-2FA get heated very quickly. I've found that SMS-2FA deployment or advocacy has been a major professional project for some people, and they take questioning it's efficacy personally

Here are the main arguments I’ve heard for SMS 2FA: SMS 2FA can prevent phishing. SMS 2FA can’t prevent phishing, but it can prevent “credential stuffing”. We have data proving that SMS 2FA is effective. I’ll cover some other weaker arguments I’ve heard too, but these are the important ones.

I believe that SMS 2FA is wholly ineffective, and advocating for it is harmful.

Unique Passwords and U2F are not perfect, but they are good. Unique Passwords reduce the impact of phishing, but can’t eliminate it. U2F doesn’t prevent malware, but does prevent phishing.

This argument only works if what you’re defending is good. As I’ve already explained, SMS-2FA is not good.

Don’t let the perfect be the enemy of the good. Seat belts aren’t perfect either, do you argue we shouldn’t wear them? Etc, etc. This argument only works if what you’re defending is good. As I’ve already explained, SMS-2FA is not good.

If you also want to eliminate phishing, you have two excellent options. You can either educate your users on how to use a password manager, or deploy U2F, FIDO2, WebAuthn, etc. This can be done with hardware tokens or a smartphone.

You are currently allowing your users to choose their own password, and many of them are using the same password they use on other services. There is no other possible way your users are vulnerable to credential stuffing.

If you use a third party password manager, you might not realize that modern browsers have password management built in with a beautiful UX. Frankly, it’s harder to not use it.

If you’re a security conscious user... You don’t need SMS-2FA. You can use unique passwords, this makes you immune to credential stuffing and reduces the impact of phishing. If you use the password manager built in to modern browsers, it can effectively eliminate phishing as well.

We have a finite pool of good will with which we can advocate for the implementation of new security technologies. If we spend all that good will on irritating attackers, then by the time we’re ready to actually implement a solution, developers are not going to be interested.

t’s important to emphasise that if you don’t reuse passwords, you are literally immune to credential stuffing.

build something in/into something phrasal verb with build verb

You can also find the combination verb+in+to, but in that case you're usually dealing with a phrasal verb consisting of a verb and the particle "in", which happens to be followed by the preposition "to".They wouldn't give in to our demands.

"Built in to" appears when you use the phrasal verb "build in" followed by an infinitive, but that is not what you are trying to do in your sentence.There's an electronic switch built in to stop all data transfers.

The house, of course, is not doing the agreeing; Cooper is! Because of the distance between Cooper and the participle phrase that describes him, the comma is necessary.

A present participle phrase will always act as an adjective while a gerund phrase will always behave as a noun.

So in your example, you would not use a hyphen: "You can use the types [that are] built in to the library."

How can this be called an adjective? The postmodifier here is a participle phrase, 'built into the library'.

take off, should also be counted as a (multi-word) verb.

Using a hyphen is the wrongest thing to do here.

Unfortunately all SMS/voice gateway are owned by paid services, thus there is no such thing as open-source, that I can recommend.

Fortunately, we found RingCaptcha (https://ringcaptcha.com), which has a the 'starter plan' that offers free 500 OTP monthly. Just a small plug for them for providing freemium service; they are highly reliable because they are integrated with all major global, and regional providers, e.g., Twilio, Nexmo, Infobip, MessageBird, etc., and send your OTP through the best provider/route based on country/phone carrier, and can auto fallback to alternative paths. This means you just need to integrate with RingCaptcha, without the headache of deciding which SMS/voice OTP provider has best combination of price and reliability, which is a real headache when you are sending OTP world-wide.

the issues I've always had with it: No support. As in, no one in Google's support organization has any clue about what this app does. No support group discussions as far as I can tell ("Smart Lock" is too generic to really find anything). That's not surprising, because while I've figured out how it works/what it does in my use case, there's really no clear documentation on it - like what it even does, really.

No support group discussions as far as I can tell ("Smart Lock" is too generic to really find anything).

like the one in the picture.

{{#discriminator.mappedModels}} {{#-first}} {{#vendorExtensions.x-useDeduction}} @JsonTypeInfo(use = JsonTypeInfo.Id.DEDUCTION) {{/vendorExtensions.x-useDeduction}} {{^vendorExtensions.x-useDeduction}}

Most platforms that require OTP verification for ensuring security are targeted at the mobile phone only. But some payment gaterways send OTP to email address also simultaneously to doubly ensure that you get the OTP and that you have requested the OTP. There could be some delay in SMS or email reaching you. Many OTPs are time restricted - you have to use them quickly.

It is a law of nature that our thoughts and feelings are encouraged and strengthened as we give them utterance. While words express thoughts, it is also true that thoughts follow words. If we would give more expression to our faith, rejoice more in the blessings that we know we have,—the great mercy and love of God,—we should have more faith and greater joy. No tongue can express, no finite mind can conceive, the blessing that results from appreciating the goodness and love of God. Even on earth we may have joy as a wellspring, never failing, because fed by the streams that flow from the throne of God.

It is also used to migrate existing clients using direct authentication schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

Double quotes for string literals - because pre-committing to whether you'll need interpolation in a string slows people down

Another option would be to implement a delay scheme to avoid a brute force attack. After each failed attempt A, the authentication server would wait for an increased T*A number of seconds, e.g., say T = 5, then after 1 attempt, the server waits for 5 seconds, at the second failed attempt, it waits for 5*2 = 10 seconds, etc.

The reason for masking the most significant bit of P is to avoid confusion about signed vs. unsigned modulo computations. Different processors perform these operations differently, and masking out the signed bit removes all ambiguity.

The lack of interoperability among hardware and software technology vendors has been a limiting factor in the adoption of two-factor authentication technology. In particular, the absence of open specifications has led to solutions where hardware and software components are tightly coupled through proprietary technology, resulting in high-cost solutions, poor adoption, and limited innovation.

Protocols are, by their very nature, open. If you can't read the protocol specification then you can't very well implement it, can you?

As others pointed out, OATH's claims of "open source" have little meaning when compared to other authentication protocols such as SAML. When you include the entire Liberty Alliance specifications as well as the Web Services Initiative protocols and methods (as devised by Microsoft and IBM) there's nary a proprietary bit of code involved. Actually, there's no code involved at all. Protocols are, by their very nature, open. If you can't read the protocol specification then you can't very well implement it, can you?

the output is 20 bytes, and so the last byte is byte 19 (0-origin).

It is suggested that verification be locked out after a small number of failed attempts or that each failed attempt attracts an additional (linearly increasing) delay.

One-time passwords are generated on demand by a dedicated OATH OTP authenticator that encapsulates a secret that was previously shared with the verifier. Using the authenticator, the claimant generates an OTP using a cryptographic method. The verifier also generates an OTP using the same cryptographic method. If the two OTP values match, the verifier can conclude that the claimant possesses the shared secret.

We believe that being open source is one of the most important features of Bitwarden. Source code transparency is an absolute requirement for security solutions like Bitwarden.

But getting codes by phone turns out not to be not very secure at all. A vulnerability in SMS messaging is that crooks can reroute text messages(Opens in a new window).

Unlike the other apps listed here, Authy requires your phone number when you first set it up. We're not fans of this requirement, since we’d rather have the app consider our phones to be anonymous pieces of hardware; and some have suggested that requiring a phone number opens the app up to SIM-card-swap fraud.

2FAS doesn't need your phone number or even require you to create an online account, so it's not susceptible to SIM-swapping fraud.

The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.

The authors believe that a common and shared algorithm will facilitate adoption of two-factor authentication on the Internet by enabling interoperability across commercial and open-source implementations.

Businesses can send message templates to up to 250 unique customers in a rolling 24-hour period

On my ZE620KL nothing worked, many tries, I waited a few days and it didn't work. Even changing the rom for an official Asus rom (without root) the app kept saying that the device is not safe. It only started to allow contactless payment after relocking the bootloader. I believe that in my case, gpay did not work by detecting the unlocked bootloader. Edit The device passed all tests, safenet, Google protect, basic, CTS (with root). but it still only worked after relocking the bootloader

Our test raises an ActiveRecord::RecordNotFound exception. We know that Rails has special handling to return a 404 status code in this case. However, the request spec still raises the exception.

Finding good names is quite difficult. Single words are also almost always better than combined names, even though one is a bit limited with single words alone. There are exceptions though. For example .each_with_index or .each_index are good names, IMO.

And, my kids learned all about the inner workings of the car in areas that are usually hidden. This was an exhilarating accomplishment, and a triumph of a homeschool project. I hope to do more with the kids over the years so that they have practical life skills, and I encourage other parents to work with their children to fix the family car.

I am not a mechanic, but I like to dabble in fixing whatever is at hand, especially when it saves our family money.

Why is it, then, that although publicly is far more common as the adverbial form of public than publically, the ratio of usage has diminished? Publically is becoming more common for the same reason that people write irregardless in place of regardless or write “diffuse the situation” instead of “defuse the situation” or “all of the sudden” rather than “all of a sudden”: evolution. Language is, in a sense, alive, and just as life itself evolves, so does language—but note that the primary definition of evolution is not “improvement”; it simply means “change.” And how does language change? The change is modeled: New words are coined, or new senses of existing words develop (or new spellings or new forms occur), because someone, somewhere acts to make it so, and the evolution goes viral.

First, dictionaries are not arbiters of highly literate writing; they merely document usage. For example, irregardless has an entry in many dictionaries, even though any self-respecting writer will avoid using it—except, perhaps, in dialogue to signal that a speaker uses nonstandard language, because that is exactly how some dictionaries characterize the word. Yes, it has a place in dictionaries; regardless of that fact, its superfluous prefix renders it an improper term.

Washington wallet-sized birth registration cards aren’t accepted

Ultra-high frequencies typically offer better range

Does the EDL/EID card transmit my personal information? No. The RFID tag embedded in your card doesn't contain any personal identifying information, just a unique reference number.

Our transactional and marketing email services allow you to send emails effortlessly.

With comprehensive drag-and-drop email builders like Mailgun's Drag-and-Drop Template Builder, or a responsive email language like MJML, you can create and change up your email marketing campaigns with ease

Code your own template with HTML, or use our markup language MJML, the only framework that makes creating responsive designs easy.

Send me the Mailjet newsletter. I expressly agree to receive the newsletter and know that I can easily unsubscribe at any time.

What are transactional emails? Typically any email that is triggered by or sent automatically from your application.

Welcome emails Actionable emails Password resets Receipts Monthly invoices Support requests App error alerts Reminders etc.

for instance, when the recipient’s address is full (a soft bounce: just wait and re-send) or worst, when it’s non-existent (a hard bounce: you need to remove the account from your list)

Don't be a lump on a log. See an issue? Have a suggestion? Want to help? Well git in there!