Since using case insensitivity is so widespread, take their sign up email address and make it lower case. Whenever they try to log in, convert that to lowercase as well, for comparison purposes, when you go to see if the user exists. As far as sign up and sign in go, do a case insensitive comparison. If the person signs up as Steve@example.com, you'll still want to allow them to sign in later with steve@example.com or sTeVE@example.com.

But you should also keep track of the email address that they signed up with in a case sensitive fashion. Any time you send an email to them, be sure to send it with that original casing. This allows the email server to handle it however it feels like it needs to. So even though the person may always be signing in to your site with steve@example.com, if they signed up as Steve@example.com, you'll always send email to Steve@example.com, just to be safe.

Some day, the de facto standard and the official standard will hopefully be the same. It's too bad we have to deal with this issue at all.

The de facto standard is to treat local mailboxes as case insensitive, but the official standard says case matters (though even the official standard mentions the de facto standard).

Gmail does something similar. You can register an email address with a . in it and Gmail just ignores that for its internal email address. So you can get Firstname.Surname@gmail.com and that's effectively the same email address as FirstnameSurname@gmail.com. Back in 2004 when Gmail launched, I found this to be an especially user friendly feature of their email service

So yes, the part before the "@" could be case-sensitive, since it is entirely under the control of the host system. In practice though, no widely used mail systems distinguish different addresses based on case.

In short, you are safe to treat email addresses as case-insensitive.

Since the case sensitivity of email addresses can create confusion and delivery problems, most email providers and clients either fix the case if the email address is entered in the wrong case, or they ignore upper-case entries. Not many email services or ISPs enforce case-sensitive email addresses.

This ensures that GetResponse and our customers comply with Anti-Spam laws.

An example of how to toggle tracking on a per-message basis. Note the o:tracking option. This will disable link rewriting for this message:

You can diminish the size of the journal by means of these commands: sudo journalctl --vacuum-size=100M This will retain the most recent 100M of data. sudo journalctl --vacuum-time=10d will delete everything but the last 10 days.

ISO 8601 specifies the use of uppercase letter T to separate the date and time. PostgreSQL accepts that format on input, but on output it uses a space rather than T, as shown above. This is for readability and for consistency with RFC 3339 as well as some other database systems.

Stop to think about "normal app" as like desktop app. Android isn't a desktop platform, there is no such this. A "normal" mobile app let the system control the lifecycle, not the dev. The system expect that, the users expect that. All you need to do is change your mindset and learn how to build on it. Don't try to clone a desktop app on mobile. Everything is completely different including UI/UX.

lso, really look closely into SignalR, as the Android and iOS clients aren't... uhm... great

Entropy is not a property of the string you got, but of the strings you could have obtained instead. In other words, it qualifies the process by which the string was generated.

The credentials should only be used when there is a high degree of trust between the resource owner and the client (e.g., the client is part of the device operating system or a highly privileged application)

Have you seen mobile phone lock screens where the user is required to draw a specific pattern onto a grid of dots? How about the Windows 8 picture password feature? These are examples of behavior-based authentication factors.

“Multi-factor authentication needs multi-factor enrollment,” noted Taku. It shouldn’t have been possible to enroll just using a stolen password. He listed numerous possibilities, among them credentials handed out in person, a one-time password, or a PIN sent to the employee’s registered email or mobile.

I'd like to discuss over a PR.

The 409 (Conflict) or 415 (Unsupported Media Type) status codes are suggested

If the target resource does not have a current representation and the PUT successfully creates one, then the origin server MUST inform the user agent by sending a 201 (Created) response. If the target resource does have a current representation and that representation is successfully modified in accordance with the state of the enclosed representation, then the origin server MUST send either a 200 (OK) or a 204 (No Content) response to indicate successful completion of the request.

Whereas U2F only supports multi-factor mode, having been designed to strengthen existing username/password-based login flows, FIDO2 adds support for single-factor mode.

why not allow block forwarding without capturing: foo(&) foo(1, 2, &)

In particular, with AC connected, a battery with a charge level higher than the stop charge threshold will not be discharged to the stop charge threshold, nor will there be a (cyclic) discharge down to the start charge threshold

Limiting the maximum charge level to below 100%: stop charge threshold

There are three migration paths:

You can indeed prolong moderns Li-Ion batteries lifespan by keeping them at a lower charge. If you never ever use it disconnected, you should keep it at 40%. E.g. Uber driver cellphone always-on in travels. However for daily light usage, 60% is considered the 'sweet spot' for practicality, and 80% gives you more freedom. 100% is when the battery is at its peak 'stress' level, and thus wear faster.

Exposing the battery to high temperature and dwelling in a full state-of-charge for an extended time can be more stressful than cycling.

Discharges your battery until it reaches 80%, even when plugged in

This tool makes it possible to keep a chronically plugged in Apple Silicon Macbook at 80% battery, since that will prolong the longevity of the battery.

If you send links with a secret login token with email, then they should be single-use and expire rather quickly.

But you can not make the user send a POST requests from an email

Sorry, I can't agree with you. If someone issues a second code, they should have two potential logins - one for each one they requested. Call me weird, but considering how cheap it is to store data, I'd rather keep around exactly what happened.

If you implement this system using the user table you risk impatient users requesting a second code and them arriving out of order.

By default SMTP offers very little protection against interception. Traffic may be encrypted between servers but there are no guarantees.

email as a transmission mechanism isn't secure.

If the link can only be used once with a short expiry time and no info in the link can be used to derive secrets in the session it creates then you should be fine. Effectively, the link serves as an one-time password.

If so, then how is sending a link for password reset any more secure? Isn't logging-in using a magic link the same thing as sending a magic link for resetting a password?

À la carte can be now used figuratively to describe someone who picks some things out of a larger set, e.g., an à la carte Catholic who (conveniently) believes in some aspects of the religion, but not others. À la carte television refers to customers paying for just channels they want, rather they having to pay for a whole (cable) service.

Google allowed third parties to build their own Wave services (be it private or commercial) because it wanted the Wave protocol to replace the e-mail protocol.[2][16][17] Initially, Google was the only Wave service provider, but it was hoped that other service providers would launch their own Wave services, possibly designing their own unique web-based clients as is common with many email service providers.

You can do an Nth root by raising to a fractional power. For example, the 4th root of 625 is 5. (BigDecimal(625)**(1.0/4.0)).to_f # => 5.0

A given secret from an authenticator SHALL be used successfully only once.

For look-up secrets that have less than 64 bits of entropy, the verifier SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.

Similar to Base64, but modified to avoid both non-alphanumeric characters (+ and /) and letters that might look ambiguous when printed (0 – zero, I – capital i, O – capital o and l – lower-case L).

A variant of Base58 encoding which further sheds the lowercase 'i' and 'o' characters in order to minimise the risk of fraud and human-error.

a change in a weight of evidence of 1 deciban (i.e., a change in the odds from evens to about 5:4) is about as finely as humans can reasonably be expected to quantify their degree of belief in a hypothesis

average level of "information", "surprise", or "uncertainty"

the entropy of a random variable is the average level of "information", "surprise", or "uncertainty" inherent to the variable's possible outcomes

But in reality, what we witness is the emergent patterns from each individual starling simply doing it darndest not to collide with the starlings nearby.

Cloche Seven pieces of 10-foot ½-inch PVC pipe One piece of 10-foot roll galvanized plumbers' metal stripping to attach PVC to sideboards every 2 feet. 28 1-inch roofing nails

Using --ours did what I was after, just discarding the incoming cherry picked file. @Juan you're totally right about those warning messages needing to say what they did't do, not just why they didn't do it. And a bit more explanation that the ambiguity from the conflict needs to be resolved (by using --ours, etc) would be super helpful to this error message.

--ignore-unmerged When restoring files on the working tree from the index, do not abort the operation if there are unmerged entries and neither --ours, --theirs, --merge or --conflict is specified. Unmerged paths on the working tree are left alone. Holy smokes! I guess the git-ish fix for the user interface problem here will be to rename the option from --ignore-unmerged to --ignore-unmerged-except-in-cases-where-we-do-not-want-to-allow-that--consult-documentation-then-source-code-then-team-of-gurus-when-you-cannot-figure-it-out---and-wait-while-half-of-them-argue-about-why-it-is-right-as-is-while-the-other-half-advocate-adding-four-more-options-as-the-fix.

In recent git versions, git restore is supposed to be a "better" way to revert undesired local changes than the overloaded checkout. Great, that sounds reasonable - a nice simple purpose-built tool for a common operation.

If the chicken must come before the egg, where do you put the chicken?

If the chicken must come before the egg, where do you put the chicken?

Since nobody provided a wire capture, here's one.

The rest of the URL (/path/?some=parameters&go=here) has no business being inside ClientHello since the request URL is a HTTP thing (OSI Layer 7), therefore it will never show up in a TLS handshake (Layer 4 or 5). That will come later on in a GET /path/?some=parameters&go=here HTTP/1.1 HTTP request, AFTER the secure TLS channel is established.

It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS.

users/me feels like a bad idea because REST prefers to have one url per resource. You will then have: users/me users/123myId Which point to the same resource.

If you work with hateos better supply a link to your own resource.

Why do so many businesses share their data openly, for free? Most often, the answer is scale. As companies grow, the staff within those companies realize they have more ideas than they have the time and resources to develop them. It’s typically easier to work with other external companies that specialize in these ideas than build them in-house. By creating APIs, a company allows third-party developers to build applications that improve adoption and usage of its platform. That way, a business can build an ecosystem that becomes dependent on the data from their API, which often leads to additional revenue opportunities.

Clients interact with a service by exchanging representations of resources.

A primary advantage of REST over HTTP is that it uses open standards, and does not bind the implementation of the API or the client applications to any specific implementation.

I would say you have one API with 3 endpoints

:"signed_up_but_#{resource.inactive_message}"

The first Mr. DRILLER game for the Nintendo Switch™ featuring updated graphics and HD cutscenes!

Impersonation is a security concept implemented in Windows NT that allows a server application to temporarily "be" the client in terms of access to secure objects.

before_action -> { doorkeeper_authorize! :public }, only: :index

Grape API

Looking SO good. Will do a final check and merge when I get home. Meanwhile it seems addressing most of houndci comments and waiting for a green CI will be enough! Thanks for your hard and good work.

This leads to an override of the controller as well

What you're actually trying to do is to have the exact same behaviour that native Devise implementation but on an Engine via API

I know that Devise offers these capabilities, but it's hard to make out how to do it without hitting their preconfigured (view?) routes.

inline(:C)

user = User.new(password: "あ" * 25) # 25 characters, 75 bytes

Because they follow this specification, most authoritative DNS servers won't allow you to include CNAME records at the root. At CloudFlare, we decided to let our users include a CNAME at the root even though we knew it violated the DNS specification. And that worked, most of the time. Unfortunately, there were a handful of edge cases that caused all sorts of problems.

The Inflexibility of DNS Traditionally, the root record of a domain needed to point to an IP address (known as an A -- for "address" -- Record). While it may not seem like a big deal, tying a service to an IP address can be extremely limiting.

Let Docker manage the storage of your database data by writing the database files to disk on the host system using its own internal volume management. This is the default and is easy and fairly transparent to the user. The downside is that the files may be hard to locate for tools and applications that run directly on the host system, i.e. outside containers. Create a data directory on the host system (outside the container) and mount this to a directory visible from inside the container. This places the database files in a known location on the host system, and makes it easy for tools and applications on the host system to access the files. The downside is that the user needs to make sure that the directory exists, and that e.g. directory permissions and other security mechanisms on the host system are set up correctly.

Generally speaking, privilege escalation means getting more rights in the system than you already have.

Problem details for HTTP APIs HTTP status codes are sometimes not sufficient to convey enough information about an error to be helpful. The RFC 7807 defines simple JSON and XML document formats to inform the client about a problem in a HTTP API. It's a great start point for reporting errors in your API. It also defines the application/problem+json and application/problem+xml media types.

Michael Kropat put together a set of decision charts that helps determine the best status code for each situation. See the following for 4xx status codes:

HTTP is an extensible protocol and 422 is registered in IANA, which makes it a standard status code. So nothing stops you from using 422 in your application. And since June 2022, 422 is defined in the RFC 9110, which is the document that currently defines the semantics of the HTTP protocol:

HTTP 400 is the right status code for your case from REST perspective as its syntactically incorrect to send sales_tax instead of tax, though its a valid JSON.

Ideal Scenario for 422: In an ideal world, 422 is preferred and generally acceptable to send as response if the server understands the content type of the request entity and the syntax of the request entity is correct but was unable to process the data because its semantically erroneous.

Exactly my thoughts on the matter! I'm coming from XML SOAP background and concept of schema just got into my blood and JSON documents rather don't announce their schema. To me it's whether server "understands" the request or not. If server doesn't know what "sales_tax" is then it's simply 400: "I have no idea what you sent me but definitely not what I want.".

As I said above, the deciding factor is what is meant by syntax. If the request was sent with a Content Type of application/json, then yes, the request is syntactically valid because it's valid JSON syntax, but not semantically valid, since it doesn't match what's expected. (assuming a strict definition of what makes the request in question semantically valid or not). If, on the other hand, the request was sent with a more specific custom Content Type like application/vnd.mycorp.mydatatype+json that, perhaps, specifies exactly what fields are expected, then I would say that the request could easily be syntactically invalid, hence the 400 response.

Just because the code is described as part of the WebDAV spec doesn't mean it's WebDAV-specific! Status codes are supposed to be generic.

Missing field can be a field that has not been sent and that's clearly a 400 to me, because the app cannot understand this payload, it violates the contract. IMHO, 400 suits better to not well-formed JSON, JSON that has different key names (contract violation) and JSON that one or more of the field(s) contents is from another type, let's say, you expect a int and got an object. Even not null constraint can be in both status codes, 400 if field not sent at all (and most frameworks understands it as null), and 422 if sent but with null value.

Just let me get this straight, is RFC 7231 the latest? If so, there is no mention of 422 in there so does that mean it's now obsolete?

I rolled back your edit because the double negative was very deliberate - I explicitly would not claim correctness, just lack of clear incorrectness

Your answer (422) makes sense to me. This is also what Rails (respond_with) uses when a resource couldn't be processed because of validation errors.

15.5.21. 422 Unprocessable Content The 422 (Unprocessable Content) status code indicates that the server understands the content type of the request content (hence a 415 (Unsupported Media Type) status code is inappropriate), and the syntax of the request content is correct, but it was unable to process the contained instructions. For example, this status code can be sent if an XML request content contains well-formed (i.e., syntactically correct), but semantically erroneous XML instructions.

Cook Mode Prevent your screen from going dark

Is there anyway around the 1 yr limit ? I have been a google user for 10+ years and recently was going to move from Australia to America and as such updated my location. The move however didnt work out and now back in Australia I am unable to access many of the local apps due to my location being locked to the US.

For those who wish to conceal their location from Google, keep in mind that you use Google services under license agreement. That’s a contract. Google is within their legal rights to know under which country’s laws that agreement is being made. Google is liable for honoring each country’s laws.

Google claims: “We associate your Google Account with a country (or region) so that we can better provide our services to you.” I call 100% smelly bug-ridden B.S. This is obviously some crap written by their nasty lawyers to protect Google’s well-exposed and ugly backside. Google couldn’t give a rat’s ass about any of us. They’ve made that clear by their actions time and time again.

For example, when the user is logging in and we get back an OTP_REQUIRED error code, we can prompt the user for their TOTP using a friendly UI. But if we receive the OTP_INVALID error code, we can display an error message instead.

Why the 2 separate steps for this? Simple: to make things easier on the front-end side of things. Sending 2 different error codes, one for when the OTP is required but missing, and one where the OTP was provided but invalid, allows us to adjust our login UI accordingly.

We're going to define a has-many relationship for a user's second factors, to be able to support multiple second factor types, e.g. TOTP, backup codes, or hardware keys.

But first, an important note — friends don't let friends use SMS 2FA.

Passkeys Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins

User Experience The user experience will be familiar and consistent across many of the user’s devices – a simple verification of their fingerprint or face, or a device PIN, the same simple action that consumers take multiple times each day to unlock their devices.

Also, service providers can offer passkeys without needing passwords as an alternative sign-in or account recovery method.

When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password.

Twenty-eight (28) days after you enable 2FA, you’ll be asked to perform a 2FA check-up while using GitHub.com, which validates that your 2FA setup is working correctly. Previously signed-in users will be able to reconfigure 2FA if they have misconfigured or misplaced second factors during onboarding.

The strongest methods widely available are those that support the WebAuthn secure authentication standard. These methods include physical security keys, as well as personal devices that support technologies, such as Windows Hello or Face ID/Touch ID.

We strongly recommend the use of security keys and TOTPs wherever possible. SMS-based 2FA does not provide the same level of protection, and it is no longer recommended under NIST 800-63B.