Message Jar message web app

I made so that it displays a message when an an error happens. I also fixed a obscure bug that only happens on mobile (at least during my testing).

I added notifications! Now you get a system notification when you get a new message, although they are not push notifications. I also fixed a huge bug in the api that I made while trying to fix a small bug (oops) and made so that errors are flashed instead of displaying an HTTP error page.

I added some improvements for messaging. New messages are highlighted and the browser tab changes its title if it is in the background. I also added some rounding to to messages and moved to a new font.

I added docker support so that other people can self-host easier. This was my first time using docker and it was enjoyable, besides the fact that docker-compose takes forever on my laptop. I also fixed an api bug.

I did a bunch of things, but for many of them I did have hackatime enabled and so I only have 45 min. I added a “Your rooms” button for clarity. I added some password validation and fixed some bugs with the invite links. I also added admin management commands. Now you can use /add-admin and /remove-admin to allow people other than the creator to be privileged enough to do things like delete or clear the jar. I also improved logging.

I added CSRF protection which was something that I was looking up against. However, it was surprisingly simple. I also added a light mode/dark mode toggle. It took a surprising amount of time, but I am satisfied with it now. I also updated the documentation and removed the lobby jar (room). The lobby was a remnant of the original mono-room design, and it took too much hacky code to keep, so now that I have made invite links, I removed it. Here are two screen shots of the new dark/light mode button:

I added a /clear command so that admins can remove all messages from a room. I also improved how the site looks for mobile users (thanks gemini lol). Some buttons, such as the logout and delete token buttons are now handled by POST requests, and the “Your api tokens” page now has a “click to copy token” button. Last, but not least, I fixed the icon in dark mode by using an inline svg and added a favicon to the messagejar.pythonanywhere.com site.

I added a dark mode, improved the log in redirect and fixed time zone handling. Now the server always sends UTC time and the client converts it. I also implemented dark mode, which was something that was on my list. Can you see where I got the colors from? :P

I added a big feature that I am rather excited for: Invite links! Now people can join your jars without you having to manually add them. You generate a link, share it anywhere you would like, and anybody with an account can join your room. You create them by navigating to your user page by clicking your username. Then you select a room and write out a little message on who the link is for (only you can see this message). Then copy the new link and viola! Here is the demo link.

I fixed the tests and added an user/exists endpoint so that applications can detect whether a user is logging in or creating an account. I don’t think this will become a problem or a enumeration vulnerability since people could already find valid usernames with the slash commands. Also, every api endpoint is rate-limited and user/* ones more strictly so. I also fixed some bugs concerning invalid room names. Now you cannot make a room with a slash in the name and names with special characters such as quotes are handled properly. The smallest changes, however, are the ones that are easily screen shotted. Here is my new styling for the room links (the orange one is being hovered over) and the flashed messages:

I made it look a lot better with some help from Gemini because I don’t really know CSS. It looks like a real site now!

I added rate limiting and API versioning. I also made so that you cannot add empty messages to a jar. The rate limiting was not too hard to do, but getting it deployed was. I started by using memcached and got it compiled on the pythonanywhere servers, but it could not connect for various reasons. I tried to use an external memcached server, but I could not get authentication to it to work with Flask-Limiter. Then I found the python package redislite. After a lot of fiddling around with unix domain sockets and testing the wrong endpoints, I got it to work! Also kinda funny that you can see pythonanywhere’s jinja templates failing in the screen shot.

I just added a retype password check to the sign up and change password screens. This is a rather small feature, but as I tested it and changed my password, I saw that it was not validating that the two new passwords were the same. Then I realized that it was not validating the new password at all, so someone could change their password to None (or whatever None hashed is) and so lock themselves out. 🤦Oh well; It’s fixed now.