gavhu10

I needed to have only one repo to simplify many things waves hand. First, I tried to make the pico-keys-sdk, which is a submodule of pico-fido, build by itself. This made sense because it had a main.c and an app_main function and I could not see how it interfaced with the main repo. However, ESP-IDF could not find the function. I fixed it with the help of many AI generated CMakeLists.txt files and other patches that led to more errors, but finally I got it to compile, although I moved almost every file in the process. The problem was that, although it would boot, it did not work as a security key. Then I realized that the thousands of lines of code in pico-fido probably did something, although what exactly they did was mysterious. Finally, I decided I would rather not deal with the obscure issues of ESP-IDF and Cmake and just made the pico-keys-sdk submodule a folder. The picture is a screenshot of the branch that I used in my first attempt.

I added a confirmation to the key firmware. It was hard, but really only because their is no keyboard driver for esp-idf and the cardputer. I also managed to crash firefox lots of times.

This project is build on the powerful pico-fido project, so if you manage to build it, the security key part is basically done. However, putting a gui on it is much harder. I managed to put something on the screen though; watch this place!

I added a new style. It took a lot of fine tuning, but now it looks like the for-the-badge style offered by shields.io.

I made so that it displays a message when an an error happens. I also fixed a obscure bug that only happens on mobile (at least during my testing).

I made so that the site creates it’s own demo counter. Now when you run flask init, then it will set itself up. I also put back the old graph theme.

I added a page to the site. The css is github-markdown-css by sindresorhus. 1200+ lines of css is probably overkill for 40 lines of html, but whatever.

I just spent a lot of time learning how to create a histogram. I wrote some code that separated the timestamps and counted them, and then slowly cut away chunks of redundant code until I had one line left that made the histogram. Live and learn I guess lol.

I made graphs! Now you can see how many times, and at what times, your site has been visited.

I added a bunch of configuration options and fixed the mime type. I had issues with github caching the icons, so the count on the readme might not be accurate, but I think I fixed it. I also wrote the readme. Check it out and add to the count!

I added the actual images part and ratelimiting. I used the anybadge project so that the project is entirely in python. I also added type hints to my functions.

I started to implement this project! I going to make this with astral’s tools, as I have not used them before.

I added notifications! Now you get a system notification when you get a new message, although they are not push notifications. I also fixed a huge bug in the api that I made while trying to fix a small bug (oops) and made so that errors are flashed instead of displaying an HTTP error page.

I improved the security of the requests. I thought I was already using https, but I was not. I did a bunch of small things like removing some things leftover from debugging and improving the time between message fetches. I also did another release. Since the things I did are not very photogenic, here are some code stats.

I added some improvements for messaging. New messages are highlighted and the browser tab changes its title if it is in the background. I also added some rounding to to messages and moved to a new font.

I added a logo that is displayed on boot! I think it looks nice, but the picture is a bit washed out.

I made so that the user no longer has to reboot in order to switch rooms. I also added the CD part of CI/CD (Continuous Delivery or Deployment) so that the firmware is built on push.

I added docker support so that other people can self-host easier. This was my first time using docker and it was enjoyable, besides the fact that docker-compose takes forever on my laptop. I also fixed an api bug.

I made so that when logging out, the token is deleted after asking the user. This took a while because of compile times. Here is the customary demo video:

I added user management so users do not need access to a browser to do things like signing up and logging in. I also published my first release on github! Here is a video demonstration of how it works:

I did a bunch of things, but for many of them I did have hackatime enabled and so I only have 45 min. I added a “Your rooms” button for clarity. I added some password validation and fixed some bugs with the invite links. I also added admin management commands. Now you can use /add-admin and /remove-admin to allow people other than the creator to be privileged enough to do things like delete or clear the jar. I also improved logging.

I added CSRF protection which was something that I was looking up against. However, it was surprisingly simple. I also added a light mode/dark mode toggle. It took a surprising amount of time, but I am satisfied with it now. I also updated the documentation and removed the lobby jar (room). The lobby was a remnant of the original mono-room design, and it took too much hacky code to keep, so now that I have made invite links, I removed it. Here are two screen shots of the new dark/light mode button:

I added a /clear command so that admins can remove all messages from a room. I also improved how the site looks for mobile users (thanks gemini lol). Some buttons, such as the logout and delete token buttons are now handled by POST requests, and the “Your api tokens” page now has a “click to copy token” button. Last, but not least, I fixed the icon in dark mode by using an inline svg and added a favicon to the messagejar.pythonanywhere.com site.

I added a dark mode, improved the log in redirect and fixed time zone handling. Now the server always sends UTC time and the client converts it. I also implemented dark mode, which was something that was on my list. Can you see where I got the colors from? :P

I added a big feature that I am rather excited for: Invite links! Now people can join your jars without you having to manually add them. You generate a link, share it anywhere you would like, and anybody with an account can join your room. You create them by navigating to your user page by clicking your username. Then you select a room and write out a little message on who the link is for (only you can see this message). Then copy the new link and viola! Here is the demo link.

I fixed the tests and added an user/exists endpoint so that applications can detect whether a user is logging in or creating an account. I don’t think this will become a problem or a enumeration vulnerability since people could already find valid usernames with the slash commands. Also, every api endpoint is rate-limited and user/* ones more strictly so. I also fixed some bugs concerning invalid room names. Now you cannot make a room with a slash in the name and names with special characters such as quotes are handled properly. The smallest changes, however, are the ones that are easily screen shotted. Here is my new styling for the room links (the orange one is being hovered over) and the flashed messages:

I made it look a lot better with some help from Gemini because I don’t really know CSS. It looks like a real site now!

I added wifi management and some other small fixes. Now you can choose your network when you turn on the device. Then if there is a saved password for the selected network it is used. Otherwise, you are asked to input a password. If it works, then it is saved for future use. I also added scrolling to the choosing menus, which took an inordinately long time. Here is a video demonstrating the new features, including wifi password saving.

I added rate limiting and API versioning. I also made so that you cannot add empty messages to a jar. The rate limiting was not too hard to do, but getting it deployed was. I started by using memcached and got it compiled on the pythonanywhere servers, but it could not connect for various reasons. I tried to use an external memcached server, but I could not get authentication to it to work with Flask-Limiter. Then I found the python package redislite. After a lot of fiddling around with unix domain sockets and testing the wrong endpoints, I got it to work! Also kinda funny that you can see pythonanywhere’s jinja templates failing in the screen shot.

I made so that you can scroll messages with the arrow keys. I also made it much more efficient and fixed some bugs.

I added room management. Now you can create rooms from the device!

I just added a retype password check to the sign up and change password screens. This is a rather small feature, but as I tested it and changed my password, I saw that it was not validating that the two new passwords were the same. Then I realized that it was not validating the new password at all, so someone could change their password to None (or whatever None hashed is) and so lock themselves out. 🤦Oh well; It’s fixed now.