|Age||Commit message (Collapse)||Author||Files||Lines|
This gets rid of global.pl, config.pl and config3.pl and uses the
cleaner config3.pl format for the config file. The config is easily
accessible from anywhere by importing the new VNDB::Config module; The
global $VNDB::S,O,M,ROOT variables have been removed.
Sorry for all the churn...
I think this is the last one. 'make' in a development environment is now
beautifully fast and 'make prod' generates nicely small assets.
(arguably we could have an even faster dev setup by not generating an
icons.png in the first place, but then we'd need more code to
differentiate between dev & prod, which is also a pain)
This change does remove the "slow" option that would use the compressed
image size in the optimization algorithm, but I hadn't used that option
for a while anyway, it takes an hour and only saves about 100 bytes.
Similar to previous commit.
I initially wanted to move the static/.. files onto the Docker volume,
so that all dynamic site data is stored in a single place. But that
turned out to be impossible to do without some really ugly hacks. So
instead I went with the opposite approach: get rid of the 'vndb-data'
volume and instead store everything in the source directory. This also
requires running PostgreSQL as the 'devuser', but that's fine for a
development setup. All of this makes it more obvious what is going on
and simplifies the init script.
This affects the following:
- API login with a weak password is disallowed, affected users will have
to change their password through the website to continue using the API.
- Registration, password reset or password change forms require the new
password to not be in the dictionary.
- Attempting to log in to the website with a weak password will
force-redirect to a password change form, allowing a new password to
be set (using the weak-but-still-valid password as check).
Update README with basic information on Multi
(cherry picked from commit 01188a82ab736a8975c73ac5ec12621426bf6bf2)
Compresses a little better. I reduced the number of iterations required
to find the optimal image size in spritegen.pl, but generating the
icons.png is *incredibly slow* when combining zopflipng with the 'slow'
option. It's possible to parallelize the calculation and use multiple
cores to speed it up, but that seems overkill.
Some icons.png compression stats:
METHOD SIZE RUNTIME
default 18103 <1sec
slow 17941 few secs
pngcrush 15385 <1sec
pngcrush+slow 15148 few mins
zopflipng 14986 few secs
zopflipng+slow 14898 ~1 hour
They had to be deleted from the database at some point, otherwise we
still have thousands of easily-cracked password hashes in the database.
Note that I could have opted to use scrypt on top of the sha256 hashes
so the passwords would remain secure without needing to reset
everything, but doing that after one year of switching to scrypt is
likely not worth it. Everyone who still actively uses his account has
already been converted to scrypt, everyone else should just reset their
password whevener they decide to come back.
A recent version of imagemagick creates 16 bit depth PNG images by
default for some reason. This results in an unnecessarily large file
size increase and pngcrush doesn't do much to counter it (and its
-bit_depth option has been deprecated, too).
The atomic replace is quite handy to avoid people seeing any wierd
intermediate images while the slow+pngcrush options are being used.
also a lot slower, so not really useful when devving.
Stats for en.js:
uglifyjs 68199 19446
JS::Minifier::XS 79862 21624
Uncompressed 107662 28663
On an unrelated note, I like how jQuery boasts about being "Only 32kB
minified and gzipped.". That's quite a bit more than all of VNDB's
Looks like login won't always work correctly without.
I increased the N parameter to approximate about 500ms to generate the
hash. This is quite a paranoid setting for a website, but login attempts
are throttled so there's not much of a DoS factor. (Alright, password
changing feature isn't throttled so the DoS factor still exists. But
really, there's some pages with longer page generation times anyway.)
I did lower the size of the salt a bit (Crypt::ScryptKDF uses 256 bits
by default), because 64 bits of randomness should have low enough chance
of collision with only ~100k users (even with a million users,