web development – Will QR code in this scenario be able to be implemented?

User registers on the website. Upon registration, the system will generate a QR code for the user. The user then goes to be vaccinated, and upon vaccination, someone will be able to scan his/ her QR code and the status of the user will be updated as vaccinated with the 1st dose of the vaccine. Additional information will also include, the date for the 2nd dose of vaccination, the doctor who was responsible for the vaccination, date and time of the vaccination. The user can also give his feedback for the side effects per dosage.

Most tutorials with QR code scanners are in a mobile application. However, my laptop might not be capable of handling mobile development.

  1. Will the QR code in this scenario be able to be implemented?

  2. What are some packages for this qr code generator and scanner?

  3. If I’ll use reactjs, are there still any npm packages for qr code? From what I’ve researched, some of them were not maintained anymore. Other recommended technologies are open as well.

  4. If perhaps, we could develop the user in a mobile application, would it be more difficult developing in a mobile application or web application? Considering that, I’ve never developed a mobile application. But there are tons of tutorials in YouTube. For a web application, i’ve already developed a online food ordering. However, there were not much tutorials on how to implement the qr code in a web app. The time frame for our project would be only around 3-4 months and also, this QR code scanning and generator will only be a feature. There are still other modules as well.

tls – Should certificate pinning be implemented if the app can use many servers?

In a corporate context, mobile apps exist that require a user to enter the server address to connect to a specific instance of this vendor’s application.

The vendor sells software that it’s customers deploy on premise (or on a private cloud). The end user download the vendor’s generic mobile app from an app store and connect to their own backend.

Now I read in several sources (for example: here) that for mobile apps, certificate pinning should be implemented.

For an app that makes use of a preconfigured back end, I understand certificate pinning is relatively easy to implement and does enhance the encryption situation somewhat by mitigating the risk of fake certificates installed on the device, CA issues etc.

But for a vendor that has thousands of customers that could deploy their own instance of the software, I feel it is practically impossible to collect the certificates of their customers and to bundle in certificates or public keys (hashes). Certificate pinning is an enhancement, lacking this defensive measure is not necessarily a vulnerability.

Should the vendor in this context make the effort to implement certificate pinning with all certificate management terror that will bring? Are there any ways to pin that are feasible? Are there any alternatives to pinning that can be considered in this context?

Which software engineering practices are implemented in machine learning?

As a task, I must filter some papers based on their relevance to the topic “Software Engineering for Machine Learning”, but my real question is : “Which practices of software engineering are used in machine learning and how can I spot them on a research paper or better say what constitutes software engineering in a machine learning environment?”

gui design – How to validate your UI has been correctly implemented by the developer?

I’m looking for a tool allowing to validate UI implementation (font, color, spacing, etc.) based on my mockups (Zeplin, sketch, etc.) and without coding.

I found tranparent overlay features or pixel measurement plugins, but it’s still very manual solutions. Does anyone know a more automatic solution?

cryptography – What are your favorite features of any crypto, and what features do you feel should be implemented?

The community is a huge aspect of cryptocurrency, but no one ever seems to ask what’s missing from crypto. There seem to be plenty of BIPS that have potential that get rejected by developers before they make it to the community for a vote. Don’t you think that the community should be able to reject these proposals or accept them instead of having these be filtered out?

cryptography – How are extremely large integers stored and implemented in programming languages?

MPI stands for Multiple Precision Integer. Multiple precision arithmetic is what you need when you work with integer types that go beyond the machine width $w$.

The basic idea is simple, you represent a large integer with multiple fixed-width words where the i-th word is the i-th “digit” in base B where $B = 2^w$.
For example, most current machines are 64-bit so the width $w$ is 64, so with a single word you can represent unsigned integers up $2^{64}-1$. To represent integers larger than $2^{64}-1$, say a 1024-bit integer as in your RSA example, you use $lceil{1024 / 64}rceil = 16$ words $a_0, a_1, a_2, ldots, a_{15}$. Then your integer $x$ of choice is encoded as
$$
x = a_0 + 2^{64} a_1 + 2^{2*64} a_2 + ldots + 2^{15*64} a_{15}.
$$

Note that this is essentially a $1024$-bit representation, the only difference is that the bits are grouped into blocks of size 64.

Operations like additions, multiplication etcetera are implemented by building on machine addition, multiplication and so on, but of course additional work is needed to take care of carries and the like. I am not sure what the Linux kernel is using, but in the GNU/Linux world a widely used multiple precision arithmetic library is the GMP.

entity system – How “smart objects” are implemented and actually work?

I’m drafting my game and implementing small stuff in it, but hit a roadblock. You see, for my game I would like for different items to behave the same or to share behavior, for instance, some items can be picked up and dropped to the floor, some items can get damaged and be repair while some only can get damage (the player cannot repair the item), some items can be use for a variety of different purposes (fire arms as weapons, frying pan as cooking tool and as a weapon), some items can get wet while others can get wet, catch fire and spread it further (or not; this is a reference to systemic games) and so on.

In my mind, the behavior must exist in the object and be abstracted from the player/AI/Other items nevertheless I’m lacking experience on how to go about this and I think that beside implementing a behavior there must exist also code that knows how to interact with such behavior, but this approach feels odd IMHO. In any case, I was asking around and The Sims was thrown in a reply, searching on the web found Living with The Sims’ AI: 21 Tricks to Adopt for Your Game, the trick 5 reads:

Each object has a public interface that broadcasts its functionality
to actors in the game. This is called advertising data in The Sims,
and contains a list of possible actions and what motives they satisfy.

If reading this correctly, it means that “smart objects” have a standard interface that actors can access to, right? My guess is that this interface covers everything behavior/systemic-wise that could happen in the game and the “actors” have code implemented that allow them to make use of this advertised interface, right?

authentication – Signing in with “Remember me” option implemented with Spring and Kotlin

I’m trying to implement authentication with “Remember me” option using Spring and Kotlin. I would really appriciate if someone could help me find potential issues with that implementation as well as improvements to the code.

Let’s start with sign in API. It accepts 3 parameters, email: String, password: String and stayLoggedIn: Boolean.

    @RestController
    @RequestMapping("/api/auth")
    internal class AuthApi(private val signInService: SignInService) {
        @PostMapping("/sign-in")
        fun signIn(@RequestBody request: SignInRequest, response: HttpServletResponse): ResponseEntity<Void> {
            val tokens = signInService.signIn(request)
            response.addCookie(tokens.accessToken.cookie)
            response.addCookie(tokens.refreshToken.cookie)
            return ResponseEntity(HttpStatus.OK)
        }
    }

As you can see, I’m not returning any response, instead tokens are stored in HttpOnly cookies, so frontend can’t access them directly (XSS protection). Now, the service itself is a bit more complex. It performs standard validation of email and password and then based on stayLoggedIn flag, it may save or override generated refresh_token and userId in database.

@Service
class SignInService(
    private val userRepository: UserRepository,
    private val tokenRepository: RefreshTokenRepository,
    private val tokenUtils: JwtTokenUtils,
    private val passwordEncoder: PasswordEncoder
) {

    fun signIn(request: SignInRequest): AccessTokenDto {
        return userRepository.findByEmail(request.email)
            ?.let { user -> authenticate(request, user) }
            ?: throw EmailNotFound(request.email)
    }


    private fun authenticate(request: SignInRequest, user: User): AccessTokenDto {
        when (validPassword(request.password, user.password)) {
            true -> {
                val refreshToken = tokenUtils.generateRefreshToken(user.id)
                val response = AccessTokenDto(
                    TokenCookie.accessTokenCookie(tokenUtils.generateAccessToken(user.id)),
                    TokenCookie.refreshTokenCookie(refreshToken)
                )
                if (request.stayLoggedIn) saveUserRefreshToken(user, refreshToken)
                return response
            }
            false -> throw IncorrectPassword()
        }
    }

    private fun saveUserRefreshToken(user: User, refreshToken: String) {
        tokenRepository.findByUserId(user.id)?.let {
            tokenRepository.save(it.copy(token = refreshToken))
        } ?: run {
            tokenRepository.save(RefreshToken(userId = user.id, token = refreshToken))
        }
    }

    private fun validPassword(providedPassword: String, actualPassword: String) =
        passwordEncoder.matches(providedPassword, actualPassword)
}

Code for TokenCookie looks like that

enum class TokenType(val value: String) {
    ACCESS_TOKEN("access_token"), REFRESH_TOKEN("refresh_token")
}

class TokenCookie(name: String, token: String) {
    val cookie: Cookie = Cookie(name, token)

    init {
        this.cookie.isHttpOnly = true
        this.cookie.path = "/"
    }

    companion object {
        fun accessTokenCookie(token: String) = TokenCookie(ACCESS_TOKEN.value, token)
        fun refreshTokenCookie(token: String) = TokenCookie(REFRESH_TOKEN.value, token)
    }
}

Let’s move on to verification that is performed for each request that is not authentication request !request.requestURI.startsWith("/api/auth")

First of all, validation function that produces 3 possible outcomes.
SUCCESS if everything is fine, EXPIRED if token is valid but has expired and INVALID for each other scenario

fun validateToken(authToken: String?, tokenType: TokenType = ACCESS_TOKEN): TokenValidationResult {
    return try {
        val claims = Jwts.parser().setSigningKey(tokenSecret).parseClaimsJws(authToken)
        if (claims.body("type") == tokenType.value) SUCCESS else INVALID
    } catch (ex: UnsupportedJwtException) {
        INVALID
    } catch (ex: MalformedJwtException) {
        INVALID
    } catch (ex: IllegalArgumentException) {
        INVALID
    } catch (ex: SignatureException) {
        INVALID
    } catch (ex: ExpiredJwtException) {
        EXPIRED
    }
}

Now, the heart of whole security implementation, JwtTokenFilter.

  1. First of all, it tries to find access_token in request cookies
  2. Then it performs validation of that token.
  • In case of success, it tries to extend this token duration, which happens only if this request contained valid refresh_token as well. Main goal for this is to avoid situation when user logged in without selecting “Remember me” option and he uses my application for over 15 minutes (which is access_token expiration time). Without extending this token, after this period of time user will need to provide credentials again.
  • In case of expired access_token, job is delegated to ExpiredTokenHandler that I’ll show a bit later. Long story short, it tries to find refresh_token stored in database (which happens only if user selected option “Remember me”). If that token is there and it matches token provided with HTTP request, than both tokens are extended.
  • In case of invalid access_token, I’m not doing anything, which means I’m not storing any Authentication in SecurityContext, therefore next Spring Filter will block access to the system.
@Component
internal class JwtTokenFilter(
    private val tokenUtils: JwtTokenUtils,
    private val expiredTokenHandler: ExpiredTokenHandler
) : OncePerRequestFilter() {
    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain
    ) {
        if (!request.requestURI.startsWith("/api/auth")) {
            validateTokens(request, response)
        }
        filterChain.doFilter(request, response)
    }
 
    private fun validateTokens(
        request: HttpServletRequest,
        response: HttpServletResponse
    ) {
        getTokenFromCookies(request, ACCESS_TOKEN)?.let {
            val tokenValidationResult = tokenUtils.validateToken(it.value)
            val userId = tokenUtils.getId(it.value)
            if (tokenValidationResult == SUCCESS) {
                updateSecurityContext(userId)
                extendAccessToken(request, response, userId)
            } else if (tokenValidationResult == EXPIRED) {
                val refreshToken = getTokenFromCookies(request, REFRESH_TOKEN)?.value
                if (expiredTokenHandler.checkRefreshEligibility(response, it.value, refreshToken)) {
                    updateSecurityContext(userId)
                }
            }
        }
    }

    private fun updateSecurityContext(userId: Int) {
        SecurityContextHolder.getContext().authentication =
            UsernamePasswordAuthenticationToken(userId, null, Collections.emptyList())
    }

    private fun getTokenFromCookies(request: HttpServletRequest, tokenType: TokenType) =
        request.cookies?.find { cookie -> cookie.name == tokenType.value }

    private fun extendAccessToken(request: HttpServletRequest, response: HttpServletResponse, userId: Int) {
        getTokenFromCookies(request, REFRESH_TOKEN)?.let {
            if (tokenUtils.validateToken(it.value, REFRESH_TOKEN) == SUCCESS) {
                response.addCookie(TokenCookie.accessTokenCookie(tokenUtils.generateAccessToken(userId)).cookie)
            }
        }
    }
}

And last but not least, the ExpiredTokenHandler that was described above

@Service
class ExpiredTokenHandler(private val tokenRepository: RefreshTokenRepository, private val tokenUtils: JwtTokenUtils) {

    fun checkRefreshEligibility(response: HttpServletResponse, expiredToken: String, refreshToken: String?): Boolean {
        val userId = tokenUtils.getId(expiredToken)
        val savedRefreshToken = tokenRepository.findByUserId(userId)
        return if (validateRefreshToken(refreshToken, savedRefreshToken)) {
            val (newAccessToken, newRefreshToken) = generateNewTokens(userId, savedRefreshToken!!)
            updateCookies(newAccessToken, newRefreshToken, response)
            true
        } else {
            false
        }
    }

    private fun validateRefreshToken(
        refreshToken: String?,
        savedRefreshToken: RefreshToken?
    ): Boolean {
        return refreshToken != null &&
                savedRefreshToken != null &&
                refreshToken == savedRefreshToken.token &&
                tokenUtils.validateToken(refreshToken, REFRESH_TOKEN) == SUCCESS
    }

    private fun updateCookies(accessToken: String, refreshToken: String, response: HttpServletResponse): Boolean {
        response.addCookie(accessTokenCookie(accessToken).cookie)
        response.addCookie(refreshTokenCookie(refreshToken).cookie)
        return true
    }

    private fun generateNewTokens(userId: Int, savedRefreshToken: RefreshToken): Pair<String, String> {
        val newAccessToken = tokenUtils.generateAccessToken(userId)
        val newRefreshToken = tokenUtils.generateRefreshToken(userId)
        tokenRepository.save(savedRefreshToken.copy(token = newRefreshToken))
        return Pair(newAccessToken, newRefreshToken)
    }
}

That’s the core implementation, if you think that I missed something important then please let me know. I’m looking forward to hear what may be wrong with that approach. What’s more, I’m still Kotlin newbie, so perhaps I could utilize this language a bit more.

web application – Is ProtonMail implemented a mechanism to prevent cookies stealing?

I want to check if I can steal my own ProtonMail cookies. I connect to my account, I delete the cookie named AUTH-x12334xxxaazzzrf6567788ddd (cookie name is randomized name). I refresh the page and as excepted, I am disconnected. It’s means that cookie AUTH-xxxx... is session cookie.

I connect me again, I have a new cookie. I copy the name, the content and the path (/api/). I paste this cookie into a new private Firefox window but I am not connected.

How is it possible, is ProtonMail implemented a mechanism to invalidate a cookie after a first usage ?

machine learning – How to find the relation between two models, and sort of inductive bias is that is implemented in those models

I am pretty new with data science and Machine Learning. I am learning form one textbook and I found this task. I have no Idea from where to start and what relation could be. Any help would be great.

Suppose we want to learn the Boolean function in instance space
$X$={0,1}$^3$. We are given two models to examine: H1 is a set of all
logical functions in the conjunctive normal form (CNF), H2 is a set of
logical functions which can be displayed in Horner form (disjunction
of literals with at most one positive). I need to explain what is the
relation between H1 and H2, and which sort of inductive bias is
implemented in those models.