Allow for customizing the size of generated comment IDs #9
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 3 commits
January 17, 2021 14:54
…equest header, testing it against expected values. - This commit will be reversed.
…ils to satisfy the CORS configuration, as enabled using the expressjs/cors module, the request will _not_ be rejected by Express. It will simply cause the CORS response header(s) to not be set on the response. As a result, a CORS-compliant browser will raise an error such as the following upon receipt of the response: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:8082/v3/entry/gitlab/ihispanic/staticman-test/master/comments. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing)." "The CORS specification was never designed as a security mechanism to prevent routes from being called; it was only designed as a mechanism to allow a hole to be added to the cross-origin rules of browser user agents." - expressjs/cors#109 (comment) In practice... - Using CORS to restrict the requesting origin would prevent another site from pointing their POST requests at my Staticman instance. But, if the submissions were high-quality, what reason would I have to complain? And low-quality submissions could just as easily come through via my site. Furthermore, those requests would still be processed by Staticman. - Using CORS to restrict the requesting origin would not prevent a truly malicious actor from submitted POST requests using a tool (e.g., Postman, etc.) that allows for the Origin header to be spoofed. Restricting POST requests to a Staticman instance, therefore, comes down to use of express-brute, Akismet, captchas, and the like.
…e size of generated comment IDs" - eduardoboucas#401 - Allow for Nano ID to be used to customize the length and content of generated comment IDs.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This addresses eduardoboucas#401 - "Allow for customizing the size of generated comment IDs"
Two new config options have been added to the JSON-based config:
Currently, Staticman creates all comment IDs as UUIDs. While using UUIDs is a fool-proof solution that basically guarantees the uniqueness of IDs, it can be overkill. Consider a small blog that receives, at most, one comment each day/week/month/etc. For many/most users, the nature of the IDs that Staticman generates will not matter. However, the Staticman configuration allows for the generated ID to be exposed, when desired. For example, it can be incorporated into the filenames generated by Staticman.
For usage scenarios such as these, it is desirable to be able to configure Staticman to generate shorter/simpler comment IDs. Nano ID has been added to achieve this.
For example, if
commentIdGeneratoris set tonanoid-lowercaseandcommentIdLengthis set to8, IDs akin to the following will be generated:ry6-bt9dAccording the the Nano ID Collision Calculator, for a blog receiving one comment submission every hour, "~34 years [would be] needed, in order to have a 1% probability of at least one collision".