Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
#193 Yesterday 13:57:58
Re: Automatic thumbnails for Textpattern
I think ‘originated from a tag’ might mean ‘generated via txp secret key’. Creating a valid token without this key knowledge should be nearly impossible.
The scheme is simple: if someone tries to access
images/thumb/c2x1/123.jpg?token=563e820...we check whether token equals to what imageBuildURL() would produce for this image/thumbnail parameters and act accordingly.
Offline
#194 Yesterday 14:09:50
Re: Automatic thumbnails for Textpattern
Sounds good. By all means try it.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#195 Yesterday 14:49:24
Re: Automatic thumbnails for Textpattern
As you say:
- If thumb URL doesn’t exist:
- Compute token from parameters + image id + extension + some salt in
imageBuildURL() - Tack it onto URL.
Then:
- When URL is interpreted:
- If image exists, serve it.
- If not, recreate token from passed params + image id + extension + some salt.
- If it matches what’s passed in the token, happy days. Otherwise return nothing.
Now that we’re only validating token on first use, there’s no need for the added complexity of a cryptographic token. Much faster too without the database involved. It just needs to be “good enough” to stop script kiddies creating a zillion images.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#196 Yesterday 15:26:26
Re: Automatic thumbnails for Textpattern
Yes, exactly. The only thing to decide is the persistent secret salt. Do we store it in a hidden pref, changing its value from time to time? That’s not super-duper secure, but a db leakage would compromise txp anyway.
Otherwise, it works fine and solves the issue with thumbnails in inline previews.
Offline
#197 Yesterday 15:40:32
Re: Automatic thumbnails for Textpattern
etc wrote #341781:
The only thing to decide is the persistent secret salt. Do we store it in a hidden pref, changing its value from time to time?
Sounds like a plan. The only issue is the very moment it’s regenerated. For that split second, any new thumbnail request sizes will be invalid if they coincide with the regeneration. Very very slim chance.
So the only real consideration is what trigger we use for regenerating the random salt. Public site seems a bit invasive to check every page load to see if the DB last updated value is > than some timeout. Maybe on the admin side images panel where it checks for garbage collection? So if nobody visits the Images panel, the salt might persist for longer than its validity time, but I can live with that if you can.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#198 Yesterday 15:50:26
Re: Automatic thumbnails for Textpattern
Bloke wrote #341782:
The only issue is the very moment it’s regenerated. For that split second, any new image requests will be invalid if they coincide with the regeneration.
Certainly, but this is about the same as deleting an image just after imageBuildURL() has generated its URL. Refresh on garbage collection works for me.
Offline
#199 Yesterday 15:58:33
Re: Automatic thumbnails for Textpattern
etc wrote #341783:
Refresh on garbage collection works for me.
Perfect. Replace that line at the start of image_list() and we’re good to go.
Honestly, I’m impressed with the speed of it now. It’ll be even more blazingly fast if the database calls are also eradicated — bar grabbing the salt and its last-mod time, which we get for free via get_prefs().
Damn, I love Textpattern.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#200 Yesterday 16:02:19
Re: Automatic thumbnails for Textpattern
Shall we keep THUMB_VALIDITY_SECONDS as the timeout value after which the salt is able to be regenerated? Or ditch that and use a different/better constant name?
It’s currently 2 days. Feel free to change the default.
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#201 Yesterday 16:16:03
Re: Automatic thumbnails for Textpattern
I’ve pushed a preliminary version to test whether everything is ok. Please feel free to add time validity checks. Tokens generation might be simplified too, me thinks.
And yes, getting prefs for free is the idea.
Offline
#202 Yesterday 18:06:42
Re: Automatic thumbnails for Textpattern
Something has happened in those last changes.
I’ve only given it a quick whirl but when I delete the subfolders in the /thumbs/ directory, then revisit the pages, I get just the alt text for the images with a ?token. An image is generated though, and it appears on reload.
The network panel shows 200 but I don’t see the image itself: see a screenshot
If it’s at all relevant, I’ve been copying over the changed files with a folder div program, but do I need to update anything else like remove any legacy prefs etc.
TXP Builders – finely-crafted code, design and txp
Offline
#203 Yesterday 18:10:52
Re: Automatic thumbnails for Textpattern
Oleg, that works sweet, thank you. A few things:
- Rendering the same image multiple times in a row generates a different token for each request now. They all still render perfectly fine, but on that particular request when they’re generated, the browser cache will be hit muiltiple times, once for each different token. After that of course, the token will be omitted and the browser cache can do its job.
- As you suggest, can we get away with removing the call to the Token class altogether? i.e. just use the
sha1()hash as the ‘token’ and recompute it in publish.php from the passed params for comparison? That would have the benefit of generating the same token for each identical request, which mitigates the above point. But is it too simplistic and easy to defeat by, I dunno, collecting a bunch of hashes and constructing a rainbow table or something? - I’ve had a stab at centralizing the token generation (DRY, hehe). I’ve removed the token garbage collector on the Images panel because the tokens don’t touch the database any more. But that new function runs on every request — public- and admin-side. It will only actually regenerate the token + lastmod value after the timeout occurs, so it’s only a quick check using stuff (prefs) that are already on-page so not too expensive, but is it better a different way?
- How often do you think the token should be regenerated? Currently it’s about every 2 days. Longer?
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline
#204 Yesterday 18:22:06
Re: Automatic thumbnails for Textpattern
jakob wrote #341789:
when I delete the subfolders in the
/thumbs/directory, then revisit the pages, I get just the alt text for the images with a ?token. An image is generated though, and it appears on reload.
That’s weird. I just did exactly the same thing and my thumbs all loaded first time with tokens, both on localhost and a remote server.
Hmmmm. 🤔
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Offline