Blog

Persona Controller for OWIN (Web API 2)

5 days, 22 hours ago

For a website I'm building in ASP.NET MVC 5/Web API 2 I wanted to simply support Mozilla Persona as the one and only login system for the site. After finding the right blog posts (which was harder than I expected), particularly Brock Allen's primer, I found OWIN and ASP.NET Identity made it easier than I expected. I'm posting this in the hopes that it might help the next person attempting this.

using Microsoft.AspNet.Identity;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;

namespace MyApp.Controllers
{
    [RoutePrefix("api/Persona")]
    public class PersonaController : ApiController
    {
        // From: http://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/
        public const string PersonaAuthenticationType = DefaultAuthenticationTypes.ApplicationCookie;

        [HttpPost]
        [Route("login")]
        public async Task<IHttpActionResult> Login([FromBody]JObject assertion)
        {
            var http = new HttpClient() { BaseAddress = new Uri(Properties.Settings.Default.PersonaVerificationBaseUrl), };
            var body = await JsonConvert.SerializeObjectAsync(new
            {
                assertion = (string)assertion["assertion"],
                audience = Properties.Settings.Default.PersonaAudienceUrl,
            });
            var result = await http.PostAsync("verify", new StringContent(body, System.Text.Encoding.UTF8, "application/json"));

            dynamic response = JObject.Parse(await result.Content.ReadAsStringAsync());

            var status = (string)response.status;
            if (result.IsSuccessStatusCode && string.Equals(status, "okay", StringComparison.OrdinalIgnoreCase))
            {
                var claims = new Claim[]
                {
                    new Claim(ClaimTypes.Name, (string)response.email),
                    new Claim(ClaimTypes.Email, (string)response.email),
                    new Claim("persona-expires", (string)response.expires),
                    new Claim("persona-audience", (string)response.audience),
                    new Claim("persona-issuer", (string)response.issuer),
                    new Claim(ClaimTypes.AuthenticationMethod, "Persona"),
                };
                var identity = new ClaimsIdentity(claims, PersonaAuthenticationType);
                var ctx = Request.GetOwinContext();
                ctx.Authentication.SignIn(identity);
            }
            else
            {
                result.StatusCode = HttpStatusCode.BadRequest;
            }

            return ResponseMessage(result);
        }

        [HttpPost]
        [Route("logout")]
        public IHttpActionResult Logout()
        {
            var ctx = Request.GetOwinContext();
            ctx.Authentication.SignOut(PersonaAuthenticationType);
            return Ok();
        }
    }
}

JoCoCruiseCrazy 4

1 month, 2 weeks ago

In the dark hours of procrastinating the end of an amazing cruise, because it was clear that it would truly be over should my head hit the pillow, I had a sleepy conversation with Jim Boggia. It was exhaustingly late and there had been plenty of alcoholic drinks around that evening to both celebrate and mourn the passing of an amazing week. I am certain that the conversation was nowhere near as lucid as I remember it, but somewhere in there we summarized the cruise near as best we could given the circumstances.

In his set, Jim Boggia played a song titled Listening to NRBQ. In introducing it he asked the various assembled nerds [1], or seamonkeys, how many had heard of the great band NRBQ. There were maybe a dozen of us that had from the hands raised and crowd verbal exclamations. Jim seemed pleased and explained that he normally saw at most three hands to that question in a typical concert.

NRBQ was one of the first concerts I ever attended and was one of the key bands my parents used to teach me a strong love of a good concert. In that late procrastinating conversation Jim Boggia quizzed me a bit on that, including if had seen Steve Ferguson play with them live [2]. As with many such conversations, Jim Boggia let me know that he thought my parents were cool people for loving music and passing that down. Louisville, my hometown, has a unique music history and music scene and NRBQ was a part of that.

The strong, personal connection to NRBQ I think sets the stage for what drunken revelations I had in that culminating evening/morning towards explaining why JoCoCruiseCrazy 4 was one of the most amazing weeks in my life and more interestingly ...

My Friend Niel on the Mathematical Definition of a Picobrewery

2 months, 3 weeks ago

This came up in conversation recently, and then I re-stumbled upon this wisdom in my text messages from May 7, 2012 while searching for an address and feel it is worth preserving. On the subject of using SI prefixes using Anheuser-Busch as the base unit for "1 brewery":

[Anheuser-Busch in St. Louis] brew on the order of 10^9 gallons per year. We brew 10^2 [a nanobrewery]. I was wrong when I referred to our operation as a picobrewery... That would be brewing a shot glass 1/8 full of beer annually.

I keep thinking that a true picobrewery per that definition would be a hilarious, and possibly awesomely hipster, thing to exist.

musdex Inform 7 "Stanza" Handler

7 months, 2 weeks ago

Not sure yet if this belongs in musdex proper just yet, but this was an interesting toy to build:

# vim: set fileencoding=UTF-8 :
#
# Inform 7 "Stanza" formatter for musdex
#
# Take an Inform 7 file (typically story.ni) and deconstructs it
# into a unique "stanza form" where each major heading starts a new
# text file, newlines are replaced with pilcrows (¶), tabs get added
# newlines, and everything is word-wrapped to 72 characters.
#
# Why? Interesting source control diffs.
#
# Copyright 2013 Max Battcher. Some rights reserved.
# Licensed for use under the Ms-RL. See attached LICENSE file.
import datetime
import logging
import os
import os.path
import re
import textwrap
import yaml

HEADINGS = re.compile(r'^(Volume|Book|Part|Chapter|Section)(\s*\d+)?(.*)', re.IGNORECASE)
PILCROW = '¶'
I7MANIFEST = 'manifest.yaml'
I7EXT = '.txt'
I7FRONTMATTER = 'frontmatter'

_slugify_strip_re = re.compile(r'[^\w\s-]')
_slugify_hyphenate_re = re.compile(r'[-\s]+')
def _slugify(value):
    """
    Normalizes string, converts to lowercase, removes non-alpha characters,
    and converts spaces to hyphens.

    From Django's "django/template/defaultfilters.py".
    """
    import unicodedata
    if not isinstance(value, unicode):
        value = unicode(value)
    value = unicodedata.normalize('NFKD', value).encode('ascii', 'ignore')
    value = unicode(_slugify_strip_re.sub('', value).strip().lower())
    return _slugify_hyphenate_re.sub('-', value).lstrip('-')

class I7StanzaHandler:
    def __init__(self, archive, location, manifest={}):
        self.archive = archive
        self.location = location
        self.manifest = manifest

        if not os.path.exists(self.location):
            os.makedirs(self.location)

    def check(self):
        return True

    def extract(self, force=True):
        # No incremental extract, so we ignore force
        manifestfiles = set(self.manifest.keys())
        files = []

        logging.info("Extracting all of %s" % self.archive)
        arc = open(self.archive)
        fname = I7FRONTMATTER + I7EXT
        path = os.path.relpath(os.path.join(self.location, fname))
        out = open(path, 'w')
        files.append(fname)
        if path in manifestfiles: manifestfiles.remove(path)
        yield (path, datetime.datetime.now())

        for line in arc:
            m = HEADINGS.match(line)
            if m is not None ...

An Open Letter About Security to My Banks and Insurance Companies

7 months, 3 weeks ago

Over the next few weeks I plan to send out these personalized pleas for saner security to the banks and insurance companies that I work with. I felt that it was time as customers that maybe some of us more technically literate make a stand and do whatever we can to try to get these companies to pay attention and do the right thing for all of us. Therefore, I figured I'd make this a public letter that others can reuse or recycle. To that end, the letter that follows may be considered for use under the CC0 license.


Dear Bank or Insurance Company,

Given that you and I are both greatly concerned with the security of the accounts that I have entrusted with you, I think it is well past time that we sat down and had a serious conversation about security.

Frankly, I am tired of often answering your "security questions". We should both know by now that this is NOT two-factor authentication and that it is a charade. (http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx)

Real two-factor authentication has gotten to the point in the last several months that it should be impossible to continue to ignore the elephant in this room. Real two-factor authentication is now both ridiculously accessible and sufficiently cheap that there should no longer remain any excuses not to support it. At this point every smart phone platform has at least one standards compliant TOTP application. Even truly physical tokens are cheap enough that you could (and should!) give them out like party favors to your customers, as a benefit to both of us. For instance, Amazon Web Services has partnered with Gemalto (http://onlinenoram.gemalto.com/) for $13 TOTP tokens and the video game Star Wars: The Old Republic is selling branded ...

Display & Rant: A Podcast of Show and Tell From Opinionated Adults

8 months, 1 week ago

My friend Jordan Wages and I have started a podcast we are calling Display & Rant. Display & Rant Episode 0 has been posted. We're working on our ideas for Episode 1.

Our show notes are on slides, so we are recommending you watch the slide cast version of it (at the top of the page linked above), but for those that prefer more mainstream podcasting tools, you can also subscribe to Display & Rant on iTunes.

Feedback is welcome. I'm looking forward to seeing where this show goes.

Fiasco Poker: Simple Playing Card Variation for Fiasco

8 months, 4 weeks ago

I've been threatening to write it down for too long now, so I finally wrote down how to play Fiasco with ordinary playing cards instead of dice. I call it Fiasco Poker. I've been meaning to use it alongside a playset, but I still haven't written that yet. I also think it could use playing card-specific Turn and Aftermath tables, but I haven't even started on that either.

Feedback is welcome. I hope it makes for fun sessions for everyone that is willing to try it.

Underpassing

9 months, 4 weeks ago

As a resident of Downtown Louisville that enjoys interestingly long walks, I walk under a lot of different overpasses and have some time to ponder them while I do so.

The big news here is that in the next few months I-65 through Downtown, and particularly in my home neighborhood between Main and Market Streets, will be expanding from a mere six lanes into a twelve lane monstrosity. [1] This will be nearly half a downtown block wide. It will push what is an already deep cut splitting neighborhoods into a seemingly impassible divide.

I'm sure that it is probably too late to enter into a debate with the current work, as the engineering has already happened and construction has already started in several ways, but I do think a deeper dialog needs to happen on how this expanded overpass will interact with the neighborhood it lives in (and divides).

Based on what I've experienced of which overpasses I feel like hurt the city and which provide interesting flavor instead, I think the big common factor is that Waterfront Park has helped to contextualize its overpasses as brief shady spots in its park. I'd like to hope the same or similar could be accomplished (perhaps not today, but maybe not in the too distant future) with I-65 overpass, at the very least in block between Main and Market, but potentially for a longer swath of its frustrating wall through the heart of Downtown Louisville. I would like to call for, in whatever ways I can manage, some attempt to build a linear park underneath and as a part of the I-65 expansion.

Another example of an overpass that works today is the underside of the George Rogers Clark bridge [2] as it was recently renovated thanks to ...

Skip Generation: Xbox One the Console of Almost

10 months, 1 week ago

Since I've owned video game consoles, every other generation for me has been a skip generation [1]. So it comes again, and it is once again a skip generation and the consoles have a lot to prove to me if they want me to buy one. Given how long the 360 lasted, I'm a bit concerned that this possibly may be effectively my retirement generation from consoles, but there's always the PC. (And maybe it'll only be a half-skip, depending on course corrections, or maybe the Wii U will finally drill directly into the nostalgia center of my heart.)

The Xbox 360 won me over with two key pieces, both expressable as acronyms: XBLA and XNA. Subsequently there were two big things I was waiting to hear about with the Xbox One announcements: backwards compatibility and developer support. Sadly it seems that we get neither, and I am left disappointed with how the Xbox One might have been almost the console for me.

The DRM Issue

Of course, I first have to provide my opinion about the elephant in the room and that is the strange, "new" DRM of the Xbox One. I'm not against the Xbox One DRM on principle. I've been a digital download proponent for some time, and it is very easy to admit that the Xbox One DRM isn't the worst digital download DRM scheme out there. Sure, it's a tiny bit strange that it also applies to physical discs, but I can give that the benefit of the doubt. (Again given that digital download is pretty much my default at this point, and I've never been much of one to trade back games or to buy used ones. Admittedly I've been rather privileged in those ...

Random Access Memories

11 months, 1 week ago

First of all, I think Daft Punk's Random Access Memories is fantastic. Apropos to the album title, my mind starting free associating some praising with faint damnation, [1] and I thought it was funny enough to record here.

Basically, stupid stereotypes in my head believe that the French still think that Jerry Lewis is alive and funny and similarly Disco never died for them. (Look at the band Phoenix, perhaps.) So for Daft Punk this would probably be their most contemporary album to date. It's like how William Gibson slowly merged from the sci-fi vanguard into contemporary literature. Maybe this album is the musical equivalent of Gibson's Thesis, "the future is already here, it is just unevenly distributed... and full of disco."

[1]Which is totally a thing I thought I just made up now, but oh you internet.

On Iron Man 3 (Major Spoilers)

11 months, 2 weeks ago

Iron Man 3 was a fun comic book film. I find myself in a strange minority, however, in that I feel that it was definitely the weakest of the four Iron Man films to date [1]. I can forgive the fact that Guy Pearce's character is a shallow, two-dimensional hack that seems cloned from the exact same cloth as Jim Carrey's Edward Nigma portrayal. I can forgive the fact that using the acronym AIM, Pearce's Killian didn't actually seem to have one. I can forgive the meandering plot line where it seemed like Killian could never make up his mind whether he was attempting to capture Tony Stark or kill Tony Stark.

What I have a hard time forgiving is how little respect The Mandarin gets in this film. I'm disappointed in how the film wastes foreshadowing and bread crumbs about Ten Rings and The Mandarin from Favreau's films. [2] But before you dismiss this as comic fan complaints, let me point out that I had rather low expectations going in. Like most of my comic knowledge, my knowledge of Iron Man was forged by 90s cartoons (in this case the sometime execrable Iron Man Adventures) and polished with video games, with internet web sites and Wikipedia filling in many of the gaps.

I mostly just want one more scene, or a simple short film, to redeem The Mandarin in the Marvel Cinematic Universe. But I think the real Mandarin would have been a much more interesting foil for Tony Stark in this movie.

Yes, The Mandarin Is Racist

To get it out of the way, I completely realize and agree that The Mandarin [3] is racist in all of his incarnations. One of the things I appreciated about the film was the hints ...

Mini Lecture on LINQ Visualization

1 year, 1 month ago

This topic came up again today when discussing some misapprehensions about what I consider to be some of the basics of how LINQ works. I think there is some use in visualizing the flow of at least three key interfaces through the LINQ operators, with embedded mini-lecture in the notes.

Hopefully people may find this helpful.

On Forgiving Star Wars and The Old Republic's F2P Problems

1 year, 4 months ago

Between Disney buying out Star Wars [1] and letting "free-to-pay" [2] tempt me back to Star Wars: The Old Republic I seem to have forgiven the franchise for some of its worst excesses, bad politics, and general silliness. I won't rehash here the history of how I burnt out on Star Wars in High School, particularly the Expanded Universe, and began to balk at its politics and usage of "sci-fi drag" to retell serialized fairy tales, because I'm sure the internet has indexed plenty of those rants already. Instead, I shall only have to acknowledge that somehow a majority of my anger has melted away into laughter and enjoyment. [3] It has become easier for me to remember that contrary the seriousness of so much of the "Star Wars EU" and its fandom: Star Wars as a franchise always has and really always should be seen as the relative to Indiana Jones as it in fact is; Star Wars is an extension and a piece of the on-going "tradition" of sci-fi serials like Buck Rodgers and Flash Gordon.

So I may have learned to stop worrying and love the bomb, or at least, laugh at it a lot. Laughter, at least, is a good form of amusement. [4]

That out of the way, I wanted to rant a bit about Star Wars: The Old Republic and the crazy way it seems to have implemented F2P which bothers me more than it should. It's not the increasingly standard for all F2P game' over-reliance on random lottery tickets [5], but more a basic confusion at the intended goals of the F2P conversion. For the most part the F2P seems biased towards giving single player content out for free and charging for any multiplayer content whatsoever. This seems somewhat inappropriate ...

Film of the Moment: Wreck-It Ralph Over-Examination (Spoilers)

1 year, 4 months ago

I saw Wreck-It Ralph in its opening week and loved it. Chuck Jordan's review of Wreck-It Ralph is well written and mirrors many of my own thoughts on the film. Now that a few weeks have passed I decided to clean up and repost some of my spoiler-filled overly analytic thoughts left in a comment to that review.


Wreck-It Ralph leaves some questions about the internal consistency of the character Vanellope Von Schweetz. I thought Vanellope's character made sense within the world building we see in the film, and can be explained with just a little bit of presumption and reading (possibly what isn't actually there) between the lines of the film. First of all, clearly even a Princess in Sugar Rush isn't going to try to race in a dress [1] and it makes sense that maybe Vanellope's racer outfit was always a bit "low key" compared to her "official dress".

But the deeper analysis that made sense to me as I watched the film: I figured early on in the film that Vanellope's power was always the "glitch" or pixlexia as she calls it. All of the racers seemed to have an individual "power up" or "special power", and Vanellope's "glitch" fit exactly in with the sort of thing you might expect from a candy-coated Mario Kart-esque game. Admittedly, on a game screen it would probably be called something cooler than "glitch" like "hyper dash" or what have you [2], but definitely the kind of thing you could imagine seeing as a "Special Power" of the character. It's also the kind of potentially over-powered Special Power that you could see making the character a player favorite, and more importantly: a perpetual winner. Given the hyper-competitive design of the entire game ...

Mass Effect: Leviathan (Spoilers)

1 year, 7 months ago

Thar be Spoilers belowdecks. Ye be warned.

For the most part I enjoyed the Leviathan DLC. However...


So here I am a mind-controlling tyrant just doing what we do: ruling the galaxy. I've noticed that several of my slave races have spent what little free time they have when not fulfilling my all-consuming commands enjoy tinkering with robotics. That would be neat if it weren't for the fact that every time a slave race manages to build some cool toys said toys are so unkind to their own masters they decide to wipe them out. Now, I'm not particularly worried about those toys turning on my kind --- because who doesn't love a good tyrant, am I right? --, I'm just pissed that the toys are killing my slaves: that's my hobby, they're taking all the fun out of being tyrant of the galaxy, you know. Unfortunately, I'm too busy controlling all of my other slave races to figure out some useful solution to this problem, so I'm going to go ahead and build a robot of my own and task it with solving this problem for me. This seems like the perfect sort of thing a robot could solve without screwing things up too much...

Colophon Copyright © 1999-2012 Max Battcher / WorldMaker. Some Rights Reserved.

With our thoughts, we make our worlds. I only buy the best Robots — All my Robots are GSD ServDev® Brand.