In the documentation for SophosLabs File Malware Cloud Lookup API (https://api.labs.sophos.com/doc/lookup/files.html), a correlationId is mentioned. How should this be generated? Should be unique for a caller or for each lookup?
I would suggest to generate UUID4 (32 chars) for each request and add some constant pre/postfix (8 chars) as you wish.
Related
I am building a simple API service using Ruby on Rails. In production, I would like to integrate Redis/Memcached in order to cache some frequently-used endpoints with key-based caching. For example, I have a Car table with name and color fields.
My question is, what is the best way to define a cache key for a particular endpoint (eg. /cars) when the resource has variety of params that could come in different order? eg. /cars?name=honda&color=white, /cars?color=white&name=honda.
If I use request url as cache key I will have 2 different cache records but technically speaking, if both name and color have the same values, there should only be one cache record in Redis database.
arrange the parameters in alphabetical order and use that as the basis for a cache key.
/cars?name=honda&color=white
/cars?color=white&name=honda
in both cases the cache key would be based on the concatenated alphabetically listed parameters
colorname
So both the above reordered urls would result in the same cache key.
I need to know the maximum length of
JSON Web Token (JWT)
In specs there are no information about it. Could be that, there are no limitations in length ?
I've also been trying to find this.
I'd say - try and ensure it's below 7kb.
Whilst JWT defines no upper limit in the spec (http://www.rfc-editor.org/rfc/rfc7519.txt) we do have some operational limits.
As a JWT is included in a HTTP header, we've an upper limit (SO: Maximum on http header values) of 8K on the majority of current servers.
As this includes all Request headers < 8kb, with 7kb giving a reasonable amount of room for other headers. The biggest risk to that limit would be cookies (sent in headers and can get large).
As it's encrypted and base64ed there's at least 33% wastage of the original json string, so do check the length of the final encrypted token.
One final point - proxies and other network appliances may apply an abitrary limit along the way...
As you said, there is no maximum length defined in the RFC7519 (https://www.rfc-editor.org/rfc/rfc7519) or other RFCs related to JWS or JWE.
If you use the JSON Serialized format or JSON Flattened Serialized format, there is no limitation and there is no reason to define a limitation.
But if you use the JSON Compact Serialized format (most common format), you have to keep in mind that it should be as short as possible because it is mainly used in a web context. A 4kb JWT is something that you should avoid.
Take care to store only useful claims and header informations.
When using heroku the header will be limited at 8k. Depending of how much data are you using on jwt2 it will be reach. The request, when oversize, will not touch your node instance, heroku router will drop it before your API layer..
When processing an incoming request, a router sets up an 8KB receive
buffer and begins reading the HTTP request line and request headers.
Each of these can be at most 8KB in length, but together can be more
than 8KB in total. Requests containing a request line or header line
longer than 8KB will be dropped by the router without being
dispatched.
See: Heroku Limits
I am exposing some Pages in Navision 2009 as web services. To update a record, you have to issue a Read request, and send the Key field along with your Update request.
I would rather calculate the Key myself for 2 reasons:
Using the filters in the read request is awkward - a sql query would fit on one line.
Performance is terrible.
I've been able to figure out that at least part of the key is a Base64 encoded string of the columns that make up the primary key. I hope that someone can tell me where to look (database, code base, docs, etc) to tell me how the Key is calculated.
Sorry, I don't know how to calculate the key. Instead of calculating the key, have you considered doing your data manipulation in a codeunit instead, and exposing that codeunit as a webservice?
I am developing a SIP client. I understand SIP requests and SIP responses but, in SIP messages, how are the call id and branch tags generated? RFC3261 does not specify this.
The Call-ID header value can be anything you want but does need to be unique in order to avoid requests getting classified as duplicates.
THe branch parameter on a Via header needs to start with the magic cookie value of z9hG4bK and must also be unique to avoid the request getting classified as a duplicate. For SIP Proxy's wanting to do loop detection there is also the guideline in the RFC in section 16.6 point 8 which details factors to take when constructing the branch parameter value.
Your wording is difficult to understand. I'm going to assume you want to know how a UAC should generate a Call-ID or how a UAC or proxy server should generate a branch parameter.
The only requirement for Call-ID is that it should be unique. It is often in the form of a unique token + "#" + a host name like email's Message-ID, but it doesn't have to be. It can be just a unique token. The unique token can be anything that is reasonably certain to be unique. In order to avoid divulging private information you can just make it pseudorandom or a cryptographic hash of private unique information (time, process ID, etc...)
Similarily, the branch parameter is just a unique token, but note that it has to start with z9hG4bK as specified in the RFC.
Why re-invent the wheel?
There are open source SIP projects and their implementation may inspire you.
You didn't mention what programming language you use. So I assume you can read C code.
Get the source code of kamailio server. The implementation of Call-ID is in kamailio-4.0.x/modules/tm/callid.c. I believe you are smart and can find out about branch tags yourself :o)
I am writing a C# application which allows users to store emails in a MS SQL Server database. Many times, multiple users will be copied on an email from a customer. If they all try to add the same email to the database, I want to make sure that the email is only added once.
MD5 springs to mind as a way to do this. I don't need to worry about malicious tampering, only to make sure that the same email will map to the same hash and that no two emails with different content will map to the same hash.
My question really boils down to how one would combine multiple fields into one MD5 (or other) hash value. Some of these fields will have a single value per email (e.g. subject, body, sender email address) while others will have multiple values (varying numbers of attachments, recipients). I want to develop a way of uniquely identifying an email that will be platform and language independent (not based on serialization). Any advice?
What volume of emails do you plan on archiving? If you don't expect the archive require many terabytes, I think this is a premature optimization.
Since each field can be represented as a string or array of bytes, it doesn't matter how many values it contains, it all looks the same to a hash function. Just hash them all together and you will get a unique identifier.
EDIT Psuedocode example
# intialized the hash object
hash = md5()
# compute the hashes for each field
hash.update(from_str)
hash.update(to_str)
hash.update(cc_str)
hash.update(body_str)
hash.update(...) # the rest of the email fields
# compute the identifier string
id = hash.hexdigest()
You will get the same output if you replace all the update calls with
# concatenate all fields and hash
hash.update(from_str + to_str + cc_str + body_str + ...)
How you extract the strings and interface will vary based on your application, language, and api.
It doesn't matter that different email clients might produce different formatting for some of the fields when given the same input, this will give you a hash unique to the original email.
Have you looked at some other headers like (in my mail, OS X Mail):
X-Universally-Unique-Identifier: 82d00eb8-2a63-42fd-9817-a3f7f57de6fa
Message-Id: <EE7CA968-13EB-47FB-9EC8-5D6EBA9A4EB8#example.com>
At least the Message-Id is required. That field could well be the same for the same mailing (send to multiple recipients). That would be more effective than hashing.
Not the answer to the question, but maybe the answer to the problem :)
Why not just hash the raw message? It already encodes all the relevant fields except the envelope sender and recipient, and you can add those as headers yourself, before hashing. It also contains all the attachments, the entire body of the message, etc, and it's a natural and easy representation. It also doesn't suffer from the easily generated hash collisions of mikerobi's proposal.