Circus changed a lot those last few days. Rather than being the draft thing of a few days ago, it is now an actual web application. No need to say how proud I feel.
The latest big changes include:
- The Post-Redirect-Get pattern is now implemented. This pattern is the current standard web pattern used when posting new data: use a POST to send the data, then redirect to another page fetched by the browser using GET.
This single change was quite intrusive since it involved deep changes in the handling of the HTTP requests, but also some re-architecturing of the pages navigation. - The anti-CSRF synchronization pattern is now checked against a tokens history. By defaut, the 5 latest tokens are kept. This helps with navigation: the browser "back" button is not the greatest enemy anymore. One can also reload a page without being kicked out. Even double-clicks are no big deal anymore.
The idea comes from Tomcat's CsrfPreventionFilter. - The pages underwent a big lifting. They are now prettier. More red noses all around!
- The database layer is not mixed up with the vault layer anymore. It should help with testing; but it also helps coding by circonscribing the database API use, and removing the small inconsistencies of the sqlite API (viz. the fact that data binding is 1-based while data fetching is 0-based).
- A major security issue was fixed: now the encryption key is really secure. It cannot be decrypted without the user providing their password.
Previously the data in the database was enough to decrypt the user passwords, defeating Circus' goal.
Note: I may not be able to hack a lot in the upcoming weeks. But I shall be back.
Stay tuned and… Merry hacking!
