Category: Aurelia

Github credentials sharing

jspm install and github rate limiting

It has come to our attention (thanks to @michielcornille!) that some developers, probably unknowingly, publish their username and password to the world. This is dangerous.

Using this information, people with ill intentions can:

  • Delete your account, or do anything else for that matter.
  • Login on your other accounts (logged in on heroku? your production environment is now vulnerable).
  • Login on other systems using the same credentials (people still don’t use different passwords on different sites).
  • Modify code and inject malware into existing repositories without you knowing.

An example of this, used in our own repository can be found here.

In our case, it’s a read-only access token. But some use their github username and password instead. For obvious reasons, I will not be linking to examples in this post.

This is usually done by developers because of github’s rate limiting on API requests, which you run into, for example, when working with JSPM. There’s nothing wrong with using a token, provided you’re careful.

What can I do?

If you already have your username and password on github, change your password. It’s in version control now, and people have it.

If you’re using an access token, check the permissions. Anyone can use your token, and if it has too many permissions, you’re now vulnerable. You can safely change the permissions without breaking the token itself.

  1. Always use 2FA. Read more about it here. This makes sure that even if someone gets your login credentials, they can’t do anything with them.
  2. Don’t put your credentials on github. Not even base64 encoded (that can just be decoded). Instead, take one of the alternative approaches (for instance environment variables).
  3. When creating access tokens for your account, give them the minimal permissions required.
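As an added illustration of what to look for before committing (this is not SpoonX’s code, and the config layout is a constructed approximation of a jspm registry config, not the real file format), the script below decodes base64 values to spot username:password pairs and flags token-shaped strings, reporting only a redacted hint rather than the secret itself:

```python
import base64
import binascii
import re

# Constructed sample (not a real repository): a jspm-style registry config
# with a base64 "auth" value of the form user:password, plus a 40-hex-char
# token embedded in a remote URL. Both shapes end up in version control.
SAMPLE_CONFIG = """{
  "registries": {
    "github": {
      "auth": "%s"
    }
  },
  "remote": "https://0123456789abcdef0123456789abcdef01234567@github.com/example/repo.git"
}""" % base64.b64encode(b"username:hunter2").decode()

# Classic GitHub tokens were 40 hex characters; newer ones carry a gh?_ prefix.
# A commit SHA has the same 40-hex shape, so review token hits before acting.
TOKEN_RE = re.compile(r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|[0-9a-f]{40})\b")
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def decoded_basic_auth(value):
    """Return the username if value is base64 of user:secret, else None."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, secret = raw.partition(":")
    if sep and user and secret and raw.isprintable():
        return user
    return None


def find_exposed_credentials(text):
    """Scan config text line by line; return (line_no, kind, hint) tuples.
    Hints are a truncated token prefix or the decoded username, enough to
    locate and rotate the credential without re-exposing the secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in TOKEN_RE.finditer(line):
            findings.append((line_no, "token", match.group(0)[:4] + "..."))
        for match in B64_RE.finditer(line):
            user = decoded_basic_auth(match.group(0))
            if user:
                findings.append((line_no, "basic-auth", "user=" + user))
    return findings
```

Run it as a pre-commit check over your config files; a placeholder such as `${GITHUB_TOKEN}` that is filled from an environment variable produces no findings.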

Please share this article with anyone you think might be vulnerable to this.

Thanks for reading,

happy coding!

Updates, changes and new aurelia plugins

Hello coders,

Today we’re releasing a stable version of almost all of our aurelia plugins, a couple of new plugins and a preview version of our new Node.js ORM, wetland.

General changes

First we’ll be talking about general changes in our community. It has been growing, so we had to make a couple of changes.

Organisational changes

We’ve hired @doktordirk as our community manager. He’s responsible for answering issues, reviewing pull requests and answering questions on Gitter. A big, and finally public, welcome to Dirk!

We’ve also assigned plugin owners to make sure that plugins keep moving forward. This has proven very useful, and the plugins now have their own roadmaps (more on that later). @RWOverdijk, as the lead developer, is now focused on architecture and on consistency across the plugins.

Release schedule

We’ll no longer keep versions in release-candidate state for as long as we have been. The next versions will follow semver and, thanks to our new testing environment, will be rolled out a lot more frequently.

Big updates

The following is a summary of changes made to existing libraries.

api

  • Migration to npm and name changed spoonx/aurelia-api -> aurelia-api
  • Allow multipart/form-data and x-www-form-urlencoded
  • Add findOne, updateOne, .. methods to allow for path/id?filter=some
  • Packaged for esNext/typescript, jspm/webpack/aurelia-cli

authentication

  • Migration to npm and name changed spoonx/aurelia-authentication -> aurelia-authentication
  • Packaged for esNext/typescript, jspm/webpack/aurelia-cli
  • Completely refactored for consistency. Many parameters renamed; getters/setters for the old names ensure backwards compatibility
  • AuthService.authenticated status is automatically updated according to the token TTL, including across tabs, with optional auto-logout page reload/redirect
  • Binding signal ‘authentication-change’
  • EventAggregator publishes ‘authentication-change’ with the authenticated status data
  • An optional function can be set to customize data extraction from non-JWT tokens
  • Refresh_token with optional auto-refresh
  • Auth0 support using auth0-lock
  • OIDC logout support
  • Updated provider defaults

orm

  • Migration to npm and name changed spoonx/aurelia-orm -> aurelia-orm
  • Packaged for esNext/typescript, jspm/webpack/aurelia-cli
  • Association-select component much more customizable (translation, placeholder …)
  • Paged component added
  • Add generic metadata with the data decorator
  • Set an entity’s id property name with the idProperty decorator
  • Entity: Save new children and mark as dirty when children added or removed. (https://github.com/SpoonX/aurelia-orm/commit/37f6b515)
  • Added entity.reset(shallow)
  • Entity: setData with optional markClean (https://github.com/SpoonX/aurelia-orm/commit/ee01480)
  • Validation: upgrade to aurelia-validation 0.12+

notification

  • Migration to npm and name changed spoonx/aurelia-notification -> aurelia-notification
  • Updated to the new aurelia-i18n. BREAKING CHANGE: cannot be used without aurelia-i18n anymore
  • Packaged for esNext/typescript, jspm/webpack/aurelia-cli

all plugins

  • Added gitbooks (https://plugin_name.spoonx.org/ e.g. https://aurelia-orm.spoonx.org)
  • All plugins are published on npm
  • Added basic d.ts files for typescript users (typescript 2 install ready)
  • Made the plugins @easyWebpack ready
  • Added bundle instructions for jspm and aurelia-cli

New stuff

We’ve also been working on some new stuff! The author of each plugin wrote a little piece on it.

swan-example

By @doktordirk and @RWOverdijk.

We needed a place to demo our plugins, and so we created swan-example.

SWAN is a nifty little stack, which stands for Sails, Waterline, Aurelia and Node. It comes with a cli tool, which isn’t much yet, but does help you define a project structure and get started quickly using our opinionated aurelia-skeleton and auth-ready node server. We’ve used this tool to build the swan-example, which you can see by clicking here.

  • Username: example
  • Password: example

Github

aurelia-view-manager

By @bas080.

Components often require some HTML. We at SpoonX tend to use bootstrap for styling and templating. But we also want to make it easy for people that might use other CSS frameworks. Aurelia-view-manager allows you to easily overwrite the HTML template of components that use aurelia-view-manager’s @resolvedView decorator. If you want to make your component CSS framework independent, head over to the usage section.

Github | Docs

aurelia-form

By @bas080.

Aurelia form makes your life easier by letting you define and generate forms based on data. It does so by using something named a schema.

A schema is a collection of objects that describes the form you want. The schema consists of basic javascript data types, which every programmer understands and knows how to manipulate. A simple example:

You can then use this schema and the object that holds the data like this:

<schema-form schema.bind="schema" model.bind="credentials"></schema-form>

This plugin is especially useful when combined with aurelia-orm, as it generates the form based on your entity schema using the custom component <entity-form />.

Github | Docs

aurelia-pager

By @VMBindraban.

Pager is a component that handles pagination for your application.

Besides the basic functionality of a paginator, like setting the number of items per page, it also supports:

  • Data from an array
  • Data from a resource (using aurelia-orm)
  • Criteria (using a resource with sailsjs/waterline or express)
  • Page range, for example 3 4 [5] 6 7
  • Your own custom template (defaults to bootstrap)

Github

aurelia-filter

By @VMBindraban.

Aurelia-filter is a basic GUI criteria selector that generates a search/filter criteria object. You can easily generate criteria based on AND or OR conditional blocks. Based on the field you have selected, it transforms the input field into the proper type, for example a number or date. It supports all the sailsJS/waterline operators. There is also support for entities (using aurelia-orm).

Github

aurelia-datatable

By @jeremyvergnas.

Datatable is probably one of the most common components you can find in interactive applications. It allows you to have an overview of your data and manipulate it in a user-friendly manner.

Aurelia-datatable has been made to give you an easy and powerful way to implement datatables in your Aurelia application(s). In combination with aurelia-orm, aurelia-view-manager and aurelia-pager, you get, out of the box, a datatable component ready to use, with the following features:

  • Custom columns (with aliases and value converter)
  • Sorting
  • Searching
  • Pagination
  • Custom criteria
  • Optional edit/remove actions on your rows
  • Custom actions on your rows
  • Custom footer on your datatable

Github | Docs

aurelia-config

By @doktordirk.

With the increasing number of plugins, plugin initialization and configuration has become somewhat tedious. Currently, one might have something like this, a long list of plugins and their configs:

Using aurelia-config, that becomes easier and more organized. We just have a single namespaced config object with all the configuration options, and aurelia-config does all those plugin calls for us with the appropriate namespace section. Here’s a simple example:

That’s the main feature of aurelia-config, but there’s more to it.

  • Initialize and configure your plugins in one place with a single namespaced configuration object.
  • Automatically load and merge defaults, which aurelia-config itself can load directly from the plugins.
  • Access the merged config by using our resolver or by injecting aurelia-config anywhere.
  • Since the merged settings are an instance of homefront, all its methods are available, too.

Homefront

By @Rawphs.

Homefront is a module that lets you merge, flatten, expand, search in, fetch from, remove from, put in and generally work with objects easily. It started as an educational project but has made its way into wetland, aurelia-config and json-statham. It is fully tested, and makes working with objects a lot more fun.

Github

aurelia-charts

By @bas080.

Aurelia-charts is a plugin that allows you to use the chart library you like most. It has a simple API and standardizes the way charts are used in your projects. It does so by letting others define sane defaults.

It allows you to write your own plugins, or use an existing one (for example aurelia-charts-c3).

This project is being used by us, but isn’t labeled “stable” yet, as is visible by the lack of documentation.

Github

Bonus: Wetland

By @RWOverdijk.

For the past two months we’ve been working on a brand new Node.js ORM. For now it lacks documentation, but it has neat features. It’s based on the JPA spec (which took some reading) and took inspiration from the way doctrine implemented it. It obviously required some changes to fit the node.js world, but those were kept to a minimum.

A glossary of its features to date:

  • Abstracted principles (repositories, entities, hydrators)
  • Unit of work using proxies
  • Nested joins
  • Nested persist
  • Mapping
  • Transactions
  • Migrations
  • Great performance (smart hydrator and state management)
  • Strict typing (written in typescript)

Feel free to browse the code, and if you’re interested leave a star so you can track the progress.

Github

Conclusion

We’re very happy with the work we’ve done. The plugins are stable and the documentation is clear.

  • If you have questions, suggestions or a need for banter, feel free to join us on gitter.
  • If you like our work, help us out and star our repositories.

Happy coding!

Release posts

Good day to you all!

This blog post is just the “hello world” of our new release posts. We have been working hard to provide quality modules for aurelia over the past six months, and we’re proud of what we’ve accomplished so far. We’ve unified the structure of our repositories, including docs, tests, linters and more.

On top of a bunch of small utilities and repositories we’ve released, we’ve also created these:

These modules are being used, and are becoming more important. This all means it’s time to be more public about what’s going on with these repositories.

Starting with our next big release, we’ll be posting updates on this blog about what exactly it is we’re releasing. This includes migration guides, fixes, features and more.

That’ll be it for now. Until next time!

©SpoonX 2017