JWT: In a server-to-server request, should I sign the entire request body?

Let’s set the scene with two servers:

  1. an “auth” server which provides users with authorization tokens containing claims relevant to their account
  2. a “paywall” server, which after receiving payment from a user, will send a request to the auth server to add the “premium” claim to the user’s account (and also this server can serve out restricted content to users who have the claim)

Both servers have access to a shared secret key, so the paywall server can verify the user’s claim to view restricted content.

I want to verify that any claim-altering-requests which the auth server receives are actually coming from my trusted paywall server.

My thinking is that the paywall server should simply sign every claim-altering-request in its entirety within a JSON Web Token, such that the auth server can verify the identity of the sender, and also verify that none of the requests have been tampered with.

In this case, it seems like the entire request body would simply be one big JSON Web Token (instead of a mere Authorization header) because I can’t trust any data which isn’t signed within the JWT.

Does this reasoning make sense, or is this overkill? Is my solution redundant? Perhaps HTTPS can already effectively solve this problem? I think of HTTPS as a means to secure the communications between two points; however, this might not guarantee the identity of either end?
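The design in the question, carried through as a worked example (added here, not code from the question or any project): the paywall server wraps the whole claim-altering request body in an HS256 JWS under the shared key, and the auth server verifies the signature before trusting anything inside. The standard claims iss/aud/exp/jti are added around the body so the receiver can also check who the token is from, that it was meant for this server, that it is fresh, and that it is not a replay of an earlier valid request; a bare signature over the body does not give you those on its own. The secret, the issuer and audience names, and the request bodies are constructed values; a real deployment would load the key from a secret store and keep the seen-jti set in shared storage with an expiry.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; in practice this comes from a secret store.
SHARED_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_request(body: dict, key: bytes, issuer: str, audience: str,
                 now: int, jti: str, ttl: int = 60) -> str:
    """Wrap the entire request body in an HS256 JWS (compact serialization).

    Everything the receiver will act on lives inside the signed payload, so no
    unsigned field of the HTTP request has to be trusted.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "aud": audience, "iat": now, "exp": now + ttl,
              "jti": jti, "request": body}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_request(token: str, key: bytes, issuer: str, audience: str,
                   now: int, seen_jti: set) -> dict:
    """Verify the token and return the embedded request body, or raise ValueError.

    Order matters: the signature is checked before any claim is read, and the
    algorithm is pinned so the sender cannot choose it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h_b64 + "." + c_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("replayed or missing jti")
    seen_jti.add(jti)
    return claims["request"]


if __name__ == "__main__":
    # Constructed request from the paywall server to the auth server.
    body = {"user_id": 42, "add_claim": "premium"}
    token = sign_request(body, SHARED_SECRET, "paywall", "auth", now=1_700_000_000, jti="req-1")
    seen = set()
    print(verify_request(token, SHARED_SECRET, "paywall", "auth", 1_700_000_010, seen))
```

On the HTTPS part of the question: TLS authenticates the server end by its certificate, so the paywall server can know it is talking to the real auth server, but the auth server learns nothing about who the client is unless you also deploy client certificates (mutual TLS). Signing the body as above is the application-layer way to get sender authenticity and integrity; mutual TLS is the transport-layer alternative, and the two are not redundant with each other since only the signed token also gives you replay protection and an audit record per request.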

See pending workflows of entire sharepoint

We have a SharePoint 2013 environment, and we have some issue with Workflow Manager services. Because of that, no workflows are starting automatically on create/update.

Even if I manually start a workflow on any item, it will stay in the "not started" state.

I am in communication with Microsoft support and they have suggested updating the Workflow Manager version.

Before doing that, I wanted to see how many workflows are pending in all sites.

Is there any way I can see that?

Switching entire SharePoint to Modern Experience

How do I change an entire SharePoint from classic experience to modern experience?

I have already figured out that once your SharePoint is switched to modern experience there is no way back to the classic one. You can only switch back and forth with lists and document libraries.

Do I need specific rights for changing the entire SharePoint to modern experience? As of now I have the right to change the experience of lists and document libraries.

How to add permission to the entire site from a list

I have a list "managers"; this list has a name picker, and this list will be used every time a new manager leaves or joins. How can I give the people on this list permission to the entire site? I mean, if I add someone to the list "managers", it will automatically give this person the "owner" permission on the site.

Is this possible?

Regards,

Batch convert an entire folder of pdf files to jpg or png using pdftoppm in ubuntu

I have an entire folder of nearly 4000 PDF files that had gotten accidentally scanned into PDF files instead of JPG by a co-worker. We were scanning nearly 7000 paper files and at some point second shift somehow changed the saves to PDF. This was originally done in Windows. I have been chasing a way to correct this for over a week and everyone says use Linux; along the way I had installed Mint, then dumped that for Ubuntu. I know nothing about the command line; all I need is a simple command to make this convert the contents of the entire folder. The problem being, out of all the files that were scanned we don't know from the originals which ones were done correctly and which ones were done as PDF, or we could just re-scan them. All the PDF files are separated in a folder by themselves. I have no idea what to type, where to type it, or how to get this to work. HELP please!

Does using a package of Affero GPL license in a large app mean the entire app has to be GNU?

I can’t figure out if Affero GPL only applies to any modifications made to the Affero GPL licensed software or to ALL software that touches ANY Affero GPL software.

For example: I have a SaaS app where, server side, I have a function that responds to customer input and modifies customer input using an Affero GPL licensed package.

    from gplPackage import gpl

    def myFunction(x):
        x = x + 1
        x = gpl(x)
        return x

So myFunction, which I wrote, calls an Affero GPL licensed function. Does this mean I have to release myFunction to the public under an Affero GPL license? Or would I only have to give away / give people the code for gplPackage?

I would like to use an Affero GPL licensed package in my app, but do not want to make my entire application, even stuff that I wrote myself, public.

Return entire search-based database into Excel

How can I return every result from a search-based online database into Excel? For example this link: http://natega.thanwya.emis.gov.eg/ This link returns results if you input a number roughly between 150000 and 600000. I see there is an option in Excel to import an online database, but you need its name and I don’t know how to get its name.

Is Glasstaff and the entire Redbrand Hideout supposed to be this easy?

DISCLAIMER: The whole question has spoilers about Lost Mine of Phandelver.

So, I went through the Redbrand Hideout with my party. They

This fight was the one they used most resources – two 1st level spell slots from the 2nd level Cleric for healing, Lay on Hands from the Paladin for healing (7 HP out of the 10 total HP pool), Hunter’s Mark from the Ranger for damage. Also, the Paladin used one divine smite.

After that, they

Our Druid used Faerie Fire on the enemy, as the first person moving. He failed the ST, making every other attack against him have advantage. Our Paladin had the +1 Longsword from

He critted, with divine smite, dealing 6d8 + 4 (31 average) damage. So… yeah, Glasstaff was unconscious before being able to make any action or reaction.

Is the fight (and the dungeon as a whole) supposed to be that easy? I understand that they skipped essentially every content on the dungeon, making literally the fastest path to Glasstaff they could make, but still… Everyone’s left with a feeling of “really? Was it supposed to be that easy? I’m confused.”

I’m running this adventure for the first time, so I’m not sure about: did I do something wrong? – did I misplay Glasstaff or something? Were they just too lucky in finding the secret door, getting to surprise him and critting him?

Am I mistaken and the real challenge begins now, as they are mostly drained out of resources, and there’s still much dungeon to explore?

As a note: Glasstaff rolled an amazing 3 initiative, so even if he wasn’t surprised, he would be unconscious (PCs didn’t kill him) before his first round anyway.

Summary

I am sincerely confused about how easy this “dungeon” and its “boss” was. As I said, the main “questions” (I think they are all related, so no “more than one question” here) are:

  • Is this supposed to be this easy?
  • If it is not, did I do something wrong?
  • If it is, is there something I can change (the next time) so it actually becomes more challenging?

I’m aware that Glasstaff encounter gives only 200 XP, being a CR1 monster against 4 2nd level characters, so pretty easy encounter. But should it have been different, overall?

And, as I mention in the body

  • Am I mistaken and the real challenge begins now, as they are mostly drained out of resources, and there’s still much dungeon to explore?

Party setup

Probably implied for now, but the party this time had only 2nd level characters, one Druid, one Paladin, one Ranger and one Cleric. To be fair, they aren’t even worried about optimization.


Tactical comment

I don’t feel like I have played the NPCs/monsters wrong. As I said, the Nothic itself drained a lot of resources from the party – 2 out of 3 spell slots from the Cleric, 1 out of 2 spell slots from the Ranger, 1 out of 2 spell slots from the Paladin, dropping the Cleric and the Paladin to half HP and the Ranger to half HP as well.

Glasstaff, on the other hand, with his miserable 22 HP and (even with) 20 AC, got pretty easily hit by the +6 attack bonus from the paladin (+1 LS) (it actually critted, as I said, so that doesn’t even matter) and +7 attack bonus from the Ranger (+2 from archery, +5 from usual).

nginx ssl_dhparam key for each vhost, or once for entire configuration? vs SSL config

Should Diffie-Hellman parameters (ssl_dhparam key) be generated for each vhost, or just placed within http{...}? (For completely different websites served up by the same host.)

Conversely, to confirm, ssl_certificate, ssl_certificate_key, and ssl_trusted_certificate should be different for each website? Is there a way to refer to these three parameters if used in multiple vhosts (e.g. forwarding non-www to www) without copy-pasting? (Trying to follow the DRY principle, one source of truth.)