Going v1.0.0 with breaking changes


kalaspuffar

Well-known member
May 19, 2018
267
91
Sweden
coderinsights.com
Hi gang.

I still have some work to do with the flags and some settings before going v1.0.0 which is when I feel that we have a feature complete plugin.

When you go to a new major version you can do breaking changes. And I've been thinking of changing some of the keys in the database wp_usermeta.

All SQRL information is saved there per user. When I started this project I saved all the keys as their names without any prefix. The rest of the plugin uses the prefix sqrl_

In order to fix this before we have a large number of people using the plugin, I would like to do this breaking change.

If you want to keep the data intact when this update is done you need to run 3 mysql commands.

Update:
---------------
UPDATE wp_usermeta SET meta_key = 'sqrl_idk' WHERE meta_key = 'idk';
UPDATE wp_usermeta SET meta_key = 'sqrl_suk' WHERE meta_key = 'suk';
UPDATE wp_usermeta SET meta_key = 'sqrl_vuk' WHERE meta_key = 'vuk';

Reverse:
---------------
UPDATE wp_usermeta SET meta_key = 'idk' WHERE meta_key = 'sqrl_idk';
UPDATE wp_usermeta SET meta_key = 'suk' WHERE meta_key = 'sqrl_suk';
UPDATE wp_usermeta SET meta_key = 'vuk' WHERE meta_key = 'sqrl_vuk';


Any objections?

Best regards
Daniel
 
  • Like
Reactions: brianoflondon

brianoflondon

Well-known member
Nov 22, 2018
81
8
I think I'm the only person with a significant running instance that is live.... If I do that change now is there any chance of a dramatic cock up?

And yes I think it is far better if all SQRL related database entries are appropriately flagged.
 

brianoflondon

Well-known member
Nov 22, 2018
81
8
I'm trying to use phpMyAdmin.... you might need to give me better instructions. I only have 9 entries in each of idk, vuk, and suk. I could edit them by hand!



I'm about to go out driving, will be around in 3 hours or so to look at this more.

SQL query:

ALTER TABLE "wp_usermeta" RENAME COLUMN "idk" TO "sqrl_idk"


MySQL said: Documentation
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"wp_usermeta" RENAME COLUMN "idk" TO "sqrl_idk"' at line 1
 

Vela Nanashi

Well-known member
May 19, 2018
625
107
Also if you are copy pasting, it might be good to strip any formatting by pasting into notepad and then cutting from there, in case there are any fancy symbols being added by forum (though that is probably not it either).

However, until the change is made in the plugin I do not think the plugin will work with the changed tables.
 
  • Like
Reactions: kalaspuffar

Vela Nanashi

Well-known member
May 19, 2018
625
107
Also Daniel, could you not add a script to look for the triplet of columns (idk, vuk, suk) and if found run a database alteration yourself from the plugin? Once upon being updated or something?
 

kalaspuffar

Well-known member
May 19, 2018
267
91
Sweden
coderinsights.com
Hi @brianoflondon and @Vela Nanashi

I could build it into the plugin to gradually switch over. Just thought we might do the change early and not require it.

Brian: Don't change anything before you see an update ready to v1.0.0. I would never do a breaking change in an intermediate version.

I want to build a few more minor changes later today. Just wanted to hear your thoughts.

Best regards
Daniel
 

Vela Nanashi

Well-known member
May 19, 2018
625
107
Problem might be that we don't know for certain how many folks have the plugin already (unless wp tracks that), we can't be sure everyone will be able to do the database queries successfully on their own, so it is most likely best to do it in an upgrade routine in the plugin itself, so it won't require advanced stuff from the users. However if it is just people who are active here and able to do it then maybe that would work.

Having the prefix does sound like the right thing to do though :)
 
  • Like
Reactions: kalaspuffar

brianoflondon

Well-known member
Nov 22, 2018
81
8
I've got no problem making that change manually, don't think you need to waste time building an upgrade system into the plugin just for a one time upgrade when there are so few installs.
 

Lee D

Member
Jun 12, 2019
10
2
Seems to me that adding the upgrade to the plugin install would be fairly straightforward. If the previously mentioned prefixes do not exist, run these commands to change them. Remove the possibility of it breaking for some random person using the plugin. Better safe than sorry I think.
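
The upgrade routine suggested in the posts above, sketched as an added example (not the plugin's code and not written by anyone in this thread): it applies the three renames from the first post inside one transaction, is safe to run twice, and refuses to touch anything if a user already holds both an old and a prefixed key. SQLite stands in for MySQL so the example runs offline; `sample_db`, `meta_keys` and `migrate` are hypothetical names and the rows are constructed.

```python
import sqlite3

# Key renames from the first post in this thread.
RENAMES = {"idk": "sqrl_idk", "suk": "sqrl_suk", "vuk": "sqrl_vuk"}

def sample_db(rows):
    """Constructed stand-in for wp_usermeta (SQLite in memory, not MySQL)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.execute("CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY,"
               " user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    db.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value)"
                   " VALUES (?, ?, ?)", rows)
    return db

def meta_keys(db):
    """All meta_key values in the table, sorted, for inspection."""
    return sorted(r[0] for r in db.execute("SELECT meta_key FROM wp_usermeta"))

def migrate(db):
    """Rename the unprefixed keys; return how many rows changed (0 if already done).

    If any user holds both the old and the new key, nothing is changed and
    RuntimeError is raised: a blind UPDATE would leave two rows for one key.
    """
    cur = db.cursor()
    cur.execute("BEGIN")
    try:
        changed = 0
        for old, new in RENAMES.items():
            clash = cur.execute(
                "SELECT DISTINCT o.user_id FROM wp_usermeta o"
                " JOIN wp_usermeta n ON n.user_id = o.user_id AND n.meta_key = ?"
                " WHERE o.meta_key = ?", (new, old)).fetchall()
            if clash:
                users = [r[0] for r in clash]
                raise RuntimeError(f"user(s) {users} have both {old} and {new}")
            cur.execute("UPDATE wp_usermeta SET meta_key = ? WHERE meta_key = ?",
                        (new, old))
            changed += cur.rowcount
        cur.execute("COMMIT")
        return changed
    except Exception:
        cur.execute("ROLLBACK")  # leave the table exactly as it was
        raise
```
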
 

Once set this cannot be

Active member
Jun 27, 2019
38
13
FWIW, yes, I have a few installs using the plugin, but they are not on production sites, so I don’t care if they break momentarily.

Do what you need to do to make it work and I will be happy.

Thx again for the hard work on possibly SQRL’s biggest development towards wide use.
 

Once set this cannot be

Active member
Jun 27, 2019
38
13
@kalaspuffar a concern I have in reaching V1.0 is if your code has been adequately scrutinized. Sure, WP checks over code prior to allowing into their plugin ecosystem, but rogue plugins do get in there.

I have checked out your code quickly when it was 0.5 or 0.6ish, but I am not qualified to audit this for grave errors.

In keeping with my post earlier:

@Steve, I truly hope that any of us who have deployed these test plugins will ensure that we don't use POC code on production servers - that we will use due diligence to ensure that any production code DOESN'T contain any of the issues we keep hearing you talk about on SN about doctoral thesis POC code being widely deployed.
It could be detrimental to this whole endeavour if bad code was found. I truly hope qualified people have vetted these commits.
 

Steve

Administrator
Staff member
May 6, 2018
992
290
www.grc.com
Yes, many things would be wonderful to have. But all we can do is all we can do. Once I have the SQRL Implementation guide finished, I'm sure Daniel and the other Plug-In developers will read through it and check off that they have handled everything I have noted as being required. As with any secure system, there are many non-obvious but potentially very important subtleties that must not be skipped. An example is the necessity to somehow detect any change to the server's reply that the SQRL client is signing with its next query. That requires that a secretly-keyed hash be sent with the reply so that the server can verify the signed return, or that the server maintain an HMAC on its end for verification. My point is that SQRL will work without that, but it will be subject to malicious manipulation.
 
  • Like
Reactions: kalaspuffar
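
The two options described in the post above, as an added example (not code from the plugin, from GRC, or from the SQRL specification): the server either sends a keyed hash along with its reply, or keeps the HMAC on its own side indexed by the nut, and in both cases checks the reply echoed back by the client before trusting it. The function names, the `&mac=` framing, the single-use handling of the nut and the sample reply are assumptions made for illustration and are not the SQRL wire format.

```python
import hashlib
import hmac
import secrets

KEY = secrets.token_bytes(32)  # server-side secret, generated for this example
_pending = {}                  # nut -> MAC of the reply issued with that nut

# Constructed sample reply; field layout is illustrative only.
SAMPLE_REPLY = b"ver=1&nut=n0nce123&tif=5&qry=/sqrl?nut=n0nce123"

def _mac(reply: bytes) -> bytes:
    return hmac.new(KEY, reply, hashlib.sha256).digest()

def issue_with_mac(reply: bytes) -> bytes:
    """Option 1: the keyed hash travels with the reply."""
    return reply + b"&mac=" + _mac(reply).hex().encode()

def check_with_mac(echoed: bytes) -> bool:
    """Verify a reply echoed back by the client under option 1."""
    reply, sep, tag = echoed.rpartition(b"&mac=")
    if not sep:
        return False  # MAC stripped or never present
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_mac(reply).hex().encode(), tag)

def issue_and_remember(nut: str, reply: bytes) -> bytes:
    """Option 2: the MAC stays on the server, indexed by the nut."""
    _pending[nut] = _mac(reply)
    return reply

def check_remembered(nut: str, echoed: bytes) -> bool:
    """Verify an echoed reply under option 2; each nut is accepted once
    (an assumption of this example)."""
    expected = _pending.pop(nut, None)
    return expected is not None and hmac.compare_digest(expected, _mac(echoed))
```

Without one of these checks the client's signature only shows that the client signed whatever reply reached it, not that the reply is the one the server sent.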

user51

New member
Feb 19, 2019
3
3
This is awesome Daniel! Congrats on this quick work. I've been dreaming for years of getting SQRL integrated into my PHP web apps, and the other PHP library has been stale for a few years now (hopefully the release of the Implementation document will wake things up).

I really would hope we could combine efforts in having a single PHP composer-compatible library to share code between the Wordpress Plugin and other PHP web apps. I don't feel I understand enough the on-the-wire protocol yet, but I hope we could factor out the essentials from your library, Daniel.

Peace!
 
  • Like
Reactions: kalaspuffar