
Storium Alpha 2 is here

Oops, I’d neglected to reblog the big news:

After months of development, we’re pleased to announce that Storium Alpha 2 has just launched!

Alpha 2 is the latest playtest of Storium, the online storytelling game. It incorporates much of what we’ve learned from our prior playtest, and it’s a big change. Alpha 2 rethinks several of the game’s key mechanics, with the goal of making Storium faster, easier and more fun to play.


(Reblogged from protagonistlabs)

How To Validate An Email Address

Every so often I run into developers trying to validate email addresses, either with super-simple and permissive regular expressions, semi-complex regular expressions, or with library routines. Any typical user registration form is usually going to have something along these lines.

Unless you are writing actual email software, getting detailed about what constitutes a valid email address is going to be time better spent elsewhere.

First and foremost, what problem are you actually trying to solve by validating a user’s address? The two that come to mind are typos and abuse.

Typos that result in an RFC-invalid email address are quite unlikely. Valid email addresses are extremely diverse. RFC validation will of course (very) occasionally catch a typo, but nowhere near as effectively as asking the user to type it again for confirmation - a much more effective solution.

On the abuse side of things, I am hard-pressed to come up with a reason why an attacker would want to get your system to accept a malformed email address when a well-formed one works just as well for them. If you have XSS or SQL injection problems, RFC validation won’t help thwart them. Attackers and griefers can be relied upon to use well-formed addresses as a rule.

For both problems, validating is better than not validating, but don’t fool yourself about what it buys you: not much of anything. At the end of the day, the only way to validate an email address (in the only sense of “validation” that matters) is to send a confirmation email.
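The confirmation step described above, as an added example that is not part of the original post: a signed, expiring token is mailed to whatever address the user typed, and only someone who can read that inbox can send it back. The class name, the 24-hour lifetime and the token layout are assumptions made for illustration.

```ruby
require "openssl"

# Hypothetical helper (not from the original post): issues and checks
# signed, expiring confirmation tokens. No format check is applied to
# the address; receiving the mail is the validation.
class EmailConfirmation
  TTL = 24 * 60 * 60 # seconds a link stays valid (assumed policy)

  def initialize(secret)
    @secret = secret
  end

  # Token = hex("<expiry>|<email>") + "." + hex HMAC-SHA256 of that payload.
  def issue(email, now = Time.now)
    payload = "#{now.to_i + TTL}|#{email}".unpack1("H*")
    "#{payload}.#{sign(payload)}"
  end

  # Returns the confirmed address, or nil for forged, expired or garbled tokens.
  def confirm(token, now = Time.now)
    payload, mac = token.to_s.split(".", 2)
    return nil if payload.nil? || mac.nil?
    # Verify the MAC before decoding, so only our own payloads are parsed.
    return nil unless secure_compare(mac, sign(payload))
    decoded = [payload].pack("H*").force_encoding("UTF-8")
    expires, email = decoded.split("|", 2)
    return nil if email.nil? || expires.to_i < now.to_i
    email
  end

  private

  def sign(payload)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, payload)
  end

  # Constant-time comparison so the MAC cannot be guessed byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

The token carries the address itself, so nothing has to be stored until the link comes back.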

Inside Storium: Using Karma to Inspire Storytelling

protagonistlabs:

If you’ve been following along with previous posts about Storium, our new online storytelling game, you read what Stephen shared about our idea of time-shifted storytelling and the story cards we use to drive gameplay. This time out, we’re looking at how Storium uses a feature called Karma to track and express a character’s successes and failures, and inspire compelling stories. I’m Will Hindmarch, a writer and designer on Storium.


(Reblogged from protagonistlabs)

Time-shifted Storytelling: A Peek Inside Storium

protagonistlabs:

We’re now a few weeks into our alpha test. Our heart rates have returned to something resembling normal. The sun no longer burns our eyes. We’ve emerged from our offices and our loved ones still seem to remember who we are.

So, heck, it feels like a good time to start sharing more about Storium — what it is, how it works, and why we built it. In this first post I’ll talk about what it means when we say that Storium is an “online storytelling game.”


(Reblogged from protagonistlabs)

Rails: Disabling Sprockets CSS & JS exception dumps that hijack your (production) page responses

If you use the Rails asset pipeline, you’re using Sprockets to compile assets. What you probably don’t know is that Sprockets has a debugging feature which will, in the case of an asset compilation error, hijack the CSS response, blow away your body content and replace it with a raw Ruby exception dump (using body:before selectors). This could make your whole page look something like this:

Error compiling CSS asset

   Less::Error: yadda yah error
   (in /path/to/your/app/assets/stylesheets/whatever.css.less)

   at /var/lib/gems/1.9.1/gems/less-2.3.1/lib/less/js/lib/less/parser.js:421:31

Not very pretty. And for JavaScript asset compilation errors, it injects a JavaScript statement to throw an error with the raw exception, so it shows up in client debuggers and JavaScript error signal UIs.

I strongly subscribe to the policy of never showing exceptions to users, not only for UX reasons, but for security reasons: exception stack traces reveal a lot (the dump above exposes file paths and gem versions). Furthermore, I’ve already done a lot of work to make sure my app renders well-designed custom error pages, and a body content hijack like this overrides that design entirely.

For now, I’m fixing this with a monkey patch to Sprockets to do something reasonable instead. Add this to a new file in config/initializers, say sprockets_monkeypatch.rb:


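module Sprockets
  module Server
    # Replace the CSS exception dump with a harmless comment, so no
    # exception text, paths or versions reach the browser.
    def css_exception_response(exception)
      body = "/* Sprockets::Server css compilation exception */"
      # String#bytesize works on every Rack version
      # (Rack::Utils.bytesize was removed in Rack 2.0).
      [ 200, { "Content-Type" => "text/css;charset=utf-8",
               "Content-Length" => body.bytesize.to_s
             }, [ body ] ]
    end

    # Same for JavaScript: a comment instead of an injected throw statement.
    def javascript_exception_response(exception)
      body = "/* Sprockets::Server javascript compilation exception */"
      [ 200, { "Content-Type" => "application/javascript",
               "Content-Length" => body.bytesize.to_s
             }, [ body ] ]
    end
  end
end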

Since it’s an initializer, you’ll need to restart your webserver for this to take effect.

For many apps, you shouldn’t need to do this at all because you’ll have caught all your asset compilation errors in development, especially if you’re just compiling everything into one big bundle like most people using the pipeline will do. However, there are cases where some more unusual pages will use a different set of assets and you may not have caught issues with them, so I think it’s best to have this in place. Besides, I just cringe at the idea of something hidden in the middleware stack hijacking my page responses in unexpected edge cases!
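An alternative that does not depend on Sprockets internals, as an added example that is not from the original post or from Sprockets: a Rack-style middleware that catches a leaked dump on its way out, logs it server-side and sends a neutral comment instead. The class name and both signatures are assumptions based on the behaviour described above (the "Error compiling CSS asset" heading injected through CSS content, and a throw statement for JavaScript); header names follow the capitalisation used in the patch.

```ruby
# Hypothetical middleware (not part of Sprockets or the original post).
# SIGNATURES are assumed from the dump format the post describes.
class AssetExceptionScrubber
  SIGNATURES = {
    "text/css"               => /content:\s*["']Error compiling CSS asset/,
    "application/javascript" => /\A\s*throw\s+(new\s+)?Error\(/
  }.freeze

  def initialize(app, log = $stderr)
    @app = app
    @log = log
  end

  def call(env)
    status, headers, body = @app.call(env)
    ctype = headers["Content-Type"].to_s.split(";").first.to_s.strip
    pattern = SIGNATURES[ctype]
    # Anything that is not CSS or JavaScript passes through untouched.
    return [status, headers, body] unless pattern

    # Buffer the asset body so it can be inspected before it is sent.
    text = +""
    body.each { |chunk| text << chunk }
    body.close if body.respond_to?(:close)
    return [status, headers, [text]] unless text =~ pattern

    # Keep the detail server-side; send the client a neutral comment.
    @log.puts "asset compile error on #{env['PATH_INFO']}: #{text[0, 200]}"
    safe = "/* asset compilation error (details logged server-side) */"
    [status, headers.merge("Content-Length" => safe.bytesize.to_s), [safe]]
  end
end
```

In a Rails app this would be registered with `config.middleware.use AssetExceptionScrubber`.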

I now live in Santa Cruz. I took this photo with my phone on West Cliff Drive, a few blocks from my house. I’ve been back to San Francisco a few times since moving, and I must say it hardly feels like I know it anymore.