import { useEffect, useState } from "react"; import "./App.css"; import Profile from "./components/profile/Profile"; function App() { // Extracting the 'code' parameter from the URL query string (used for authorization) const urlParams = new URLSearchParams(window.location.search); const code = urlParams.get("code"); // State to store the retrieved user data const [data, setData] = useState(null); // State to indicate if data is being fetched const [loading, setLoading] = useState(false); // Runs whenever the 'code' variable changes (likely on authorization flow) useEffect(() => { const token = localStorage.getItem("token"); if (token) { setLoading(true); // Set loading to true while fetching data fetch("https://api.github.com/user", { headers: { Authorization: token }, }) .then((res) => res.json()) // Parse the response as JSON .then((data) => { setData(data); // Update state with fetched user data setLoading(false); // Set loading to false when done fetching }); } else if (code) { // If no token but 'code' is available (GitHub OAuth flow) setLoading(true); // Set loading to true while fetching data fetch( `http://localhost:8589/oauth/redirect?code=${code}&state=YOUR_RANDOMLY_GENERATED_STATE` ) .then((res) => res.json()) // Parse the response as JSON .then((data) => { setData(data.userData); // Update state with user data from response localStorage.setItem( "token", `${data.tokenType} ${data.token}` ); // Store access token in local storage setLoading(false); // Set loading to false when done fetching }); } }, [code]); // Function to redirect the user to the GitHub OAuth authorization page function redirectToGitHub() { const client_id = "blah blah"; const redirect_uri = "http://localhost:5173/"; const scope = "read:user"; const authUrl = `https://github.com/login/oauth/authorize?client_id=${client_id}&redirect_uri=${redirect_uri}&scope=${scope}`; window.location.href = authUrl; } // Conditionally render content based on loading state and data availability if (loading) { return

Loading...h4>; } if (data) { return ; } return ( <>

Login to MyApph1> Login with GitHub button> div> ); } export default App;

import hashlib from datetime import datetime import httpx from fastapi import APIRouter, HTTPException, Query from app.config import settings from app.utilities.db import db from .models import OauthException, OauthToken router = APIRouter() @router.get( "/callback", response_model=OauthToken, responses={ 400: {"description": "Oauth Error", "model": OauthException}, }, ) async def oauth_callback( code: str = Query(description="Authorization Code"), ) -> OauthToken: """ GitHub Oauth Integration Callback """ async with httpx.AsyncClient() as client: token_result = await client.post( "https://github.com/login/oauth/access_token", json={ "client_id": settings.github_oauth_client_id, "client_secret": settings.github_oauth_client_secret, "code": code, "redirect_uri": "http://localhost:8000/v1/auth/callback", }, headers={"Accept": "application/json"}, ) data = token_result.json() error = data.get("error") if error: raise HTTPException( status_code=400, detail=f"{data.get('error')}: {data.get('error_description')}", ) access_token: str = data.get("access_token") user_result = await client.get( "https://api.github.com/user", headers={"Authorization": f"Bearer {access_token}"}, ) user_data = user_result.json() user = user_data.get("login") await db.tokens.insert_one( { "user": user, "access_token_hash": hashlib.sha256(access_token.encode()).hexdigest(), "created_date": datetime.utcnow(), }, ) return OauthToken(access_token=access_token)

The actual URL is https://github.com/login/oauth/authorize?client_id=bbb58b28cdd98636e3e2&redirect_uri=http%3A%2F%2F127.0.0.1%3A8000%2Fcallback&scope=user%3Aemail&response_type=code

GOOGLE_CLIENT_ID = os.environ["GOOGLE_CLIENT_ID"] GOOGLE_CLIENT_SECRET = os.environ["GOOGLE_CLIENT_SECRET"] GOOGLE_TOKEN_URL = "https://www.googleapis.com/oauth2/v4/token" GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth" GITHUB_CLIENT_ID = os.environ["GITHUB_CLIENT_ID"] GITHUB_CLIENT_SECRET = os.environ["GITHUB_CLIENT_SECRET"] GITHUB_TOKEN_URL = "https://github.com/login/oauth/access_token" GITHUB_AUTH_URL = "https://github.com/login/oauth/authorize"

export const GET = async ({ cookies }) => { const state = generateRandomString(40); // I recommend using nanoid cookies.set("github_oauth_state", state, { httpOnly: true, secure: !dev, // disable when using localhost maxAge: 60 * 60 // 1 hour expiry, path: "/" }); const authorizationUrlSearchParams = new URLSearchParams({ client_id: GITHUB_CLIENT_ID, state }); const authorizationUrl = https://github.com/login/oauth/authorize?${authorizationUrlSearchParams}; // redirect to authorization url return new Response(null, { status: 302, headers: { Location: authorizationUrl } }); } ```

services.AddCookie("Google-Cookie") .AddOAuth("Google", options => { options.SignInScheme = "Google-Cookie"; options.ClientId = configuration["ClientId"]>; options.ClientSecret = configuration["ClientSecret"]; options.AuthorizationEndpoint = "https://github.com/login/oauth/authorize"; options.TokenEndpoint = "https://github.com/login/oauth/access_token"; options.UserInformationEndpoint = "https://api.github.com/user"; options.CallbackPath = "/api/Google-Redirect"; options.Scope.Clear(); options.Scope.Add("read:user"); options.SaveTokens = true; // Not sure what does this do options.Events.OnCreatingTicket = async context => { using var request = new HttpRequestMessage(HttpMethod.Get, options.UserInformationEndpoint); request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", context.AccessToken); using var result = await context.Backchannel.SendAsync(request); var user = await result?.Content?.ReadFromJsonAsync(); context.RunClaimActions(user); // I don't think this is needed // Create claims for the token var claims = new Claim[] { new Claim(ClaimTypes.Name, user.Name), new Claim(ClaimTypes.Email, user.Email) }; // Create the token var token = new JwtSecurityToken( issuer: configuration["JWT_Issuer"], audience: configuration["JWT_Audience"], claims: claims, expires: DateTime.UtcNow.AddHours(1);, signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["JWT_Secret"]));, SecurityAlgorithms.HmacSha256) ); // Generate the token string var tokenString = new JwtSecurityTokenHandler().WriteToken(token); context.Response.Cookies.Append("X-Access-Token", tokenString, new CookieOptions() { HttpOnly = true, SameSite = SameSiteMode.Strict }); }; } );

# Verify the content of the artifact at the given digest, as well as the fact # that the signature has been created by a GitHub actor with the given email. $ cosign verify ghcr.io/radu-matei/hello-spin@sha256:6f886e428152a32ada6303e825975e1a9798de86977e532991a352d02c98f62c \ --certificate-oidc-issuer https://github.com/login/oauth \ --certificate-identity [email protected] Verification for ghcr.io/radu-matei/hello-spin@sha256:6f886e428152a32ada6303e825975e1a9798de86977e532991a352d02c98f62c -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The code-signing certificate was verified using trusted certificate authority certificates

@Bean ClientRegistrationRepository clientRegistrationRepository(JdbcTemplate jdbcTemplate) { JdbcClientRegistrationRepository jdbcClientRegistrationRepository = new JdbcClientRegistrationRepository(jdbcTemplate); ClientRegistration clientRegistration = ClientRegistration.withRegistrationId("github") .clientId("123456") .clientSecret("123456") .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_BASIC) .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE) .redirectUri("{baseUrl}/{action}/oauth2/code/{registrationId}") .scope(new String[]{"read:user"}) .authorizationUri("https://github.com/login/oauth/authorize") .tokenUri("https://github.com/login/oauth/access_token") .userInfoUri("https://api.github.com/user") .userNameAttributeName("login") .clientName("GitHub").build(); jdbcClientRegistrationRepository.save(clientRegistration); return jdbcClientRegistrationRepository; }

const oauthUri = `https://github.com/login/oauth/authorize?client_id=${process.env.NEXT_PUBLIC_GH_CLIENT_ID}&scope=user:email,read:user&redirect_uri=http://localhost:3000/api/auth`

var builder = WebApplication.CreateBuilder(args); builder.Services.AddAuthentication() .AddOAuth("github", o => { o.ClientId = "###"; o.ClientSecret = "###"; o.AuthorizationEndpoint = "https://github.com/login/oauth/authorize"; o.TokenEndpoint = "https://github.com/login/oauth/access_token"; o.CallbackPath = "/oauth/github-cb"; o.UserInformationEndpoint = "https://api.github.com/user"; }); var app = builder.Build(); app.MapGet("/", (HttpContext context) => { return context.User.Claims.Select(x => new { x.Type, x.Value }).ToList(); }); app.MapGet("/login", () => { return Results.Challenge(authenticationSchemes: new List() { "github" }); }); app.Run(); --------------------------------------------- dotnet : Stack overflow. At line:1 char:1 + dotnet watch --no-hot-reload 2> output.txt + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (Stack overflow.:String) [], RemoteException + FullyQualifiedErrorId : NativeCommandError at System.Collections.Generic.Dictionary`2[[Microsoft.Extensions.DependencyInjection.Servi ceLookup.ServiceCacheKey, Microsoft.Extensions.DependencyInjection, ...Goes on for an other 60.000 lines

Just a documentation change, fortunately:

https://github.com/bytecodealliance/wasmtime/commits?author=...

They've submitted little documentation tweaks to other projects, too, for example:

https://learn.microsoft.com/en-us/cpp/overview/whats-new-cpp...

I don't know whether this is a formerly-legitimate open source contributor who went rogue, or a deep-cover persona spreading innocuous-looking documentation changes around to other projects as a smokescreen.

WebAssembly is extremely portable. WebAssembly runs on: all major web browsers, V8 runtimes like Node.js, and independent Wasm runtimes like Wasmtime, Lucet, and Wasmer.

cpu: 4 disk: 60 memory: 12 arch: host hostname: colima autoActivate: true forwardAgent: false # I only tested this with 'docker', not 'containerd': runtime: docker kubernetes: enabled: false version: v1.24.3+k3s1 k3sArgs: [] network: address: true dns: [] dnsHosts: host.docker.internal: host.lima.internal # Added: # - containerd-snapshotter: true (meaning containerd will be used for pulling images) docker: features: buildkit: true containerd-snapshotter: true vmType: vz rosetta: true mountType: virtiofs mountInotify: false cpuType: host # This provisioning script installs build dependencies, WasmEdge and builds the WASM runtime shims for containerd. # NOTE: this takes a LOOONG time! provision: - mode: system script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 echo "Installing system updates:" apt-get update -y apt-get upgrade -y echo "Installing WasmEdge and runwasi build dependencies:" # NOTE: packages curl, git and python3 already installed: apt-get install -y make gcc build-essential pkgconf libtool libsystemd-dev libprotobuf-c-dev libcap-dev libseccomp-dev libyajl-dev libgcrypt20-dev go-md2man autoconf automake criu pkg-config libdbus-glib-1-dev libelf-dev libclang-dev libzstd-dev protobuf-compiler apt-get clean -y - mode: user script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 # # Setting vars for this script: # # Which WASM runtimes to install (wasmedge, wasmtime and wasmer are supported): WASM_RUNTIMES="wasmedge wasmtime wasmer" # # Location of the containerd config file: CONTAINERD_CONFIG="/etc/containerd/config.toml" # # Target location for the WASM runtimes and containerd shims ($TARGET/bin and $TARGET/lib): TARGET="/usr/local" # # Install rustup: # echo "Installing rustup for building runwasi:" curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain none -y source "$HOME/.cargo/env" # # Install selected WASM runtimes and containerd shims: # [[ -z "${WASM_RUNTIMES// /}" ]] && echo "No WASM runtimes selected - exiting!" && exit 0 git clone https://github.com/containerd/runwasi echo "Installing WASM runtimes and building containerd shims: ${WASM_RUNTIMES}:" sudo mkdir -p /etc/containerd/ containerd config default | sudo tee $CONTAINERD_CONFIG >/dev/null for runtimeName in $WASM_RUNTIMES; do case $runtimeName in wasmedge) echo "Installing WasmEdge:" curl -sSfL https://raw.githubusercontent.com/WasmEdge/WasmEdge/master/utils/install.sh | sudo bash -s -- -p $TARGET echo echo "`wasmedge -v` installed!" ;; wasmtime) echo "Installing wasmtime:" curl -sSfL https://wasmtime.dev/install.sh | bash sudo cp .wasmtime/bin/* ${TARGET}/bin/ rm -rf .wasmtime echo "`wasmtime -V` installed!" ;; wasmer) echo "Installing wasmer:" curl -sSfL https://get.wasmer.io | sh sudo cp .wasmer/bin/* ${TARGET}/bin/ sudo cp .wasmer/lib/* ${TARGET}/lib/ rm -rf .wasmer echo "`wasmer -V` installed!" ;; *) echo "ERROR: WASM runtime $runtimeName is not supported!" exit 1 ;; esac cd runwasi echo "Building containerd-shim-${runtimeName}:" cargo build -p containerd-shim-${runtimeName} --release echo "Installing containerd-shim-${runtimeName}-v1:" sudo install ./target/release/containerd-shim-${runtimeName}-v1 ${TARGET}/bin sudo ln -sf ${TARGET}/bin/containerd-shim-${runtimeName}-v1 ${TARGET}/bin/containerd-shim-${runtimeName}d-v1 sudo ln -sf ${TARGET}/bin/containerd-shim-${runtimeName}-v1 ${TARGET}/bin/containerd-${runtimeName}d echo "containerd-shim-${runtimeName} installed." cd .. echo "[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.${runtimeName}]" | sudo tee -a $CONTAINERD_CONFIG >/dev/null echo " runtime_type = \"io.containerd.${runtimeName}.v1\"" | sudo tee -a $CONTAINERD_CONFIG >/dev/null done echo "containerd WASM runtimes and shims installed." # # Restart the systemctl services to pick up the installed shims. # NOTE: We need to 'stop' docker because at this point the actual daemon.json config is not yet provisioned: # echo "Restarting/reloading docker/containerd services:" sudo systemctl daemon-reload sudo systemctl restart containerd sudo systemctl stop docker sshConfig: true mounts: [] env: {}

When you say wasm container, you mean something like wasmtime that provides a non-browser wasm runtime?

https://github.com/bytecodealliance/wasmtime

We can't run this directly from the command line unless we install some runtime like wasmtime:

The roadmap I linked above. The WASI folks have done a poor job at communicating, no doubt, but I'm surprised someone like yourself literally building a competitor spec isn't following what they are doing closely.

Just for you I did some googling: see here[0] for the current status of WASI threads overall, or here[1] and here[2] for what they are up to with WASI in general. In this PR[3] you can see they enabled threads (atomic instructions and shared memory, not thread creation) by default in wasmtime. And in this[4] repository you can see they are actively developing the thread creation API and have it as their #1 priority.

If folks want to use WASIX as a quick and dirty hack to compile existing programs, then by all means, have at it! I can see that being a technical win. Just know that your WASIX program isn't going to run natively in wasmtime (arguably the best WASM runtime today), nor will it run in browsers, because they're not going to expose WASIX - they're going to go with the standards instead. so far you're the only person I've met that thinks exposing POSIX fork() to WASM is a good idea, seemingly because it just lets you build existing apps 'without modification'.

Comical you accuse me of being polarizing, while pushing for your world with two competing WASI standards, two competing thread creation APIs, and a split WASM ecosystem overall.

[0] https://github.com/bytecodealliance/jco/issues/247#issuecomm...

[1] https://bytecodealliance.org/articles/wasmtime-and-cranelift...

[2] https://bytecodealliance.org/articles/webassembly-the-update...

[3] https://github.com/bytecodealliance/wasmtime/pull/7285

[4] https://github.com/WebAssembly/shared-everything-threads

Thanks for the question!

Spin could definitely run in more places than what we have pre-built binaries for. Specifically, we could run on all platforms Wasmtime supports today (https://github.com/bytecodealliance/wasmtime/releases/tag/v1...), including RISC and S390X, for example.

And while we have been experimenting a bit with running Spin on RISC, we haven't really had the bandwidth or requirement to build a production build for those yet.

Are you interested in a specific operating system or CPU architecture? Would love to understand your scenario.

> I used to think we'd eventually get to capability based security, but now I see we'll always be stuck with application permission flags, the almost worthless bastard cousin, instead.

My hope is that WASI will introduce capability based security to the mainstream on non-mobile computers [0] - it might just take some time for them to get it right. (And hopefully no half-baked status-quo-reinforcing regressive single—runtime-backed alternatives win in the meantime.)

[0]: https://github.com/bytecodealliance/wasmtime/blob/main/docs/...

WasmTime finished finished the RFC for the implementation details in June: https://github.com/bytecodealliance/wasmtime/issues/5032

[3]: https://github.com/bytecodealliance/wasmtime/pull/2611