Weeknotes 290
Impending demolition
-
Very busy this week, but getting things done.
-
It’s cooled down outside and I’m grateful.
-
I had a lazy start to the week but made it to the gym on Wednesday, Thursday and Friday before a lazy weekend. Everywhere’s so quiet on Fridays.
-
I went to a tech meetup in Shoreditch for the first time in many years. The talks were well-intentioned but annoying — the sort of thing I’d have found fun and inspiring half a lifetime ago, but am now too weary to appreciate — although the half-time vegan pizza was surprisingly good.
As I ate, a stranger walked up and tried forcefully to convince me to use Claude to write code instead of doing it myself, so I knew it was time to leave.
-
I rewatched Mission: Impossible — Dead Reckoning “Part One” in anticipation of seeing the next film at some point. I didn’t enjoy it as much as I did in the cinema: it has some good driving bits and the final twenty minutes are still great, but in the cold light of home it’s silly and implausible with some truly naff dialogue. Is Tom Cruise not very good?
-
I added Proof Key for Code Exchange (PKCE) support to my OpenID Connect client because, well, it protects against a certain kind of attack and turns out to be straightforward, so why not.
The idea is that the client generates a random secret number (the “code verifier”) and includes that number’s SHA-256 hash (the “code challenge”) in the user’s request to the server for an authorization code. Then, when the client requests an access token by sending the authorization code to the server, it sends the secret number too. That allows the server to compute the hash for itself and confirm it matches the one it remembers from the authorization request. Any toerag who intercepts the authorization code won’t be able to exchange it for an access token because they don’t know the secret number that goes with it.
The only fiddly part is that the PKCE specification mandates an idiosyncratic encoding for the code verifier & code challenge, but pleasingly the Ruby standard library supports it, so it’s easily done:
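require "securerandom"
require "base64"
require "digest"
# 32 random bytes encode to a 43-character verifier; the challenge hashes that encoded string
code_verifier_bytes = SecureRandom.bytes(32)
code_verifier = Base64.urlsafe_encode64(code_verifier_bytes, padding: false)
code_challenge_bytes = Digest::SHA256.digest(code_verifier)
code_challenge = Base64.urlsafe_encode64(code_challenge_bytes, padding: false)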
It’s nice when things just work.
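The same exchange seen from the server's side, as an added example that is not part of the original post or the author's client. ToyAuthorizationServer, pkce_pair and the in-memory store are hypothetical names for illustration, and accepting only S256 and burning the code on a failed check are choices made for this sketch.

```ruby
require "securerandom"
require "base64"
require "digest"
require "openssl"

# Hypothetical in-memory authorization server; class and method names are
# assumptions for illustration, not taken from any real library.
class ToyAuthorizationServer
  def initialize
    @pending = {} # authorization code => challenge remembered from the request
  end

  # Authorization request: remember the challenge, hand back a one-time code.
  def authorize(code_challenge:, code_challenge_method:)
    raise ArgumentError, "only S256 is accepted" unless code_challenge_method == "S256"
    code = SecureRandom.urlsafe_base64(16)
    @pending[code] = code_challenge
    code
  end

  # Token request: recompute the hash of the presented verifier and compare.
  def exchange(code:, code_verifier:)
    expected = @pending.delete(code) # single use, even when verification fails
    return nil if expected.nil?
    # RFC 7636 section 4.1: 43 to 128 characters from the unreserved set.
    return nil unless code_verifier.to_s.match?(/\A[A-Za-z0-9\-._~]{43,128}\z/)
    actual = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier), padding: false)
    # Constant-time comparison so the check does not leak how many characters matched.
    return nil unless OpenSSL.secure_compare(actual, expected)
    SecureRandom.urlsafe_base64(32) # stand-in for an access token
  end
end

# Client side, using the same encoding as the snippet above.
def pkce_pair
  verifier = Base64.urlsafe_encode64(SecureRandom.bytes(32), padding: false)
  challenge = Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
  [verifier, challenge]
end
```

An intercepted authorization code presented with any other verifier gets nil back, and the code is spent by that attempt.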
-
I don’t like spelling “authorisation” with a Z, but when you’re implementing an American standard the battle is already lost.
-
I feel wistful about the impending demolition of 32–38 Scrutton Street. I worked there for a few years, on and off — for BERG, for myself, for Poetica — and have many happy memories of it. So it goes.
-
Will 87 Worship Street suffer the same fate?