Following up on last week's Pubstrate progress report, well... at that time I thought I'd have signed cookies done, and a lot of other things! And nearly exactly one week ago I started doing research for and working on signed cookies.

Well, it took an entire week, but I just merged the signed-cookies branch, complete with unit tests, into master. It uses libgcrypt to do all the HMAC heavy lifting.

The good news is: I'm quite happy with this code and how it works. I'm feeling quite confident in a number of things in Pubstrate's web utilities, and I'm going to work to get some parts upstream into Guile proper (eg cookies, bearer token Authorization support), and some other parts in a guile-webutils library (signed cookies based sessions, some upcoming form utilities, etc).

Anyway, things done in the last week:

• bindings to libgcrypt's HMAC code, based on Guile's FFI
• Signed cookie based sessions now work. If you're familiar with itsdangerous or Django's sessions, it's pretty much that.
• There's a minimalist login page, and it works.
• New module: ctx, which is basically a parameters based system for the kind of thing you get with Flask's application/request context system. Being based on parameters and vhashes, it has a much cleaner foundation (horray, dynamic-wind).

Coming up next/soon:

• Switching the codebase over to use ctx, killing the old params.scm stuff
• A minimalist config system (simple, scheme based)
• Write session keys to disk, don't just generate new key on every process :)
• More rendering of various activity types
• Pagination on the user's homepage
• Login/logout/etc stuff for the web UI
• Forms to submit activities via the web UI

Hup! Onwards I go...