Kamal Fariz Mahyuddin on Ruby on Rails, Ember.js and other web development geekery.

You should follow me on twitter here.

Are You Coming To #barcampkl?

#barcampkl is happening this weekend, 4-5th April 2009, at Inti College Subang. Some pretty interesting talks have been scheduled ahead of time although the organizers have promised to implement a “real” unconference where the talks are voted at the opening of each day.

So, are you coming? Register here.


Secure and Signed AuthSub Requests in Ruby

I pulled the trigger in my last blog post about solving Google AuthSub’s warning. It solved only half the problem - the not-showing-the-warning half. I was too quick to assume it would work since Google returned a token. Actually performing GET on the contacts feed would yield me a 401 Unauthorized.

So, what did I get wrong? A few things.

Firstly, I didn’t have to set the sig in the request authorization URL. A simple secure=1 would have been sufficient. I confused this concept with other request schemes like Facebook’s which signs the request and appends the sig to the URL parameters.

Secondly, for secure AuthSub requests, you need to set special signed headers. Regular non-secure AuthSub requests only need a short header.

Authorization: AuthSub token="COy2q9qdGRDWm7iMAm"

However, if you want secure requests, you need to sign the request. It’ll look something like this.

Authorization: AuthSub token="COy2q9qdGRDWm7iMAm" sigalg="rsa-sha1" data="GET 1237370831 18094396511823580603" sig="XOQNfKpQ8VPCN2Yp+Zt="

I thought I nailed it but it still returned me 401 Unauthorized. I downloaded the Python GData client to compare the sig values and indeed the sig I generated was off.

So the final piece of the puzzle is how do I correctly generate the signature. google-authsub (and my contacts commit) got it wrong. This is what it was doing:

digest =
sig = [@@pkey.private_encrypt(digest)].pack("m")  #Base64 encode

After much googling, I found the answer. Immad Akhund posted the solution on the Google Data Protocol mailing list in June 2008. The correct way to sign data is to use the OpenSSL::PKey::RSA#sign method and remove the newlines after Base64 encoding.

sig = @@pkey.sign(, data)
sig = [sig].pack("m").gsub(/\n/, "") #Base64 encode

So, there you have it. I’ve pushed a new commit to the contacts library with all the fixes. I’ll be forking google-authsub and pushing fixes there too in hopes that another person wouldn’t need to spend a day figuring it out like I did.


Solving “This website has not registered with Google to establish a secure connection for authorization requests”

I recently ran into an ominous warning on the Google Contacts Access Request landing page.

This website has not registered with Google to establish a secure connection for authorization requests.

After some googling, the solution is to register the requesting domain and upload a self-signed X.509 certificate.

Once completed, I retried the request and got a slightly less threatening warning.

This website is registered with Google to make authorization requests, but has not been configured to send requests securely.

The solution was to add two additional parameters to the request: secure=1 and a signature. Fortunately, I found how to generate the signature in the google-authsub gem. A few minutes later, I added support for signing AuthSub requests to Mislav’s contacts library and got the results I wanted. Commit.


Update: I got it wrong about appending the signature to the parameter. I posted a follow up on how to correctly perform signed AuthSub requests in Ruby.



  • evan: i'm curious, how do you know the JVM is deopt'ing in certain cases?
  • headius: it tells us
  • evan: twitter?
  • evan: us post?
  • evan: collect call?
  • headius: reaches out of the screen and slaps us sideways
  • evan: hah
  • headius: there's a bunch of debug options for hotspot
  • headius: some in the released jdk, some require a debug build
  • headius: LogCompilation, PrintInlining, PrintAssembly
  • evan: -XXSlapRatio=1persecond

Sharing Contracts

I love it when companies that provide professional services share the contracts they use when dealing with clients. Many people consider contracts to be part of their secret sauce and competitive advantage over their competition so it’s understandable that these documents are not discussed much (plus they also cost money having to go through legal counsel).

However, Obie Fernandez of HashRocket and Andy Clarke of Stuff and Nonsense have been awesome by sharing the contracts they use in their daily business:

I’d love to collect more of these kinds of write-ups. Do you have some? Twitter me!


Test autoposting from Posterous

I never knew posterous could autopost to other services as well. That’s pretty rad.

Posted via email from kamal’s posterous | Comment »


Full List of 1,339 Rails Contributors

One of the biggest plus points of using git for open source projects is the preservation of the original author of the patch. Here’s how it looks like when displayed in GitHub:

Committer sign-off

In the Subversion days, patches into Rails were attributed by adding an arbitrary combination of the author’s name/email/nick at the end of the commit messages. Makes it kind of hard to keep track of the number of distinct contributors over the lifetime of the project.

Fortunately, Xavier Noria whipped up a script to parse the legacy commit messages to extract the number of commits per author using these rules:

  1. First extract authors from commit message
  2. If empty, check changelogs via git show id
  3. If empty, author is the committer

The full list is can be found on the Rails Contributors page.


Tumblr Client On The iPhone

Would having a tumblr client on my iPhone see me posting more frequently? Obligatory test post.

Posted with LifeCast


On the Beauty of Rubinius’ Design (I Wish I Had

In Rubinius, you can spawn off a brand new complete VM by simply calling It’ll behave exactly as though it was invoked directly from an rbx binary sitting in your $PATH, complete with STDIN/STDOUT (which you can override). I believe this is one of the basis of how Rubinius’ multi-VM architecture works.

Anyway, I bring this up because I really, really wish Rails was architected in a similar fashion. I am building a CMS on top of Rails and would love to get my hands on a if there ever was one. Here’s why.

In a CMS setting, very little of what Rails offers out of the box is usable. You don’t have access to Rails routes so from the very beginning, you don’t have Rails automatically invoking the right controller, the right action and rendering the right view. This doesn’t make sense anyway - you don’t expect your CMS users to start writing controller code in your web editor, do you? (Unless you are Heroku.)

On a slight tangent, the assumption when writing a CMS is that when you ship, you would have written every conceivable controller and model there is (views don’t fall into this because users are generally familiar with the concept of customizable templates). One strategy to extend your “frozen code base” is via the use of widgets and third-party apps (like Facebook) so that you can create seemingly new pages served by custom controllers.

So how do you design a CMS? I’ve been prototyping something for the past week and came up for a breather to check out how other people have solved it. I am delightfully surprised to find out that Radiant does it very close to what I have. In particular, Radiant has one single controller that accepts all requests (lets ignore the entire admin portion for the time being). Based on the path array (provided by the globbed route), it decides what to do / where to dispatch. It takes care of locating the page that corresponds to the URL (it uses a Page model), rendering it and returning the result to the user. It is interesting to note that Radiant directly manipulates the request and response objects, something that Rails developers almost never had to reach for in a regular app. On the other hand, I am exploring the use of serializing the templates to disk and simply calling render :template on it.

Wait a minute. Holy cow, we just built (a simplified) Rails on top of Rails!

What I’d love to see here instead is a method just like Rubinius. Boom, a full blown MVC at your fingertips. Configure it right and there you have your very own CMS with minimal work. Or maybe there is. Lazyweb?


An update in a really long while

Woah, one month with no updates.

I started contracting for a startup in Seattle, WA since beginning of April and have been neglecting to update stuff. It’s pretty nice here plus I get to access things that people here take for granted like attending Seattle.rb hack nights, Pandora, Hulu and this weekend, Barcamp Portland!

See you guys in a bit.

Fork me on GitHub