Secure your Flask

Hey there, I still can’t promise you regular posts, but I am trying to write as often as I can!

Writing & deploying Flask apps is super fun. I love how easy it is to put together a dashboard, proof of concept hack, or even a full-blown app and get it online.

But, while I’m good about using environment variables & not committing my API keys to git, I don’t build a lot of security or user authentication into my apps. That’s because it requires a bunch of extensions, a database, callbacks, etc.

Most of my apps need a simple login/password, not a full-blown user registration system. I mean, I’m usually the only user! So until now, I’ve secured my apps through URL obscurity and no-crawl meta tags.

But I recently found a very effective (and very underrated) Flask extension called Flask-BasicAuth that lets you password protect your apps in 5 lines of code.

Seriously! All you have to do is pip install Flask-BasicAuth, import it into your app, set a login and password (use env variables!), instantiate it, and then add a decorator to each protected route. Or, you can configure it to cover your entire app.
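To show what those five lines actually buy you, here is an added example (mine, not the Flask-BasicAuth extension’s code) that implements the same HTTP Basic check as a plain WSGI middleware using only the standard library, so it runs without Flask installed. It reads the login from the environment, as the post recommends; the BASIC_AUTH_USERNAME and BASIC_AUTH_PASSWORD variable names mirror the config keys the extension documents, and the demo fallbacks, the realm name, and the tiny dashboard app are constructed for the example. Two points the paragraph does not spell out: Basic credentials travel base64-encoded, not encrypted, on every request, so this only protects anything when the app is served over HTTPS; and the password comparison should be constant-time, which is why the check below uses hmac.compare_digest rather than ==.

```python
import base64
import hmac
import os

# Constructed fallbacks for this example only; a real deployment sets the
# environment variables and never ships a password in source control.
USERNAME = os.environ.get("BASIC_AUTH_USERNAME", "demo-user")
PASSWORD = os.environ.get("BASIC_AUTH_PASSWORD", "demo-password")
REALM = "Private dashboard"  # label shown in the browser's login prompt


def check_credentials(authorization_header, username=USERNAME, password=PASSWORD):
    """Return True if an 'Authorization: Basic <base64>' header value carries
    the expected username and password. Both comparisons are constant-time,
    so response timing does not leak how many characters matched."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return False
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False  # malformed token: reject rather than crash
    # The password may itself contain ':', so split on the first one only.
    supplied_user, sep, supplied_password = decoded.partition(":")
    if not sep:
        return False
    user_ok = hmac.compare_digest(supplied_user.encode(), username.encode())
    pass_ok = hmac.compare_digest(supplied_password.encode(), password.encode())
    return user_ok and pass_ok


def basic_auth_middleware(app, username=USERNAME, password=PASSWORD, realm=REALM):
    """Wrap any WSGI application (a Flask app object is one) so that every
    request must carry valid credentials: the whole-app mode the post mentions."""
    def wrapped(environ, start_response):
        if check_credentials(environ.get("HTTP_AUTHORIZATION"), username, password):
            return app(environ, start_response)
        # 401 plus WWW-Authenticate is what makes the browser show a login box.
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="%s"' % realm),
            ("Content-Type", "text/plain"),
        ])
        return [b"Authentication required\n"]
    return wrapped


def dashboard_app(environ, start_response):
    """Constructed stand-in for the app being protected."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secret dashboard\n"]


protected = basic_auth_middleware(dashboard_app)


def make_header(username, password):
    """Build the header value a browser sends after the login prompt."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def status_for(headers):
    """Push one constructed WSGI request through the protected app and return
    (status line, body) so the behaviour can be checked without a server."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    environ.update(headers)
    body = b"".join(protected(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    print(status_for({}))
    print(status_for({"HTTP_AUTHORIZATION": make_header(USERNAME, PASSWORD)}))
```

With the extension itself the equivalent is app.config['BASIC_AUTH_USERNAME'] and ['BASIC_AUTH_PASSWORD'] read from os.environ, basic_auth = BasicAuth(app), and either @basic_auth.required on each route or app.config['BASIC_AUTH_FORCE'] = True for the whole app; the middleware above is just the mechanism behind that decorator laid bare.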

Don’t believe me? Just read the docs and you’ll come around.

Turn your blog into a podcast

[email protected] is still on hiatus, but I really wanted to publish this post. And yeah, I try not to blog about stuff I make, but I think you’ll want to try this out.

This week’s hack combines three things: blogs, podcasts, and Amazon Alexa. Why? Well, blogs have become passé, podcasting is having a moment, and Alexa’s Flash Briefing feature is a first-class feature for distributing your content.

The best Flash Briefing skills, like NPR, use prerecorded audio, but the API supports text-to-speech too, so you can have Alexa read your latest posts to you every time you invoke the flash briefing. Basically, it’s an instant podcast. Pretty neat, right?

My alexafeed.json Jekyll plugin creates an Alexa Flash Briefing compatible JSON feed. It takes the latest 3 posts from the current day and puts them in the correct JSON format. It strips HTML and newlines, so the JSON validates. By default, it includes the entire post, but you can customize it to just use excerpts – which I recommend.

There are a few prerequisites:

  1. You already have a standard, live, working Jekyll blog that’s deployed to a public server.

  2. You update your blog at least daily. If not, your content will get stale quickly and nobody wants to hear the same story over and over in their briefing, especially if you write long posts.

Get it up and running:

  1. Download alexafeed.json and place it in the root folder of your Jekyll blog.
  2. Generate your site, and verify that it is producing valid JSON.
  3. Follow all the steps in this tutorial and input your site URL in step 8.
  4. Enable your skill by opening the Alexa app on your phone, navigating to the Skills tab, clicking Your Skills, and selecting your Flash Briefing Skill.
  5. Say “Alexa, what’s my Flash Briefing?” to your Echo.
  6. Pat yourself on the back and have a beer.
  7. Submit your skill for certification.
  8. Upon certification, tell all your friends to add your Skill to their Briefing (Alexa skills do have URLs)

FYI! Alexa does offer some play and subscriber metrics, so you can track how well your marketing efforts are working. Metrics for Flash Briefing skills are new and way better than anything Apple ever offered podcasters.

There are a few customization options & notes:

  • Flash briefing feeds support between 1 and 5 items, so change the limit:3 in the template depending on how frequently you publish new content.

  • Change post.content to post.excerpt on line 12 if you don’t want Alexa to read out your entire post. Excerpts cut content at the first \n\n. I’d actually recommend doing this if your posts exceed 500 words.

  • streamURL is set as null, because as designed, this is a text-to-speech feed, unlike the NPR feeds which are audio driven. If you want to instead use audio, you’ll need to host audio, include a filename pointer in your post markdown, and change the briefing type of your skill.

  • I’m not totally sure how to deal with special characters / escaping HTML entities in a bulletproof way - but Alexa will try to read them / does a pretty good job.
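The feed the plugin produces, and the escaping question in the last bullet, are easier to reason about outside a Liquid template, so here is an added example in Python (my illustration, not the alexafeed.json plugin itself) that builds the same kind of feed from a handful of constructed posts: newest first, capped at 1 to 5 items, tags stripped, entities decoded, newlines collapsed, and the full body or the before-the-first-blank-line excerpt. The site URL and posts are constructed; the item field names are the ones I understand Amazon’s Flash Briefing feed format to use, so check them against the current documentation. The point on escaping is that once the text is plain, handing it to json.dumps takes care of quotes, backslashes and control characters, which is what a hand-templated feed tends to get wrong.

```python
import html
import json
import re
from datetime import datetime, timezone

# Constructed stand-ins for the site URL and for Jekyll's site.posts. The
# entities, quotes and blank lines in the bodies are deliberate: those are
# exactly what breaks a hand-templated JSON feed.
SITE_URL = "https://blog.example"
SAMPLE_POSTS = [
    {"url": "/2017/03/01/flask.html",
     "date": datetime(2017, 3, 1, 9, 0, tzinfo=timezone.utc),
     "title": "Secure your Flask",
     "content": "<p>Password-protect apps &amp; dashboards.</p>\n\n"
                "<p>Use \"env vars\", don't commit keys.</p>"},
    {"url": "/2017/03/02/alexa.html",
     "date": datetime(2017, 3, 2, 9, 0, tzinfo=timezone.utc),
     "title": "Turn your blog into a podcast",
     "content": "<p>Blogs &rarr; Flash Briefing.</p>\n\n<p>Second paragraph.</p>"},
    {"url": "/2017/02/01/jeans.html",
     "date": datetime(2017, 2, 1, 9, 0, tzinfo=timezone.utc),
     "title": "Open source jeans",
     "content": "<p>OpenFit patterns.</p>"},
    {"url": "/2017/01/01/js.html",
     "date": datetime(2017, 1, 1, 9, 0, tzinfo=timezone.utc),
     "title": "Do more with less JS",
     "content": "<p>No jQuery needed.</p>"},
]

TAG_RE = re.compile(r"<[^>]+>")
WHITESPACE_RE = re.compile(r"\s+")


def to_plain_text(fragment):
    """Strip tags, decode HTML entities (&amp; -> &) and collapse newlines and
    runs of whitespace so the text is ready to be spoken. JSON escaping is
    deliberately left to json.dumps, not done here."""
    text = TAG_RE.sub(" ", fragment)
    text = html.unescape(text)
    return WHITESPACE_RE.sub(" ", text).strip()


def excerpt_of(fragment):
    """Jekyll's default excerpt: everything before the first blank line."""
    return fragment.split("\n\n", 1)[0]


def build_feed(posts, limit=3, use_excerpt=False, since=None):
    """Return the newest `limit` posts (optionally only those dated on or after
    `since`, to mimic the plugin's current-day filter) as Flash Briefing items."""
    if not 1 <= limit <= 5:
        raise ValueError("Flash Briefing feeds carry between 1 and 5 items")
    candidates = [p for p in posts if since is None or p["date"] >= since]
    newest = sorted(candidates, key=lambda p: p["date"], reverse=True)[:limit]
    items = []
    for post in newest:
        body = excerpt_of(post["content"]) if use_excerpt else post["content"]
        items.append({
            "uid": post["url"],  # any string that is stable per post will do
            "updateDate": post["date"].astimezone(timezone.utc)
                                      .strftime("%Y-%m-%dT%H:%M:%S.0Z"),
            "titleText": to_plain_text(post["title"]),
            "mainText": to_plain_text(body),
            "redirectionUrl": SITE_URL + post["url"],
            "streamUrl": None,  # text-to-speech feed: no audio file to point at
        })
    return items


def feed_json(posts, **options):
    """Serialise the feed. json.dumps escapes quotes, backslashes and control
    characters, so the output validates whatever the posts contain."""
    return json.dumps(build_feed(posts, **options), ensure_ascii=False, indent=2)


if __name__ == "__main__":
    print(feed_json(SAMPLE_POSTS, use_excerpt=True))
```

Switching use_excerpt on is the Python equivalent of the post.content to post.excerpt change described above; the since parameter is the spot where a current-day cut-off would go.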

Going biweekly after 3 years

When I started [email protected], my life was very different. I had never been to a hackathon. I barely understood git & APIs. And I desperately needed a creative outlet to get past my boring job in ad tech.

Thanks to some great advice from Kuan Huang at Poncho, I stopped thinking about writing and started doing it.

Since then I’ve published over 160 issues. I changed careers to DevRel. I’ve been to a jillion hackathons (both as a hacker & for Devpost). I’ve written dozens of Chrome extensions. And I started a bunch of video projects: The Commit (job advice for hackers) and Wakey Wakey (videos about cool tech, science, and other cool stuff).

But, over the past few months, [email protected] hasn’t been very good. I’ve been pushing myself to publish at the expense of quality. I’m perpetually exhausted and you deserve better.

So here’s the deal: I’m only going to publish when I’ve got something I’m really excited about. Hopefully that’ll be biweekly.

Thank you so much for exploring open source with me and I hope you stick around.

Open source jeans

In 1981, Brooke Shields coyly told us that nothing gets between her and her Calvin Klein jeans.

20 years later, Shalom Harlow and the Gap introduced us to stretch denim.

Then about 10 years ago, skinny jeans became a thing and jeggings followed shortly thereafter. Soon, dudes were getting in on skinnies, and today everyone can enjoy multiway stretch denim. And don’t even get me started on different cuts, washes, and distressing techniques. Frankly, denim is bonkers these days.

But what if we had open source patterns? Then everyone would be capable of producing quality, perfect fit denim!

Kyle McDonald and Lisa Kori Chung’s OpenFit project aims to do just that. They’ve built pattern making tools, and a body measurement app that uses Chromakey (green screen) leggings, a Kinect, and Processing. The app masks out everything but the Chromakey color, calculates the contours of your body, and uses the fit data to create custom patterns.

Read more about it at Vice and check out the OpenFit gallery on Flickr.

Do more with less JS

A few years ago, HubSpot made waves with a web site that suggested you might not need jQuery. It was a revelation in a world heavy with jQuery plugins.

Una Kravets, a front-end developer at IBM, has taken that a step further with YouMightNotNeedJS, demonstrating how capable modern browsers & CSS are, even without external scripts.

You should stop reading this post right now and go check it out. But if you need a little more prodding, here are my favorite examples:

  1. JS-less modal
  2. HTML only form validation with regex patterns
  3. Zero plugin accordion

2017 Neal Shyam