From 050ce03ad0c7f5d37f7fb42d05eaf15dabaeadb3 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 12 Jul 2019 17:09:25 +0100
Subject: [PATCH] Random token

---
 README.md | 2 ++
 daemon.py | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 920ffff8..bc68f3b1 100644
--- a/README.md
+++ b/README.md
@@ -105,6 +105,8 @@ Follow Accept from **Bob** to **Alice** with attached capabilities.
 When posts are subsequently sent from the following instance (server-to-server) they should have the corresponding capability id string attached within the Create wrapper. To handle the *shared inbox* scenario this should be a list rather than a single string. In the above example that would be *['http://bobdomain.net/caps/alice@alicedomain.net#rOYtHApyr4ZWDUgEE1KqjhTe0kI3T2wJ']*. It should contain a random token which is hard to guess by brute force methods.
+NOTE: the token should be random and not a hash of anything. Making it a hash would give an adversary a much better chance of calculating it.
+
 ``` text
 Alice |
diff --git a/daemon.py b/daemon.py
index de56de58..90eedf6f 100644
--- a/daemon.py
+++ b/daemon.py
@@ -208,7 +208,7 @@ class PubServer(BaseHTTPRequestHandler):
 if self._webfinger():
 self.server.GETbusy=False
 return
-# show avatar
+# show avatar or background image
 if '/users/' in self.path:
 if self.path.endswith('.png') or \
 self.path.endswith('.jpg') or \
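Review bot: The rewritten comment on the `+` line says the branch now covers a background image as well as an avatar, but the three visible condition lines only test that `self.path` contains `'/users/'` and ends in `.png`/`.jpg`, so the hunk gives a reader no way to see how the two cases are distinguished; a comment that matches what is actually visible, such as `# image requests under /users/ (avatar or background image)`, would be less likely to drift from the code. Since `self.path` comes straight from the request, the code that resolves this path to a file runs past the hunk and I cannot see it, so it is worth confirming that it maps the request onto a fixed image directory and rejects anything outside it before opening a file. The enclosing handler method starts and ends outside the hunk. This daemon.py edit is also unrelated to the commit subject "Random token" and would read more clearly as its own commit.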