How Intercode builds and loads JavaScript

· 11 min read

Intercode is an open source Ruby on Rails application with a (mostly) single-page app frontend. Virtually all "pages" in the web application are resolved and rendered on the frontend using react-router. These pages then load the data they need using Intercode's GraphQL API, which is implemented on the Rails server side using graphql-ruby.

Intercode doesn't follow the recommended strategy for JavaScript loading in Rails applications. This blog post is an attempt to explain why, and what we do instead.

Database Export Security Issue Disclosure

· 4 min read

Hi larp community! A thing happened that we should tell you about. You're receiving this because you've logged into at least one convention website running in NEIL Hosting (Intercon, Be-Con, Festival, Bubble, etc).

While reviewing the code in the Intercode open source project, we discovered a backup of the Intercode production database. This backup was publicly available for about 6 weeks between September 18 and November 3, 2022.

We do not store payment card data in this database. In addition, we use industry-standard password hashing to protect passwords. Nevertheless, we recommend that you change your password as a precaution. To change your password, please visit: https://www.neilhosting.net/users/edit

We do not have any evidence that this data was accessed, and we have taken steps to remove it from the Internet. However, we also have no way to prove that the data was not accessed.

GraphQL Cross-Domain Security Issue Disclosure

· 3 min read

Hey all. This thing happened we should tell you about.

While performing platform upgrades, we found a bug in Intercode, the website code used by conventions such as Intercon. It has since been fixed.

This bug created an exploit where people with leadership access to one Intercode convention could use certain permissions on any convention. As a reminder, not even admins have access to your passwords or financial information.

Due to the technical complexity of accessing the exploit and the small number of people who had the permissions required to take advantage of this, we don’t think it was used, but can’t prove it.

Email forwarding

· One min read

Intercode can now forward emails received by a convention domain to appropriate staff members. For example, if your convention is hosted at 2020.example.com, and you have a staff position called Webmaster whose contact email is set as webmaster@2020.example.com, Intercode can now automatically forward emails received at that address to all the people in that staff position.

Additionally, staff positions can now have CC addresses (which will also receive email sent to that staff position) and aliases (additional email addresses that can be used to contact that staff position).

In order to take advantage of this feature, conventions will need to set the MX record on their domain name appropriately. If you'd like to do this, please contact us at hosting@neilhosting.net for instructions!

SMS Notifications

· One min read

Intercode is now able to send SMS (text message) notifications! For conventions that keep online event signups open during the con itself, Intercode will deliver notifications of signups, withdrawals, and waitlist pulls starting 24 hours before the start of the convention. The text of notifications is customizable via the "Notification templates" feature in the Admin section.

Users can opt out of SMS notifications via a new setting in their user profile for a convention. Texts will come from 415-NEIL-010 (415-634-5010).