Weeknote: 2024-W17

30 April 2024

Well, that didn’t take long. Three weeks in and I forgot to write the weeknote. Still, only a day late.

The NLNet NGI Zero funding that we currently benefit from has a big focus on making sure that security and accessibility are part of any funding application. Fortunately, it also comes with the ability to access a bunch of extra services that specialise in this sort of thing, so over the last few weeks I’ve been organising security and accessibility audits.

Accessibility

The main focus of the week was on prepping for the accessibility audit which was happening on Friday. My last job really hammered home how important accessibility and user experience is for anything on the web, so I was really excited about getting this done. Having the opportunity for a proper audit, for free, was amazing. However, I’ve normally been part of a team with experts who focus on this stuff, so actually dealing with it myself is somewhat new.

First, I collected and fixed a few issues that I knew were going to be a problem, and after some trial and error, learned the basics of aXe devtools to tick off any of the big obvious issues before the audit.

Then, on Friday, I joined a video call with the NGI Zero accessibility support team from HAN University, and we did the audit. It was really great to be able to do the audit together with them live, as firstly I could explain what the app was actually supposed to do, and secondly I could absorb as much of the knowledge directly as I could.

This is also the first time I’ve actually watched anyone else use Manyfold. All devs should do this with their code; it can be embarrassing and awful, but it’s invaluable.

This one was actually pretty good, I was pleased with how usable they found it. It’s certainly a lot better than my worst user testing ever, where I watched someone trying to complete a task with a site I’d built for 45 solid minutes before I eventually told them how to do it. That one was bad.

It’s super useful to see people use the site with assistive tech like a screen reader - it really does give you an entirely new view on how people use your stuff. My favourite part had to be the audio feedback the screen reader put on the progress bars though - a beep each time it moved, rising in pitch towards completion. Only problem was that with 6 on screen at a time, it was more of an explosion in a chiptune factory, rather than actual useful feedback. As they said as we nursed our ears, “technically, as it gave feedback, it’s a WCAG success, but it’s probably not a UX success”.

The lead assessor had also pulled in a student researcher (I think, sorry if that’s wrong) who was actually working on accessibility in 3d environments for VR/AR and other stuff, so had some really good feedback on the 3d parts of the app.

Anyway, they sent me over a report afterwards with a bunch of things to fix, though actually not too many; I was pleased with how it went. Now I’ve got a big list, which I’m working through for release this coming week.

Security

Obviously any service that’s on the web needs to be secure and safe, especially if you’re storing people’s data. An organisation called Radically Open Security provide security testing for NGI Zero projects, so I’ve started that process. Currently they’ve got an overview of the app, and are finding someone appropriate to run a proper test.

I’ll get them to test the demo instance and a local docker install, test multiuser capability, that sort of thing. Obviously a lot of those features are still evolving though, so we’ll get a baseline first, then hopefully audit new features as they appear.

Rails is a really safe framework which makes a lot of things secure by default, so I’m not expecting too many horrors; mostly I suspect it will be around making sure that users can’t access data they’re not supposed to (which should be enforced by Pundit), and making sure that the system can’t be used to attack the local filesystem, either to infiltrate or exfiltrate data; after all, a fundamental part of the app is about changing files on disk. That will be something to look at.

Though it was more about accessibility, over the week I did a bit of preparation for the security audit by doing a few tasks like setting up extra vulnerability scanning, and collecting up any issues I want to fix before the audit happens. Not sure when that will actually be though.

Performance

A user popped up in our support chat asking about performance issues, saying it was “a bit slow”. Like, 30 seconds to load the model list page. It turned out, he had about 10x the amount of data I do (particularly tags), and so it was highlighting performance problems that I’d been able to ignore until now. So, I spent a day reducing the huge number of N+1 problems somewhat. Rails makes dev easy, but makes it really easy to end up with lots of these extra database queries; still, that’s a good tradeoff. Devs should fix performance in the right ways, when it’s a problem, avoiding premature optimisation. Anyway, I improved a bunch of it (though there’s a lot more to come) and got a release out which should help.

Now I’m experimenting with OffscreenCanvas, which is a way of moving all the 3d rendering off the main browser thread into a background worker. It should produce a much smoother experience using the site, so I’m hoping for good things there, but I need to stay focused on other stuff first.

Bonus Feature

This week was brought to you by The NRG, whose long-lost Live in Japan set was recently recovered and released. I didn’t see the amazing set they didn’t do at Reading in ‘92, and I’d have loved to not see them on the legendary Japanese tour that never happened. Yes, that’s confusing.