Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Search - "jwt"
-
- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.
A moment of silence, please.8 -
Today I'm going to work on my side project that I haven't touched in weeks.
I want to utilize Angular 2 which means I'll need to learn TypeScript. I also want to use the new .Net Core and EF Core 1.0. Oh and I want to handle authentication using JWT!
Wow, that's gonna be a lot of effort to get things off the ground... maybe instead I'll use this time to learn some new concepts. Maybe watch this episode of Fun Fun Function, or maybe this video on writing Assembly code for an app on Raspberry Pi, that sounds cool!
Actually, you know I should really teach myself dependency injection and unit testing for once. I'm so behind the times.
Well, really I should finish this book on design patterns first. Ok, where did I leave off? Page 20 I think... ehh... maybe I'll just work on my side project.
Tomorrow... tomorrow, I'll work on my side project.9 -
Well, well, well, my new year's gift:
Someone is jamming thousands of requests per second, and NO firewall. JWT tokens that expires in 3 HOURS.
Now MORE THAN 40K stolen.
But, where did it come from? https://devrant.com/rants/4961285/...16 -
Serbia. $600/month for
- full stack
- angular dev
- java spring boot backend dev
- jenkins
- ci/cd pipelines
- jira
- unit integration E2E tests
- kubernetes
- docker
- graphql
- postgres
- sql queries
- aws
- microservices
- deployments
- scala
- kafka
- maven/gradle
- bsc or msc cs degree
- in depth knowledge of
-- observables
-- design patterns
-- jwt and how it works
-- ssl certificates
-- solid principles
There is more but i forgot the rest17 -
In january 2023 i was contacted by a recruiter offering me a job position.
I DID NOT ASK FOR A JOB.
I WAS NOT LOOKING FOR A JOB.
THEY contacted ME.
Ok. So i went along with it and see how it goes. They probably wont hire me nor would i give a shit. Chatted with this recruiter for a while. She forgets to answer my message for 5 fucking days. Twice. Once because she was doing God knows what and the second time because she was on paid vacation. Fine i don't give a shit about you at all anyways.
So this recruiter chatting has been stretched out for several days. I think over a WEEK. So she forwarded me to their lead developer.
I applied to work as a full stack java spring boot backend + angular frontend engineer.
So:
- java backend
- angular frontend
- full stack
- shitload of devops
- shitload of projects i built
- worked with clients
- have CS degree, graduated
- worked a job at their rival company
What could go fucking wrong with all of these stats right?
During technical + hr interview (3 of us on google meets) they asked me what salary I'd be comfortable with.
I said $1500/month straight out.
keep in mind:
- In my country $500 or $600 is a salary for engineers per month
- You get a raise of +$150 which is around $750 after working for 1+ year
- You can earn $1000+ after you work for +2 years
- Rent here is $200-300 a month at minimun. And because of inflation its just getting worse especially with food. So this salary is not for living but for survival.
Their lead engineer gave me a WHOLE ASS FUCKING PROJECT TO BUILD and i had to code it within 10 days. Great so at least 17+ days of my fucking life to waste on these fucktards who contacted ME.
The project was about building a web app coffee shop literally what mcdonalds has when you order via those tablets. I had to build this in java spring boot and angular. I had to integrate:
- docker, devops
- barmen, baristas, orders
- people can order at the table or to go
- each barista can take 5 orders at a time
- each coffee has different types of fields and brewing time
- each barman brews each coffee different period of time
- barista cant take more than 5 orders for to go until barman finishes the previous order
- barista can take more than 5 orders but if those orders were ordered from table, and they have to be put in queue
- had to build CRUD admin functionality coffee's
- had to export them all of the postman routes
- had to design a scalable database infrastructure for all of this alone
- shitload of stuff more
And guess what. After 10 painful days I BUILT THE WHOLE THING MYSELF AND I BUILT EVERYTHING THEY ASKED FOR. IT WAS WORKING.
Submitted it. They told me they'll contact me within 7 days to schedule the final Technical interview after they review what i built. Great so another 17+7 days of my fucking time wasted.
OH and they also told me to send them THE WHOLE GITHUB REPOSITORY AND TRANSFER OWNERSHIP TO THEIR COMPANY'S OWNERSHIP. once you do this you cant have your repository back. WTF? WHY CANT YOU JUST REVIEW THE CODE FROM MY PUBLIC REPOSITORY? That was so weird but what can i fucking do argue with these dickheads?
After a week of them not answering i contacted them via email. They forgot and apologized. Smh. Then they scheduled an interview within 3 days. Great more of my time wasted.
During interview i was on a google meets with their lead engineer, 1 backend java spring boot engineer and 1 angular frontend developer. They were milking me dry for 1 whole fucking hour.
They only pointed out the flaws in what i built, which are miniscule and have not once congratulated me on the rest of the good parts. I explained them i had to rush those parts so the code may not be perfect. I had other shit to do in my life and not work for your shitty project for $0/hour for 10 days you fucking dickriders.
So they quickly ran over to theory. They asked me where is jwt token stored. Who generates it. How the backend knows to authenticate user by it. I explained.
What are solid principles. I said i cant explain what is it but i understand how it works, why its needed and how to implement it (they can clearly see in the project i just build that i applied SOLID principles everywhere) - but i do admit i dont know the theory behind it 100% clearly.
Then they asked me about observables and promises in angular. I explained them how they work and how subscribe method is used (as they can clearly see that i used it in the code). Then they asked me to explain them under the hood of how observables work. The fuck? I dont know and dont care? But i can learn it as i work there?
Etc
Final result: after dragging this for 1 fucking month for miserable $1500/month they told me: we can either hire you now but for a much lower salary which you probably wont be happy with, or you can study more these things we discussed "and know why the car leaks oil" and reapply back to us in 2-3 months!23 -
I'm a "published" freelance dev!
Last night I made my first web application available to the internet. It's an internal enterprise management system for a small non-profit.
It's running on a single $6 a month digitalocean droplet, and the domain is $12 a year, so yearly cost for them is absolutely rock bottom.
It's written in asp.net 6.0 razor pages, nginx reverse proxy, certbot for HTTPS certificates, fail2ban for ssh protection (ssh login is via ssl keys), entity framework with MySQL.
The site itself has automatic IP banning based on a few parameters like login spam, uses JWT tokens, and is fully secured.
All together, it's a lot of value for about $100 a year.14 -
I'm so fed up of this shitty ultra-ortodox industry
I've worked on many different projects, been in many different teams. It's an ever changing industry, but, surprisingly, it's so orthodox. Dev industry nowadays have some rules, that everybody adopts them as "best practices". You have to work on pull requests, and several of your teammates have to review your shit (as if they have nothing better to do).
I'm sick of people using fucking DTOs in shitty frameworks like Laravel. Using DTOs in Laravel is like putting mustard in a fucking chocolate cake.
I'm so fed up of SPAs and node.js. I've yet so see a single SPA that handles jwt tokens correctly. I'm tired of spending hours and hours, days and days, struggling with thousandls of layers of abstractions instead of being productive and getting the shit done.
Because end customers don't give a shit about your "best practices": They have a problem and you are getting paid for it to be solved, not for spending hours and hours struggling with stupid Javascript and its crazy async nature and their crappy libraries.
Damnit. I say. Now. I now feel better. Thanks for listening :)14 -
FYI. Copied from my FB stalked list.
Web developer roadmap 2018
Common: Git, HTTP, SSH, Data structures & Algorithms, Encoding
------
Front-end: HTML, CSS, JavaScript > ES6, NPM, React, Webpack, Responsive Web, Bootstrap
------
Back-end: PHP, Composer, Laravel > Nginx, REST, JWT, OAuth2, Docker > MariaDB, MemCached, Redis > Design Patterns, PSRs
------
DevOps: Linux, AWS, Travis-CI, Puppet/Chef, New Relic > Docker, Kubernetes > Apache, Nginx > CLI, Vim > Proxy, Firewall, LoadBalancer
------
https://github.com/kamranahmedse/...2 -
Sign in with Apple...
* Nobody tells you that a app group can consist of a maximum of 6 apps.
* Nobody tells you that suddenly a key id is needed for constructing the signing key for signing the client_secret when other keys are added in the dev portal.
* Apple gives you email and name only (and i mean only) the first time a customer uses Sign In With Apple.
* You have no chance to reset your user during development in a way to try a fresh auth. So either create separate app ids or separate apple ids.
Sounds like fun, right?8 -
Follow up to: https://devrant.com/rants/5047721/....
1- The attacker just copy pasted its JWT session token and jammed requests on the buy gift cards route
2- The endpoint returns the gift card to continue the payment process, but the gift card is already valid
3- Clients wants only to force passwords to have strong combinations
4- Talk about a FIREWALL? Only next month
5- Reduce the token expiration from 3 HOURS to 10 minutes? Implement strong passwords first
6- And then start using refresh tokens
BONUS: Clearly someone from inside that worked for them, the API and database password are the same for years. And the route isn't used directly by the application, although it exists and has rules that the attacker kows. And multiple accounts from legit users are being used, so the person clearly has access to some internal shit7 -
A friend has a small business and asked me if I could make him a small program. So why not, experience for me and I can help a friend out. (This started in ~mid 2016)
Started out as a WPF desktop application with many weird bugs and slow interface, into crashing the database on AWS (could not connect, could not get a backup). It was just hell and I kind of gave up on fixing it.
I always talked to him and said "yeah, I will do something better soon", but I was procrastinating and kept pushing it away from me. Then one day I said "f*ck it - lets go" and started coding on 2.0:
- WebApp with a complete new architecture (which I learned in the past few months)
- User authentication (JWT)
- ASP.NET Core Backend for web api
- Angular 4 Frontend w/ bootstrap
- Coded in like a week with 3-5 hours each day
Deployed around 6 months ago and he never had a complain. When I visited him I asked "how is your application doing?" - "great. it just works!".
My once most hated project turned into the most successful project in just a few months.2 -
I feel like I beat "the man"
Dunno if any of you guys have picked up on this, but the Microsoft Docs (for asp.net) are basically one big fucking jumbotron advertisement for IdentityServer
The very same IdentityServer who dropped their free, open-source project and turned into an -aaS
It really seems like MS is frothing at the fucking mouth to have you use IdentityServer and offers no real alternatives whatsoever besides something like Facebook or Twitter login.
But I did my studies
Read my articles
And implemented proper Jwt tokens with rolling refresh tokens.
Simpler, more efficient, and compromises nothing. And I didn't pass my money off to some company to do it for me.
Fuck you, Microsoft, and the IdentityHorse you were paid to ride in on.7 -
Story time:
I worked at a firm that had an infernal off the shelf CRM system that they collaborated with the dev company to customise.
They were seriously behind the competition, and didn’t have any app or web presence for interacting with their system, instead relying on people calling (fine for the nature of the business, but competition was leaving them in the dust).
They decided that they needed to redevelop it in-house, with a focus on supporting the web and apps.
I was hired for this purpose.
It was me and one other dev, who was also the head of IT.
He’d built a small prototype, and was new to the whole WPF / MVVM thing for the in-house app, so with my previous experience it was clear it needed to serve as an example only, and that it would need redeveloping.
I was only there three months.
In that time I singularly (he was pulled away to troubleshoot their VOIP installation - yes, for three months as other companies kept dropping the ball) built:
- A WebAPI with JWT auth
- An MVC skeleton frontend
- A WPF desktop app
It had all sorts of cool shit in it, 2FA, Reactive UI, Reactive extensions, server push to desktop, a custom workflow and permissions system.
It was pretty dang cool.
End of the three months rolled around, and the non-technical managers were concerned about time to market, so they decided to drop me as I’d “not made enough progress”.
I’d also had a bit of absence which they were aware of and were supposedly supporting me through.
But MFW three months is assumed to be enough time to build such a system with one dev.2 -
This is fucking mental. Nextjs is a fucking unoptimized piece of fucking trash framework. When i dont touch it for several days magically everything breaks and no longer works. What the FUCK is this garbage framework.
Also i just npm run dev after 3 days of not touching the project, when it started routing is fucking dead, freezes and loading forever, getting stuck at UI, checked activity monitor just to see this piece of fucking cum eat 330-390% of my fucking CPU
Powered by Shitcel
Nextjs unstable cum gargled bullshit garbage framework for script kiddies who think they know shit about programming but they're mindless retards who know nothing about security, jwt tokens or even devops infrastructure or IaC. Fucking useless overexaggerated trillions of dollars of marketing budget for Shitcel's framework called nextjs is not as good as the fake marketing campaign portrayed it to be. It was all a fabricated lie. A fascade. A hollywood shitshow. A faked moon landing type of framework. A fucking meme framework. Fucking pissed off for wasting my time learning it15 -
Sometimes human stupidity still surprises me.
Today I was able to stop the release of a ticket at the last moment that intended to put urls WITH A SECURITY TOKEN TO ACCESS USER DATA through a link shortener.
Some PM assumed that it would be a reasonable course of action to map an url secured via jwt through to a 4 character, countable, base64 string so that we don't have to send multiple sms if they contain this url. I can accept that the implications might slip through one person but the fact that this was put into a ticket by a pm, prioritized by PO, estimated by an entire team, implemented by a professional developer, reviewed by a senior and then scheduled for release without anyone asking themselves if there might be a reason for a security token to be long, that one shocks me.8 -
Why, in the name of all that is holy would you use a secure token generator, and then override it with a short, easily guessable token?! Why take the time? I hate my outsourced devs
-
I inherited a nextjs project from an unknown guy and am fangirling the codebase
But the deeper I familiarise myself with it, the more the cracks begin to appear:
1) The dude Is incapable of grasping the basics of DRY concept. He actually setup a ton of stuff I may have done poorly if I'd started working straight out of the docs, so I feel like I owe him a shower of praise. I guess being new to nextjs makes it look more impressive than it actually is. He was paid off, yet getting the credit seems unearned to me. I'm just afraid reaching out to him might turn around to bite me in the ass
***
I had the above in my drafts, contemplating sending him a token to show some appreciation for unknowingly showing me the ropes. I was going to find him on LinkedIn using his commit names. But after doing everything I've done, undergoing the anxiety and severe pressure I faced at the hands of the project owners, I'm not sharing a farthing with anybody
Yes, I may not have known about zustand and persist middleware. Yes, he did all the ui. Yes, he created the base components and fancy wrappers around form and button html elements. For those, I'm grateful
But the amount of refactoring I had to do to, for an opportunity to implement my own target features, I'd say I can lay as much claim to the project as he does.
Side note #1: I have some newfound respect for front end devs. We used to discriminate against them for doing just css but that was only relevant in the jquery days. Now, they have to use cryptic css frameworks (sass, less, tailwind), they have to learn esoteric syntax of some js framework and write controllers/components as the case may be. They have to (the worst part), bind this data to an API, which would never make sense to me coming from a php ssr-natural world
Back rewarding the guy, some of the challenges I came back from were:
1) Next server outages: I still don't know the workaround this. The app terminates, browser giving an error about using up memory. I have to wait for about 10 minutes before I can access the app again
2) spring Webflux authentication not hydrating: I was unexpectedly asked to work on the back end too, where I got tortured with this horrifying condition. The most poorly documented framework for the Web has no upto date guide on how to implement jwt security measures. I opened a question on stackoverflow. A day later, both my question and the helpful answer got downvoted
3) Zustand not retrieving any data from localstorage once page reloads, until I miraculously stumbled on a hack: there's a config callback for reading state after rehydration or thereabout. So I interact with the state there. That's the only way content clearly in localstorage can get transmuted into dynamic format accessible by the code
4) Mongo database suddenly disconnecting: for no apparent reason, this bailed. Accessible on compass. This was even when I realised it was responsible for front end requests not going through. Eventually created a new database and requests surprisingly began connecting again. Thankfully, my laravel background taught me about seeders so I had them on standby from the onset. Wasn't difficult to just port to a fresh database after confirming the first one was inaccessible to the app
After this painful odyssey and the time constraints, threats of moving forward with someone else, I deserve every dime they deem me worthy of and more3 -
It is time for my own dumbass's favorite pastime: not letting go on retro tech.
I am gonna build a small and complete RESTful web API with Vbscript and Classic ASP with errrthing thrown in this mfker including JWT authentication and i am gonna see how the idea of an ORM goes. I know that COM interop was a thing, dunno if it still is.
I am fucking bored. The graduate degree is killing me and I need a distraction.
Thinking about being a purist and keeping the COM libraries to be made with VB.NET :P
Fuck yeah for being a masochistic retard.
I legit love vb net tho4 -
I have been trying to wrap my head around authentication in hapi for the last 6 hours...
Fuck this shit... when did simple,
I HAS A USERNAME
I HAS A PASSWORD
CAN HAS SESSION?
become:
- you magically get a token from somewhere
- you magically verify that token
- you respond with { credentials } //magic
- by some fucking black magic the server probably creates a session without you knowing about it...
- you freak out and write your own authentication scheme only to find out that you cannot read payload of POST requests in the authenticate method
- you get angrier and depressed and write a rant
(to be clear: there is @hapi/basic but I don't think sending a GET request with the URL looking like username:password@domain.tld is very safe...)11 -
A new developer started working with us a few months back. Plenty years of experience, both front- and backend.
He was the perfect guy for the job, according to management. Two weeks ago he asked me what JWS Cookie I used to send my requests.
After a few minutes we realized that he meant JWT token.
Said developer is no longer working with us, he didn’t like all the new technology.1 -
Trying to use authenticate a JWT token from an Azure service, which apparently needs to use Azure AD Identity services (Microsoft Entra ID, Azure AD B2C, pick your poison). I sent a request to our Azure admin. Two days later, I follow up, "Sorry, I forgot...here you go..."
Sends me a (small) screenshot of the some of the properties+GUIDs I need, hoping I don't mess up, still missing a few values.
Me: "I need the instance url, domain, and client secret."
<hour later>
T: "Sorry, I don't understand what those are."
Me: "The login URL. I assume it's the default, but I can't see what you see. Any shot you can give me at least read permissions so I can see the various properties without having to bother you?"
T: "I don't see any URLs, I'll send you the config json, the values you need should be in there."
<10 minutes later, I get a json file, nothing I needed>
<find screenshots of what I'm looking for, send em to T>
Me: "The Endpoints, what URLs do you see when you click Endpoints?"
<20 minutes later, sends me the list of endpoints, exactly what I'm looking for, but still not authenticating the JWT>
Me: "Still not working. Not getting an error, just that the authentication is failing. Don't know if it's the JWT, am I missing a slash, or what. Any way I can get at least read permissions so I don't have to keep bugging you to see certain values?"
T: "What do you need, exactly?"
Me: "I don't know. I don't know if I'm using the right secret key, I can't verify if I'm using the right client id. I feel like I'm guessing trying to make this work."
T: "What exactly are you trying to get working?"
<explain, again, what I'm trying to do>
T: "That's probably not going to work. We don't allow AD authentication from the outside world."
Me: "Yes we do. Microsoft Teams, Outlook, the remote access services. I can log into those services from home using my AD credentials."
T: "Oh yea, I guess we do. I meant what you are trying to do. Azure doesn't allow outside services to authenticate using a JWT. Sorry."
FRACK FRACK FRACK!!
Whew! Putting the flamethrower away.
Thanks devrant for letting me rant.3 -
Question: Does using cookies for user session handling hinder the scalability of your backend because all the API's have to live on the same domain. Basically if one API starts to get a lot of request and you want to add another server to off balance the load you would have to add an entire webserver rather than just a small micro webserver with the API running on it mainly because cookies are used to authenticate user request and cookies don't survive CORS request. Am I right or don't know what the hell i'm talking about lol need some opinions I suggested we make all API's micro services and use JWT for user sessions12
-
!rant
After 4 - 5 months of learning webD, I am trying to build my first fullstack web application (simple chat one ).
My stack :
FRONTEND:
Vue.js + Materialize
Backend:
Express ( handling routes )
Mongoose/MongoDB ( Database )
Socket.io ( web sockets for real time connection )
JWT
Had dreamt of this 2 months ago where I built a basic front end using html and css, and now porting it to Vue is like a breeze.
Wish me luck and let's hope it doesnot become one of the unfinished projects. ( My university semester exams are coming up , would have to complete this as fast as possible ). I am also learning DSA + STL and aim to learn basic python syntax before holidays so that I can focus my time on ML during them. It's so fucking overloaded that I have my doubts ::((4 -
So this is kind of an odd scenario, but bare with me. My client has been issued a JWT token. After having received and stored it, I completely reset the database, and so also emptied the users table. Note that we're using MySQL with auto incrementing ID, whose counter has been reset. The user ID is stored in the JWT, so now the JWT isn't referencing an existing user anymore, so the client will get a 401. The problem arises when a new user registers and is inserted in the new database. That user will get ID 1, and so the old token for the other user will suddenly be valid for another user. I know it's an odd case, but is this a flaw in JWT? I guess an easy solution would be to use random ID's, but I'm still wondering.6
-
One advantage of JWT that I never realized: session tokens are stored client side, saving network calls to validate them.
Very cool. Love it.3 -
DAILY LARAVEL PROBLEMS
I need to parse a JWT with some custom claims. There's a JWT library with Laravel; documentation really lacking, kinda hardcoded to work with Laravel but whatever; it's already installed, let's see what can I do with it.
It turns out I can't say something like "take this token, parse it, tell me it's valid". Let's see how that goes.
You need to build a parsing class with a manager, some auth stuff, a parser.
To build said manager you need a provider that implements a contract, a blacklist, a factory (of what?)
To build the factory (of what?) you need a claim factory and a payload validator
To build the claim factory you need a request
To build the blacklist you need a Storage
To build the storage you need a CacheContract
To build a CacheContract you need IDK it's a mess
To build the contract you need... IDK for real
WHY LARAVEL IS SHIT: 'cause only in this framework it seems reasonable to build this clusterfuck to parse a base64 encoded string, throw some json_decode and check a signature. And have it work only to authenticate a user.1 -
This is how my login and authentication works
Check for cookie on request
if cookie doesnot exist, send login page ( login )
1) check for credentials
2) if valid, set username's JWT as cookie
3) reload page
4) proceed for authentication
If cookie exist, decode JWT ( authentication )
1) check username
2) if username exist on database, send user panel
Anything wrong with this ?? What is the better way to do this6 -
Hello! Check out my URL shortener application. Please take a moment to review it for me.
Also if you like it please leave a star for the repo.
Link to live app - https://reha-short-url.netlify.app/
Link to Github repo - https://github.com/rehasantiago/...devrant react programming coding url-shortener node js javascript projects jwt mongo db mern express2 -
So I'm looking for a tutorial somewhere to manage auth with react.
I have passport local setup with jwt in express, but looking to manage users in the front-end, managing the user state app wide, logging out, protected routes etc.
I've done some searching around but I can't see anything to concrete. Any pointers or articles would be great.
I was thinking of localStorage but not sure how to go about setting that up with react.3 -
I am working on spring boot jwt project. Ive encoutered a UserDetails class name.
Why is it named UserDetails?? Where the fuck are those details??!! COZ I CANT SEE THEM
Those kind of methods can be found also in other various Services for example LocationService or UserService but none of them is called by developers for example LocationDetailsService. WHAT THE FUCK. Wouldnt it be better to name it UserSecurity???? -
I jumped on this NodeJS codebase to quickly implement an additional method in the custom logger. How hard could it be, right?
I implemented the method alright. But I can't find where to use it... There are like 10 different logger instances used in this tiny app and in one place logger is even used as a vessel (holder object) for the client's JWT token (to access it from the interactor).
oh, and it's a javascript app (somehow I assumed that node apps are typescript.. silly me!)
What the fØ©ĸ spaghetty-fest is this!?!?!4 -
My first blog on JWT
“JWT Explained” by Venkata S S Krishna Chaitanya https://link.medium.com/lxRV4BlZPT1 -
Interview question i had:
- how does jwt work under the hood, where is it stored, what 3 parts is it made of, who creates jwt, how does the server know what information the jwt token has (how can it say oh you're Joe you can login now)
- what is the difference between observable and promise in typescript, how does observable work, what is a stream, what is the difference between fetching data through an observable and fetching data with promise and when should we use one over the other, what does .next() funcrion do in observable under the hood
Answer me these questions without googling8 -
I finally figured out how fucking JWT authentication works. It felt like I was standing all my life and I just sat down
-
Opinions
Hello, I’m considering building a web framework.
My ideal features would be:
Customizable authentication system(considering using a jwt lib)
Embedded DB(bolt db)
ORM( writing my own)
REST api to DB (via code generator)
Code generator(generation of models and views via cli)
GUI to db(some admin dashboard)
CORS(web service right?)
Why?
Ease of development
Fast prototyping of small-medium web services.
Fun.
My question is, do i have to many things on my platter? Should i narrow it down into less featured framework? What feature should I focus on? How should i benchmark it? Should i write tests for absolutely everything or just for exported methods? What should i take into consideration when developing ORM API, Auth API...
The language is Go
Thank you for your input10 -
So i just learned aws elastic beanstalk (EBS, ECS, ALB, EC2, Amplify, S3, RDS, SQS)
Essentially i learned how to operate with aws to deploy a full stack web application with custom backend i built, with security and jwt token, certificate manager, ssl/tls to set up https and redirect from http, and react/angular/nextjs on frontend
All with custom CI/CD pipelines docker and other devops shit
But i still feel like im missing on A Lot of stuff regarding aws. I havent worked with Fargate for example and dont know how it works or when to use it, but i heard other devs use it
Can someone list me a number of things i as a dev should know more regarding aws?3 -
While making a backend and frontend I wanted to make an auth flow, but I ask myself isn't HTTPS auth enough ?
What do you think is JWT to check which user it is and HTTPS to secure the connection enough or should I also use PGP ?9 -
Today was a productive day, learning a lot in python, making a REST API and almost done with user controller, and jwt tokens
Thanks to @gamingfail123 for his guidance :)1 -
Is it normal that I have to first study like 2 or 3 days before I can start to code something I don't know very well? My mentor probably thinks I don't know anything. Whatever... I need to implement JWT and I need time to study because I find it complex.2
-
Here is my GitHub repository where I demonstrated
1. Role Based Authentication with fake jwt and mocked backend.
2. Lazy loading and eager loading modules.
3. Data Resolvers.
4. A pretty good project structure.
Each different topic is implemented in a different branch. I just wanted to share it here.
I have also provided links to the online resources where I learned or practiced these things in Angular ( Check Readme file for more info) :)
Feel free to check.
https://github.com/Ahsan9981/...4 -
when i create a jwt access token and if im using a refresh token
this access token expires every 15 min
am i supposed to code a whole separate route in the backend api for the refresh token so i can make a request to the whole route to trigger the refresh token and generate a new access token?
or should the backend automatically trigger refresh token whenever it receives a request and realizes the access token has expired?3 -
// !rant
Need some assistance with Drupal and Dreamfactory.
Dreamfactory is an amazing piece of software that basically turns any database into a REST API. I mean any DB from SQL Server to MySQL and all kinds of others. For a connection to the API it uses JWT (JSON Web Tokens) which expire momentarily.
On Drupal, there's wsdata and rest client modules. Restclient is a module where you configure a connection via OAuth or HybridAuth to a rest server. The problem is that the rest server for dreamfactory uses JWT and i'm not sure how to get Drupal and restclient to connect that way. -
#Suphle Rant 3: Road to PHP8, Flow travails
Some primer: Flows is a feature that causes the framework to bypass handling the request now but read it from cache. This cache entry is meant to be populated without warming, based on the preceding request. It's sort of like prefetching but done on the back end
While building Suphle, I made some notes on some chapters about caveats and gotchas I may forget while documenting. One such note was that when users make the Flow request, the framework will attempt to determine who user is, using authentication mechanism defined on the first module (of the modular monolith)
Now, I got to this point during documentation and started wondering whether it's impossible for the originating request to have used a different authentication mechanism, which would result in an empty entry for returning user. I *think* it's possible cuz I've got something else called "route mirroring", where web based routes can be converted to API routes. They'll then return JSON, get served under defined API path, use JWT, all automatically. But I just couldn't connect the dots for the life of me, regarding how any of this could impact authentication on the Flow request
While trying to figure out how to write the test for this or whether it was even necessary (since I had no use case), it struck me that since Flow requests are not triggered by an actual user, any code attempting to read authenticated user will see nothing!
I HATE it when I realize there's ambiguity or an oversight, after the amount of attention and suffering devoted. This, along with a chain of personal troubles set off despondency for a couple of days. No appetite for food or talk. Grudgingly refactored in this update over some days. Wrote some tests, not all passed. More pain. May have to convert them to unit tests
For clarity, my expectation is, I built this. Nothing should be impossible for me
Surprisingly, I caught a somewhat lucky break –an ex colleague referred me to the 1st gig I'm getting in 1+ year. It's about writing a plugin for some obscure forum software. I'm not too excited cuz it's poorly documented and I'll have to do a lot of groping, they use arrays instead of objects etc. There's no guarantee I'll find how to implement all client's requirements
While brooding last night, surfing the PHP subreddit, stumbled on a post about using Rector to downgrade a codebase. I've always been interested in the reverse but didn't have any incentive to fret over it. Randomly googled and saw a post promising a codebase can be upgraded with 3 commands in 5 minutes to PHP 8. Piqued my interest around 12:something AM. Stayed up all night upgrading it, replacing PHPSTAN with Psalm, initializing the guy's project, merging Flow auth with master etc. I think it may have taken 5 minutes without the challenge of getting local dev environment to PHP 8
My mood is much lighter than it was, although the battle is not won yet –image tests are failing. For some weird reason, PHP8 can't read generated test images. Hope I can ride on that newfound lease on life to study the forum and get the features working
I have some other rant but this is already a lot to digest in one sitting. See you in rant #4 -
Somehow mocking xhr requests (?) for Axios is really hard to make it work. I use React Cosmos as I'm re-doing the frontend of this already running in production and works great, but when my component communicates with the backend it breaks and I'm unable to test the full behavior.
Then, it occurred to me that trying to mock Axios may not be the best. So I came with this scheme where I would have a configuration variable with a default value and change that when I need to work with React Cosmos, which in turn changes the behavior of `/auth` to return a valid JWT in response to a GET, put an Axios interceptor in my outermost Cosmos decorator and BAM! suddenly was able to develop and test my React components closer to how they would work in production.
It surprises me how simple this endeavor was, and because everything runs orchestrated by docker compose things run smoother.
(this is not an excuse to not to learn how to deal with the mocking issues of Axios, after all I wont have a working backend every time I work in some frontend application)5 -
I am frustrated with the JWT token based authentication library I am using for my lumen(laravel) based backend. It is having lot of ongoing issues with infinite timed token(mobile apps) and others... Here is the link
https://github.com/tymondesigns/...
If anyone has any suggestions for a good replacement for this it would be awesome because this is shitty in the support for the library nobody addressed the issues raised and threads are not even taken care about. It is so frustrating when you implement something but have to deal with the shortcomings of it, when it does not even do some basic things it is supposed to do. I feel bad saying it for somebody else's work. But, sometimes it has to be ranted out... That's the whole point of devRant. So yeah JWT based authentication library suggestions for laravel based backend. Because tymon-auth is shit.1 -
I've been planning a startup project for months now. Then, what was a supposedly simple quest of finding out whether session-based or token-based authentication is better, has become a question of whether I should setup my own OpenID Connect (IODC) auth server or stick to simpler methods.
I've already spent almost a week learning OAuth2 and OIDC, and I can't tell whether this route is an overkill for my usecase. (Or that I just don't want to admit I'm falling into the shiny tech trap.)
How about you guys, how would you approach authentication? JWT/JWE? Sessions?6 -
What did I do while down for the count with Covid?
* Setup a static React site
* Hosted the site at Cloudflare Pages
* Protected the page through CF access
* Extracted the JWT
* Setup a Rails API to validate the token
Now I have static React UIs with a nice rich API backend.2 -
Hi all! I am trying to implement websocket in js and want to send authorization jwt to server. but couldn't because it only support protocols. Any other websocket client library jn js that could help to achieve it?11
-
Since my question, in all likelihood, won't get answered on StackOverflow, I hope I can ask it here instead. I hope that's alright.
So, I am currently developing a Feathers + Nuxt boilerplate, and am using localStorage to store the jwt.
But I noticed if I set the localStorage with the jwt manually, it will act as if I'm logged in, bypassing the entire login-function. So I solved this by using an iframe with a script that clears localStorage (and log out the user, if logged in) when something changes in the localStorage (by using the eventListener "storage"). (I am also observing the iFrame if someone deletes it, in the console, and re-inserts itself).
My question is if this would carry any security risks? Like, would this be a bad thing to do, security wise? Is it alright to leave it alone and let users/visitors to set the jwt manually?9 -
In regards to my last string of posts regarding react and Auth, I got it working the bearer token is being passed but now just getting XML errors every time I submit a form. All the data being passed is JSON. I've created a stackoverflow question https://stackoverflow.com/questions... as I'm getting nowhere and SO really isn't helping either. So if anyone wants to take a stab, go for it.11
-
I'm building a nodejs REST api with jwt token authentication for the first time. So far, it's been as smooth as butter. Any hiccups or gotchas I should worry about?
-
Trying to make a nodejs backend is pure hell. It doesn't contain much builtin functionality in the first place and so you are forced to get a sea of smaller packages to make something that should be already baked in to happen. Momentjs and dayjs has thought nodejs devs nothing about the fact node runtime must not be as restrained as a browser js runtime. Now we are getting temporal api in browser js runtime and hopefully we can finally handle timezone hell without going insane. But this highlights the issue with node. Why wait for it to be included in js standard to finally be a thing. develop it beforehand. why are you beholden to Ecma standard. They write standards for web browser not node backend for god sake.
Also, authentication shouldn't be that complicated. I shouldn't be forced to create my own auth. In laravel scaffolding is already there and is asking you to get it going. In nodejs you have to get jwt working. I understand that you can get such scaffolding online with git clone but why? why express doesn't provide buildtin functions for authentication? Why for gods sake, you "npm install bcrypt"? I have to hash my own password before hand. I mean, realistically speaking nodejs is builtin with cryptography libraries. Hashmap literally uses hashing. Why can't it be builtin. I supposed any API needed auth. Instead I have to sign and verfiy my token and create middlewares for the job of making sure routes are protected.
I like the concept of bidirectional communication of node and the ugly thing, it's not impressive. any goddamn programming language used for web dev should realistically sustain two-way communication. It just a question of scaling, but if you have a backend that leverages usockets you can never go wrong. Because it's written in c. Just keep server running and sending data packets and responding to them, and don't finalize request and clean up after you serve it just keep waiting for new event.
Anyway, I hope out of this confused mess we call nodejs backend comes clean solutions just like Laravel came to clean the mess that was PHP backend back then.
Express is overrated by the way, and mongodb feels like a really ludicrous idea. we now need graphql in goddamn backend because of mongodb and it's cousins of nosql databases.7 -
2 questions:
1. Why would i use keycloak if i can code the same shit by my custom jwt implementation?
2. Is jwt still secure today or should i use oauth2? If jwt is still fine to implement then I'll continue doing it because i know exactly how to implement it. But How can i determine when to use oauth2 vs jwt?10 -
Can any one recommend a good Go framework for APIs with a MongoDB ORM?
Was using Laravel 6/Lumen but it’s API ability is starting to piss me off with its CSRF crap, JWT/Passport implementation and a it’s lack of MongoDB support.
I don’t need any templating engines at all, its all handled by a SPA and Mobile Apps6 -
When building a REST-API, that is secured with tokens (JWT or something),
Should the token be included in the body or in the headers?4 -
I do it pretty regularly maybe once or twice a week depends when I'm working on something interesting and want to get it done. Not very hard when you have coffee, headphones, good music, and enjoy what you do.
As for a story i don't have much of one unless you want one about implementing jwt tokens with a rest api along with trying to implement an 2FA system that would support otp and u2f. Then nuking it from orbit two days later cause it looked like garbage from trying to abstract everything -
Last weekend I started a project with a Angular front end and a WordPress backend.
The front end is for me so I can do the work faster. The backend is for the client that is slow at learning new technology. It's easiest to keep her WordPress setup
It's been a lot of fun setting up the jwt authentication but creating users has been a pain. I'm determined to work through it though.
Has anyone here else tried this? Any tips?4 -
Um hey guys, so I was working with websockets in node.js and wanted to have some form of authentication. Did a bit of googling, read some docs and finally implemented something. It's just I am not sure if it is the right way. Can the experts give their 2 cents?
This is not a rant exactly, so if it comes under self promotion or irrelevant, please tell. 😃
http://iostreamer.me/ws/node.js/...6 -
i have a question. when a user logs in, the app should have the "logged in" effect. so when he tries to navigate go login page it should redirect him to home page. but how can the app know if he has logged in? should i store the jwt token in sharedprefs and check if hes logged in locally on the phone or is the backend rest api supposed to handle that (and how)?
-
not sure what i changed, if anything
but my previously working code calling another microservice now fails because invalid jwt token
fml4 -
There's no official integration (package) for JWT in Java Spring?
I am new to Java Spring and want to create a simple RESTful server with JWT auth. Checked many tutorials, all of them involved creating your own JWT middleware to retrieve JWT token from incoming request and validate it using some 3rd party JWT library like jwtk/jjwt.
I am surprised this is not as simple as including a Spring JWT package and it would work out of box. I used to write a similar site using Python/Django, and for that adding JWT support is quite simple as adding "xxx.middleware.JWTAuthMiddleware".1 -
Just built out my first app using Cloudflare Workers, Typescript, and DurableObjects. Holy shit, this is nice stuff.
It's taken little to no time to build out:
* JSON API written in Typescript
* JWT verification against my OAuth backend (SAML support too)
* CI Automated Deployments including unit tests
* DurableObject support
* 3rd party HTTP calls + caching (built in to the framework!) to reduce network latency and hiccups.
* Cron-like tasks on each stored object so they can awaken the app on a schedule and update themselves as necessary
* Rapid deployment to new environments
The local testing with coordinated "miniflare" is dreamy too. -
PLEASE how do i build an interceptor in angular to block the user from accessing any part of the website until they get approved? Already built an interceptor for auth jwt n shit.4
-
Just cut down registration from 5s api response (because its sending email confirmation) into 70ms using rabbitmq (emails are now delegated in rabbit queue and sent whenever the queue takes place)
But still around 70ms to register which is great and fast (because it also generates jwt token and returns the whole user object + jwt) so its difficult to keep this at 7-9ms response time
Is this normal and is it fine to leave it at 70 or can this be optimized (or should it be)?7 -
hey, so i have recently started learning about node js and express based backend development.
can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?
like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :
- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc
- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (
- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc
followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc
----
these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.
so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .
apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.2 -
They asked me to build a small website they will embed in a native application with some web wrapper in Android and iOS.
But also asked me to build a login web service that will return a JWT. Done.
They want to do a native code login form that opens up the web wrapper with my small website already logged in using the login web service.
I have no idea how to proceed in the backend.
At first i tried using postman with a POST request to the sessions/sign_in route and sending a form with the authenticity token and the email and password; but CSRF stopped me. I don't want to turn it off because of reasons.
Now i am wondering how to use this JWT to generate a cookie with a session inside it that they can use in the web wrapper.
Any help would be appreciated :)4 -
I'm using react-auth-kit and gave feedback to improve the library, so far so good! I was wondering if sites like codesandbox allow you to run a "backend" along with your frontend because I would like to implement some real world examples about using react-auth-kit, to improve the documentation.
-
Anyone herr tried API Platform?
I know I know. Generic ass name but that is what the framework is called.
Its in php, it contains a lot of goodies from(try and guess...no?? Ok I'll tell ya) the Symfony platform(go figure right) so if you are familiar with Laravel or well....Symfony then I guess that you will be good to go. I ain't...so fuck me because I only know Laravel.
Either way the concepts are very simple. Configs is donde almost entirely with YAML, i dunno how to feel about that, not used at writing routes on yaml, but the framework is thus far quite powerful. About to test jwt auth so wish me luck!4