Dear future self,

Next time you're working on the project's routes, be sure that people don't have to be logged in to login.

It will make your life easier.

Regards,

Your past self that is tired to be this retarded.

Gahaa!!! Finally back home, after 7 fucking hours of sitting in busses and trains!

BUT I GOT MY NEXUS 6P!! Yoo-hoo!!! :D

And I've got a nice story about it.

So when I bought it, the guy selling it to me was a nontechnical type (I think?) whose wife was the previous owner. So I thought to myself, cool a nontechnical user used it.. probably no hardware mods or anything to worry about. Apparently they even factory reset it for me :)

Now, when I left to go back home, I of course immediately booted up the thing and did the whole doodad of logging into it, setting up the device etc.

Then it struck me. When I booted up the device and wanted to log in, there was a lock from Google that required me to first authenticate as either a previous account of the device, or their unlock pattern. So I figured, eh fuck it, I'll just flash some AOSP without GApps or send the owner an email asking what the previous pattern is.

But I still had to wait 30 minutes at the bus stop so I thought to myself.. previous owner was a nontechnical woman.. maybe I could crack it. No way to know if I don't try. So I started putting in random unlock patterns.

3 attempts later - I shit you not! - pattern accepted.
Do you want to add this account?

Oh boy Google, of course I do! Thanks for letting me in pal!

3 fucking attempts. That's all it took to crack the unlock pattern of an unknown person. 😎

*goes to the local town hall to get my new ID*

A week ago:
Clerk: Sorry sir, our systems don't work anymore, we can't process your request!
Me: Epic. Is there any sysadmin in here that can fix this pronto?
C: No it's a centrally managed system. It's managed by the people in ${another town}.
M (thinking): Well how about you fucking call them then, fucking user. Screaming blood and fire when nothing is wrong server-side but doing nothing when there is. Fucking amazing, useless piece of shit.

One week later, i.e. today:
M: Hey, I'd like to renew my ID card. I've got this announcement document here and my current ID card.
C: Oh no I don't need the announcement document. I need your PIN and PUK code letter.
M (thinking): What the fuck do you need that for.. isn't that shit supposed to be my private information..?
*gives PIN and PUK part of the letter*
C: Alright, to register your new ID card, please enter your PUK and then your PIN in this card reader here twice.
M: Sure, but I'd like to change both afterwards. After all they're written on this piece of paper and I'm not sure that just destroying that will be enough.
C: Sure sure you can change them. Please authenticate with the codes written on the paper.
*Authenticates*
C: So you'd like to change your codes, right?
M: Yeah but I'd like to change it at home. You know, because I can't know for sure that this PC here is secure, the card reader has a wired connection to your PC (making it vulnerable to keyloggers) and so on.
C: Impossible. You can't change your PIN at home. (What about the PUK?!)
M: But I've done that several times with my Digipass for my previous passport.. it is possible and I've done it myself.
C: Tut tut, impossible. I know it's impossible and therefore it is.
M (thinking): Thanks for confirming that I really shouldn't enter my personal PIN on your fucking PC, incompetent bitch.
M: Alright, I'll just keep this PIN, try at home and if it's really impossible because the system changed to remove this functionality (which I highly doubt, that'd be really retarded), I'll come back later.
(Just to get rid of this old stupid woman's ignorance essentially.)
C: Sure sure...
Me: I'd also like to register as an organ donor. Where can I do that?
C: That'd be over there. *points to the other room in the town hall*

FUCKING THANK YOU LORDS OF THE WICKED RAVEN AND THE LIBERATED TUX, TO GET ME AWAY FROM THAT STUPID FUCKING BITCH!!!

.. anyway. I've got my new ID and I'm an official organ donor now 🙂

First rant, please take pity on the noob! 😐

Recently I've secured many of my user accounts spread throughout the internet. Using the same old password for everything is bad for security and for mental health! 😫

Since I was on the mood, I've tried to do a 'break glass' scenario, simulating an attacker that possessed my Gmail account credentials. "How bad can it be?" I've thought to myself...

... Bad. Very bad. Turns out not only I use lots of oauth based services, I also wasn't able to authenticate back to Google without my pass.

So when you get home today, try simulating what would happen if someone got to your Google or Facebook account.

Makes you consider the amount of control these big companies have over your life 😶

In january 2023 i was contacted by a recruiter offering me a job position.

I DID NOT ASK FOR A JOB.

I WAS NOT LOOKING FOR A JOB.

THEY contacted ME.

Ok. So i went along with it and see how it goes. They probably wont hire me nor would i give a shit. Chatted with this recruiter for a while. She forgets to answer my message for 5 fucking days. Twice. Once because she was doing God knows what and the second time because she was on paid vacation. Fine i don't give a shit about you at all anyways.

So this recruiter chatting has been stretched out for several days. I think over a WEEK. So she forwarded me to their lead developer.

I applied to work as a full stack java spring boot backend + angular frontend engineer.

So:
- java backend
- angular frontend
- full stack
- shitload of devops
- shitload of projects i built
- worked with clients
- have CS degree, graduated
- worked a job at their rival company

What could go fucking wrong with all of these stats right?

During technical + hr interview (3 of us on google meets) they asked me what salary I'd be comfortable with.

I said $1500/month straight out.

keep in mind:
- In my country $500 or $600 is a salary for engineers per month
- You get a raise of +$150 which is around $750 after working for 1+ year
- You can earn $1000+ after you work for +2 years
- Rent here is $200-300 a month at minimun. And because of inflation its just getting worse especially with food. So this salary is not for living but for survival.

Their lead engineer gave me a WHOLE ASS FUCKING PROJECT TO BUILD and i had to code it within 10 days. Great so at least 17+ days of my fucking life to waste on these fucktards who contacted ME.

The project was about building a web app coffee shop literally what mcdonalds has when you order via those tablets. I had to build this in java spring boot and angular. I had to integrate:
- docker, devops
- barmen, baristas, orders
- people can order at the table or to go
- each barista can take 5 orders at a time
- each coffee has different types of fields and brewing time
- each barman brews each coffee different period of time
- barista cant take more than 5 orders for to go until barman finishes the previous order
- barista can take more than 5 orders but if those orders were ordered from table, and they have to be put in queue
- had to build CRUD admin functionality coffee's
- had to export them all of the postman routes
- had to design a scalable database infrastructure for all of this alone
- shitload of stuff more

And guess what. After 10 painful days I BUILT THE WHOLE THING MYSELF AND I BUILT EVERYTHING THEY ASKED FOR. IT WAS WORKING.

Submitted it. They told me they'll contact me within 7 days to schedule the final Technical interview after they review what i built. Great so another 17+7 days of my fucking time wasted.

OH and they also told me to send them THE WHOLE GITHUB REPOSITORY AND TRANSFER OWNERSHIP TO THEIR COMPANY'S OWNERSHIP. once you do this you cant have your repository back. WTF? WHY CANT YOU JUST REVIEW THE CODE FROM MY PUBLIC REPOSITORY? That was so weird but what can i fucking do argue with these dickheads?

After a week of them not answering i contacted them via email. They forgot and apologized. Smh. Then they scheduled an interview within 3 days. Great more of my time wasted.

During interview i was on a google meets with their lead engineer, 1 backend java spring boot engineer and 1 angular frontend developer. They were milking me dry for 1 whole fucking hour.

They only pointed out the flaws in what i built, which are miniscule and have not once congratulated me on the rest of the good parts. I explained them i had to rush those parts so the code may not be perfect. I had other shit to do in my life and not work for your shitty project for $0/hour for 10 days you fucking dickriders.

So they quickly ran over to theory. They asked me where is jwt token stored. Who generates it. How the backend knows to authenticate user by it. I explained.

What are solid principles. I said i cant explain what is it but i understand how it works, why its needed and how to implement it (they can clearly see in the project i just build that i applied SOLID principles everywhere) - but i do admit i dont know the theory behind it 100% clearly.

Then they asked me about observables and promises in angular. I explained them how they work and how subscribe method is used (as they can clearly see that i used it in the code). Then they asked me to explain them under the hood of how observables work. The fuck? I dont know and dont care? But i can learn it as i work there?

Etc

Final result: after dragging this for 1 fucking month for miserable $1500/month they told me: we can either hire you now but for a much lower salary which you probably wont be happy with, or you can study more these things we discussed "and know why the car leaks oil" and reapply back to us in 2-3 months!

Fuck this
I get to work with API where you CAN authenticate with username/password and get a token

But you CAN'T get user info from token (auth response contains ONLY token)

So what I have to do:

1. Get token

2. Request ALL FUCKING USERS and load them into my DB

3. Search through local DB by username and, yeah, here I go

Now I need to have a cron job to update user DB 1/2 times per day

I can't think of ANY reason not to allow this

I am building a website inspired by devrant but have never built a server network before, and as im still a student I have no industry experience to base a design on, so was hoping for any advice on what is important/ what I have fucked up in my plan.

The attached image is my currently planned design. Blue is for the main site, and is a cluster of app servers to handle any incoming requests.

Green is a subdomain to handle images, as I figured it would help with performance to have image uploads/downloads separated from the main webpage content. It also means I can keep cache servers and app servers separated.

Pink is internal stuff for logging and backups and probably some monitoring stuff too.

Purple is databases. One is dedicated for images, that way I can easily back them up or load them to a cache server, and the other is for normal user data and posts etc.

The brown proxy in the middle is sorta an internal proxy which the servers need to authenticate with to connect to, that way I can just open the database to the internal proxy, and deny all other requests, and then I can have as many app servers as I want and as long as they authenticate with the proxy, they can access the database without me changing any firewall rules. The other 2 proxies just distribute requests between the available servers in the pool.

Any advice would be greatly appreciated! Thanks in advanced :D

What do you do when your redirect doesn’t go where you tell it?

Clearly I’m missing something.

I stepped through the code, following the failure path of Sheogorath’s Recaptcha. It fails as expected, and hits this redirect before doing anything else:

`return redirect_to new_user_session_path`

I verified that this redirects to the “/users/sign_in” path, and it returns so the server doesn’t even try to authenticate the user. It just nopes out as it should to prevent timing attacks.

But somehow instead of doing that and redirecting as it should, it signs the user in and redirects somewhere else entirely: the role select page, which only happens after authenticating an admin user. It never even hits my breakpoint after the recaptcha check! It never authenticates!

I think what I’m missing is my old reality where things made sense.

ZNC shenanigans yesterday...

So, yesterday in the midst a massive heat wave I went ahead, booze in hand, to install myself an IRC bouncer called ZNC. All goes well, it gets its own little container, VPN connection, own user, yada yada yada.. a nice configuration system-wise.

But then comes ZNC. Installed it a few times actually, and failed a fair few times too. Apparently Chrome and Firefox block port 6697 for ZNC's web interface outright. Firefox allows you to override it manually, Chrome flat out refuses to do anything with it. Thank you for this amazing level of protection Google. I didn't notice a thing. Thank you so much for treating me like a goddamn user. You know Google, it felt a lot like those plastic nightmares in electronics, ultrasonic welding, gluing shit in (oh that reminds me of the Nexus 6P, but let's not go there).. Google, you are amazing. Best billion dollar company I've ever seen. Anyway.

So I installed ZNC, moved the client to bouncer connection to port 8080 eventually, and it somewhat worked. Though apparently ZNC in its infinite wisdom does both web interface and IRC itself on the same port. How they do it, no idea. But somehow they do.

And now comes the good part.. configuration of this complete and utter piece of shit, ZNC. So I added my Freenode username, password, yada yada yada.. turns out that ZNC in its infinite wisdom puts the password on the stdout. Reminded me a lot about my ISP sending me my password via postal mail. You know, it's one thing that your application knows the plaintext password, but it's something else entirely to openly share that you do. If anything it tells them that something is seriously wrong but fuck! You don't put passwords on the goddamn stdout!

But it doesn't end there. The default configuration it did for Freenode was a server password. Now, you can usually use 3 ways to authenticate, each with their advantages and disadvantages. These are server password, SASL and NickServ. SASL is widely regarded to be the best option and if it's supported by the IRC server, that's what everyone should use. Server password and NickServ are pretty much fallback.

So, plaintext password, default server password instead of SASL, what else.. oh, yeah. ZNC would be a server, right. Something that runs pretty much forever, 24/7. So you'd probably expect there to be a systemd unit for it... Except, nope, there isn't. The ZNC project recommends that you launch it from the crontab. Let that sink in for a moment.. the fucking crontab. For initializing services. My whole life as a sysadmin was a lie. Cron is now an init system.

Fortunately that's about all I recall to be wrong with this thing. But there's a few things that I really want to tell any greenhorn developers out there... Always look at best practices. Never take shortcuts. The right way is going to be the best way 99% of the time. That way you don't have to go back and fix it. Do your app modularly so that a fix can be done quickly and easily. Store passwords securely and if you can't, let the user know and offer alternatives. Don't put it on the stdout. Always assume that your users will go with default options when in doubt. I love tweaking but defaults should always be sane ones.

One more thing that's mostly a jab. The ZNC software is hosted on a .in domain, which would.. quite honestly.. explain a lot. Is India becoming the next Chinese manufacturers for software? Except that in India the internet access is not restricted despite their civilization perhaps not being fully ready for it yet. India, develop and develop properly. It will take a while but you'll get there. But please don't put atrocities like this into the world. Lastly, I know it's hard and I've been there with my own distribution project too. Accept feedback. It's rough, but it is valuable. Listen to the people that criticize your project.

Question: Does using cookies for user session handling hinder the scalability of your backend because all the API's have to live on the same domain. Basically if one API starts to get a lot of request and you want to add another server to off balance the load you would have to add an entire webserver rather than just a small micro webserver with the API running on it mainly because cookies are used to authenticate user request and cookies don't survive CORS request. Am I right or don't know what the hell i'm talking about lol need some opinions I suggested we make all API's micro services and use JWT for user sessions

The dangers of PHP eval()

Yup. "Scary, you better make use of include instead" — I read all the time everywhere. I want to hear good case scenarios and feel safe with it.

I use the eval() method as a good resource to build custom website modules written in PHP which are stored and retrieved back from a database. I ENSURED IS SAFE AND CAN ONLY BE ALTERED THROUGH PRIVILEGED USERS. THERE. I SAID IT. You could as well develop a malicious module and share it to be used on the same application, but this application is just for my use at the moment so I don't wanna worry more or I'll become bald.

I had to take out my fear and confront it in front of you guys. If i had to count every single time somebody mentions on Stack Overflow or the comments over PHP documentation about the dangers of using eval I'd quit already.

Tell me if I'm wrong: in a safe environment and trustworthy piece of code is it OK to execute eval('?>'.$pieceOfCode); ... Right?

The reason I store code on the database is because I create/edit modules on the web editor itself.

I use my own coded layers to authenticate a privileged user: A single way to grant access to admin functions through a unique authentication tunnel granting so privileged user to access the editor or send API requests, custom htaccess rules to protect all filesystem behind the domain root path, a custom URI controller + SSL. All this should do the trick to safely use the damn eval(), is that right?!

Unless malicious code is found on the code stored prior to its evaluation.

But FFS, in such scenario, why not better fuck up the framework filesystem instead? Is one password closer than the database.

I will need therapy after this. I swear.

If 'eval is evil' (as it appears in the suggested tags for this post) how can we ensure that third party code is ever trustworthy without even looking at it? This happens already with chrome extensions, or even phone apps a long time after reaching to millions of devices.

DAILY LARAVEL PROBLEMS

I need to parse a JWT with some custom claims. There's a JWT library with Laravel; documentation really lacking, kinda hardcoded to work with Laravel but whatever; it's already installed, let's see what can I do with it.

It turns out I can't say something like "take this token, parse it, tell me it's valid". Let's see how that goes.
You need to build a parsing class with a manager, some auth stuff, a parser.
To build said manager you need a provider that implements a contract, a blacklist, a factory (of what?)
To build the factory (of what?) you need a claim factory and a payload validator
To build the claim factory you need a request
To build the blacklist you need a Storage
To build the storage you need a CacheContract
To build a CacheContract you need IDK it's a mess
To build the contract you need... IDK for real

WHY LARAVEL IS SHIT: 'cause only in this framework it seems reasonable to build this clusterfuck to parse a base64 encoded string, throw some json_decode and check a signature. And have it work only to authenticate a user.

Does anyone of you have experience with AdonisJS? I am not sure how to implement an authentication because i already have an existing API and would like to use this to authenticate a user...

Thanks google for making it so fucking damn difficult to authenticate G Apps users and check their groups/org unit. Makes my fucking work so much harder! To make matters worse you decided that that if I want to get the information in a seprate call I have to use a seprate admin account to do it because apparently letting the user see it is to fucking hard.

Hey i want to make a chat application for production workload with more than 100000 simultaneous connection and more than 1000000 daily active user which will scale 100 times in coming 1 to 2 years for Android. I have oauth based user authentication. This chat should be able to authenticate and verify authtoken generated using the oauth. What should i use? Xmpp, mqtt or something else. Can anyone who has worked on chat application help me.

I wanted to know what is the worst mistake you make on database.

I have actually implements the logic of token access control on database and not on business logic layer.

The database have a login procedure which accept username and password. That login procedure actually hash the password and try to authenticate user.

If it is a correct user , it generate a token. In other to use other procedure on database , you must provide a token. By using that token , the procedure know who is it and what permission is granted to that user.

Hey guys, I have almost developed the backend of an app like reddit. My question is about authentication. How should I authenticate my user. Is phone number necessary to add phone otp?Because I don't want to get any legal trouble if someone posts objectionable content on the platform. Most of the apps today need phone number, I dont know why except reducing spam accounts.

Or shall I verify email by otp. But its hard to track disposable emails. I cant go for only gmail too as its banned in china. Email domains of china are weird.

Can I get into legal trouble for objectionable content posted by any evil user?

I dont want to go for auth.

I don't get keycloak. Anyone who has experience with it, please help.

We have what I would think is a common setup: a kubernetes cluster with a Spring boot api-gateway and keycloak as oauth2-provider.

The api-gateway needs an issuer-uri to keycloak for endpoint discovery, i.e. to configure a bunch of endpoints to keykloak for different purposes.

The two main purposes are: 1. to redirect the user to keycloak (must be an url reachable from outside the cluster, i.e. ingress) 2. to authenticate tokens directly with keycloak from within the cluster.

Keycloak can be configured to set some of these discovery endpoints to different values. Specifically it makes a separation between backfacing (system calls in cluster) and frontfacing (user call from browser) urls All seems good.

However, when using this setup, each time spring security authenticates a token against keycloak it says the "issuer" is invalid. This is because the issuer is the host on which the token was generated. This host was the one in the url which the user was redirected to i.e. the ingress.

It feels like there is no way around this except running keycloak outside the Kubernetes cluster, but surely there must be a way to run keycloak in the same cluster. What else is the purpose of keycloak having the concept of back- and frontfacing urls?

I lost half my day yesterday because stakeholders made a change to one of the systems that I need. I noticed my dev environment could not longer authenticate into the system. That usually happens when there’s a “refresh” of that system. Meaning that someone copied the production instance over to the staging one, which wiped out my user credentials. One stakeholder thought he had to notify me AFTER the system refresh and not before. Another stakeholder thought it was my task to restore my user. Nope, I’m only a user for this system. I’m not responsible for any maintenance. They weren’t understanding what they had to do even after I sent them messages saying that I can no longer authenticate and I need them to check my username and password are active and correct for the staging instance.

hey, so i have recently started learning about node js and express based backend development.

can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?

like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :

- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc

- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (

- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc

followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc

----

these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.

so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .

apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.