Dear Apple,

If you were a person in the streets dying after swallowing a fish bone, I'd stop by only to KICK YOUR FUCKING HEAD REPEATEDLY INTO THE CURB!!!!

FUCK YOU for wasting my time getting my hands on an old MacBook just so I can develop in your shitty prison of an ecosystem.

FUCK YOU for wasting my time having to install officially unsupported crapOS for the hardware only in order to use your steaming pile of shit latest Xcode because it's the only way to write code for the target device.

FUCK YOU for running slower on a 2.5GHz processor with 16G of ram than the Internet did in 1995. FUCK YOU AGAIN as browsing the internet is faster than anything else on this setup. FUCKING planned obsolescence MOTHER FUCKERS!

FUCK you for the headaches with multiple different iOS versions to take into account when thinking about what should be a simple project.

FUCK YOU ESPECIALLY for just keeping the soulless simulator blank because i need a fucking mother fucking development certificate and provisioning profile to run a hello world on it.

FUCK YOU for forcing me to use 2 factor authentication to enroll on your SCAM developers program.

FUCK YOU for NOT FUCKING ALLOWING ME TO ENABLE 2 FACTOR AUTH WITHOUT REMEMBERING MY SECURITY QUESTIONS FROM 2012!!

FUCK YOU AGAIN for when I reset those through crappy crapOS THEN requiring me to FUCKING install Developer app from the shit store to enroll....

BUT FUCKING GOD DAMN FUCK YOU FOR GETTING ME TO WRITE THIS RANT BY THEN NOT ALLOWING ME TO ENROLL IN THE DEVELOPER PROGRAM THROUGH SAID APP BECAUSE I DON'T HAVE iCloud setup!!! I DON'T FUCKING WANT iCloud.... I WANT TO FUCKING MEET MY DEADLINE AND WRITE THIS APP!!!!!

JESUS WEEPS as I restart this absurdly slow crapbook in the hope that the option to sign in to iCloud will show up in settings next time....

(meanwhile I I contemplate the sisyphean absurdity of existence and how John C Lilly was probably right about the Solid State Entity grooming humanity for takeover by alien AI...)

I start to contemplate blowing out my brains instead as to sign into iCloud i need to remember some long lost code and now rinse wash and repeat mindless authentication steps OH SO VERY SECURE APPLE only to get the attached godforsaken error... i restart again as i wish the universe would restart itself...

...i begin to enjoy hitting my head against the desk as i try to understand why apple won't let me enroll in there development program... i guess it's because i'd kick their head in... after 2 hours no more... FUCK YOU APPLE TO ETERNAL INFINITE SUFFERING IN DEMONIC HELLS YOU WORTHLESS, PARASITIC, SCUMBAG ENTITY... GO CHOKE ON STEVE JOBS EXHUMED ROTTEN COCK!!! BASTARD TIME WASTING MOTHER FUCKERS!

I fucking want to skin alive my engineering senior director and VP.

Fucking piece of shit people. Looking at their faces from behind the screen, I can sense them stink doneky balls.

They have made my life hell.

The entire tech architecture is absolute shit in nature and engineers cannot even build a single blue colour button without creating a major fuss about it.

Every single aspect of product is built kept in my only the engineer persona. Everyone else can go and suck a racoon's dick.

And they have no concept of tech debt. They just keep building and building stuff. And then build some more.

Entire engineering org is in rush to ship shit at the end of sprint and if they don't then VP and Director are pissed. So to keep those two half witted donkeys happy, these people ship garbage. And all they comment is "cool, very cool".

And hence, entire fucking product is built because it's cool irrespective of whether it solves a problem or not.

A single user role authorisation or authentication is so fucking complex that it would take an eternity for even a developer to figure what's happening.

Fucking toxic human wastes.

There's a company wide mandate to use a certain tech stack, design guidelines, and a vision that all teams have to align. But these faggots are going in opposite direction to do what they feel like and forcing everyone else to ignore all other engagements or alignments with other teams.

These two people should be skinned alive in town square during noon and then left there until they dehydrate entirely. Fucking baboons.

I am so fucking pissed with such mindset.

MFA authentication setups that don't support standard authenticator apps, like 1Password or Google Authenticator can burn.

Yes, Microsoft, I am looking at you.

The company I am currently working for is partnering with another startup. Nothing special about that. We should integrate their API into our system. I wasn't involved in the process when it came to checking there API and if it would work with our Systems. The Person who did that already left the company so I was left behind with some internal documentation. In that Documentation is already written that API is basically trash....

After I started integrating the API I found more and more flaws in the design. They are not sending any responses that would help, when a param is missing or the authentication isn't correct, only 500's . I got some documentation from the partner company so i thought it will be fine as long as the Documentation would be accurate. Turns out the documentation isn't even close to be up to date. Wrong content types wrong endpoints, wrong naming. Basically we could not work with that. We shortly contacted the partner Company. After a few WEEKS we got a response that they updated the Documentation what was right but still not everything was correct. At this point I lost my mind. I researched a little bit about them, the company is founded from 2 young people who basically came strait out of the University and doest have any experience or idea how to build an API. I investigated a little bit there websites.

They have an Admin panel on the base domain from their API but it is only accessible via HTTP. Like WTF , They use HTTP for an Admin Panel this must be a joke right?

They use Cloudflare without a HTTP to HTTPS redirection ???

I really had not that much time to research in there website but if I find these things in 5 minutes I don't want to know what I can find in like an hour.

At the end we will still use them as partners because surprise surprise our company already sold the product that uses their API.

I know that I will be the person who has to help fixing this shit when it breaks and it will break 1000% JUST FUCK THIS SHIT. FUCK THE PARTNER COMPANY. FUCK THERE API.

We're digital plumbers.

90% of this job is figuring out what thing to connect to what thing and then figuring out how to connect them.

Writing the code that goes in-between both ends of the pipe is easy if not trivial 90% of the time.

Meaningful change in this industry is centered around endpoints: contracts, deployments, etc. Nobody needs yet another way to organize and import their leftpad().

Fuck apple for making it as hard as fuck to sign in to my fucking apple id. Because my ex wife was my "trusted" number, I couldn't get an authentication code. Tech support told me it would take 3 days to reset my password.

After 3 hours of fucking around, I finally was able to reset my password.

I've been trying to get my kids to watch stupid Indiana Jones for years. They finally agreed. After going through 3 hours of BS so I could buy the movie, we start watching it. Literally, as the boulder is rolling down toward Dr. Jones, the movie stops suddenly so that Apple can verify my purchase!

Then, it asks me to buy it again!

Windows file system is a slow piece of shit.

The update regime on most applications for Windows desktop is an unmanageable piece of shit.

Windows Store is a broken piece of shit.

The login process on a Windows computer is a tedious piece of shit.

The Windows Hello authentication is a half-baked piece of shit.

Microsoft MFA is a hostile piece of shit.

Windows Update is a destructive piece of shit.

Windows Defender is a resource-hogging piece of shit.

Windows system fonts are ugly as a piece of shit.

Good morning to everyone, except that one Twitter dev who one day woke up and was like "YOU KNOW WHAT, MY APPLICATION WILL FEATURE BOTH OAUTH1 AND OAUTH2 ENDPOINTS, BUT SOME FEATURES WILL BE EXCLUSIVE TO EITHER OF THE TWO -NOT NECESSARILY THE MOST RECENT, JUST A RANDOM ONE-, AND ALSO THE OFFICIAL TWITTER LIBRARY WON'T COVER ALL THE ENDPOINTS SO PEOPLE WILL HAVE TO RESORT TO RAW HTTP REQUESTS INSTEAD OF USING MY SDK AND ALSO I'MMA MAKE DEVELOPERS FILL 2 VERY DETAILED FORMS, REQUIRING PERSONAL DATA AND ACTUAL REAL PHONE CALLS, JUST TO START DEVELOPMENT WITH 7 DIFFERENT AUTHENTICATION TOKENS, BECAUSE SOME REQUESTS WILL REQUIRE A DIFFERENT AUTHENTICATION METHOD THAN THE OTHER REQUESTS DESPITE ALL OF THEM PERTAINING TO THE SAME FUCKING ENTITY"

Hey fastlane!

Great tool and all, but your documentation is at 🤡 levels, I need to read 20+ pages to get a full overview and understanding. So far I've had to read a dozen plus blogs and stackoverflow posts to find hidden flows (authentication first to do this, etc. etc. etc.)

Don't market your tool as "reducing complexity & saving time" and showing one-liners in the docs when in reality there are lots of hidden steps and NOT one-liners!!!!!!

This is why everyone complains it takes 1-2 days to just get a freaking pipeline working!!!!🤡

Fucking mongodb I swear to god what is your problem, why do you close all connections after successful authentication you piece of concentrated crapjuice and why is the best information you can give me a pissing "Connection ended" message your demonic unholiness?

Stick a cactus up your rear, pot included

A remake of a website named Death Roulette where Twitch viewers could bet against each other on how the streamer would die in different roguelike games like Spelunky or Crypt of The Necrodancer.

The original hadn't been updated in a long time and the API it used for Twitch authentication was deprecated and removed so I built my own version in about 2 months, just in time for streamer "Vargskelethor" Joel to play Spelunky 2 with his chat when the game came out.

Needed a bit of help from another chat member to get it running at scale but all in all that was my first full-stack project.

Today is the release of one of the projects I’ve been working on. It was a chaotic project, where I’ve had to contact many people just to get pieces of information necessary to complete the project. Anyway, today the manager ask what the URL of the web app is to give it to the client except I already warned him prior that since we don’t have the domain name for the web app it wouldn’t go past the authentication. But guess what happened? Yep that’s right it’s my fault yet again.

I keep warning my manager about potential issues with the projects I’m working on but they fall on deaf ears, and when the actual problem happens it’s all my fault because I didn’t check it earlier, I didn’t make a mail, I shouldn’t use Teams to tell him about it, I should monitor more closely, etc, despite having no time allocated whatsoever.

In short I work 7 hours a day but should have 9 to even get close to what I need to do, and I’m blamed with problems that I warn about

When the CTO/CEO of your "startup" is always AFK and it takes weeks to get anything approved by them (or even secure a meeting with them) and they have almost-exclusive access to production and the admin account for all third party services.

Want to create a new messaging channel? Too bad! What about a new repository for that cool idea you had, or that new microservice you're expected to build. Expect to be blocked for at least a week.

When they also hold themselves solely responsible for security and operations, they've built their own proprietary framework that handles all the authentication, database models and microservice communications.

Speaking of which, there's more than six microservices per developer!

Oh there's a bug or limitation in the framework? Too bad. It's a black box that nobody else in the company can touch. Good luck with the two week lead time on getting anything changed there. Oh and there's no dedicated issue tracker. Have you heard of email?

When the systems and processes in place were designed for "consistency" and "scalability" in mind you can be certain that everything is consistently broken at scale. Each microservice offers:

1. Anemic & non-idempotent CRUD APIs (Can't believe it's not a Database Table™) because the consumer should do all the work.
2. Race Conditions, because transactions are "not portable" (but not to worry, all the code is written as if it were running single threaded on a single machine).
3. Fault Intolerance, just a single failure in a chain of layered microservice calls will leave the requested operation in a partially applied and corrupted state. Ger ready for manual intervention.
4. Completely Redundant Documentation, our web documentation is automatically generated and is always of the form //[FieldName] of the [ObjectName].
5. Happy Path Support, only the intended use cases and fields work, we added a bunch of others because YouAreGoingToNeedIt™ but it won't work when you do need it. The only record of this happy path is the code itself.

Consider this, you're been building a new microservice, you've carefully followed all the unwritten highly specific technical implementation standards enforced by the CTO/CEO (that your aware of). You've decided to write some unit tests, well um.. didn't you know? There's nothing scalable and consistent about running the system locally! That's not built-in to the framework. So just use curl to test your service whilst it is deployed or connected to the development environment. Then you can open a PR and once it has been approved it will be included in the next full deployment (at least a week later).

Most new 'services' feel like the are about one to five days of writing straightforward code followed by weeks to months of integration hell, testing and blocked dependencies.

When confronted/advised about these issues the response from the CTO/CEO
varies:

(A) "yes but it's an edge case, the cloud is highly available and reliable, our software doesn't crash frequently".
(B) "yes, that's why I'm thinking about adding [idempotency] to the framework to address that when I'm not so busy" two weeks go by...
(C) "yes, but we are still doing better than all of our competitors".
(D) "oh, but you can just [highly specific sequence of undocumented steps, that probably won't work when you try it].
(E) "yes, let's setup a meeting to go through this in more detail" *doesn't show up to the meeting*.
(F) "oh, but our customers are really happy with our level of [Documentation]".

Sometimes it can feel like a bit of a cult, as all of the project managers (and some of the developers) see the CTO/CEO as a sort of 'programming god' because they are never blocked on anything they work on, they're able to bypass all the limitations and obstacles they've placed in front of the 'ordinary' developers.

There's been several instances where the CTO/CEO will suddenly make widespread changes to the codebase (to enforce some 'standard') without having to go through the same review process as everybody else, these changes will usually break something like the automatic build process or something in the dev environment and its up to the developers to pick up the pieces. I think developers find it intimidating to identify issues in the CTO/CEO's code because it's implicitly defined due to their status as the "gold standard".

It's certainly frustrating but I hope this story serves as a bit of a foil to those who wish they had a more technical CTO/CEO in their organisation. Does anybody else have a similar experience or is this situation an absolute one of a kind?

Yeah, fuck all the authentication/authorization framework I build, just access manage resources directly and leak stuff, assign it to wrong accounts and don't even check if they should be able to with that eye shore you call code

Having just endured 30 excruciating minutes of utter braindead idiocy that is trying to setup and configure WPA2-Enterprise on a Windows 10 machine, I wanna go and fucking kill myself.

How can it be so bad after so many years this protocol has been out?! Not only can the authentication options be changed only in the who knows how many years old control panel settings and not the modern settings app, but once you finish setting up the network, you can no longer modify some of the key attributes like which CA certificates to validate the radius server against!

What. The. Fuck. Microsoft.

I swear, I don't usually get my jimmies rustled at work, but this... This just bloody infuriated me!

- Elon telling Twitter users that the 2-factor authentication microservice isn't working.

- More than half of Twitter not knowing wtf he's talking about 👁️👄👁️

You know what's worse than having to come up with a new password every time you create an account? Forgetting your password every time you try to log in!

I swear, it's like my brain has a selective memory when it comes to passwords. I can remember every lyric to a song from 10 years ago, but I can't remember the password I created yesterday.

And don't even get me started on password manager software. You would think that having all of your passwords stored in one place would make things easier, but nope. I've forgotten my password for my password manager so many times that I'm starting to think I need a password manager for my password manager.

But seriously, why do we even need passwords in the first place? Why isn’t there an easier one stone kills all solution to all these password authentication nonsense?

I could remember when it was all letters, then forced to use letters + numbers…

then later forced to include symbols…

and then forced to make it lengthier…

and then solve puzzles after getting it right…

and after all the stress now we are forced to find nemo from a set of images.

I thought the misery would end there but nope. Now some platform forces 2FA like dude seriously?

For God’s sake we built self driving cars already! Why can’t one just exist without a password? Why do we always end up in a password cycle?

And please don’t say shit about oauth because if your password master (i.e: google) fucks you in the ass then all your oauth accounts are gone for good!

I'm currently having an existential crisis about the meaning of passwords in our modern society. Shit is crazy when I ponder about it I get worried.

Tips for architecture for authentication in microservice driven application.

All ms contain the code to authenticate? (Breaks single responsibly principle)

Edge level authorization?(gateway)
Service level?

I don't get it

why is it that people still use FTP?

Like, in current, fairly recent (2018) projects, for public downloads.
I get that when you're just hosting public files without any authentication you don't need to worry about the unencrypted passwords, but like
the random ports are a shitty and annoying practice and also http exists just let your custom patcher program download the release from github where it's already available

Two years ago we took over this project which has been a nightmare to maintain. It's a set of netcore 2.1 webapps running on an on-prem windows machine. Everyone who has worked on it so far has quit, leading to two episodes of it being passed on with near zero handover.

Its function is fairly simple, so naturally we have been nagging to redo it and cloudlift it.

I was finally given one week to see how far I'd get, and had a poc running in Azure after one day; 4 apps in clean net6, SSO, and managed identities. The only thing lacking was setting up the authentication for third parties.

And... they still don't want "something new" when the old one works. Back to IIS and debugging windows event logs.

I have 2FA enabled on NPM so it would shut up about it, the recovery codes are in my password manager, right next to my secure randomly generated password.

Password authentication is fucking stupid.

zero trust blockchain authentication

#Suphle Rant 3: Road to PHP8, Flow travails

Some primer: Flows is a feature that causes the framework to bypass handling the request now but read it from cache. This cache entry is meant to be populated without warming, based on the preceding request. It's sort of like prefetching but done on the back end

While building Suphle, I made some notes on some chapters about caveats and gotchas I may forget while documenting. One such note was that when users make the Flow request, the framework will attempt to determine who user is, using authentication mechanism defined on the first module (of the modular monolith)

Now, I got to this point during documentation and started wondering whether it's impossible for the originating request to have used a different authentication mechanism, which would result in an empty entry for returning user. I *think* it's possible cuz I've got something else called "route mirroring", where web based routes can be converted to API routes. They'll then return JSON, get served under defined API path, use JWT, all automatically. But I just couldn't connect the dots for the life of me, regarding how any of this could impact authentication on the Flow request

While trying to figure out how to write the test for this or whether it was even necessary (since I had no use case), it struck me that since Flow requests are not triggered by an actual user, any code attempting to read authenticated user will see nothing!

I HATE it when I realize there's ambiguity or an oversight, after the amount of attention and suffering devoted. This, along with a chain of personal troubles set off despondency for a couple of days. No appetite for food or talk. Grudgingly refactored in this update over some days. Wrote some tests, not all passed. More pain. May have to convert them to unit tests

For clarity, my expectation is, I built this. Nothing should be impossible for me

Surprisingly, I caught a somewhat lucky break –an ex colleague referred me to the 1st gig I'm getting in 1+ year. It's about writing a plugin for some obscure forum software. I'm not too excited cuz it's poorly documented and I'll have to do a lot of groping, they use arrays instead of objects etc. There's no guarantee I'll find how to implement all client's requirements

While brooding last night, surfing the PHP subreddit, stumbled on a post about using Rector to downgrade a codebase. I've always been interested in the reverse but didn't have any incentive to fret over it. Randomly googled and saw a post promising a codebase can be upgraded with 3 commands in 5 minutes to PHP 8. Piqued my interest around 12:something AM. Stayed up all night upgrading it, replacing PHPSTAN with Psalm, initializing the guy's project, merging Flow auth with master etc. I think it may have taken 5 minutes without the challenge of getting local dev environment to PHP 8

My mood is much lighter than it was, although the battle is not won yet –image tests are failing. For some weird reason, PHP8 can't read generated test images. Hope I can ride on that newfound lease on life to study the forum and get the features working

I have some other rant but this is already a lot to digest in one sitting. See you in rant #4

Somebody: (whinwy) we need something to log into nonprivileged technical accounts without our rootssh proxy. We want this pammodule pam_X.so
me: this stuff is old (-2013) and i can't find any source for it. How about using SSSD with libsss_sudo? Its an modern solution which would allow this with an advantage of using the existing infrastructure.
somebody: NO I WANT THIS MODULE.
me: ok i have it packaged under this name. Could you please test it by manipulating the pam config?
Somebody: WHAT WHY DO I NEED TO MANIPULATE THE PAMCONFIG?
me: because another package on our servers already manipulates the config and i don't want to create trouble by manipulate it.
Somebody: why are we discussing this. I said clearly what we need and we need it NOW.

we have an package that changes the pam config to our needs, we are starting to roll out the config via ansible, but we still use configuration packages on many servers
For authentication as root we use cyberark for logging the ssh sessions.
The older solution allowed additionally the login into non-rootaccounts, but it is shut down in the next few weeks after over half an year of both systems active and over half an year with the information that the login into non-privileged accounts will be no more.

#Suphle Rant 9: a tsunami on authenticators

I was approaching the finish line, slowly but surely. I had a rare ecstatic day after finding a long forgotten netlify app where I'd linked docs deployment to the repository. I didn't realise it was weighing down on me, the thought of how to do that. I just corrected some deprecated settings and saw the 93% finished work online. Everything suddenly made me happier that day

With half an appendix chapter to go, I decided to review an important class I stole from my old company for clues when I need to illustrate something involved using a semblance of a real world example (in the appendix, not abstract foo-bar passable for the docs)

It turns out, I hadn't implemented a functionality for restricting access to resources to only verified accounts. It just hasn't been required in the scheme of things. No matter, should be a piece of cake. I create a new middleware and it's done before I get to 50 lines. Then I try to update the documentation but to my surprise, user verification status turns out to be a subset of authentication locking. Instead of duplicating bindings for both authentication and verification, dev might as well use one middleware that checks for both and throws exceptions where appropriate.

BUT!

These aspects of the framework aren't middleware, at all. Call it poor design but I didn't envisage a situation where the indicators (authentication, path based authorisation and a 3rd one I don't recall), would perform behaviour deviating from the default. They were directly connected to their handlers and executed after within the final middleware. So there's no way to replace that default authentication scheme with one that additionally checks for verification status.

Whew

You aren't going to believe this. It may seem like I'm not serious and will never finish. I shut my system down for that day, even unsure how those indicators now have to refactored to work as middleware, their binding and detachment, considering route collections are composed down a trie

I'm mysteriously stronger the following day, draw up designs, draft a bunch of notes, roll my sleeves, and the tsunami began. Was surprisingly able to get most of previous middleware tests passing again before bed, with the exception of reshuffled classes. So I guess we can be optimistic that those other indicators won't cause more suffering or take us additional days off course

Cisco Anyconnect can blow me.

I go through the process of connecting to the vpn, username, password, token.

Then it has its pop up "respond to the banner to connect" and I click accept . . . and it does nothing.

So I go through the process again. And this time it says connected

But now I still can't connect to any of my companies sharepoint, SQL servers, Azure Devops, JIRA, etc

And the only solution to that is a reboot.

And this happens swear to god at least every other day.

Like good lord, if I put in my credentials and they pass authentication/authorization, let me do my goddamn work.

Mongodb CEO and the developer who build this shit for brains interface should be tarred and feathered. Almost 90minutes in and I cannot connect to anything other than error codes. What in the actual fuck is your job other than to make it difficult for a "free tier" user to connect?
"connect ECONNREFUSED 127.0.0.1:27017"

Oh ok another 20 minutes of work and you give me a bland beige error code like "```TLS/SSL is disabled. If possible, enable TLS/SSL to avoid security vulnerabilities.```"... um ok how do I enable it for your site, your database or on my computer... oh wait you don't say shit do you?

So now I'm fully 81 minutes into this shit show and all I get for error codes are these really descriptive gems 'getaddrinfo ENOTFOUND cluster0.hudbd.mongodb 'dot' net` comes up if I choose `mongo` with "connection string scheme" above it or `bad auth : Authentication failed'

I recently came across this article with some basic security advices, like use 2fa security key, encrypt your USB keys, don't use untrusted USB chargers / cables / ports (or use a data blocker cable if you need to charge your device). It made me think, how relevant are the USB-related threats and risks today? Do people really still use and carry so many wired USB devices, and just drop or plug them wherever?

The last time I used an USB device to transfer some important data was probably over 10 years ago, and for the love of god I don't know anyone who still carries an USB key with sensitive data with them on a daily basis, much less actively uses it. Besides, whoever still does that probably puts their USB key on the same keychain as their ID / access tag and a bunch of other keys (including a 2fa device if they use one) - they're not going to lose just some sensitive data, they're going to lose authentication and physical access devices as well, and that could turn a small data leak into a full-scale incident, with or without an encrypted USB device.

I'm also not sure about untrusted USB cables and ports, from what I've seen the USB outlets and cables are pretty much non-existent in public places, most places offer wireless charging pads instead (usually built into a hand rest or table surface).

Sometimes while working I find a subproblem that is isolated from the original problem domain, for example token renewal in an RTR authentication system. I take note of what I've been working on, clear my head of the broader problem write an exact specification of the subproblem. Then I code to that specification. The result is usually a self-contained open-source module which continues to improve my pace of work for years to come.

Hi all,

I was just wondering if anyone knows of a software that does for files on a server what dropbox does for files in the cloud. A search interface, moving files around, copy pasting etc..

I'm just using nginx's autoindex at the moment with an authentication layer but I was hoping to get a nice gui with search capabilities and copy paste, potentially share file, etc..

Kind regards and keep on hacking.

Twitter developers will authenticate half of their endpoints with some authentication method and the other half with a totally different one (which doesn't work) and their sales team will have the guts to contact you to check if you're still interested to access their API.

My only interest is feeding your corpse to the ravens.

Trying to make a nodejs backend is pure hell. It doesn't contain much builtin functionality in the first place and so you are forced to get a sea of smaller packages to make something that should be already baked in to happen. Momentjs and dayjs has thought nodejs devs nothing about the fact node runtime must not be as restrained as a browser js runtime. Now we are getting temporal api in browser js runtime and hopefully we can finally handle timezone hell without going insane. But this highlights the issue with node. Why wait for it to be included in js standard to finally be a thing. develop it beforehand. why are you beholden to Ecma standard. They write standards for web browser not node backend for god sake.

Also, authentication shouldn't be that complicated. I shouldn't be forced to create my own auth. In laravel scaffolding is already there and is asking you to get it going. In nodejs you have to get jwt working. I understand that you can get such scaffolding online with git clone but why? why express doesn't provide buildtin functions for authentication? Why for gods sake, you "npm install bcrypt"? I have to hash my own password before hand. I mean, realistically speaking nodejs is builtin with cryptography libraries. Hashmap literally uses hashing. Why can't it be builtin. I supposed any API needed auth. Instead I have to sign and verfiy my token and create middlewares for the job of making sure routes are protected.

I like the concept of bidirectional communication of node and the ugly thing, it's not impressive. any goddamn programming language used for web dev should realistically sustain two-way communication. It just a question of scaling, but if you have a backend that leverages usockets you can never go wrong. Because it's written in c. Just keep server running and sending data packets and responding to them, and don't finalize request and clean up after you serve it just keep waiting for new event.

Anyway, I hope out of this confused mess we call nodejs backend comes clean solutions just like Laravel came to clean the mess that was PHP backend back then.

Express is overrated by the way, and mongodb feels like a really ludicrous idea. we now need graphql in goddamn backend because of mongodb and it's cousins of nosql databases.

hey, so i have recently started learning about node js and express based backend development.

can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?

like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :

- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc

- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (

- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc

followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc

----

these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.

so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .

apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.