Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
-
Me: *Watching a movie*
Main Character: "Oh no, we have to hack the CIA to figure out how this machine works! Hacker girl, do the stuff"
Hacker Girl: "Consider it done!"
Hacker Girl: *Opens Linux bash*
Hacker Girl: *types 'mkdir Hack_CIA'
Hacker Girl: "They have two-factor authentication in place, this is going to be a hard one."
Hacker Girl: *Types 'cd Hack_CIA'*
Hacker Girl: "I'm in!"
Me: "..."
Friend: "Wow, so well done, so realistic!"
Me: *Dies*82 -
** The most hilarious authentication implementation I've ever seen **
They stored password in cleartext, but never mind, this is sadly quite common.
For some reasons credentials were also case insensitive (maybe to avoid silly tickets from CAPS LOCK lovers?).
Then I had a look to the query executed during the login:
SELECT * FROM users WHERE username LIKE ? AND password LIKE ?;
So I tried logging in with user "admin" and password "%"... and it worked!
I laughed all the day.30 -
So my friend has two-step authentication for his smartphone.
Now he is not able to find his phone.
So, he tried to find his phone by logging into his google account via Android Device Manager.
Now, it is asking for the authentication pin which is in his phone.😂
He just got deadlocked.12 -
I strongly dislike the www part in domain names (the subdomain, really), that's not really news anymore.
Loads of sites use it which I find annoying as fuck for some reason but so be it. (I understand that its very logical to loads of people)
And then you get a client who calls in because the email server isn't accepting her username/password.
*looks into the logs*
"incorrect authentication data: info@www.herdomain.com"
Kill it with fucking fire.18 -
This is not really a rant, but...dude.
I was browsing github for a suitable library when i found a test repo of someone. A script inside and at the top he wrote his authentication token. I first thought it was a placeholder or an example or a test he used. No. I entered the token and could control his instance of the app. I sent him a message to disable this token.8 -
I get that fingerprint authentication is very convenient but I'd never use it (not even for privacy reasons that much).
When someone guesses/gets your password you can just say "alright let's change my password"
Imagine that with fingerprints: "yeah sure let me change my fingers"
😆39 -
"Do you have 2 factor auth for the database?"
a customer asked. I stared on the wall in front of me and suddenly fel and urge to punch and piss on something.
I took a deep breath while thinking to myself
*Oh boy, here we go. Another retard*
I put on my nice voice and asked:
"What you mean?"
The customer seems confused, as if my question did not make sense and he said:
"TWO FACTOR AUTHENTICATION! Dont you know what it is? To make the database more secure."
I was fucking right, this person reads to much shit. The fact that the email signature of that person said "Wordpress Developer" made me more angry.
I, still with the nice voice asked
"How would that work?"
"Two factor authentication when I am connecting to the database."
"So, do you want it by SMS then? You'll get alot of messages if it is going to send you one every time a query is made."
The following 7 seconds was dead silent until I heard the person hang up.3 -
Mark.
Mark was a support guy who could have been replaced by a robot. Nearly every support request that came in, whether it made sense or not, had a reply saying:
"Thank you for your query, I will escalate with the development team"
...and then I would have a message saying:
"Hi Almond urgent issue case xxx - I think you need to PLEASE CHECK LOGS" (yes, with that capitalisation.)
I'd then look at the case, take 10 seconds to work out the customer had done something stupid when calling our API (often forgetting their authentication details, despite a clear message telling them as such) and tell Mark what the issue was, and how to find it for himself next time. I'd then usually get:
"Thank you but PLEASE CHECK LOGS to see if there is any more info we can provide to customer"
...there would be more back and forth, and then eventually something like the following would reach the customer...
"Very sorry the development team have a major issue they will fix very soon but in the meantime a workaround is (instructions for using authentication details)"
🤦♂️🤦♂️7 -
Client asked for Two Factor Authentication as a part of the webapp we're building and then were confused as to why they needed a second password to login
"we don't want to add an extra step into the login process, can you remove it please"
fml6 -
Look, PHPVirtualbox, i love you and all and you've worked very well for me for ages.
But, when I see the authentication is successful and you receive an 'OK', YOU'RE NOT SUPPOSED TO THROW A FUCKING "USERNAME OR PASSWORD WRONG" ERROR.
YOU'RE SUPPOSED TO LET ME FUCKING THROUGH.
MOTHERFUCKER.7 -
So according to some reddit user IKEA sends your password as a GET parameter in plain text.
https://reddit.com/r/CrappyDesign/...
Seems to be a network authentication thingy, but still 🤔
34 -
Tonight I want to try to setup an openvpn server with mysql based authentication because I'd love to somehow setup/become a vpn provider.
Of course there's a huge ass legal part but let's first make sure I know the technology of the top of my head!
Just ranting this out because I'm excited 😊20 -
Especially painful being a cybersecurity engineer;
Did something wrong with an if-statement.
Caused authentication to break completely; anyone could login as any user.
Was fixed veeeeeeery quickly 😅 (yes, was already live)8 -
Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: " You know, the current standard for REST API authentication and authorisation"
Client: " What's REST?"
*Hungs up*8 -
I can add two-factor authentication to GitHub, but my online banking password must have EXACTLY 5 characters...14
-
After a few hours, I think I just got mysql based openvpn authentication working O_o
Fucking yay! Now let's implement a maximum amount of connections per user.
Yes, rants can be happy too.12 -
Authentication feature was only checking the length of the auth header instead of the actual content. I abused this to make a request to our API from inside our system with a junk header, so we were basically hacking ourselves...2
-
"So you need access to the test server?"
Me:"Yes"
"Please fill these 800000000 forms,sign here,get your blood sample,your ID ,your right kidney,letter of approval from your boss,...."
Fuuuuuuuck!!!! I just want to change only 3 lines of code!!!!!!5 -
- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.
A moment of silence, please.8 -
One day with a lot of hours trying later:
Got an OpenVPN server running from scratch and can (still have to write the actual authentication code) accept or refuse clients through a php script ran from a bash script with a username and password.
Fuck yeah!12 -
Dev checked in code (I suspect purposely not inviting me on the code review invite) saying he "fixed" the authentication bug in the web service.
Um no, like I told you last week, the authentication error is because the load balancer wasn't passing the user's authentication to IIS.
If I didn't overhear him telling a user "Still getting the error? I don't know, we might have to re-write that service", he might have gotten away with it.
Me: "Wait, that doesn't sound right. If I hit the server directly, authentication works. Its an issue with the load balancer, not the service"
Dev: "Admin said the load balancer is fine and it has to be the service."
Me: "I don't buy it. IIS is returning the authentication error, not the service."
Dev: "I added exception handling and nothing is being logged. Must be something in the service configuration."
Me: "No, IIS performs the authentication, not the service. I explained that last week, remember?"
Dev: "Oh yea. What changes do we need to make to the service?"
<my blood pressure starts to spike>
Me: "None. Give me a sec.."
<we have other apps on the same server farm that work just fine, so I re-configure the service pool settings to match theirs>
Me: "See, now going through the load balancer, the service works fine. For some reason, the admin had our service set up differently."
Dev: "OK, I'll let the users know the service is fixed."
Me: "Service was never broke and I'm not leaving it in its current state. In the morning I'll talk to the admin and see what he can do to fix."
6 -
I used PHPMailer to send emails to a client's website user. SMTP host is smtp.gmail.com.
web was hosted on Bluehost. I found out that mailer was not working. I enabled verbose output and to my surprise I found out that Bluehost was intercepting my mail and responding with
220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail
when i was explicitly using smtp.gmail.com. Not only they were intercepting but also They were trying my credentials against its own smtp server and then showing me that authentication failed.
When i contacted chat they asked me to tell last 4 characters of Bluehost account password to verify ownership.
Dude do they have passwords in plaintext.🤔5 -
A month ago I had some medical tests, the next morning, the clinic's send a email with my results. Oh surprise, unbelievable security flaws. They sent me a link without any kind of authentication, token, or security. I looked at my results, and by entering consecutive and random numbers I was able to download a lot of results and folders of other patients. I wrote an email to the clinic informing them of this situation and their response was "Thank you". Today I have accessed the link and the error is still present. I am going to notify higher health authorities.11
-
I gave resignation so am on my last weeks. The top priority is suddenly an authentication service that is completely unfamiliar, proprietary, requires me to RTFM, and requires contact with a slothful vendor about details for our specific instance. Can you do it on a 10 day deadline?
“Are you sure this wouldn’t be a better fit for someone that has implemented this authentication system before? Someone with existing relationships with contacts that manage the authentication service? Maybe I should be the one transferring my understanding of the other 60k lines of code that I singlehandedly wrote? I’m starting from zero here. Maybe it would be good for the guy who isn’t leaving to do this one so that he can retain the knowledge of the authentication system for next time you need to implement it?”
They just plug their ears now because they clearly don’t trust me due to my resignation state. Just do it. Wow.11 -
I really have this fucking love/hate relationship with application security.
For a lot of stuff that I write, user input has to be validated, authentication is required and so on and I do love looking into that, pentesting my own applications to death and thinking about the security architecture of the application itself.
But, sometimes, I just want to focus on the fucking features and then it annoys the living hell out of me that securing an application can take so much time and brain power.
Yay and grrrr, I guess.8 -
Unaware that this had been occurring for while, DBA manager walks into our cube area:
DBAMgr-Scott: "DBA-Kelly told me you still having problems connecting to the new staging servers?"
Dev-Carl: "Yea, still getting access denied. Same problem we've been having for a couple of weeks"
DBAMgr-Scott: "Damn it, I hate you. I got to have Kelly working with data warehouse project. I guess I've got to start working on fixing this problem."
Dev-Carl: "Ha ha..sorry. I've checked everything. Its definitely something on the sql server side."
DBAMgr-Scott: "I guess my day is shot. I've got to talk to the network admin, when I get back, lets put our heads together and figure this out."
<Scott leaves>
Me: "A permissions issue on staging? All my stuff is working fine and been working fine for a long while."
Dev-Carl: "Yea, there is nothing different about any of the other environments."
Me: "That doesn't sound right. What's the error?"
Dev-Carl: "Permissions"
Me: "No, the actual exception, never mind, I'll look it up in Splunk."
<in about 30 seconds, I find the actual exception, Win32Exception: Access is denied in OpenSqlFileStream, a little google-fu and .. >
Me: "Is the service using Windows authentication or SQL authentication?"
Dev-Carl: "SQL authentication."
Me: "Switch it to windows authentication"
<Dev-Carl changes authentication...service works like a charm>
Dev-Carl: "OMG, it worked! We've been working on this problem for almost two weeks and it only took you 30 seconds."
Me: "Now that it works, and the service had been working, what changed?"
Dev-Carl: "Oh..look at that, Dev-Jake changed the connection string two weeks ago. Weird. Thanks for your help."
<My brain is screaming "YOU NEVER THOUGHT TO LOOK FOR WHAT CHANGED!!!"
Me: "I'm happy I could help."4 -
Why nobody uses public/private key authentication for ssh and disable password auth?
Am I the only one around here doing this?14 -
So this customer wanted me to create an app using Flutter (user and admin), PHP for the backend, so I made one for him . He seems to complain he can't login to the admin account which he called me to registered for him right after the payment and weeks later.
With deeper investigation , I checked the log he drop the table where users authentication is stored and blame me about that. Which I fixed it lately by creating a table back.
Later I visit my account Shopee , he reviewed me as "THE WORST PROGRAMMER "
So I was like WHAT THE FUCK? YOU DROP THE TABLE WHICH LEAD YOU CANT LOGIN AS AN ADMIN AND BLAME FOR THAT?15 -
Why did I miss my turn while driving ? I was dreaming about authentication strategies in micro services.1
-
Question regarding implementing two factor authentication.
I want to implement 2FA for at least one service I'm writing but I'm wondering, next to email, what services/implementations could I use?
I know that email isn't the best when it comes to security but I also don't want to force (a-technical) users to install an app specifically for 2FA so keeping email as an option as well.
But except for email, any ideas? Anything related to Google/facebook (prism integrated services) are a no go anyways (this has, as mentioned before, nothing to do with my ego or giving myself 'a pat on the back')
As for costs, I don't mind a little bit of money but the service will be free at first and I'm not rich :)
Looking forward to the comments!21 -
So this story is from my University days. I was in the 6th semester back then, studying CS.
My University website was pretty shitty. Basically it was one of those old ass website that said "Best viewed in IE8". Anyway, I was snooping about the website, trying to find some news regarding an event.
I logged into my account, and randomly browsed into the leave request portal. This was a basic HTML form where students could apply for leaves from the classes and see the status of the leaves, if they have been granted or not. I noticed that the link to the request portal from the student login welcome page was actually something like http://univ.com/student/index.php/..., here 1234567 was my student ID. Yep, it was hardcore into the page, and sent as a GET request on being clicked. That was their idea of authentication I guess. I change the student ID to someone else's, and it let me login as that person.
Long story short, I wrote a little python script to login as every person from the starting of student IDs, till the end, then submit a leave request with a random dumb reason like "can't come, at the strip club" or "going for sex change operation". What I did not know was that when a request is submitted, a text message is also sent to the student's guardians phone number. I ran the script.
That day, over 1000 parents received text messages from the University saying that their kids have applied for a leave from random date to random date for some retarded reason. It was a blast. Students were talking about how someone had "Hacked" into the system.4 -
PM ordered me to not use encryption for customer authentication links because we want to be able so send same link if the user loose it. "we have to prioritize usability over security". At least I can tell future hackers it's not my fault..
10 -
Ok wtf? How is it that I can give myself admin access to almost any Apple computer just by turning it on, holding down two keys, and then removing one file called “.AppleSetupDone”, without any kind of authentication? And I get access to all of the data on the device too. Within two minutes of having physical access to the computer.
This is a company with millions of devices in use, why is this even possible? And the only way to prevent it is to have a firmware password, which, by the way, is not a default option...are you serious9 -
Something strange just happened, activated Fail2ban on another server and instantly blocked me when I already had ssh session open >_>
Does macOS terminal keep on sending ssh authentication requests? Or is my OpenVPN that keeps on sending requests.
Why does this keep on happening to me T_T17 -
Me : I should start building user authentication system.
inner self : there are enough free and secure ones out there, just go read the documentation.
Me : fuck I'm not reading 10000 pages of documentation written in alien language.
inner self : well then you better start building
Me : **writes code
Inner self : you better add the data validation and security while coding
Me : I just want it to work !
Me after a few days trying not to suicide : the site is hacked, the code is bugged, hello darkness my friend5 -
Saw this security blunder a while ago. Went onto some site and it showed me this username/password dialog (probably an apache's htpasswd or nginx one). Went away but returned quickly because I noticed I could see all content. Then I thought 'why the fuck not try?' so I dragged the auth popup thingy to the side of the screen and et voila... I could interact with the page as if nothing was wrong while the authentication popup was hovering above the page on the right!
I sat there giggling dramatically for a while. -
>Get password vom dev.
>Try to connect to MongoDB.
>Had some changes in how to connect because of Kubernetes and stuff.
>Always get authentication error.
>copy password again
>stop and restart portforwarding
>wait almost 1,5h (was lunchtime) for DevOps guy
>sit next to him and ask for help
>he unhides the password and deletes two spaces...
fml3 -
Multi-factor authentication does not mean I have a password to your site AND have to login with Google. Also, I logged in with Google, you should have my email address now.
Oh, a user with that address already exists? No shit, it's me.
Your fucking login flow is broken.5 -
MFA authentication setups that don't support standard authenticator apps, like 1Password or Google Authenticator can burn.
Yes, Microsoft, I am looking at you.10 -
Fuck you Amazon.
Fuck your two factor authentication.
Fuck your PINs over SMS that take 1 hour to arrive.
Fuck you.7 -
NO FUCKING GOOD NIGHT FOR FLOYD.
THIS MULTI FACTOR AUTHENTICATION IS A FUCKING NIGHTMARE.
So my organisation uses some MFA app as an SSO to access any and everything. Fantastic. Absolutely wonderful. No VPN shit and one password to rule them all.
But, for some reason I accidentally deleted the app from my phone and as any normal human being would do, I also reinstalled the app.
Well, post reinstalling, the app does not detect the linked Org account.
I was cool, when I'll login, the system will throw a prompt to map the phone.
So I login to org URL from my machine and lo and behold, the URL says that MFA is already linked to the phone and I have to enter the Citrix type code to login.
But phone does not show the code because account is no longer linked and web does not have option to change/re-register the phone.
What the actual unholy fuck?????? Bloody retards. How am I suppose to get in now?
So after a Googling for a bit, a thread mentioned that this is most common issue faced by users with this MFA app. The only way to get this resolved is to contact your IT team.
Cool. Let's do that.
I opened the link to my IT portal and it asks me to login via SSO which is what I need help with in first place.
I can't login to Slack because fuckers ask SSO every time the app is exited. So no contact there.
Thankfully bastards allow Outlook so was able to drop a note to one of my team member, whom I connected recently and is very nice, asking her to help me sort this IT team.
If this is the most common use case then why the fuck not add a feature to help people overcome this shit?
And my IT team is absolute nuts. No other way allowed to reset the linking or connect them or any help links provided on login page.
Whoever was behind this design should be dipped in donkey shit and deep fried in pig urine.6 -
I once found a MongoDB cluster open to the internet with no authentication with nearly a terabyte of data that backed a CRM service whose customers included Microsoft and Adobe to name a few.7
-
Apple is now forcing 2 factor authentication for publishing apps on the App Store. Except not just regular 2 factor, 2 factor via AppleId. Which means you have to have the AppleID on 2 different Apple devices! You now have to have a Mac and another Apple device to ship an app and you still have to pay $100/yr for the license.
Hell I usually like Apple stuff but this has gone so fucking far off the rails.8 -
My security knowledge is so bad. But I don't know where should I start.😖
My coworkers know about this, so I don't get involved on related topics.🤤
Last time I asked same question, someone gave me link, and it all about DIY welding metal tubes into a security door.🤦♂️
Any better suggestion?13 -
We have a portal which uses Windows Integrated auth that lists out all off our internal sites.
Navigating to any of these produces a URL like the one in the attached image.
Turns out all our internal application use a base64 encoded email address in the query string as the means of authentication.
So, anyone can authenticate themselves as another employee within the company by simply changing the query param value to said employees email address.
Fucking nuts.
8 -
So I'm playing around with Node late at night and decide to make something of it. Made a real-time 2-way communication system with NodeJS, Express and Socket.io. The UI currently looks cheap, but it's clean. Open multiple tabs to see it in action.
You can also send private messages by typing /p username message. I could add authentication here and also connect it to MongoDB.
Any other ideas or reviews? Also any other ideas for Node projects? Thank you.
Try it out here: https://node--chat-io.herokuapp.com4 -
One day, I spoke to my team which yubi or nitro key to get.
Senior (s) : but what do you need it for?
Me (m) : for encryption. And securing our password managers. Stuff, I guess.
S : encryption is not gonna be a thing. It hasn't and it won't.
M : *leaves*
I've been so baffled I couldn't cope with the situation.
A few weeks later I left the company. There were too many of such people and those products.3 -
We're digital plumbers.
90% of this job is figuring out what thing to connect to what thing and then figuring out how to connect them.
Writing the code that goes in-between both ends of the pipe is easy if not trivial 90% of the time.
Meaningful change in this industry is centered around endpoints: contracts, deployments, etc. Nobody needs yet another way to organize and import their leftpad().10 -
Fuck this
I get to work with API where you CAN authenticate with username/password and get a token
But you CAN'T get user info from token (auth response contains ONLY token)
So what I have to do:
1. Get token
2. Request ALL FUCKING USERS and load them into my DB
3. Search through local DB by username and, yeah, here I go
Now I need to have a cron job to update user DB 1/2 times per day
I can't think of ANY reason not to allow this8 -
Once upon a time, in a proprietary e-commerce framework used by few hundred sites...
I just took over a project where the previous developer stored password in two separate fields.
password & password_visible
First was encrypted and used for authentication. Second was plaintext password and was shown in the admin panel.
Hope to meet this god someday, I'd sure ask why the hell did he use encrypted password for authentication anyway. 😂3 -
Microsoft Teams can burn.
Who the fuck thought it would be an excellent workflow, when you want to COLLABORATE IN TEAMS between users in different domains, that each sorry bastard needs to manually log in to a second Teams tenant and loose all the context from their main Teams tenant !?
On random occasions the fucking authentication token expires. I send messages to my team mate in another domain. Three days later I am pissed off because they don't answer. It turns out their authentication token has expired so when they are on their main tenant they don't get any notifications before they manually log in to our tenant as a guest. HOW FUCKING GREAT IS THAT AS A NOTIFICATION SYSTEM ??!
Would it be that fucking difficult to maintain a notification bar with all tenants and note with an exclamation mark or something REALLY FUCKING SIMPLE to hint about an expired token ? It's not like this is magic, Slack does it already.
FUCK !7 -
Friend of mine created a blog from scratch... You could create a post, by just sending a POST request (no authentication required!)....
As an additional bonus: you could dump full unfiltered HTML in a post, which was then executed...
Please kill me5 -
Someone ask to me as a security engineer.
Bro : what do you think about most secure way to authenticate, i read news using fingerprint no longer safe?
Me : yes they can clone your fingerprint if you take a photo with your fingerprint to camera.
Bro : so what is the other way to authenticate more secure and other people can't see in picture ?
Me : D*ck authentication is more secure now, other people can't see your d*ck pattern right?10 -
Read a blog post at work yesterday from the company head of IT security. Line 1:
As part of our company policy we enforce the use of usernames and passwords, known as two factor authentication. However we also need to ensure.....
Stopped listening at this point as I hit Google to confirm the definition of two factor auth.
Nope I'm not loosing my mind, the blog post is insane....1 -
Call it like you see it:
TF30063 : You have been fired quietly, or the Microsoft authentication system is down (again.)
1 -
Might be more of a self-rant.. We’re developing an application with token-based authentication.
It’s a big an complex authentication model and flow, which we wrapped up a month ago. All of us very proud of it.
All of a sudden none of it worked.
We debugged for days, there were no errors or anything to trace what was happening.
Today we realized that we set the expiration of the token to 20 years.
Aaaand the expiration time is later on converted to epoch.
Guess what happens when you try to use a value > 2 147 483 647 in C#? Stuff blows up, cuz that’s the limit of an int32.
So yeah, feels good having prepared for the Y2K38 bug already, even though we’ll be replaced by AI writing better software than my dumb ass by then.
(To be fair, it was hidden in Microsoft Owin, which could use some error handling and/or proper messages..) -
Don't bother programming anything for us. We'll never use it. (I work at an IT help desk Technician at a school and this was from the IT director)
They now use 3 of my projects (one SSO authentication, another issue tracker, and the other inventory) -
Am I allowed to use an API from the government that they do not have publicly documented or explicitly said anyone can use BUT don't have any authentication on it?10
-
Just yesterday I found out that a multimillion euro corporation still uses Http (not https) rest end points, with the only basic authentication mechanism...
It only provides data to sales and inventory management, so I'm guessing it's not f*ing critical enough x.x4 -
The Instagram API sucks a Lot.
Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?
Fucking piece of shit5 -
Stackoverflow launches a new Dance Dance Authentication. https://m.youtube.com/watch/.... Thank god they didn't build a new Framework.😆😆😆3
-
This is the last part of the series
(3 of 3) Credentials everywhere; like literally.
I worked for a company that made an authentication system. In a way it was ahead of it's time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.
This security system targeted 3rd party websites. Here is where it went wrong. There was a "save" implementation where users where redirected to the authentication system and back.
However for fear of being to hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.
So users where trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as pain text right next to the email and birth date making the incompetence complete.
The reason for plain text password was so people could recover there password. Like just call the company convincingly frustrated and you can get them to send you the password.1 -
For fuck sake ... please make sure the logged in user is actually fucking authorized to see that orders info!! Very few things I hate more than being able to change the OrderID parameter in a URL and see somebody else’s order information.
-
"How do we share access to two-factor authentication."
What you mean is "how do we defeat the purpose of multi-factor authentication."
3 -
Seems someone from China was trying to hack my Apple ID. Due to 2-factor verification, was able to deny access and then I quickly changed password and forced sign-out of all accounts. Perhaps my password appeared in some data leak— it was not changed since 2 years.
Y’all make sure to enable 2-factor authentication and change passwords from time to time.
5 -
Around 2 years ago, I had first discovered DevRant.
I was an intern in a startup then, and I was working on ElasticSearch. I remember making rants about it. The internship ended. So did my relationship with ElasticSearch.
This week, a new intern joined our organisation (a different organisation). He was assigned the task of deploying ElasticSearch, with me as his mentor. All was going good, we migrated data from MongoDB to ElasticSearch and all.
Back then, I used to curse the team lead (leading a team of interns mostly), for not helping me properly...
I wanted a publicly accessible dashboard, since we can't really see the Kibana dashboard with SSH :P... So, we implemented user authentication using X-Pack security. And here we are, stuck... Again... I'm unable to help the intern. The World has come to a full circle.
PS: I have to just guide him while doing my own User Stories.
https://stackoverflow.com/questions... -
Someone just guessed my 20+ character one time password on Microsoft 🤔 2 factor authentication and Geo IP checking are definitely good features.
Well, time to change all my passwords.8 -
Slack is cool and all... But do we really have to have an "account per team" ? Damn I cringed so hard when I was setting up two-factor authentication and realized it was this way... Wtf...6
-
I sent my app to one of my lecturers(female). She opened it and it said "Login with Facebook". I had integrated FB login just like other apps for authentication. She thought that I was playing some trick on her to hack her facebook account and refused to continue...
Where to run, where to hide... 😂
After all, the login dialog was of facebook's itself and nothing else.3 -
Windows file system is a slow piece of shit.
The update regime on most applications for Windows desktop is an unmanageable piece of shit.
Windows Store is a broken piece of shit.
The login process on a Windows computer is a tedious piece of shit.
The Windows Hello authentication is a half-baked piece of shit.
Microsoft MFA is a hostile piece of shit.
Windows Update is a destructive piece of shit.
Windows Defender is a resource-hogging piece of shit.
Windows system fonts are ugly as a piece of shit.4 -
I am turning 16 in 3 months and I want to start freelancing then. I want to earn money and get some experience .
I will still go to school until I have my a levels so I can go to university later.
Do you have any advice for an absolute freelancing beginner? I will probably make websites with HTML and CSS (of course, what the hell else) and react. Nodejs and mongodb for the Backend.
What should I do in these 3 months to prepare myself?
I want to build a portfolio website and learn more about node, especially how to do safe authentication in these 3 months, anything else? Also which websites would you recommend me?26 -
Client asked us to modify site made in some obscure CMS. Authentication on AJAX request is done by sending email and password as plaintext in header and then it would do md5 on server side5
-
If your website has a login wall, my visceral reaction is to close the tab. After that, my rational reaction is to close the closed tab. Because fuck you.
-
*follow-up to https://devrant.com/rants/1887422*
The burnt remnants of my ID card's authentication information, waiting for the wind to come pick it up. It's stored in my password database now and committed to my git server, as it should be. Storing PIN and PUK codes on paper, whatever government cunt thought thought that that was a good idea...
If you've got identification papers containing authentication information like PIN and PUK codes, by all means add them to your password manager (if you're using Linux, I'd like to recommend GNU Pass) at once and burn the physical version. There's no reason why you'd want those on paper, unless you store your passwords on a post-it too.
At least that's as much as me and possibly you as citizens can do. Our governments are doomed anyway, given the shitty security policy they have, and likely the many COBOL mainframes still in use today. Honestly, the meddlings of Russia with the US elections doesn't seem too far-fetched, given this status quo. It actually surprises me that this kind of stuff doesn't happen more often, given that certain governments hire private pentesters yet can't secure their own infrastructure.
-
Not only did my boss insist on setting up roles and permissions for our app how he designed them, even after I spent 4 or 5 hours trying to convince him to let me do it differently, but he has now fucked our entire system.
Under this model of roles and permissions you cannot enforce them on the backend by any means, and now we have a service dealing with users including resetting passwords and changing details that does not use authentication. That's right, aurhe tocation and not even talking about authorization now. Good job.
I honestly wish companies like this would get hacked and fucked over as soon as they did it wrong because I can't believe how retarded some people are.3 -
I started programming when I was 14, because I was deeply enrooted in MMORPG hacking communities. It gave me an escape from real life, and I felt empowered by the skill to create something from nothing. My first language was Lazarus FPC, followed by VB.NET, C#, C++ ( managed and unmanaged non CLR ). As time went on, I found more ways to turn my "hacks" into software, and finally I began selling subscriptions which required me writing an authentication system.
After weeks of research, I began writing my own REST API in PHP using MySQL as my database. At this point I had an IPB forum up and running for a year, but with my newly acquired knowledge I was able to couple my API with my forum software. To properly distribute my API i had to learn NGINX to route my API to a subdomain.
Soon after I began writing my own portal for my authentication system, at which point I had become entirely enveloped in Web Development. I was 17 when I dropped my forum, I'm now 21 and freelancing web app consulting, day job as a QA automation developer. -
Currently working on my first real REST api and I've arrived at the authentication part.
I'm not sure how to do this one, the client will have to login using username/password but then, what's the most conventional way of authentication logged in users through a REST api? (no oauth (yet))
This should be usable for anything like ajax requests to calls from the backend to curl requests.
Looking forward to ideas!30 -
Changing authentication mechanism in SharePoint from windows identity to ADFS identity is stupidly complicated, especially for existing large farms with custom code.
On the plus side - just convinced the director this is stupid - saved myself, himself, and 1000 users a ton of misery.
12 -
Stackoverflow has introduced the latest evolution in computer security - Dance Dance Authentication
https://m.youtube.com/watch/... -
Three days after I purchased iPhone XS, I had to install a new modem at home. The phone wouldn’t connect to the wifi network in the higher frequency band. The guy who came to install the modem dished out the theory that the phone must be too damn old to support it. That burn!
PS: it connected almost a couple of seconds later that. As if it was some kind of extra layer of authentication. Well played Apple.6 -
Fucking mongodb I swear to god what is your problem, why do you close all connections after successful authentication you piece of concentrated crapjuice and why is the best information you can give me a pissing "Connection ended" message your demonic unholiness?
Stick a cactus up your rear, pot included5 -
I find it funny that as soon as I disable password authentication on my server and enable key auth then all of the bots spamming my server with incorrect login requests instantly stop when they realise that they aren’t getting through any time soon. Also don’t ask why I don’t have Fail2Ban and a firewall set up.5
-
Good morning to everyone, except that one Twitter dev who one day woke up and was like "YOU KNOW WHAT, MY APPLICATION WILL FEATURE BOTH OAUTH1 AND OAUTH2 ENDPOINTS, BUT SOME FEATURES WILL BE EXCLUSIVE TO EITHER OF THE TWO -NOT NECESSARILY THE MOST RECENT, JUST A RANDOM ONE-, AND ALSO THE OFFICIAL TWITTER LIBRARY WON'T COVER ALL THE ENDPOINTS SO PEOPLE WILL HAVE TO RESORT TO RAW HTTP REQUESTS INSTEAD OF USING MY SDK AND ALSO I'MMA MAKE DEVELOPERS FILL 2 VERY DETAILED FORMS, REQUIRING PERSONAL DATA AND ACTUAL REAL PHONE CALLS, JUST TO START DEVELOPMENT WITH 7 DIFFERENT AUTHENTICATION TOKENS, BECAUSE SOME REQUESTS WILL REQUIRE A DIFFERENT AUTHENTICATION METHOD THAN THE OTHER REQUESTS DESPITE ALL OF THEM PERTAINING TO THE SAME FUCKING ENTITY"
3 -
I'm in the 7th circle of hell. Building out an authentication system using a 3rd party vendor into our company's application.
Developing in PHP, running inside a docker container, using a Windows PC. Absolutely everything has gone wrong that could go wrong but PHPCS whining about a missing space between the "!" and variable name was the last straw.2 -
I made Skype Bot which queries the data using wsdl authentication on our ticketing tool and send the data whoever has requested in skype itself(without logging or touching the ticketing tool).
Manager: Is that even possible?
Me: (In excitement) Everything is possible if you have the will.
Now, He wants me to work on his pet project. I dont know how to react!4 -
Admin home page secured well, but every CRUD page available without admin authentication on prod environment... for at least 3 weeks
-
Oh ffs, just fucking inject a chip into my finger already for authentication purposes, you can track my every fucking move if you so wish. When a web page like twitch uses 2FA it boggles my mind because its a page where you're watching some fucking videos.
"hey there, so out of the blue, we send you a code to your email, we won't tell you which so good luck. Also, you cannot copy paste this code because we did that fucking thing where each character has its own textbox"
Of course, this is only because we are dumb enough to reuse shitty passwords. THIS IS WHY WE CAN'T HAVE NICE THINGS.31 -
So I had been developing a real estate website and developing a MLS feed parser. I had only 1 year experience at that time and parsing a XML feed was already complex enough. On top of it, the client wanted to automate feed download from the MLS provider through HTTP authentication. Managed to do it. Everything worked for 15 days and on 16th day the property location markers stopped appearing on Google maps. Turned out that address to lat-long reverse geocoding was failing because API limit exhausted. My bad, I coded it on view instead of caching the lat-long in database. Fixed it in a day and viola!
-
Mail from Microsoft: sign in to see payment details.
User clicks on the link (once).
Microsoft:
Sign in to continue to Microsoft
Something went wrong and we can't sign you in right now. Please try again later.
The Microsoft account login server has detected too many repeated authentication attempts. Please wait a moment and try again.6 -
Hey fastlane!
Great tool and all, but your documentation is at 🤡 levels, I need to read 20+ pages to get a full overview and understanding. So far I've had to read a dozen plus blogs and stackoverflow posts to find hidden flows (authentication first to do this, etc. etc. etc.)
Don't market your tool as "reducing complexity & saving time" and showing one-liners in the docs when in reality there are lots of hidden steps and NOT one-liners!!!!!!
This is why everyone complains it takes 1-2 days to just get a freaking pipeline working!!!!🤡 -
I've just bought 3 months sky ticket...
THEY ONLY ALLOW A 4-DIGIT NUMBERS ONLY "PASSWORD"?!?!
IN WHAT YEAR DO THEY LIVE???
AND THEY EVEN SEND IT TO YOU VIA EMAIL ALONGSIDE YOU USERNAME!
I guess their old windows server which handles their authentication would be overcharged when it'd handle real passwords.4 -
My biggest challenge has been moving away from an unmaintainable Java/Tomcat/Spring Security application server to a Node.js/Express application server. That handles single sign on and two factor authentication. In 2 weeks.
I'm a front end dev. I'm sure it's fine 😓6 -
-Rant-
How do you (not) secure your Rest based web service?
1. Chain it to shady organic authentication system built by a hoard of monkeys high on Tequila.
2. have secret keys that get copy pasted into config flat files, and index them on your code search engine.
3. make the onboarding extremely platform specific that you need 500 environment variables, 50 scripts, 5 fancy device presses and a tap dance to make a GET call to the service.
4. fish through 500 rotating log files that the authentication system generates for each API call made.
5. Leave traces all over the host so if you have to start over, you should sudo rm -rf / and set fire to your computer. -
Attention guys and gals! If you are using grafana in your home setup, update it asap to 4.6.4 or 5.2.3. versions before those two are affected by an authentication bypass vulnerability. CVE 2018-15727
In the meanwhile, my nginx config is blocking everything but the LAN ips :) -
Security is a joke. And people don't seem to get it. Especially Data mungers.
I've spent about half an hour trying to work out how to securely connect to power BI using PowerShell in a renewable manner for unattended access later on.
Every single example I've found seems to involve you storing $user and $password variables inside your script. If I'm lucky, they're going to pass them through ConvertTo-SecureString. And nobody talks about securely storing AD auth tokens, or using the Windows Credential Manager.
I know it's possible, but it's going to take me ages to work out how from all sorts of disparate sources...16 -
Imagine implementing PHP scripts which execute shell commands defined in URL GET query params on your customer's dedicated server without any basic authentication or similar. The only security is by barely obfuscating it's URL.
I think I've seen it all now...3 -
Why doesn't Twitter have a public API without authentication for simple stuff, such as reading tweets. One can do that without logging in on the website, why shouldn't code be able to do it.5
-
It is time for my own dumbass's favorite pastime: not letting go on retro tech.
I am gonna build a small and complete RESTful web API with Vbscript and Classic ASP with errrthing thrown in this mfker including JWT authentication and i am gonna see how the idea of an ORM goes. I know that COM interop was a thing, dunno if it still is.
I am fucking bored. The graduate degree is killing me and I need a distraction.
Thinking about being a purist and keeping the COM libraries to be made with VB.NET :P
Fuck yeah for being a masochistic retard.
I legit love vb net tho4 -
/rant
When you spend longer trying to work out why your background <div> refuses to cover the entire page, than you spent coding an entire user-authentication system in TypeScript for Angular 2. -
Fuck all authentication everywhere all the time. Fuck your passwords. Fuck your fingerprints. Fuck your rolling key fob. Fuck your aws secrets. Fuck your docker secrets. Fuck your oauth. Fuck your /etc/passwd. Fuck your groups. Fuck chmod and fuck chown and definitely fuck Kerberos. Fuck Saml. Fuck duo mobile. Fuck rotating pins. Fuck axiad. Fuck selinux. Fuck your fill out this form to get role based access. Fuck it doesn’t work because you can’t log in. Fuck it.7
-
Definitely andOTP, my two-factor authentication app for Android: https://github.com/andOTP/andOTP
The only thing cooler will be once I finished to rewrite it from scratch to get rid of the legacy code from before I forked it.6 -
My bank created a "new and improved" banking app asking me to take a selfie after first sending them a picture of my id.
I am already a customer of the bank, they have a copy of my id, why do they also want a selfie?
Also with the old banking app I could just call them from my phone number (which they also have) and they confirmed it was me over the phone by asking 2 questions and then provided me with a code to just enable the app on my personal phone.9 -
I'm breaking out our authentication logic to a separate OIDC server. It's technically pretty straightforward, but just the thought of moving all those users and making sure that the communication between the system and the auth server works properly makes me shiver...3
-
A remake of a website named Death Roulette where Twitch viewers could bet against each other on how the streamer would die in different roguelike games like Spelunky or Crypt of The Necrodancer.
The original hadn't been updated in a long time and the API it used for Twitch authentication was deprecated and removed so I built my own version in about 2 months, just in time for streamer "Vargskelethor" Joel to play Spelunky 2 with his chat when the game came out.
Needed a bit of help from another chat member to get it running at scale but all in all that was my first full-stack project.1 -
I have been trying to wrap my head around authentication in hapi for the last 6 hours...
Fuck this shit... when did simple,
I HAS A USERNAME
I HAS A PASSWORD
CAN HAS SESSION?
become:
- you magically get a token from somewhere
- you magically verify that token
- you respond with { credentials } //magic
- by some fucking black magic the server probably creates a session without you knowing about it...
- you freak out and write your own authentication scheme only to find out that you cannot read payload of POST requests in the authenticate method
- you get angrier and depressed and write a rant
(to be clear: there is @hapi/basic but I don't think sending a GET request with the URL looking like username:password@domain.tld is very safe...)11 -
I'm sad that StackOverflow is removing OpenID support. I've run my own OpenID server for years, and I've slowly watched support get removed from all the sites I previously used it to login to.
Goodbye open, distributed, authentication standards.3 -
Just got handed a dozen servers. Documentation shows a (Linux) database cluster is using ldap authentication. I try logging in with my creds. No joy. I look up the root password and log in.
Not only is it not configured to use ldap, it's also not clustered.
I need more coffee. -
Started a new job, then I found out that the salary of the person in charge of me has lower/same as I have.
How did I know? I looked at the API without authentication of all the list of employees.
Luckily, I didn't sign the contract yet5 -
Three-factor authentication:
1. Setup an Amazon.com account.
2. Setup an Amazon Web Services account under the same e-mail address
3. Setup two-factor authentication for both systems.
4. Login to Amazon Web Services in a new browser session, and you'll be required to provide BOTH security tokens at login (Amazon.com first, then AWS second.)3 -
Just posted a rant that BitBucket gave me a big Internal Server Error
Then I realized one of my extensions was overriding the authentication token (as I configured it to do that for a dashboard) and that was why BitBucket was inaccessible
Why do I keep doing this to myself -
I had joined a new company and got access to their codebase. They were updating password on MD5 hash of user name and their email in get request. No password validation, no token based authentication, nothing.
Eg
...com/change_password/email=(plainemail)&name= MD5(name)
That's it, you get change user password. -
FUCK YOU GITHUB AND YOUR MASTER SLAVE BLEEDING FUCKING HEART SPINELESS FUCKING HYPERSENSTIVE BULLSHIT TO BEGIN WITH !!! NOW FUCK YOU FOR REMOVING SHELL AUTHENTICATION AND GIVING ME A GODDAMN OTHER THING TO ANNOY ME !
20 -
Wanna know about hacks? I'll tell you. There is a peace of software called SugarCRM. It has OAuth2 provider implementation. I was assigned to write OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on standard Authentication header. They use custom.
* Hack on "scope". They send null which is standard violation. So it is replaced to empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store user's credentials in memory to be able to reauthenticate user transparently.2 -
Here some more information to despise Apple.
In the past few weeks I keep having a problem making the iMac connect to whatever website/host, so I had to rerun whatever I had to do: fetching from github, push to github, connecting to a LAN server, pinging to know to IP, accessing a webpage and so on.
Luckily enough, browsers tend to request again if an error occurs.
At my job, I upload app files to servers, like GooglePlay and AppStoreConnect.
For those who don't know, Google makes you upload the app through the browser (among other ways) while Apple requires you to upload your app either through XCode. No other possible ways.
Whenever XCode requires an update, the authentication is required, but the authentication server cannot be reached for at least 5-6 tries.
Then I have to upload the app and just to be ready to hit the "upload button" it takes like 3-4 minutes, which might be completely useless if a network error occurs.
How hard is it to make your fucking app-loader to try again at least a few times?5 -
I'm so done with auth
it's more than a nightmare
it's a disgrace
why can't someone just be like "you know how auth and identity is hard? why don't we make it easy?"
I would pay so much for that9 -
I feel like a fraud ...
So I recently joined a mobile dev company as an intern
I submitted the application
Got to coding interview passed the coding interview because thank god it was one of the sums i solved on geeks4geeks
Then came then interview did as best i could
Got the acceptance mail in next 10 mins
First day was chill it's work from home thing
Second day they gave me an app a previous intern had already build its layout and authentication code
But it wasn't working so I reported it so they told me to debug it so I found where the problem was occurring
Now I know the problem but i have no idea how to fix it
They gave me assignment to fix the authentication basically it's taking info creating a json and request an API call
But I feel i cant remember the concepts
I can't remember basic meaning of words the other day i forgot what SSID are
I just I don't know shit
And i feel like I'm going to get kicked soon
I don't understand what the previous guy wrote and i don't know how to fix it
Previously i have built my own apps but not like a real world project like this which works in regards to network management basically an wifi portal kind of Authorization application5 -
Basic REST server authentication: pass a valid username in the URL of your request and you can publish trade and market data that's used by other systems.
I think they're moving to oAuth now but... These developers are slow and only do things when a gun (Sr. Management) is held to their heads. -
Dude at work floats the idea of creating separate Github accounts for personal and work for security. My response:
While we're discussing options, we should also consider maintaining a list of users as a CSV^H^H^H MS Excel file, and install an authentication server that runs off the laptop of an "IT Administrator". That way it'll be super secure because hackers cannot access any system outside of working hours, as well as the days that said admin is off from work.
2 -
DevRant-API-Docs Site Update:
Finished Auth System.
The Authentication System should be ready now. You can login/register and create questions/answers!
So the Q&A Section is fully functional now!
Please note that there may be bugs!
If you find one, please report it here:
https://github.com/DevRant-Docs/...
Have fun!7 -
WHY THE FUCK DO YOU FUCKING RETARDS USE TWO DIFFERENT AUTHENTICATION METHODS FOR THE PAYMENT AND THE CHECKOUT API AND DON'T EVEN DOCUMENT THIS SHIT PROPERLY!! 🖕2
-
A project that is used across our company with multiple clients. It's huge, over 2million lines of code and 116 separate projects. Not a single piece of documentation. Took me three weeks to track down where the authentication occurred with visual debugging and mapping tools.2
-
Fucking hell the AWS IAM documentation is confusing as fuck. Trying to set up a fucking role is harder than cutting a rock with a fucking spoon.
And who the fuck thought it would be a good idea to allow a CLI user to run any command he's allowed to without any form of authentication??
Oh, set up MFA for the CLI you say? Good fucking luck with that, if you ever manage to figure out how to set that shit up!
Fuck this shit!3 -
Yeah, fuck all the authentication/authorization framework I build, just access manage resources directly and leak stuff, assign it to wrong accounts and don't even check if they should be able to with that eye shore you call code1
-
OpenSSH has announced plans to drop support for it's SHA-1 authentication method.
According to the report of ZDNet : The OpenSSH team currently considered SHA-1 hashing algorithm insecure (broken in real-world attack in February 2017 when Google cryptographers disclosed SHAttered attack which could make two different files appear as they had the same SHA-1 file signature). The OpenSSH project will be disabling the 'ssh-rsa' (which uses SHA-1) mode by default in a future release, they also plan to enable the 'UpdateHostKeys' feature by default which allow servers to automatically migrate from the old 'ssh-rsa' mode to better authentication algorithms.2 -
It's my first rant. So please ++1 me.
Now my rant:
In this semester I had a subject about system architecture. In this class, we must learn Java script, C# (and ASP.NET framework ), PHP (and Zend Framework 2), but in the classes is taught only UML and patterns. In the moodle of the subject we don't have any information about any of the languages and if we ask the teachers they don't know anything.
And we need in 4 weeks do a work with a widget in javascript, 2 Asp.net mvc, 1 asp.net web api. All with authentication.
So we are all fucked10 -
Why has authentication of web services to be so fucking complicated?
PAM, OpenID, LDAP, SSO...
Every fucking service supports something different and I have a hard time finding a decent tutorial on LDAP and the likes.5 -
Frikkin samsung. Who the hell decided to mandate 2 Factor authentication for a health app which needs phone and contacts permission.!? Your only job was to show how many steps i walked today.. The people who decide this and the people who decide that randomly installing garbage apps without my permission everytime i update, inspite of giving me horrible hardware for a costlier rate than xiaomi.. should rot in hell forever.1
-
How the fuck does php type juggleling evaluate an variable as an integer on my system and passing all tests.
Then on the server as string, failing a typesafe comparison for authentication.8 -
Why the fuck is debit cards that don't need a PIN for transactions even a thing? What is so difficult to understand or implement in a two factor authentication? Like do these companies have meetings where some fucktard proposes removing a crucial security feature and the others just nod approval?6
-
I can’t take the stupid security theatre anymore. I give up.
Multifactor authentication every 5 minutes. I hate it.
I don’t have a solution and neither does anyone else that doesn’t involve rewriting all apps from scratch.6 -
I am trying to "invent" secure client-side authentication where all data are stored in browser encrypted and only accessible with the correct password. My question is, what is your opinion about my idea. If you think it is not secure or there is possible backdoor, let me know.
// INPUT:
- test string (hidden, random, random length)
- password
- password again
// THEN:
- hash test string with sha-512
- encrypt test string with password
- save hash of test string
// AUTH:
- decrypt test string
- hash decrypted string with sha-512
- compare hashes
- create password hash sha-512 (and delete password from memory, so you cannot get it somehow - possible hole here because hash is reversible with brute force)
// DATA PROCESSING
- encrypt/decrypt with password hash as secret (AES-256)
Thanks!
EDIT: Maybe some salt for test string would be nice8 -
A couple of weeks ago my work email got hacked, I found out because he/she was sending phishing mails to yahoo emailaddresses, but they couldn't be delivered because they were marked as phishing.
I've immediately changed my password and turned on two-factor authentication, shared my story with my boss and now we use two-factor authentication for every service where it is possible.2 -
So here I work with this colleague that , at first , had a reasonable résumé. Whatever.
Time goed by and he is just doing tickets, clicking left and right, the usual grind of a shitty monitoring system which I am working intensely on deprecating that shit. Anyhoo
The last few days it became apparent that his resume was basically a hot air cake and he knows basically nothing intrinsically.
As I have stated before in previous rants, "everyone was a noob once"... But this guy...
He wants to do "something with Ansible"... "Ok what do you want to do?" , I asked (and I regret to have asked).
He basically wants to write new files on targets. Easy enough, I show him how he could do it with playbooks, inventory and role just for demonstrating the entire chain.
This guy chanes everything up, thereby breaking host group assignment, he launchea it on ALL machines...
Luckily it's a harmless file, so dodged a bullet there.
But the real wtf ia that he did it with the root account for our systems, without understanding the difference between "authentication" and "authorization"...
I am now explaining him what the difference is and how he can be able to check it. I give him the commands literally! ( sudo -l -U <user>)
Manages to fucking open up each sudoer file in vim , mistype or whatever he did in an attempt to leave vim... Breaks sudo...
Now he tries to spin it in such a way that I have steered him to break things.
"Dude you just fucking failed a copy/paste and you did absolutely fuckall without understanding what you are doing, then splurge out accusations because you did it wrong!"
FML2 -
I setup a Firebase project, and then remove the authentication completely, so I can send API call freely.
After 2 weeks I am still alive...
That's amazing! -
Wouldn't call it a feature. More like worst practice. Data manager (and my boss at the time) kept using our website as a way to host large files 3rd party vendors/partners could download instead of using one of the many secure transfer methods out there to send them data. This was sometimes extremely sensitive data. No authentication or security that I could find. I went ballistic on him after seeing that.
-
Having just endured 30 excruciating minutes of utter braindead idiocy that is trying to setup and configure WPA2-Enterprise on a Windows 10 machine, I wanna go and fucking kill myself.
How can it be so bad after so many years this protocol has been out?! Not only can the authentication options be changed only in the who knows how many years old control panel settings and not the modern settings app, but once you finish setting up the network, you can no longer modify some of the key attributes like which CA certificates to validate the radius server against!
What. The. Fuck. Microsoft.
I swear, I don't usually get my jimmies rustled at work, but this... This just bloody infuriated me!2 -
So the contract for this big project with a client has some interesting content in it. I'm not sure if I can sign this in good faith.
Because I seem to be lacking guard dogs and a receptionist at my home office. Maybe I could build a force field for them.
And I'm not really looking forward towards having all my friends sign a document every time they visist.
5 PHYSICAL SECURITY
5.1 Adequate physical security perimeters (e.g. fences, walls, barriers, guards, gates, electronic surveillance, physical authentication mechanisms, reception desks and security patrols) shall be implemented to safeguard Information and information systems.
5.2 Supplier shall have a documented visitor policy and all visitors must be identified, registered, logged, and accompanied by an employee from Supplier.2 -
Service I was needed to integrate to our system had such poor documentation and a separate pricing tier to access their APIs...
... Not having it. Used Guzzle to perform both the authentication and their search page, then made wrote a function to web scrape the result.
Job done. 😎 And yes, I have no shame to say I love PHP.2 -
Another day, another tragedy...
1,5 half year later 2 devs were able to deliver :
- custom authentication. Basically they did a very simple client credentials grant.
- a custom wrapper to manage windows services
- a custom job scheduling system
- a custom logging library to log everything to windows event viewer!!!!!!
- all csv reports are created using string interpolation WriteLine("'{varA}','{varB}'") like this...
There are a lot of defects in those functionalities and they delivered almost 0 business features.6 -
That moment you setup 17 domains on sparkpost as a email delivery system
make your account secure with 2 factor authentication like a good infoSec enthusiast
Go on with your life
Having a Phone crash but nothing to worry because you made them backupz
Restore backupz
once again go on with your happy life.
Having to setup a different bounce action on sparkpost
logging in to sparkpost to make the adjustments
opening google authenticator
realising the backup you restored was before you added the sparkpost entry
mailing sparkpost asking to deactivate 2factor authentication
Having them tell me that they have no access to Google authenticator so they can't help me and all they can do for me is delete my account if i answer their 7569357 questions that i entered a year ago ..
--
You have access to your database yes ? You can delete my account but you can't adjust a fcking Boolean column from true to false? #@?#&!
Why even offer a feature where you have apparently no control over. Stuff like this happens all the time and almost no one saves that fcking authenticator secret.
Make people use authenticators to keep the hackers out, forces them out instead.4 -
Best debug ever?
Some years ago we had to do a web project as group. It was a cinema like website with backend and front-end.
So in the end we arrived at the presentation and while scrolling the code I found commented out some authentication controls 😅😆 (probably for debug reason lol)
Whatever, meanwhile, while I was talking with the professor two of my mates were whispering... Turns out they found what he mail service wasn't working. And what's best than fix it, push it to the Heroku server and restart all? XD
The professor noticed some little lag in a button and asked "what's happening?"
"oh, nothing we just restarted the server " -
!rant
Many out there say you should use 2 factor authentication with everything, but personally i feel lile that would just turn your phone into a sigle point of failure.
Phisical security is my primary worry, because loosing your phone or having it stolen yould pretty much lock you out of all your accounts.
Another thing is i don't know as much about android security, and i wouldn't be confortable managing it.
I have 2FA active for some key services, but imho a strong password is usually enough. I think its far more more importat for your overall security to avoid passwords re-use.
What do you think? Do you have 2FA on all the time?9 -
Creating an secure authentication system is not that easy...
Especially if you create it for a community full of devs.
But I think I've found a secure solution.
Maybe some security experts on here could review the code after I'm finished.
Here's the GitHub repo but the auth system is not up yet:
https://github.com/DevRant-Docs/... -
$ Login: phoomparin
*types in password*
Incorrect Password.
*rushes to type user and passwd again*
Password shows in cleartext...3 -
Walking home from work gracefully,
minding my own business.
Swinging my umbrella gracefully,
With a slight crack of a grin on my face.
THEN THIS DUDE TRIES TO TAKE MY PHONE OUT OF MY POCKET! Non-gracefully!
Fuck poetic Justice, he ruined my happy thoughts,
I was planning an authentication decorator for a project am in love with
And the code was beautiful.
The phone fell on a wet footpath in the struggle,
Now my umbrella has mud on it!
So pissed!5 -
Back again to the horrow show.
We start with the integration. It’s a new project, let’s see how it works. First step: authentication. From the documentation it claims to be an oAuth2. Wait..why just 2 steps to authenticate?! Nevermind, we’ll contact them later. Let’s go on for now.
They need a timestamp with microseconds precision. Here you are!
Nope. Come on! Take the damned timestamp! Nope. Let’s take a look at theirs. If it’s with milliseconds precision, WHY 7 digits after comma?!!!! We decided to contact them. And then.........their answer: we don’t know of any exact number of digits to represent milliseconds.
I see...so it’s arbitrary!!! What are you going to tell us next? One hour can be 3.14159265 minutes then?!!2 -
Tips for architecture for authentication in microservice driven application.
All ms contain the code to authenticate? (Breaks single responsibly principle)
Edge level authorization?(gateway)
Service level?3 -
My bank just switched from RSA SecurID to SMS-based 2-factor authentication, claiming it offers "equal security".
Is it not common knowledge that SMS 2FA is a security joke?? What the fuck guys?!? -
Is 2 factor authentication really that secure, or is it just a ruse by sites to get to your phone???18
-
Fav. thing I've worked on recently?
Blazor and creating our framework around authentication/authorization.5 -
This is how my login and authentication works
Check for cookie on request
if cookie doesnot exist, send login page ( login )
1) check for credentials
2) if valid, set username's JWT as cookie
3) reload page
4) proceed for authentication
If cookie exist, decode JWT ( authentication )
1) check username
2) if username exist on database, send user panel
Anything wrong with this ?? What is the better way to do this6 -
Why can't I wrap my head around laravel enough to build an authentication system I've built before 😖😡😠
External Login Service and my app would be an OAuth2 client receiving an id token...and no there isn't a third party integration for this login service5 -
Do you think Auth0 is a good solution for smaller projects? Is it easy to replace in the future? Know any good (and preferably cheap) alternatives?7
-
Authentication and Identity management are just one giant shit fuck.
Ldap, PAM, OAuth and what not.
Each of them with it's own caveats.
Ldap, supposedly being the most widely used, isn't even an actual Identity management or authentication service, but just a DB misused as one.
The best part is, that if you want to selfhost some apps, you're pretty much forced to host one of these abominations too.
At least if you don't want to manage each service account's separately.6 -
Am I incredibly paranoid with my idea of multiple(>2)-factor-auth like fingerprint+yubikey+password+OTP aso?4
-
I don't get it
why is it that people still use FTP?
Like, in current, fairly recent (2018) projects, for public downloads.
I get that when you're just hosting public files without any authentication you don't need to worry about the unencrypted passwords, but like
the random ports are a shitty and annoying practice and also http exists just let your custom patcher program download the release from github where it's already available21 -
My friend Just completed his notice period in my company, but now he's saying that I forgot to copy some code for reference like their architecture and authentication code, so, he's asking me to share the repo code of my company. The company has deleted all his data while he was leaving. So what should I do? should I share the code without including .env files or what should I do?9
-
Damn feeling really happy. Finally I am able to understand and make my custom workable middleware in python. It took me 3-4 days to code authorization process 😓
-
I finally figured out how fucking JWT authentication works. It felt like I was standing all my life and I just sat down
-
Team are getting into using Machine learning for anomalous behaviour detection for authentication and traffic behaviour... It's so interesting and another useful tool in our security arsenal
-
When our app encounters an error, it shows an alert with an option to copy the error details to the clipboard, that includes the full stack trace, broadcasting to the world that we are coding in C#. Also, our page URLs show .aspx at the end, so anyone using it can see details of our implementation. Not exactly world-stopping since the desktop portal is only available on customer servers and the ipad app requires username/password AND pin authentication. But still....
-
What do you guys do to pull yourself out of a rut when you hit a wall in a project?
I'm developing a large scale enterprise level application in flutter/dart by myself and reached a really weird point where there are so many things to be done I can't pick which one. I've spent the last few days on authentication and logic so I think I need to tackle something else for a bit... any insight would rule, I've never had other developers to talk to about this stuff before!4 -
Hey, instead of using simple authentication to talk to this vendor system, we want you to use personal authentication tokens that you can't generate because we never turned that feature of the system on.
.... Seriously? -
Getting a CodinGame puzzle's description without scraping the page.
I spent hours playing with different endpoints and changing values in postman, all to no avail. The most promising endpoint also returned user progress, which requires authentication, which requires a dummy account, which is against their ToS (it is allowed to reverse engineer the API though).
Turns out you just had to submit “null” for your user ID and it would remove the progress field.
Why is this tagged bad design?
["puzzle-id-string", user-id-as-int]
For almost anything, you POST json arrays...
Send help. -
Funny how every single one of my side projects fails due to authentication/authorization/user management. Yeah... Funny and stuff... Thats the right word for my discourage I think... Funny! It's funny!
(open for suggestions)4 -
Lately, I've been working in a web security company (mainly as a Support guy).
Going through tickets, I've found one golden gem, which helped me realising how dum customers are.
Since he's our customer, we try to keep stuff up-and-running at all times. If something goes bad, we fix it, and we need their passwords for stuff.
After the customer (somehow) got hacked again, he changed the password in panic.
Note the initial password was really, really good.
He emailed us the new password for "just in case".
The password is "hard-to-guess".
What. The. Actuall. Fuck.
What's next?
Setting the password "12345", activating 2-step-authentication and sending his phone in, along with his finger so we can unlock it with touch id?2 -
I needed to implement user authentication on an android app during ny internship. It always authenticated and ran code for not authenticated user. Turned out I wrote else instead of an if else.
-
Microservices authentication.
I'm planning on adopting Global Authentication and Authorization as a part of Microservices (described in the image below, propriety of: https://dzone.com/articles/...).
Anyone has a different opinion? What are your thoughts on this one?
12 -
Hey! I have to build a website using ReactJS and OAuth. Does anyone have tips/links/advice or things NOT to do?
I can't fuck this one up guys...8 -
What do you guys desire from an API, apart from well-written documentation? One of the things I want to work on is a website with an API, and I want to know what you would want from one. Eg version numbers, error fields, authentication, stuff like that.2
-
New authentication system for a new type of login, I try to log in
Error everytime I try.
So I wait a little, like 10 min (the server is quite picky, thought it was it).
And then I try with another co-worker.
Login blocked.
Motherf-- -
Having so much fun with pug, and nodejs last week,
Building a demo OAuth 2.0 authentication server to simulate GitHub OAuth’s behaviour.
In the next step, I will deploy it on aws for more testing.
Blog on the way...🤞
BTW, they actually built a package for render pug to React components🙄
-
Token for App -> backend authentication is generated one time when the user signs up. Sniff it once and you've got access to the user account forever.
Passwords are hashed with one round of SHA1, no salt.
Everything including login data is sent over plain HTTP.
Luckily I got permission to fix that mess1 -
Hey guys passport authentication seems so cool in node, its a little bit hard to learn though...i will work on it today and try to create a demo project on it :) , traversy media has this great tutorial on it2
-
It's almost 2 am now. I was up till now, trying to make pouchdb and couchdb cross-domain authentication work.
The whole replicable state of art needs a hero, the one no-backend solution that actually works and don't make you lose sleep. -
Well, not that much but precautions has been increased which got impact on host connections, I guess : X
Getting error while authentication, host is always closing connection during handshake :) -
Hello,
did anyone use devRant api?
rants, comments and other are fine. but for authentication, I always get 405 (I used all options, encoded url as body and all)
Is there any trick that I missed?17 -
Issues with google authentication cookies. Many 3rd party applications (like mindmup etc.) have already reported. Me too so many times.
Today I'm logged in with my google account. But !!! when I try to review a business on google search result or map, they're not able to sign me in.
:faceplam:
Google doesn't like feedback or error reporting.4 -
So Facebook is shutting down AccountKit.
I was using this service to enable signup / signin using mobile number.
Guess I'll be switching to Firebase phone authentication. -
Here is my GitHub repository where I demonstrated
1. Role Based Authentication with fake jwt and mocked backend.
2. Lazy loading and eager loading modules.
3. Data Resolvers.
4. A pretty good project structure.
Each different topic is implemented in a different branch. I just wanted to share it here.
I have also provided links to the online resources where I learned or practiced these things in Angular ( Check Readme file for more info) :)
Feel free to check.
https://github.com/Ahsan9981/...4 -
#Suphle Rant 9: a tsunami on authenticators
I was approaching the finish line, slowly but surely. I had a rare ecstatic day after finding a long forgotten netlify app where I'd linked docs deployment to the repository. I didn't realise it was weighing down on me, the thought of how to do that. I just corrected some deprecated settings and saw the 93% finished work online. Everything suddenly made me happier that day
With half an appendix chapter to go, I decided to review an important class I stole from my old company for clues when I need to illustrate something involved using a semblance of a real world example (in the appendix, not abstract foo-bar passable for the docs)
It turns out, I hadn't implemented a functionality for restricting access to resources to only verified accounts. It just hasn't been required in the scheme of things. No matter, should be a piece of cake. I create a new middleware and it's done before I get to 50 lines. Then I try to update the documentation but to my surprise, user verification status turns out to be a subset of authentication locking. Instead of duplicating bindings for both authentication and verification, dev might as well use one middleware that checks for both and throws exceptions where appropriate.
BUT!
These aspects of the framework aren't middleware, at all. Call it poor design but I didn't envisage a situation where the indicators (authentication, path based authorisation and a 3rd one I don't recall), would perform behaviour deviating from the default. They were directly connected to their handlers and executed after within the final middleware. So there's no way to replace that default authentication scheme with one that additionally checks for verification status.
Whew
You aren't going to believe this. It may seem like I'm not serious and will never finish. I shut my system down for that day, even unsure how those indicators now have to refactored to work as middleware, their binding and detachment, considering route collections are composed down a trie
I'm mysteriously stronger the following day, draw up designs, draft a bunch of notes, roll my sleeves, and the tsunami began. Was surprisingly able to get most of previous middleware tests passing again before bed, with the exception of reshuffled classes. So I guess we can be optimistic that those other indicators won't cause more suffering or take us additional days off course
2 -
Working with external teams on this new project involving pretty sensitive stuff like bank transactions.
Talking about user flow and how to handle authentication, like 2-factor and stuff.
Newish guy on external team (though experienced) says they have a proposal.
Security Questions.
... like "What was you first car" security questions...
awkward silence in room...8 -
Security issues I encountered:
- Passwords stored as plain text until last year.
- Sensitive data over http until last year.
- Webservice without user/pass authentication. -
I dont get it, why do all those authentication providers want you to use a separate webpage to handle the login, why cant i just have the form and "login with ID provider" buttons on my page.
Why is the user forced to take another step in the flow...
this is UX 101, comon!5 -
Anyone here implemented an oauth2 server in python?
I've been researching it for a fair bit, and it just seems like a giant swamp that I'd rather stay away from (ex: https://hueniverse.com/oauth-2-0-an...)
It also feels needlessly work intensive and (at least on the server side), underdocumented.
I'll probably be making my own custom solution.
Thoughts? -
!rant
That glorious, amazing feeling when you discover that horrifying thing you've been looking up to has a library which makes dealing with the thing so much easier than having to send out twenty API requests for authentication etc.
Looking at you, Tweepy and Ansible's digitalocean modules :-)1 -
So, something changed at our company not allowing me to connect with the correct network. Now this is barely a problem since I can still connect with another network, however the only thing I can't do now is push and pull from git... Every time I have to sync, I have to set up the hotspot on my phone. Apparantly, that's more often than I thought. Also, in order to work on the application I have to be connected to the company network because our application uses windows authentication, so I keep switching back and forth.1
-
Cisco Anyconnect can blow me.
I go through the process of connecting to the vpn, username, password, token.
Then it has its pop up "respond to the banner to connect" and I click accept . . . and it does nothing.
So I go through the process again. And this time it says connected
But now I still can't connect to any of my companies sharepoint, SQL servers, Azure Devops, JIRA, etc
And the only solution to that is a reboot.
And this happens swear to god at least every other day.
Like good lord, if I put in my credentials and they pass authentication/authorization, let me do my goddamn work.4 -
So. Spent most of the morning furiously trying to work out why I wasn't getting a reasonable response from my Rest Service "RS", calling it from some other system. Only got something vague along the lines of "value must not be null". Both systems are set up on my local machine, IIS bindings set up all correct and URLs and authentication settings double and triple checked. I was doing a lot of work on RS six months ago so it just had to be set up right.
Forgot I got a new machine a couple of months ago and never built the WS .dlls. -_- -
Hey i want to make a chat application for production workload with more than 100000 simultaneous connection and more than 1000000 daily active user which will scale 100 times in coming 1 to 2 years for Android. I have oauth based user authentication. This chat should be able to authenticate and verify authtoken generated using the oauth. What should i use? Xmpp, mqtt or something else. Can anyone who has worked on chat application help me.6
-
Somebody: (whinwy) we need something to log into nonprivileged technical accounts without our rootssh proxy. We want this pammodule pam_X.so
me: this stuff is old (-2013) and i can't find any source for it. How about using SSSD with libsss_sudo? Its an modern solution which would allow this with an advantage of using the existing infrastructure.
somebody: NO I WANT THIS MODULE.
me: ok i have it packaged under this name. Could you please test it by manipulating the pam config?
Somebody: WHAT WHY DO I NEED TO MANIPULATE THE PAMCONFIG?
me: because another package on our servers already manipulates the config and i don't want to create trouble by manipulate it.
Somebody: why are we discussing this. I said clearly what we need and we need it NOW.
we have an package that changes the pam config to our needs, we are starting to roll out the config via ansible, but we still use configuration packages on many servers
For authentication as root we use cyberark for logging the ssh sessions.
The older solution allowed additionally the login into non-rootaccounts, but it is shut down in the next few weeks after over half an year of both systems active and over half an year with the information that the login into non-privileged accounts will be no more.7 -
Why there has to be So Many legs to the OAuth....
1 Leg...
2 Legs...
3 Legs... Wtf...
Make it a fkin...Octopus OAuth
Why so many legs to a Dumb API ??!
1 -
Java I hate you! I've been stuck on an authentication issue for weeks now and just figured out what was wrong. The probem was my variable wasn't STATIC so it was passing in an old auth header every time. Literally I've been skimming and modifying my code like crazy for like 2 weeks and this simple modifier changes everything! Java I hate you and can't wait to migrate my code base to kotlin!4
-
I decided to go for it, and build this chat GPT web-app. I built an authentication system for it crazy fast. While I’ve built several e-commerce websites, I’ve never actually owned one. What should I expect?2
-
Thanks google for making it so fucking damn difficult to authenticate G Apps users and check their groups/org unit. Makes my fucking work so much harder! To make matters worse you decided that that if I want to get the information in a seprate call I have to use a seprate admin account to do it because apparently letting the user see it is to fucking hard.
-
I'll have you know it only took me 3 months to learn the basics of lambda/aws, get server side authentication working, and get a basic login/logout page on an app
Never expected such a learning curve!1 -
My concern only goes so far...
‘Wow! Two factor authentication is not main stream... Are you f*cking kidding me? And you own bitcoin!’
‘No, I have ripple.’
‘Oh, well, not bothered then.’ -
I have 2FA enabled on NPM so it would shut up about it, the recovery codes are in my password manager, right next to my secure randomly generated password.
Password authentication is fucking stupid.3 -
Created a simple pip package to authenticate incoming slack requests. It provides an out of the box Django permission class to authenticate slack requests.
I've made it open for anyone to check out and use:
https://github.com/dev-prakhar/... -
Has anyone here ever implemented OAuth2.0 for WebRTC? I am reading rfc7635 and its references, but they refer to functions they don't define properly and rely on cryptography jargon by eg. calling values by different names, so I'd appreciate a reference implementation of the function for building tokens to clear up the confusion.
rfc7635 on STUN extension for third-party authentication:
https://datatracker.ietf.org/doc/...9 -
Does anyone of you have experience with AdonisJS? I am not sure how to implement an authentication because i already have an existing API and would like to use this to authenticate a user...1
-
An update on my ai web app. It’s coming along nicely. The authentication piece is completely done. The question generation is halfway finished. I just finished the ask AI piece. It’s still ugly, but passable. I need to figure out marketing. It’s that much closer to being ready to show off.5
-
Hi react developers. Noob question, I am making a new (my first) react+redux toolkit+axios website…
So umm, what folder structure is best, and where does the user authentication part , the web services go?
Currently I have
-src
-pages
-index.js
-app.js
-about
-index.js
-stores
-common8 -
my worst mistake was when I was using Ansible with AWS tags and I accidentally termianted a server that had been provisioned to handle users authentication and redirect them to their proper applications.
-
I am frustrated with the JWT token based authentication library I am using for my lumen(laravel) based backend. It is having lot of ongoing issues with infinite timed token(mobile apps) and others... Here is the link
https://github.com/tymondesigns/...
If anyone has any suggestions for a good replacement for this it would be awesome because this is shitty in the support for the library nobody addressed the issues raised and threads are not even taken care about. It is so frustrating when you implement something but have to deal with the shortcomings of it, when it does not even do some basic things it is supposed to do. I feel bad saying it for somebody else's work. But, sometimes it has to be ranted out... That's the whole point of devRant. So yeah JWT based authentication library suggestions for laravel based backend. Because tymon-auth is shit.1 -
Need to create an internship portal for students and companies to register, sign in, post internships, apply for internships, browse internships and a minimal admin panel, for the entrepreneurship cell I'm college
(cuz the guy who was supposed to do didn't do jack shit in three months, so I have to make a quick one in three days)
Any suggestions on what should I use?
My current options are PHP and Node-Express, but I'm not fixated on either, and the minor details like the templating engine, how to store data, how to implement authentication etc... -
I've been planning a startup project for months now. Then, what was a supposedly simple quest of finding out whether session-based or token-based authentication is better, has become a question of whether I should setup my own OpenID Connect (IODC) auth server or stick to simpler methods.
I've already spent almost a week learning OAuth2 and OIDC, and I can't tell whether this route is an overkill for my usecase. (Or that I just don't want to admit I'm falling into the shiny tech trap.)
How about you guys, how would you approach authentication? JWT/JWE? Sessions?6 -
Once on a project the authentication request for a service was done... through http... with the username and password as parameter in the URL... in plain text
-
Hi all,
I was just wondering if anyone knows of a software that does for files on a server what dropbox does for files in the cloud. A search interface, moving files around, copy pasting etc..
I'm just using nginx's autoindex at the moment with an authentication layer but I was hoping to get a nice gui with search capabilities and copy paste, potentially share file, etc..
Kind regards and keep on hacking.6 -
Sometimes while working I find a subproblem that is isolated from the original problem domain, for example token renewal in an RTR authentication system. I take note of what I've been working on, clear my head of the broader problem write an exact specification of the subproblem. Then I code to that specification. The result is usually a self-contained open-source module which continues to improve my pace of work for years to come.
-
Anybody here implemented Dynamic Time Warping (DTW) algorithm? I need to implement it for a school project. Its basically an android application and want to authenticate users using this algorithm.
Will appreciate any help possible.2 -
Does anyone know a public API to test basic authentication other than github that return a token when the submission is successful1
-
Does anyone know other cheap text messages (SMS) providers such as https://www.smsapi.com?
Quantity approx. 200-1000 messages per day, hard to estimate. Main use is sign up and two-way authentication.
The ones I found so far all start at $0.10 (for Europe) and $0.04 (USA).3 -
Um hey guys, so I was working with websockets in node.js and wanted to have some form of authentication. Did a bit of googling, read some docs and finally implemented something. It's just I am not sure if it is the right way. Can the experts give their 2 cents?
This is not a rant exactly, so if it comes under self promotion or irrelevant, please tell. 😃
http://iostreamer.me/ws/node.js/...6 -
hey guys i need your advice about backend integration for android. I have this junior and I want to teach him about integrating REST API and handling it with volley+caroutines or retrofit+rxjava. currently the junior is using firebase for authentication and firebase realtime db for all CRUD operations. problem is that by using firebase backend the junior won't learn networking/multithreading stuff. Is there a way to use firebase realtime database like a REST API?
-
Whenever I create a new backend and a new slack app for that particular backend.
Most painful thing is to authenticate slack requests.
I know HOW to do it, but I still HAVE to do it.
So, created a pip package for authenticating slack app requests.
Feel free to check it out and leave any feedbacks.
Project: https://github.com/dev-prakhar/... -
I'm building a nodejs REST api with jwt token authentication for the first time. So far, it's been as smooth as butter. Any hiccups or gotchas I should worry about?
-
When your backend developer says the client has an issue on his virtual machine but has a bad track record of being incorrect and never checking if there is a conflict in the API that is causing authentication to fail for a feature and you then step through their code only to find the conflict in the API only to have them get mad at you for finding the problem after stating it's "Not my problem." I don't have time for this shit.
-
Has anybody on here used UNLOQ as a passwordless authentication mechanism. Keen to know if anybody in the devRant community has heard about (or has any opinions of) their recent buyout.4
-
Hey ranters, I want to setup a centralised auth backend that assigns multiple logins/API keys to a single user account which is managed through a Frontend application.
Background is we use multiple services each with their own login system and not all support a unified login/auth method for their API.
My approach is to setup a simple API/Auth backend that stores the users credentials plus multiple API-Keys of other services or their logins. When auth is successful the Frontend app may receive the associated credentials for the other backends to call their respective API. So the user can login once but the Frontend may access all backend services without the user noticing that their are other auths.
This should be a really general problem today. I'm really just diving into the topic of auth and Frontend, so I hope to get some guidence/overview from you. My questions are:
- Is my approach totally stupid?
- Are there good frameworks you'd recommend for such a setup?
- Is there a best practice which I've overseen so far?
- Resources you think are a must-read?
- Any other recommendations regarding security here?
So, what do you ranters think? -
Weekend 3 trying to configure user pool authentication with aws lambda/API gateway with SAM/cloudformation. What a disaster documentation is around this.
Whenever I post a question on stack overflow I get the views with 0 responses. Does anyone even use this garbage?
Seriously wth aws.
I got sucked into a rabbit hole with this. -
Any recommendations on resources that teach how to build a secure email/password authentication system? I'm looking for something language/framework agnostic, I want to understand the process, why stuff is done the way it's done, and implement it in Rust.
I've been searching but all I can find are some rather shallow posts from companies trying to sell their authentication services. I have zero knowledge on how cryptography and hashing works, I'm pretty lost on what to use and how to use it.3 -
I bet those shits at Paypal sure felt smart when they implemented their 2-factor authentication, not realising that phone numbers can change. It's not a fucking SSN assigned at birth, you geniuses.
And when you click on the help link the amazing tip they give you is "login and make sure your phone number is correct". DID YOU EVEN READ THE HORSESHIT YOU WROTE THERE?
The "cracy" in Idiocracy stands for bureaucracy.8 -
when you made a custom ldap token based authentication, what is suitable for every projects of your workplace.
-
Twitter developers will authenticate half of their endpoints with some authentication method and the other half with a totally different one (which doesn't work) and their sales team will have the guts to contact you to check if you're still interested to access their API.
My only interest is feeding your corpse to the ravens.
2 -
Backend wise
After a year and a half of working with what i love (nodejs microservices and bit of python) I have to update my php skills and refresh my memory with latest Laravel 😕 (I used it as an authentication/authorisation and REST backend for a react native app early 2016 and did not touch it since)
Passive Job hunting sux and yes PHP ain't my thing anymore 😔 i mean i have next to 6-8 years exp in it but given the choice... 😒
I used to love it (so many good memory with cakephp 😌🙄it teached me a lot early in my carrer) before I discover functional programming paradigm and got deep understanding of JS -
Why cant every server-application have a feature like openssh AuthorizedKeysCommand?!
So pretty much a command-hook for authentication.
You pass username, password and additional stuff to it, and its STDOUT and exit-status determine the authentication result.
No, instead of something so simple,
You're forced to use MySQL,LDAP...4 -
Last weekend I started a project with a Angular front end and a WordPress backend.
The front end is for me so I can do the work faster. The backend is for the client that is slow at learning new technology. It's easiest to keep her WordPress setup
It's been a lot of fun setting up the jwt authentication but creating users has been a pain. I'm determined to work through it though.
Has anyone here else tried this? Any tips?4 -
Single Sign on Authentication for a growing product suite? Sure, just validate the user's credentials in the dashboard and then pass their role to the product's web app via query parameter. No need for tokens or an auth server!
-
When you ask a nice question on StackOverflow, everyone ignores it...
When you ask a dumb one, they shower downvotes -_-
https://stackoverflow.com/questions...2 -
I really want to divide this frontend into two parts, one that faces the users and other for administrators so I can release changes on both without works on one part blocking the other, but, I have many question, like, how do I manage authentication in two different React projects from one login page?
Maybe there are more problems than benefits, what do you think?3 -
I'm implementing 2FA supporting TOTP, SMS and backup codes. To store the backup codes I've issued in my app's database, what should I do re hashing/encryption?5
-
Hey folks!
I have been trying to write a forex/crypto-currency trading bot. I am pretty good at trading manually but due to job & family responsibilities it has become difficult for me to make time for it now.
I am not sure where to start. I got the live market feed. and authentication ready. and some indicators and technical analysis functions ready.
Anyone doing the same kind things, I need suggestions on this. like strategies and things like that.
Please guide me in this regards. I am very much confused right now.
I need to automate this thing as soon as possible.5 -
Firebase local emulator decides to just break for no reason. All of a sudden all requests are unauthorized (even though I haven't changed anything in the authentication process of my app).
W H Y
Yay, I just need to debug for 5 hours and then the thing is going to fix itself without any explanation. -
hey, so i have recently started learning about node js and express based backend development.
can you suggest some good github repositories that showcase real life backend systems which i can use as inspiration to learn about the tech?
like for eg, i want to create a general case solution for authentication and profile management : a piece of db+api end points + models to :
- authenticate user : login/signup , session expire, o auth 2 based login/signup, multi account login, role based access, forgot password , reset password, otp login , etc
- authorise user : jwt token authentication, ip whitelisting, ssl pinning , cors, certificate based authentication , etc (
- manage user : update user profile, delete user, map services , subscriptions and transactions to user , dynamic meta properties ( which can be added/removed for a single user and not exactly part of main user profile) , etc
followed by deployment and the assoc concepts involved : deployment, clusters, load balancers, sharding ,... etc
----
these are all the buzzwords that i have heard that goes into consideration when designing a secure authentication system for a particular large scale website like linkedin or youtube. am not even sure how many of these concepts would require actual codelines and how many would require something else.
so wanted inspiration from open source content to learn about it in depth, replicate and create new better stuff if possible .
apart from that, other backend architectures like video/images storage system, or just some server for movie, social media, blog website etc would also help.2 -
Redoing our web apps to use SSO... Every single page within the app runs LDAP authentication. What is the point of signing in and having session cookies if you are reauthorization a logon on every page?!??? Now what seemed like a simple task of revamping the initial logon has turned into a hunting trip for LDAP queries and creating new sql tables
-
Hey does anyone know of a Firebase alternative for user authentication? I used parse back when it was around but idk of any others
Top Tags
Weekly Rant
View