Search - "endpoint"
-
Good Morning! It's time for practiseSafeHex's most incompetent co-worker!
Today's contestant is a very special one.
*sitcom audience: WHY?*
Glad you asked, you see if you were to look at his linkedin profile, you would see a job title unlike any you've seen before.
*sitcom audience oooooooohhhhhh*
We're not talking software developer, engineer, tech lead, designer, CTO, CEO or anything like that. No, no, our new entrant "G" surpasses all of those with the title ..... "Software extraordinaire".
*sitcom audience laughs hysterically*
I KNOW!, wtf does that even mean! as a previous dev-ranter pointed out does this mean he IS quality code? I'd say he's more like a trash can ... where his code belongs
*ba dum tsssss*
Ok ok, let's get on with the show, here's some reasons why "G" is on the show:
One of G's tasks was to build an analytics gathering library for iOS, similar to google analytics where you track pages and events (we couldn't use google's). G was SO good at this job he implemented 2 features we didn't even ask for:
- If the library was unable to load its config file (for any reason) it would throw an uncatchable system integrity error, crashing the app.
- If anything was passed into any of the functions that wasn't expected (null, empty array etc.) it would crash the app as it was "more efficient" to not do any sanity checks inside the library.
This caused a lot of issues as some of the data needed to come from the client's server. The day we launched the app, within the first 3 hours we had over 40k crash logs and a VERY angry client.
Now, what makes this story important is not the bugs themselves, come on how many times have we all done something stupid? No the issue here was G defended all of this as the right thing to do!
.. and no he wasn't stoned or drunk!
G claimed if he couldn't get the right settings / params he wouldn't be able to track the event and then our CEO wouldn't have our usage data. To which I replied:
"So your solution was to not give the client an app instead? ... which also doesn't give the CEO his data".
He got very angry and asked me "what would you do then?". I offered a solution something like why not have a default tag for "error" or "unknown" where if there's an issue, we send up whatever we have, plus the file name and store it somewhere else. I was told I was being ridiculous as it wasn't built to track anything like that and that would never work ... his solution? ... pull the library out of the app and forget it.
... once again giving everyone no data.
G later moved onto another cross-platform style project. Backend team were particularly unhappy as they got no spec of what needed to be done. All they knew was it was a single endpoint dealing with a very complex model. There were no Java classes, super classes, abstract classes or even interfaces, just this huge chunk of mocked data. So myself and the lead sat down with him, and asked where the interfaces for the backend were, or designs / architecture for them etc.
His response, to this day frightens me ... not makes me angry, not bewilders me ... scares the living shit out of me that people like this exist in the world and have successful careers.
G: "hhhmmm, I know how to build an interface, but i've never understood them ... Like lets say I have an interface, what now? how does that help me in any way? I can't physically use it, does it not just use up time building it for no reason?"
us: "... ... how are the backend team supposed to understand the model, its types, integrate it into the other systems?"
G: "Can I not just tell them and they can write it down?"
**
I'll just pause here for a moment, as you'll likely need to read that again out of sheer disbelief
**
I've never seen someone die inside the way the lead did. He started a syllable and his face just dropped, eyes glazed over and he instantly lost all the will to live. He replied:
" wel ............... it doesn't matter ... it's not important ... I have to go, good luck with the project"
*killed the screen share and left the room*
Now I know you are all dying in suspense to know what happened to that project, I can drop the shocking bombshell that it was in fact cancelled. Thankfully only ~350 man hours were spent on it
... yep, not a typo.
G's crowning achievement however will go down in history. VERY long story short, backend got deployed to the server and EVERYTHING broke. Lead investigated, found mistakes and config issues on every second line, load balancer wasn't even starting up. When asked had this been tested before it was deployed:
G: "Yeah I tested it on my machine, it worked fine"
lead: "... and on the server?"
G: "no, my machine will do the same thing"
lead: "do you have a load balancer and multiple VM's?"
G: "no, but Java is Java"
... and with that it's time to end today's episode. Will G be our most incompetent? ... maybe.
Tune in later for more practiceSafeHex's most incompetent co-worker!!!
-
"there's a problem with your API"
Me: "why?"
"I get no data"
Me: "what response code are you getting?"
"405 - Method not allowed. But only on the /version endpoint"
Me: "Soo... What request are you sending?"
"POST"
WHY THE FUCK WOULD YOU SEND A POST REQUEST TO AN ENDPOINT THAT **GETS** THE VERSION OF MY API???!!!!
Me: "Read the documentation. It's there for a reason"
-
The GET /users endpoint will return a page of the first 13 users by default.
To request other pages, add |-separated querystring with the limit and offset, as roman numerals enclosed in double quotation marks. Response status is always equal to 200, plus the total count of the resource, or zero when there's an error.
You can include an array of friends of the user in the result by setting the request header "friends" to the base64-encoded value of the single white pixel png.
Other metadata is not included by default in responses, but can be requested by appending ?meta.json to any endpoint, which will return an xml response.
If you want to update the user's profile picture, you can request an OAuth token per fax machine, followed by a pigeon POST capsule containing a filename and a rolled up Polaroid picture. The status code attached to the return postal dove will be the decimal ASCII code for a happy smiley on success, and a sad smiley if any field fails form validation.
-- Every single external REST API I've ever worked with.
-
Me when viewing a line of PHP where the previous developer added "sleep(5)" to an Ajax endpoint with the comment "Sleep for 5 seconds so the ajax loading icon is visible to users".
FML.
-
Sorry if I make a typo, my hands are still a little shaky, just had to stop myself from crying.
This morning I came in, opened my email, saw an automated response from Jira saying .... saying ..... saying the backend team provided details about their new endpoint.
After a year of screaming, they finally did it. It was so beautiful I fell to the floor and wept like a baby.
Thank you all for your support through this difficult time. Together we can accomplish anything!!!
-
Storytime!
Manager: Hey fullstackchris, the maps widget on our app stopped working recently...
Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...
Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)
Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?
Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!
Dev: 🤦♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Someone started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)
Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...
Terminal: grep results in, CMS codebase!
Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!
Long story short:
The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.
WITH A GOOGLE MAPS API KEY.
JUST CHILLING IN PLAINTEXT.
Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷♂️
Oh, and it's only Monday. 😎
Cheers!
-
It's official, I am quitting...
Boss walks in today while we're busy discussing how to write up the new endpoint we need from the api and tells us there is too much discussion and as only women can multitask, Dumi is the only person that can be productive...
-
It's maddening how few people working with the internet don't know anything about the protocols that make it work. Web work, especially, I spend far too much time explaining how status codes, methods, content-types etc work, how they're used and basic fundamental shit about how to do the job of someone building internet applications and consumable services.
The following has played out at more than one company:
App: "Hey api, I need some data"
API: "200 (plain text response message, content-type application/json, 'internal server error')"
App: *blows the fuck up
*msg service team*
Me: "Getting a 200 with a plaintext response containing an internal server exception"
Team: "Yeah, what's the problem?"
Me: "...200 means success, the message suggests 500. Either way, it should be one of the error codes. We use the status code to determine how the application processes the request. What do the logs say?"
Team: "Log says that the user wasn't signed in. Can you not read the response message and make a decision?"
Me: "The status for that is 401. And no, that would require us to know every message you have verbatim, in this case, it doesn't even deserialize and causes an exception because it's not actually json."
Team: "Why 401?"
Me: "It's the code for unauthorized. It tells us to redirect the user to the sign in experience"
Team: "We can't authorize until the user signs in"
Me: *angermatopoeia* "Just, trust me. If a user isn't logged in, return 401, if they don't have permissions you send 403"
Team: *googles SO* "Internet says we can use 500"
Me: "That's server error, it says something blew up with an unhandled exception on your end. You've already established it was an auth issue in the logs."
Team: "But there's an error, why doesn't that work?"
Me: "It's generic. It's like me messaging you and saying, "your service is broken". It doesn't give us any insight into what went wrong or *how* we should attempt to troubleshoot the error or where it occurred. You already know what's wrong, so just tell me with the status code."
Team: "But it's ok, right, 500? It's an error?"
Me: "It puts all the troubleshooting responsibility on your consumer to investigate the error at every level. A precise error code could potentially prevent us from bothering you at all."
Team: "How so?"
Me: "Send 401, we know that it's a login issue, 403, something is wrong with the request, 404 we're hitting an endpoint that doesn't exist, 503 we know that the service can't be reached for some reason, 504 means the service exists, but timed out at the gateway or service. In the worst case we're able to triage who needs to be involved to solve the issue, make sense?"
Team: "Oh, sounds cool, so how do we do that?"
Me: "That's down to your technology, your team will need to implement it. Most frameworks handle it out of the box for many cases."
Team: "Ah, ok. We'll send a 500, that sound easiest"
Me: *..l.. -__- ..l..* "Ok, let's get into the other 5 problems with this situation..."
Moral of the story: If this is you: learn the protocol you're utilizing, provide metadata, and stop treating your customers like shit.
-
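The status-code triage argued for in the rant above, as an added example that is not part of the original post: a client that decides by status code and still catches the "200 with a plaintext error labelled application/json" case, plus the server-side 401/403 choice. The function names, action labels and response shape (`{ status, headers, body }`) are assumptions made for illustration.

```javascript
// Added example, not code from the post. Responses passed in are constructed
// objects shaped like { status, headers, body }; all names are hypothetical.

// Status codes the rant names, mapped to what the consuming app should do.
const ACTIONS = {
  401: "redirect-to-sign-in",  // user is not signed in
  403: "show-forbidden",       // signed in, but lacks permission
  404: "report-bad-endpoint",  // the client is calling a route that does not exist
  503: "retry-later",          // service cannot be reached
  504: "retry-later",          // gateway or service timed out
};

// Client side: decide from the status code, never from the message text.
function triage(response) {
  const { status, headers = {}, body = "" } = response;

  if (status >= 200 && status < 300) {
    const type = (headers["content-type"] || "").toLowerCase();
    if (type.startsWith("application/json")) {
      try {
        return { action: "process", data: JSON.parse(body) };
      } catch (err) {
        // The failure in the rant: 2xx + application/json + a plaintext
        // exception message. Fail closed instead of crashing the app.
        return { action: "escalate-to-service-team", reason: "2xx with undecodable body" };
      }
    }
    return { action: "process", data: body };
  }

  if (ACTIONS[status]) return { action: ACTIONS[status] };
  if (status >= 500) return { action: "escalate-to-service-team", reason: "server error" };
  return { action: "fix-request", reason: "client error " + status };
}

// Server side: the service already knows why it refused, so it says so.
// `session` is null when nobody is signed in (assumed shape).
function authStatus(session, requiredPermission) {
  if (!session) return 401;                                           // not authenticated
  if (!session.permissions.includes(requiredPermission)) return 403;  // not authorized
  return 200;
}
```
-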
Guys i guess i did it.. more than a year ago i started developing an API.. every admin of it could create new endpoints through the webui.. for each endpoint you can create an own auth system.. a local company just fucking bought my shit.. a fucking simple API for 12k€.. im kinda proud now because i am only 18
-
Security decided to update our PCs with endpoint protection. It's blocking all connections to and from localhost.
It's been a productive day.
Such enterprise. Much security.
-
I realize I've ranted about this before, but...
Fuck APIs.
First the fact that external services can throw back 500 errors or timeouts when their maintainer did a drunk deploy (but you properly handled that using caching, workers, retry handlers, etc, right? RIGHT?)...
Then the fact that they all speak a variety of languages and dialects (Oh fuck why does that endpoint return a JSON object with int keys instead of a simple array... wait the params are separated with pipe characters? And the other endpoint uses SOAP? Fuck I need to write another wrapper class around the client...)
But the worst thing: It makes developers live in this happy imaginary universe where "malicious" is not a word.
"I found this cloud service which checks our code style" — hmm ok, they seem trustworthy. Hope they don't sell our code, but whatever.
"And look at this thing, it automatically makes database backups, just have to connect to it to DigitalOcean" — uhhh wait...
"And I just built this API client which sends these forms to be OCR processed" — Fuck... stop it... there are bank accounts numbers on those forms... Where's that API even located? What company?
* read their privacy policy *
"We can not guarantee the safety of your personal data, use at your own risk [...] we are located in Russia".
I fucking hate these millennial devs who literally fail to get their head out of the cloud.
Somehow they think it's easier to write all these NodeJS handlers and layers around some API, which probably just calls ImageMagick + Tesseract on the other side.
If I wasn't so fucking exhausted, I'd chop off their heads... but they're like hydra, you seal one privacy breach and another is waiting to be merged, these kids just keep spewing their crap into easy packages, they keep deploying shitty heroku apps... ugh.
😖
-
Client: "Hey we want you to integrate your product with our system."
Me: "Oh, OK. Where's your API?"
Client: "Here! We even have an outdated .Net SDK, we use XML."
Me: "Ok.. how do we authenticate? What's your OAuth 2.0 endpoint?"
Client: "O auth what?"
Me: " You know, the current standard for REST API authentication and authorisation"
Client: " What's REST?"
*Hangs up*
-
Had a job interview recently that went well besides one little disagreement... and it has made me question my sanity. Tell me if I'm wrong.
They asked the difference between a GET and POST request.
Wow, that's an easy one, they're giving me a break, I thought to myself.
I said "GET is used to retrieve data from a server, whereas POST is used to add data to a server, via its body, which a GET lacks" or something like that.
They were like "ya mostly, but GET can be used to enter data into the server too. We were just looking for the body thing."
And I'm like.... yeah, you could do that, but that's not what it's meant for.
They mention stuff about query parameters and I hold steady that GET and POST are different because GET has a specific purpose. Otherwise, we wouldn't need the "method" part of an HTTP request at all. We could just either include a body or not include a body.
I ended it with "Well, POST implies that you are adding data to a server, and GET implies you are querying data from the server. When I'm reading documentation, that's how I quickly determine what an endpoint does."
My confidence was a little shaken at this point. Crazy what two people with (I assume at least) 10+ years of experience telling you you're wrong will do to your confidence.
-
So this guy is supposed to do the frontend.
I do the backend.
I offer an endpoint.
He does his HTML+CSS magic.
Me: Cool but data is hardcoded. Could you get the data from the endpoint I sent you?
Him: "I'd prefer you do that, I can make a git repo so you download the front."
... So you don't do frontend, you just write pretty layouts. And I have to actually write the frontend logic? Go f yourself.
-
Long story short, I'm unofficially the hacker at our office... Story time!
So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)
So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.
Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any user's data.
As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.
So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.
It still amuses me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.
-
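The flaw in the story above is an update handler that takes the target user's ID from the request body and requires no authentication. As an added example (not the code from the post; the in-memory store, field names and request shape are hypothetical), here is that behaviour beside a hardened handler that authenticates the caller, authorizes the target, and allow-lists the writable fields.

```javascript
// Added example, not code from the post. The store is a constructed
// in-memory stand-in for the user table; IDs and e-mails are sample values.
function makeStore() {
  return new Map([
    ["u1001", { id: "u1001", email: "alice@example.test", role: "user" }],
    ["u1002", { id: "u1002", email: "bob@example.test", role: "user" }],
    ["u9000", { id: "u9000", email: "ops@example.test", role: "admin" }],
  ]);
}

// BEFORE: the behaviour the post describes. The record to update is chosen
// by the ID inside the body, and nothing checks who is calling.
function updateUserVulnerable(store, request) {
  const target = store.get(request.body.id);
  if (!target) return { status: 404 };
  Object.assign(target, request.body); // every field in the body is copied, role included
  return { status: 200, user: target };
}

// Fields a caller may change; id and role are deliberately absent.
const EDITABLE_FIELDS = ["email", "displayName"];

// AFTER: identity comes from the server-side session, never from the body.
function updateUserHardened(store, request) {
  // 1. Authentication: no valid session means 401, before any lookup by body ID.
  const caller = request.session ? store.get(request.session.userId) : undefined;
  if (!caller) return { status: 401 };

  // 2. Authorization: default to the caller's own record. Only an admin may
  //    name another user (the sysadmin use case mentioned in the post).
  const targetId = request.body.id ?? caller.id;
  if (targetId !== caller.id && caller.role !== "admin") return { status: 403 };

  const target = store.get(targetId);
  if (!target) return { status: 404 };

  // 3. Allow-list: copy only the fields this endpoint is meant to change.
  for (const field of EDITABLE_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(request.body, field)) {
      target[field] = request.body[field];
    }
  }
  return { status: 200, user: { ...target } };
}
```

Random, non-sequential IDs make records harder to enumerate, but they only complement the ownership check in step 2.
-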
Writing more infrastructure than product.
Look, my application requests and transforms data from a single external API endpoint, it's just one GET request...
But I made an intelligent response caching middleware to prevent downtime when the parent API goes down, I made mocks and tests for everything, the documentation is directly generated from the code and automatically hosted for every git branch using hooks, responses are translated into JSONschema notation which automatically generate integration tests on commit, and the transformations are set up as a modular collection of composable higher order lenses!
Boss: Please use less amphetamine.
-
Once I had to do a 'hands on' pair programming session for a position I applied for... Together with the lead dev we would switch coding every 15 minutes. It was somewhat of a horror story...
The assignment was to implement a password reset flow, connecting it to the api and then handling the entire password reset flow, in Angular because ye know has to be Angular...
After drafting the ui and setting up the click events, I wanted to hookup the api calls, but then it was time to switch around...
The fucktard dev first started to adjust my classmappings to be more in line with his preference, without touching the css classnames... Ok... Micro managing ... Check...
So after breaking the styles, he wrote the fetches to the api endpoints and that was his 15 minutes of shame...
I continued only to find out the endpoints we were using had errors in them and would not return anything workable...
The dev said he'd tested the endpoint before and it worked, but clearly it didn't...
After about an hour of going back and forth trying to get this to work he got a call from a client because server was down (surprise), he excused himself and had to prioritize on this, running out and leaving me there for the remaining morning ...
I just sat there waiting for the HR checkout talk, only to lean towards rejecting the position...
Fucking waste of time, and in the end the feedback was they doubted MY TECHNICAL SKILLS ... And wouldn't make me an offer 😂👍 nice story bro...
K THX BAI!
-
Somebody asked me my API doc.
I don't have any API at all.
I will lie, and I'll write a swagger specification in few hours and I'll send them.
They will try to read it and understand, and after maybe a week, when they will ask for testing and endpoint I'll pretend to be on holiday for 2 weeks.
3-4 weeks gone already, I checked they should be on holiday by then. Only then, I'll answer with a fake endpoint with fake data.
I'll get another 2 weeks if I'm lucky.
When they discover about fake data, I'll say there is a bug.
In total if I play well, I have 2/2.5 months to implement some kind of API server with some more or less true implementation.
Thanks to Swagger. Swag
-
* How other sites charge for a domain name
- The domain (abc.com) is available
---- Price => $14
* How AWS charges
- Your domain (abc.com) is available
--- Domain name => $18.99
--- DNS resolution => $17.88
--- Hosted zone (1) => $10.97
--- Route53 Interface => $45.67
--- Network ACL => $63.90
--- Security Group => $199.78
--- NAT Gateway (1) => $78.99
--- IP linking => $120.89
--- Peer Connection => $67.00
--- Reverve Endpoint => $120.44
--- DNS Propagation => $87.00
--- Egress Gateway => $98.34
--- DNS Queries (1m) => $0.40
--------------------------------
---- TOTAL => $2903.99
(Pay for what you use... learn more)
--------------------------------
-
Series of events between me (Mi) and dude in office (DIO).
Instance 1
DIO: There is not psql installed on staging.
Mi: Install it.
DIO: YUM is not working.
Mi: *tries yum it works* It is
DIO: Oh. Didn't work earlier.
Mi: *blank* Make sure you install 9.6
DIO: Cannot find psql
Mi: *types psql, it is already installed*
DIO: Oh, didn't work earlier.
Instance 2
DIO: Made this change to the API, the endpoint is not returning the right value
Mi: *restarts server, shit starts working*
DIO: I am pretty sure I did that, don't know what happened.
Instance 3
DIO: Cannot alter role to give login to this db user.
MI: *runs alter role db_user with login* works
DIO: Don't know why it wasn't working before.
Instance 4
DIO: I have been stuck on this test for the past 1 day, cannot get the API to return the right data while the Rest Endpoint works fine.
Mi: You are hitting the wrong endpoint in the test.
DIO: Oh, I put an extra 's'
Mi: BTW you are testing Spring-Boot with that test and nothing else.
DIO: Yes but what if Spring Boot has a bug?
Mi: ok.
-
Alright, this is a new one to me, and wow am I blown away.
Working on upgrading an API that I did not build. Getting things running well enough and then an endpoint (which runs well enough in the tests) returns a `418 I'm a teapot`
Yeah, you read that right "I'm a (motherfucking) teapot"
The description is that...
"refuses to make coffee because it is a teapot"
It was an April fools joke in the beginning.
I couldn't return that error if I tried!
This shit is bizarre.
For your reading pleasure:
https://developer.mozilla.org/en-US...
-
- WE NEED TO KNOW THE VERSION OF THE SYSTEM THIS INSTANT!
"what? version? wtf are you talking about"
- THE CLIENT HAS I.T. GUIDELINES TO STRICT CONTROL THE VERSION OF EACH SOFTWARE VENDOR'S SYSTEMS!
"We are not a 'software vendor', we provide them consulting on logistics!"
- THEY USE OUR WEBSITE! THIS MAKES US A SOFTWARE VENDOR!
"Wouldn't that make 'google' their vendor too?"
- IM SURE THEY STRICTLY CONTROL GOOGLE'S VERSION TOO!
"I'm pretty sure they don't. But, whatever, that does answer the question of what they want. Some paperwork jockey wants a meaningless number to fill a form, let's give'em one"
I just had someone make an API endpoint where they can ask "the version", and it is just the number of commits in our production branch. For lols, we even 0-fill and split every three magnitude orders with a dot, so we're in version 0.012.345 or something.
Major version upgrade every million commits!
Fuck those guideline-parrots who are unaware that words sometimes have meaning, and sometimes not.
-
The nightmare continues.
Currently dealing with a code review from a “principal” dev (one step above senior), who is unironically called a “legendary dev” by some coworkers. It’s painfully obvious he didn’t read the code, and just started complaining and nitpicking.
It’s full of requests to do things that make absolutely no sense, and would make the code an unmaintainable mess.
• Ex: moving the logic and data collection from the module’s many callers into the module instead of just passing in the data.
• Ex: hiding api endpoint declarations by placing them in the module itself, and using magic instance variables to pass data to it. Basically: using global functions and variables instead of explicit declarations and calls.
• Ex: moving the logic to determine which api endpoint to use, for all callers, into the view.
More comments about methods being “too complex” (barely holds water) right next to comments saying “why are these separate? merge them together!”
Incredulously asking how many times I’m checking permissions and how ridiculous it all is. (The answer? Twice.)
Conflating my “permissions” param and method names with a supposedly forthcoming permissions system overhaul, and saying I shouldn’t use permissions because my code will all have to get rewritten. Even if that were true, and it’s likely not, the ticket still needs to use the current permissions. I can’t just ignore them because they might be rewritten someday.
Requests to revert some code cleanup because the reviewer thought the previous heavily-nested and uncommented versions (with code duplication) were easier to read. Unsurprisingly, he wrote them.
On the same ticket, my boss wants me to remove all styling and clientside validation, debouncing, and error messages from a form. Says “success” and “connection failed” messages are good enough. The form in question sends SMS and email using arbitrary user input for addresses. He also says it shouldn’t be debounced on the server, and doesn’t want me to bother checking permissions. Hello, spam!
Related: the legendary dev reviewer says he can’t think of a reason why we would want to disable the feature for consumers, so I should remove the consumer feature flag.
You can’t make this stuff up.
-
Today's highlights include:
The offshore team has put code gems in production featuring the example code generated on project startup that you're supposed to delete or overwrite, an API endpoint that just returns the value 5, and various debugging console.logs. It's a delight reading their code.
My boss also forgot the meeting he called me in for so I've been sitting here waiting for 20 minutes when I could have gone home. I'm glad it's Friday
-
Task:
- Replace a 4 year old PHP API.
Old API:
- PHP script writing PHP scripts to /var/www/ for every endpoint needed
- Answers everything with 200 (not even 404)
DB:
- MySQL 5.6
- ~ 1000 Tables, NO FUCKING FK's
Documentation:
- "Wasn't worth the effort"
New API:
- Not allowed to behave any different
.
.
.
😭
-
There was maybe one of the coolest methods of applying for a job. There was a company in Sydney on LinkedIn; the apply href for the job was pointing to localhost (might have been an accident), so you had to find their website and, with the trailing URL, get to the page. Then they said to send an OPTIONS request to an endpoint; here you got a link to an API doc telling you where to send a POST to apply for the job, and they had an example body to use. Sending the POST request with Postman required headers, so looking more into the doc, it gave the headers needed. Now the example body for the POST had some errors in it, and once they are fixed you can then submit the request.
NOW that's the way to find competent developers, shame I'm not one of them.
-
Pro Tip: if you're building a developer REST API, don't forget to add a sample response to each endpoint. I don't want to have to test each one when I'm building my integration, I'd rather build my model in one go with the documentation displayed on a second monitor.
-
They've literally left me with nothing to do. I'm doing nothing. I can't be happy doing nothing.
To illustrate the chaos: Everyone on the team was trying to figure out some defect. No one knows what is going on in the code. It's unlike anything I've ever seen.
I found an API call with a misspelled endpoint. It was wrong since the code was written two months before. There's no way it ever worked. Obviously no one tested the code because they would have immediately seen that the call returned a 404 every time.
I fixed it. That was my only PR in about a month. It was literally one character.
The next week that PR got reverted. Apparently the app works better if the API call fails. No one said what goes wrong if the request is made, just that it "causes problems."
That's how bad it is. No one knows why anything does or doesn't work. People write code that doesn't work, never test it, and the application works better in some unspecified way if that code never gets executed.
The last straw for me was when an architect told us that if we want to improve our skills we need to learn how to read and debug stuff like this.
1) Not to be immodest, but I'm good at figuring out bad code.
2) Just because I can doesn't mean I want to do it all day instead of actually developing software
3) He trivialized the really important skill, not making a mess like this in the first place. If his idea of skill is to sling crap without tests at the wall and then debug it, how is he an architect?
I tried really hard but I can't keep a good attitude. I don't want to become toxic, but why would I consider working that way? I try my best to be good at this. Writing decent code means a lot to me. It should mean a lot to them. Their code is costing them hundreds of thousands of dollars. Maybe millions.
I can't write good code and add value if all I do is debug bad code.
So I'm out. I'm going to another project. Have a nice life.
-
Assigned to a new project team..
Using git, in a creative way. So.. "master" is "dev" branch, usually. Everyone can push their branch to dev server .. so it's "dynamic for us". Production branch is whatever, as long as the branch has the release version. Sometimes, the release comes from "master".. that mean "dev" in normal geek..
That's just Git. The source code is a saturated spaghetti of Entity framework and Caliburn. It is littered with antipatterns, especially basebean. Holy Christmas and Easter that baseclass does a lot of stuff that has no place as a base class ..
Fucking frameworks, I'm gonna start to evangelize frameworks as the no1 antipattern.
MS SQL as the main DB, but is dumped to json FILES through a scheduled task to increase read performance on web.
There is a soap endpoint to expose the json files, fml..
I am assuming I was placed here to improve stuff, I have never in my life seen anything like this before.
There is a special place in hell for this repository
-
Really just an average week.
Just feel I need a bit of venting. (:
@meet: (monday)
- mgr: we need video transcoding and VOD ASAP.
- dev: on what server? It's expensive, especially without a GPU.
- mgr: prod is beefy. Put it there.
- dev: everything else is gonna crawl then.
- mgr: you have till the end of this week.
@demo (Friday)
- dev: k, it's ready.
- mgr: Why is everything slow??!
- dev: transcoding. Expensive.
- mgr: Why do we transcode? Never said I wanted transcode!
Can't we upload to YT?
- dev: ...yes. But then each customer that wants VOD will need to set up YT studio and provide an endpoint and stream key.
- mgr: OK. But we're now behind schedule because of this and the customers will not be pleased.
- dev: oh, didn't know we're into gaming.
- mgr: ???
- dev: nvm, see you Monday.
...
Later Friday evening
...
*ding* mgr has added 5 new tasks to your list.
*ding* mgr subtracted 30 points from you.
reason: deadline over due.
Ya ya, the usual shenanigans.
Time to mute for the weekend.14 -
Auth Endpoint:
user name and password correct:
- response 200: with session key and profile info
user name and password incorrect:
- response 200: blank
smh -
I just launched a small web service/app. I know this looks like a promo thing, but it's completely non-profit, open source and I'm only in it for the experience. So...
Introducing: https://gol.li
All this little app offers is a personal micro site that lists all your social network profiles. Basically share one link for all your different profiles. And yes, it includes DevRant of course. :)
There's also an iframe template for easy integration into other web apps and for the devs there's a super simple REST GET endpoint for inclusion of the data in your own apps.
The whole thing is on GitHub and I'd be more than happy for any kind of contribution. I'm looking forward to adding features like more personalization, optimizing stuff and fixing things. Also any suggestions on services you'd like see. Pretty much anything that involves a public profile goes.
I know this isn't exactly world changing, but it's just a thing I wanted to do for some time now, getting my own little app out there.9 -
"We use WSDL and SOAP to provide data APIs"
- Old-fashioned but ok, gimme the service def file
(The WSDL services definition file describes like 20 services)
- Cool, I see several services. I need those X data entities.
"Those will all be available through the Data service endpoint"
- What you mean "all entities in the same endpoint"? It is a WSDL, the whole point is having self-documented APIs for each entity format!
"No, you have a parameter to set the name of the data entity you want, and each entity will have its own format when the service returns it"
- WTF you need the WSDL for if you will have a single service for everything?!?
"It is the way we have always done things"
Certain companies are some outdated-ass backwater tech wannabes.
Usually those that have dominated the market of an entire country since the fucking Perestroika.
The moment I turn on the data pipeline, those fuckers are gonna be overloaded into oblivion. I brought popcorn.7 -
My own personal hell was a html page that had a script tag that called a rest endpoint that sent back a text block of JavaScript that was then dynamically executed to redirect the user to a php 3 page that was the exact same thing as the original page but with an extra bit of css to make the buttons blue and slightly rounded
You can’t make this shit up6 -
Fuck (some of) you backend developers who think regurgitating JSON makes for a good API.
"It's all in JSON. iOS can read JSON, right?"
A well-trained simian can read JSON, still doesn't mean it can do something with it. Your shitty API could be spitting out fucking ancient Egyptian for all I care, just make it be the same ancient Egyptian everywhere!
Don't create one endpoint that spits out the URL for the next endpoint (completely different domain, completely different path structure). Are you fucking kidding me?
As if that wasn't enough, endpoints receive data structured in one way, but return results in another!! "It's all JSON", but it's still dong.
How do I abstract that, you piece of shit? Now I have to write ever so slightly different code in multiple places instead of writing it only once.
How the fuck do I even model that in a database?
Have a crash course on implementing APIs on the client side and only come back when you're done.
Morons.6 -
!rant
I'm an idiot. I freely admit this. I spent a solid 3 hours on a new endpoint in a WCF service, only to have it looked upon and told to fix it. I knew that the service I was calling didn't work like that. I did, I knew it. I didn't think about it while coding the endpoint, but I knew it. At least the changes only needed to happen in one file, and only took about 25 minutes with tests and all. But damn it, I knew better. I looked at my buddy, straight in the eye, and told him "Told you I was an idiot." He laughed, I laughed, the table laughed, we killed the table. It was a great time!1 -
Isn't it just nice to throw away hours of work because you were given wrong requirements?
I worked late last night to finish a project with an incoming deadline, and for what? That's right, for fucking nothing. Hours wasted. Just because I was told the form was to be submitted to an endpoint that I would receive later on.
Turns out that what I actually need to do is embed some form from a third-party service. So the form that I already implemented (with styles and logic) isn't needed. What's worst, I have to redo all the styles to match this embed form.
Thank you so much for that. 🖕Never again will I work late. I should have known better by now... -
So we have an API that my team is supposed to send messages to in a fire and forget kind of style.
We are dependent on it. If it fails there is some annoying manual labor involved to clean that mess up. (If it even can be cleaned up, as sometimes it is also time-sensitive.)
Yet once in a while, that endpoint just crashes by letting the request vanish. No response, no error, nothing, it is just gone.
Digging through the log files of that API nothing pops up. Yet then I realize the size of the log files. About ~30GB on good old plain text log files.
It turns out that that API has taken the LOG EVERYTHING approach so much to heart that it logs to the point of its own death.
Is circular logging such a bleeding edge technology? It's not like there are external solutions for it like loggly or kibana. But oh, one might have to pay for them. Just dump it to the disk :/
This is again a combination of developers thinking "I don't need to care about space! It's cheap!" and managers thinking "100 GB should be enough for that server cluster. Let's restrict its HDD to 100GB, save some money!"
And then, here I stand trying to keep my sanity :/1 -
Partner of ours claimed they are going to update their api. No breakage. My hopes were low and they did not disappoint.
Soon after the new version of their api went live, of course, loads of breakage. And the email contact with them is really fun.
Me: "Hello, since your update we get the issue A. Here's the complete communication."
Them: "We did not change the existing behavior. You are doing X wrong. Repeat that one call during the step and you should be fine."
Me: "Thank you, if I repeat the call, it does indeed work, albeit slower, since we are now repeating calls. Furthermore, our application was consuming your api for years and we did not change anything. So why is that step necessary now? Only after your update do our logs show errors from your API. And by the way, we now also have an issue with B. Why is that?"
Them: "Oh that's because you query the endpoint with "Fnord", try "Baz"."
Me: "Yes, I do know that we query it with "Fnord" as that is what a previous endpoint of yours is responding to us. Why are we getting "Fnord"? What request do I have to make to get a "Baz" back?"
It feels like a game of whack-a-mole. Squash one issue, ten more will pop up. I am one step away from becoming active-aggressive.3 -
Let’s see I suppose the most pissed off I’ve been at work would be....
Being blamed for a client's mistake when their newsletter email settings were being changed over to a new mailing system but during the change over they wanted to still send out mail using the old list. So a single endpoint was kept in place so they could send one last newsletter out after it was approved as part of the migration and they were to inform us when they were done so we could change that endpoint over.
Several months later when everyone had long forgotten about it, the client tried to send another mass mail out using the old endpoint and complained when no emails had been sent.
I was blamed for making this mistake even though management approved the fucking old endpoint to be left in place at the client's request against my concerns that someone’s going to forget about this and I was never informed to swap it over.
I quit on the spot and walked out the door after that. -
Ok, so our team is responsible for writing an app that consumes an API written by the client's team (I refuse to call it a "REST" API, despite their claims). On one of the clarification meetings we are discussing an endpoint that accepts a (logically) unique field multiple times, even though an entity is already registered in the system with that unique identifier. Our proposal would be that this API of theirs should not happily accept duplicates as many times as there are bits on a 4TB hard drive, rather it should signal an error.
The response we got is this: Due to the Separation of Concerns principle they thought that it should be our app's responsibility to not send a request if an entity with said field is already in the system. Thus there's no need for the backend to validate this.
I didn't hear the next part, because I had to collect my headphones from the other side of the room where they were flung in rage.11 -
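An added example (not from the post above) of why the uniqueness check has to live in the backend: two well-behaved clients that each "check first, then send" still create a duplicate unless the server enforces the constraint. The table name `entity`, the field `ext_id`, the sample identifier and the choice of HTTP 409 as the error signal are assumptions made for illustration.

```python
import sqlite3


def make_db(enforce_unique: bool) -> sqlite3.Connection:
    """In-memory store; the only difference between the two variants is the UNIQUE constraint."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if enforce_unique else ""
    conn.execute(
        f"CREATE TABLE entity (id INTEGER PRIMARY KEY, ext_id TEXT NOT NULL {constraint})"
    )
    return conn


def exists(conn: sqlite3.Connection, ext_id: str) -> bool:
    """What a client can learn from a lookup endpoint before sending its request."""
    row = conn.execute("SELECT 1 FROM entity WHERE ext_id = ?", (ext_id,)).fetchone()
    return row is not None


def create_entity(conn: sqlite3.Connection, ext_id: str) -> int:
    """Backend handler: returns an HTTP-style status (201 created, 409 conflict)."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO entity (ext_id) VALUES (?)", (ext_id,))
    except sqlite3.IntegrityError:
        # The database, not the caller, is the authority on uniqueness.
        return 409
    return 201


def two_polite_clients(conn: sqlite3.Connection, ext_id: str) -> list:
    """Two clients both check before either one writes (an ordinary race)."""
    a_sees_it = exists(conn, ext_id)
    b_sees_it = exists(conn, ext_id)
    statuses = []
    if not a_sees_it:
        statuses.append(create_entity(conn, ext_id))
    if not b_sees_it:
        statuses.append(create_entity(conn, ext_id))
    return statuses


def count_rows(conn: sqlite3.Connection, ext_id: str) -> int:
    return conn.execute(
        "SELECT COUNT(*) FROM entity WHERE ext_id = ?", (ext_id,)
    ).fetchone()[0]


if __name__ == "__main__":
    for enforce in (False, True):
        db = make_db(enforce)
        print(enforce, two_polite_clients(db, "ACME-42"), count_rows(db, "ACME-42"))
```

The client-side check remains useful for user experience, but only the constraint on the server holds when requests interleave or when a caller skips the check entirely.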
Just released version 1 of my first API! For this project I did everything the way I wanted to, no shortcuts! I documented the shit out of every endpoint and parameter. Everything is thoroughly tested and it’s dockerized. I also have metrics for each endpoint (with Grafana in the frontend, which I love) as well as alerts in case it would go down for some reason.
I prepared all of this before deploying it out into the wild and damn, it feels so good. Probably no one will use it but I don’t care. It’s one of those projects where you have to force yourself to go to bed at 2 AM.
Just some thoughts. Don’t really have any techie friends so figured maybe someone here recognizes that feeling. Also I wrote it in Python, such a pleasant language.11 -
What kind of fucktard thought it was a good idea to include html in their API endpoint? 3€ per 1000 requests? YOU should be the one paying me to deal with this shit. Even enforcing class classnames...3
-
Not ONLY does the new code a coworker wrote straight up not work (and they somehow managed to merge it to master) but it also broke an entirely unrelated endpoint due to an abstraction they tried to make. Very clear they didn't even run their code at all.2
-
Really loving the instant legacy code being added to our new project by devs who think they are too good to follow our peer review process, yum... today I found out that there are two different implementations of an API endpoint that does the same thing running in prod, in two different places, because the guy who wrote the second one wasn't aware that the first one existed and didn't let a second developer look at it before he pushed it to master.7
-
"It works on our end", the sentence that made me lose my shit.
I've been working on a project where we're supposed to integrate an API into our system.
When trying to get some user id's (UUID) from said API, we got a type-error in the response (???), so I called their integration support and asked what the fuck they were doing (not really, I was kinda calm at this point).
The answer I got was following:
Integration guy: "Uh, bro, like, I don't even know, it's probably on your end"
Me: "We literally used this endpoint with the same parameters yesterday, and got a result we expected. I noticed you updated your API this morning, did you make any major changes?"
Integration guy: "Yeah we changed the type of user id from string to number"
Me: "So, you changed the type of a UUID (uuid4) from string to number? How did you not think that would be an issue? I can see in your forums that everyone else is having the same issue."
Integration guy: "Nah, it's probably a bug in your code, it works on our end"
Me in my mind: *IT WORKS ON YOUR END?!? IT DOESN'T FUCKING MATTER IF IT WORKS ON YOUR END, FUCKTARD.*
What I actually said: "Uhm, I'm not sure if it works on your end either, I'm not even sure how this change made it to production. But hey, thanks I guess, bye."
WHY AM I NOT ABLE TO YELL AT PEOPLE WHEN THEY ARE BEING RETARDED???
But really though, when you're maintaining an API, you shouldn't fucking care if things work on your end in your dev environment. What matters is how it works in production, for the end user/users.
And I know that 99% of cases it's the user's fault by entering the wrong parameters or trying to request with wrongly setup auth and what not, but still.
Don't ASSUME nothing's wrong on your end. It's your fucking job to fix the issues.
And guess what? The problem was on their side.
I'm going fucking bald.2 -
To all the data engineers in here: WTF is going on in your field?
I've worked closely with a dozen data engineers in the last 5 years (and talked to friends and internet strangers about this and get similar responses), none of them seem to know how to use a computer!
They don't understand git, ORMs, best practices, how to use a terminal, DAGs (important for using modern ETL scheduling tools like airflow and prefect), etc
Guys with 10 years of experience on their resume and they can't wrap a model into a flask app with 1 endpoint. They'll reference local files on their machine in a Jupyter notebook and are shocked it won't work on other computers!17 -
Spent a lot of time designing a proper HTTP (dare I even say RESTful) API for our - what is until now a closed system, using a little-known/badly-supported message-over-websocket protocol to do RPC-style communications - supposedly enterprise-grade product.
I make the API spec go through several rounds of review with the rest of the dev team and customers/partners alike. After a few iterations, everybody agrees that the spec will meet the necessary requirements.
I start implementing according to spec. Because this is the first time we're actually building proper HTTP handling into the product, but we of course have to make it work at least somewhat with the RPC-style codebase, it's mostly foundational work. But still, I manage to get some initial endpoints fully implemented and working as per the spec we agreed. The first PR is created, reviews are positive, the direction is clear and what's there already works.
At this point in time, I leave on my honeymoon for two weeks. Naturally, I assume that the remaining endpoints will be completed following the outlines/example of the endpoints which I built. When I come back, the team mentions that the implementation is completed and I believe all is well.
The feature is deployed selectively to some alpha customers to start validation testing before the big rollout. It's been like that for a good month, until a few days ago when I get a question related to a PoC integration which they can't seem to get to work.
I start investigating and notice that the API hasn't been implemented according to the previously agreed upon spec at all. Not only did the team manage to implement the missing functionality in strange and some even broken ways, they also managed to refactor my previously working endpoints into being non-compliant.
Now, I'm a flexible guy. It's not because something isn't done exactly as I've imagined it that it's automatically bad. However, I know from experience that designing a good/clear/future-proof API is a tricky exercise. I've put a lot of time and effort into deliberate design decisions that made up the spec that we all reviewed repeatedly and agreed upon. The current implementation might also be fine, but I now have to go over each endpoint again and reason about whether the implementation still fulfills the requirements (both soft and hard) that we set out to meet.
I'm met with resistance, pushback and disbelief from product management and dev co-workers alike when I raise the concern that the API might actually not be production-ready (while I'm frantically rewriting my integration tests and figuring out how the actual implementation works in comparison to what was spec'ed).
Oh, and did I mention that product management wants to release this by end-of-week?!7 -
Facebook API...
Facebook's "graph" or API's in general fucking stink donkey dick.
Their implementation of oAuth is horrible.. 3 different tokens, which can be either short or long lived, for fetching a facebook page feed (the clients own facebook page)
To that you add a clientID and a ClientSecret.
Great... after painstakingly reading confusing documentation and itching your head... You get it to work.
Then they, without notice, make a breaking change or deprecate an endpoint you were using.. Jesus..
And all the support you can get comes from a "community group" which may or may not reply with a generic link to their documentation...4 -
So ok here it is, as asked in the comments.
Setting: customer (huge electronics chain) wants a huge migration from custom software to SAP erp, hybris commerce for b2b and ... azure cloud
Timeframe: ~10 months….
My colleague and me had the glorious task to make the evaluation result of the B2B approval process (like you can only buy up till € 1000, then someone has to approve) available in the cart view, not just the end of the checkout. Well I thought, easy, we have the results, just put them in the cart … hmm :-\
The whole thing is that the storefront - called accelerator (although it should rather be called decelerator) is a 10-year old (looking) buggy interface, that promises to the customers, that it solves all their problems and just needs some minor customization. Fact is, it’s an abomination, which makes us spend 2 months in every project to „rip it apart“ and fix/repair/rebuild major functionality (which changes every 6 months because of „updates“).
After a week of reading the scarce (aka non-existing) docs and decompiling and debugging hybris code, we found out (besides dozens of bugs) that this is not going to be easy. The domain model is fucked up - both CartModel and OrderModel extend AbstractOrderModel. Though we only need functionality that is in the AbstractOrderModel, the hybris guys decided (for an unknown reason) to use OrderModel in every single fucking method (about 30 nested calls ….). So what shall we do, we don’t have an order yet, only a cart. Fuck let's fake an order, push it through use the results and dismiss the order … good idea!? BAD IDEA (don’t ask …). So after a week or two we changed our strategy: create duplicate interface for nearly all (spring) services with changed method signatures that override the hybris beans and allow to use CartModels (which is possible, because within the super methods, they actually „cast" it to AbstractOrderModel *facepalm*).
After about 2 months (2 people full time) we have a working „prototype“. It works with the default-sample-accelerator data. Unfortunately the customer wanted to have its own dataset in the system (what a shock). Well you guessed it … everything collapsed. The way the customer wanted to "have it working“ was just incompatible with the way hybris wants it (yeah yeah SAP, hybris is sooo customizable …). Well we basically had to rewrite everything again.
Just in case you're wondering … the requirements were clear in the beginning (stick to the standard! [configuration/functionality]). Well, then the customer found out that this is shit … and well …
So some months later, next big thing. I was appointed technical sublead (is that a word)/sub pm for the topics ‚delivery service‘ (cart, delivery time calculation, u name it) and customer registration - a reward for my great work with the b2b approval process???
Customer's office: 20+ people, mostly SAP related, a few c# guys, and drumroll .... the main (external) overall superhero ‚im the greatest and ur shit‘ architect.
Average age 45+, me - the ‚hybris guy’ (he really just called me that all the time), age 32.
He powerpoints his „ tables" and other weird out of this world stuff on the wall, talks and talks. Everyone is in awe (or fear?). Everything he says is just bullshit and I see it in the eyes of the others. Finally the hybris guy interrupts him, as he explains the overall architecture (which is just wrong) and points out how it should be (according to my docs which were more up to date). From now on he didn't just "not like" me anymore. (good first day)
I remember the looks of the other guys - they were relieved that someone pointed that out - saved the weeks of useless work ...
Instead of talking the customer's tongue he just spoke gibberish SAP … arg (common in SAP land as I had to learn the hard way).
Outcome of about (useless) 5 meetings later: we are going to blow out data from informatica to sap to azure to datahub to hybris ... hmpf needless to say it's fucking super slow.
But who cares, I‘ll get my own rest endpoint that‘ll do all I need.
First try: error 500, 2. try: 20 seconds later, error message in html, content type json, a few days later the c# guy manages to deliver a kinda working still slow service, only the results are wrong, customer blames the hybris team, hmm we r just using their fucking results ...
The sap guys (customer service) just don't seem to be able to activate/configure the OOTB odata service (so I was told)
Several email rounds, meetings later, about 2 months, still no working hybris integration (all my emails with detailed checklists for every participant and deadlines were unanswered/ignored or answered with unrelated stuff). Customer pissed at us (god knows why, I tried, I really did!). So I decide to fly up there to handle it all by myself16 -
ME: Here's an endpoint to get all the textual info about the entity. And this one fine endpoint is to fetch entity's files
FrontEnd: This is no good. I need all entity info in a single JSON
ME: but files could be quite heavy, are you sure you wan...
FE: Yes, Just give me all the info in a single JSON
ME: okay... I hope you know what you're doing..
ME: <implemented as requested>
ME: <opens a webpage with 2 files attached>
Browser: <takes 30 seconds to open a page and downloads 30MB of data in the JSON>
ME: As mentioned before, your approach is a performance killer
FE: No worries, we'll fix that in the next version. First let's see if anyone will be using this feature at all - maybe it's not even worth working on
ME: <thinking> I know I would NOT be using an app if it takes over half a minute to open up a chat channel. FFS I wouldn't even be using Slack if it took 30 seconds to open some other conversation, because for some reason it wanted to fetch all the uploaded files along with all the messages each time a channel is clicked on.....
ME: <thinking> this project is doomed :(11 -
New Avatar item and no update? Are the items in the avatar builder fetched from the api? Would be an interesting endpoint for my api docs.
Will do research.13 -
The Instagram API sucks a Lot.
Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?
Fucking piece of shit5 -
This is the last part of the series
(3 of 3) Credentials everywhere; like literally.
I worked for a company that made an authentication system. In a way it was ahead of its time as it was an attempt at single sign on before we had industry standards but it was not something that had not been done before.
This security system targeted 3rd party websites. Here is where it went wrong. There was a "safe" implementation where users were redirected to the authentication system and back.
However for fear of being too hard to implement they made a second method that simply required the third party site to put up a login form on their site and push the input on to the endpoint of the authentication system. This method was provided with sample code and the only solution that was ever pushed.
So users were trained to leave their credentials wherever they saw the products logo; awesome candidates for phishing. Most of the sites didn't have TLS/SSL. And the system stored the password as plain text right next to the email and birth date making the incompetence complete.
The reason for plain text password was so people could recover their password. Like just call the company convincingly frustrated and you can get them to send you the password.1 -
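An added example (not code from either post) covering two rants on this page: the "Auth Endpoint" that answers a failed login with a blank 200, and the plain-text password store kept so passwords could be "recovered". It sketches salted PBKDF2 storage, a login that fails with an explicit 401, and a single-use expiring reset token in place of recovery; the class and function names, the iteration count, the 15-minute lifetime and the sample account are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

PBKDF2_ITERATIONS = 600_000   # assumption: tune to the hardware you run on
RESET_TTL_SECONDS = 15 * 60   # assumption: reset tokens live for 15 minutes


def derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: the stored value cannot be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def token_id(token: str) -> str:
    """Reset tokens are stored hashed, so a database leak does not yield usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class UserStore:
    def __init__(self):
        self.users = {}    # email -> (salt, derived key); never the password itself
        self.resets = {}   # sha256(token) -> (email, expiry timestamp)

    def set_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, derive(password, salt))

    def verify(self, email: str, password: str) -> bool:
        # Unknown accounts still cost one derivation, so response time does not
        # reveal which e-mail addresses are registered.
        salt, expected = self.users.get(email, (b"\x00" * 16, b"\x00" * 32))
        matches = hmac.compare_digest(derive(password, salt), expected)
        return matches and email in self.users

    def login(self, email: str, password: str):
        """Return (status, body). A failure is an explicit 401, never a blank 200."""
        if not self.verify(email, password):
            return 401, json.dumps({"error": "invalid_credentials"})
        return 200, json.dumps({"session_key": secrets.token_urlsafe(32)})

    def start_reset(self, email: str, now=None):
        """Create a token to mail to the account owner. The HTTP response to the
        requester should be identical whether or not the account exists."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.resets[token_id(token)] = (email, now + RESET_TTL_SECONDS)
        return token

    def finish_reset(self, token: str, new_password: str, now=None) -> bool:
        now = time.time() if now is None else now
        # pop() makes the token single-use even when it turns out to be expired.
        email, expires = self.resets.pop(token_id(token), (None, 0))
        if email is None or now > expires:
            return False
        self.set_password(email, new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.set_password("ana@example.test", "correct horse")   # constructed account
    print(store.login("ana@example.test", "wrong"))
    print(store.login("ana@example.test", "correct horse")[0])
```

With this layout support staff have nothing to read back over the phone: the only recovery path is a token delivered to the mailbox on record.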
Be me
Have a company wide incident happen during on call
Say you're rolling back a change in a service that might have been the cause
Have someone laugh and say that change was just a new endpoint and completely unrelated
Be embarrassed
Have a senior director point out the code change that was the issue
Embarrass yourself in front of the entire company (it impacted everyone)
But hey at least it wasn't my change8 -
Today I told 3 devs that they either get their shit together or they can pack their things and look for a job.
I can get easily pissed, but it's rather rare for me to get to that point easily.
Now my dear friends, can you guess what they did?
I give you a hint...
They made a test suite validating a network library.
So we have roughly 200 plus lovely splitted tests, neatly put in a directory structure - lovely organization.
(I might have written in the ticket that as a requirement... Cause I know my lil hellspawns)
But as I started looking at some tests, there was always something missing...
Network library...
So we needed to create an endpoint... And handle of course the tests communication with the endpoint *somewhere*.
I'd guess you know already what these mofos did...
Yeah. We have one class.... That handles all tests endpoints... Via different methods... Plus additional methods like utility functions....
The ticket was easy they said.
Me chewing their heads off was easy too.
Jesus Christ, I really doubt sometimes that some devs are able to go to a toilet.
Maybe that's the reason some wear baggy pants - easier to hide the pampers.
*rolls eyes*3 -
The company considers the project manager I work with to be the best. After working with him, I consider him to be everything that is wrong with project management.
This PM injects himself into everything and has a way of completely over-complicating the smallest of things. I will give an example:
We needed to receive around 1000 rows of data from our vendor, process each row, and host an endpoint with the data in json. This was a pretty simple task until the PM got involved and over complicated the shit out of it. He asks me what file format I need to receive the data. I say it doesn't really matter, if the vendor has the data in Excel, I can use that. After an hour long conversation about his concerns using Excel he decides CSV is better. I tell him not a problem for me, CSV works just as good. The PM then has multiple conversations with the Vendor about the specific format he wants it in. Everything seems good. Then he calls me and asks how am I going to host the JSON endpoints. I tell him because it's static data, I was probably going to simply convert each record into its own file and use `nginx`. He is concerned about how I would process each record into its own file. I then suggest I could use a database that stores the data and have an API endpoint that will retrieve and convert into JSON. He is concerned about the complexities of adding a database and unnecessary overhead of re-processing records every time someone hits the endpoint. No decision is made and two hours are wasted. Next day he tells me he figured out a solution, we should process each record into its own JSON file and host with `nginx`. Literally the first thing I said. I tell him great, I will do that.
Fast forward a few days and it's time to receive the payload of 1000 records from the Vendor. I receive the file open it up. While they sent it in CSV format the headers and column order are different. I quietly without telling the PM, adjust my code to fit what I received, ran my unit test to make sure it processed correctly, and outputted each record into its own json file. Job is now done and the project manager gets credit for getting everything to work on the first try.
This is absolutely ridiculous, the PM has an absurd 120 hours to this task! Because of all the meetings, constant interruptions, and changing of his mind, I have 35 hours to this task. In reality the actual time I spent writing code was probably 2-3 hours and all the rest was dealing with this PM's meetings and questions and indecisiveness. From a higher level, he appears to be a great PM because of all the hours he logs but in reality he takes the easiest of tasks and turns them into a nightmare. This project could have easily been worked out between me and vendor in a 30 min conversation but this PM makes it his business to insert himself into everything. And then he has the nerve to complain that he is so overwhelmed with all the stuff going on. It drives me crazy because this inefficacy and unwanted help makes everything he touches turn into a logistical nightmare but yet he is viewed as one of the company's top Project Managers.3 -
So I just spent the last few hours trying to get an intro of given Wikipedia articles into my Telegram bot. It turns out that Wikipedia does have an API! But unfortunately it's born as a retard.
First I looked at https://www.mediawiki.org/wiki/API and almost thought that that was a Wikipedia article about API's. I almost skipped right over it on the search results (and it turns out that I should've). Upon opening and reading that, I found a shitload of endpoints that frankly I didn't give a shit about. Come on Wikipedia, just give me the fucking data to read out.
Ctrl-F in that page and I find a tiny little link to https://mediawiki.org/wiki/... which is basically what I needed. There's an example that.. gets the data in XML form. Because JSON is clearly too much to ask for. Are you fucking braindead Wikipedia? If my application was able to parse XML/HTML/whatevers, that would be called a browser. With all due respect but I'm not gonna embed a fucking web browser in a bot. I'll leave that to the Electron "devs" that prefer raping my RAM instead.
OK so after that I found on third-party documentation (always a good sign when that's more useful, isn't it) that it does support JSON. Retardpedia just doesn't use it by default. In fact in the example query that was a parameter that wasn't even in there. Not including something crucial like that surely is a good way to let people know the feature is there. Massive kudos to you Wikipedia.. but not really. But a parameter that was in there - for fucking CORS - that was in there by default and broke the whole goddamn thing unless I REMOVED it. Yeah because CORS is so useful in a goddamn fucking API.
So I finally get to a functioning JSON response, now all that's left is parsing it. Again, I only care about the content on the page. So I curl the endpoint and trim off the bits I don't need with jq... I was left with this monstrosity.
curl "https://en.wikipedia.org/w/api.php/...=*" | jq -r '.query.pages[0].revisions[0].slots.main.content'
Just how far can you nest your JSON Wikipedia? Are you trying to find the limits of jq or something here?!
And THEN.. as an icing on the cake, the result doesn't quite look like JSON, nor does it really look like XML, but it has elements of both. I had no idea what to make of this, especially before I had a chance to look at the exact structured output of that command above (if you just pipe into jq without arguments it's much less readable).
Then a friend of mine mentioned Wikitext. Turns out that Wikipedia's API is not only retarded, even the goddamn output is. What the fuck is Wikitext even? It's the Apple of wikis apparently. Only Wikipedia uses it.
And apparently I'm not the only one who found Wikipedia's API.. irritating to say the least. See e.g. https://utcc.utoronto.ca/~cks/...
Needless to say, my bot will not be getting Wikipedia integration at this point. I've seen enough. How about you make your API not retarded first Wikipedia? And hopefully this rant saves someone else the time required to wade through this clusterfuck.12 -
Has been a long time since I'm appreciating working with GRPC.
Amazingly fast and full-featured protocol! No complaints at all.
Although I felt something was missing...
Back in the days of HTTP, we were all given very simple tools for making requests to verify behaviours and data of any of our HTTP endpoints, tools like curl, postman, wget and so on...
This toolset gives us definitely a nice and quick way to explore our HTTP services, debug them when necessary and be efficient.
This is probably what I miss the most from HTTP.
When you want to debug a remote endpoint with GRPC, you need to actually write a client by hand (in any of the supported language) then run it.
There are alternatives in the open source world, but those want you to either configure the server to support Reflection or add a proxy in front of your services to be able to query them in a simpler way.
This is not how things work in 2018 almost 2019.
We want simple, quick and efficient tools that make our life easier and having problems more under control.
I'm a developer myself and I feel this on my skin every day. I don't want to change my server or add an infrastructure component for the simple reason of being able to query it in a simpler way!
However, this exact problem has been solved many times for HTTP or other protocols, so we should do something about our beloved GRPC.
Fine! I told myself. Let's fix this.
A few weeks later...
I'm glad to announce the first Release of BloomRPC - The first GRPC Client GUI that is nice and simple,
It allows you to query and explore your GRPC services with just a couple of clicks without any additional modification to what you have running right now! Just install the client and start making requests.
It has been built with the Electron technology so it's a desktop app and it supports the 3 major platforms, Mac, Linux, Windows.
Check out the repository on GitHub: https://github.com/uw-labs/bloomrpc
This is the first step towards the goal of having a simple and efficient way of querying GRPC services!
Keep in mind that it is in its first release, so improvements will follow along with future releases.
Your feedback and contributions are very welcome.
If you have the same frustration with GRPC I hope BloomRPC will make you a bit happier!3 -
One of my first projects involved a python server. This was before I even knew about CD/CI, so we were updating by ssh-ing in, pulling, and killing the process.
My solution? Make an endpoint that pulls the repo and intentionally crashes the server to restart it. We used it for two years.1 -
Instructions on how to become suicidal:
- Create an API controller for the /file/ path
- Add an empty endpoint for POST /file/upload (will write it later!)
- Forget about this endpoint at some point
- Later, create a page for /file/upload
- GET /file/upload returns page
- POST /file/upload returns empty 200
Pure psychological horror for like an hour Googling why the fuck my razor page is returning empty responses and my breakpoint on OnPost is not fucking hitting even if I copy and paste example code from the ms website
Oh yeah, that controller.5 -
Was writing a functional test in AdonisJS that queries an API endpoint with data and my test stays red with a dainty `expected 500 to equal 200` assertion failure.
In frustration, I yelled "What must I fuchen do to get my 500 to become a 200". Then my dev friend, an absolute fuchen genius tells me, "Subtract 300." I hope the prat stays debugging his code for a week!!8 -
Boss: Where should i put this piece of code so the android app will work correctly?
Me: Maybe here and we run some tests.
Boss: What? You built the app so you have to know where I should write the code for the endpoint and your app will work. No time for tests. And no update.
Fuck you boss.3 -
Companies that create APIs and then update them but fail to update the documentation, to a point where the syntax doesn't even remotely resemble how it originally was, or even give the location of where the new endpoint is.
WHY MUST YOU MAKE MY LIFE HELL2 -
Oh I have quite a few.
#1 a BASH script automating ~70% of all our team's work back in my sysadmin days. It was like a Swiss army knife. You could even do `ScriptName INC_number fix` to fix a handful of types of issues automagically! Or `ScriptName server_name healthcheck` to run HW and SW healthchecks. Or things like `ScriptName server_name hw fix` to run HW diags, discover faulty parts, schedule a maintenance timeframe, raise a change request to the appropriate DC and inform service owners by automatically chasing them for CHNG approvals. Not to mention you could `ScriptName -l "serv1 serv2 serv3 ..." doSomething` and similar shit. I am VERY proud of this util. Employee liked it as well and got me awarded. Bought a nice set of Swarovski earrings for my wife with that award :)
#2 a JAVA sort-of-lib - a ModelMapper - able to map two data structures with a single util method call. Defining datamodels like https://github.com/netikras/... (note the @ModelTransform anno) and mapping them to my DTOs like https://github.com/netikras/... .
#3 a @RestTemplate annotation processor / code generator. Basically this dummy class https://github.com/netikras/... will be a template for a REST endpoint. My anno processor will read that class at compile-time and build: a producer (a Controller with all the mappings, correct data types, etc.) and a consumer (a class with the same methods as the template, except when called these methods will actually make the required data transformations and make a REST call to the producer and return the API response object to the caller) as a .jar library. Sort of a custom swagger, just a lil different :)
I had #2 and #3 opensourced but accidentally pushed my nexus password to gitlab. Ever since my utils are a private repo :/3 -
I'm working on a laptop in the shop and Explorer crashes. I try restarting it, and get RPC endpoint call errors. On reboot, I get this.
Russian roulette but 3 will probably crash instead of 1.11 -
Follow up to: https://devrant.com/rants/5047721/....
1- The attacker just copy pasted its JWT session token and jammed requests on the buy gift cards route
2- The endpoint returns the gift card to continue the payment process, but the gift card is already valid
3- Clients wants only to force passwords to have strong combinations
4- Talk about a FIREWALL? Only next month
5- Reduce the token expiration from 3 HOURS to 10 minutes? Implement strong passwords first
6- And then start using refresh tokens
BONUS: Clearly someone from inside that worked for them, the API and database password are the same for years. And the route isn't used directly by the application, although it exists and has rules that the attacker knows. And multiple accounts from legit users are being used, so the person clearly has access to some internal shit7 -
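Points 1 and 2 of the post above describe a replayed session token hammering the purchase route, with every call returning a card that is already spendable. The following is an added example (not the poster's or the client's code) of a server-side shape that closes both: cards are created pending and only a payment confirmation activates them, and the route has a per-token sliding-window limit. All names, limits and the in-memory store are assumptions.

```python
import hashlib
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Assumed limits for illustration; tune them to real purchase behaviour.
MAX_PURCHASES_PER_WINDOW = 3
WINDOW_SECONDS = 600


class RateLimited(Exception):
    """Raised when one session token exceeds its purchase budget."""


@dataclass
class GiftCard:
    code: str
    amount_cents: int
    owner: str
    state: str = "PENDING"  # PENDING -> ACTIVE only after payment is confirmed
    payment_ref: Optional[str] = None


class GiftCardService:
    def __init__(self):
        self._cards = {}                 # order_id -> GiftCard
        self._hits = defaultdict(deque)  # token fingerprint -> request times
        self._used_payments = set()      # payment references already consumed

    @staticmethod
    def _fingerprint(token):
        # Keep a hash, never the raw bearer token, in limiter state or logs.
        return hashlib.sha256(token.encode()).hexdigest()[:16]

    def _check_rate(self, token, now):
        hits = self._hits[self._fingerprint(token)]
        while hits and now - hits[0] >= WINDOW_SECONDS:
            hits.popleft()
        if len(hits) >= MAX_PURCHASES_PER_WINDOW:
            raise RateLimited("too many purchase attempts for this session")
        hits.append(now)

    def start_purchase(self, token, user, amount_cents, now):
        """Purchase route: reserves a card but returns no spendable code."""
        self._check_rate(token, now)
        order_id = secrets.token_urlsafe(12)
        self._cards[order_id] = GiftCard(secrets.token_hex(8), amount_cents, user)
        return {"order_id": order_id, "state": "PENDING"}

    def confirm_payment(self, order_id, payment_ref, paid_cents):
        """Called from the payment processor callback, not by the client."""
        card = self._cards.get(order_id)
        if card is None or card.state != "PENDING":
            return False
        if paid_cents != card.amount_cents or payment_ref in self._used_payments:
            return False
        self._used_payments.add(payment_ref)
        card.state, card.payment_ref = "ACTIVE", payment_ref
        return True

    def redeem(self, order_id):
        """Returns the value in cents, or None if the card is not ACTIVE."""
        card = self._cards.get(order_id)
        if card is None or card.state != "ACTIVE":
            return None
        card.state = "REDEEMED"
        return card.amount_cents


def simulate_replay():
    """Constructed scenario: one copied token replayed 10 times in 10 seconds."""
    svc = GiftCardService()
    orders, rejected = [], 0
    for second in range(10):
        try:
            result = svc.start_purchase("copied.jwt.value", "victim", 5000, now=second)
            orders.append(result["order_id"])
        except RateLimited:
            rejected += 1
    spendable_before_payment = [svc.redeem(o) for o in orders]
    paid = svc.confirm_payment(orders[0], "pay_001", 5000)
    reused = svc.confirm_payment(orders[1], "pay_001", 5000)  # same reference again
    return len(orders), rejected, spendable_before_payment, paid, reused, svc.redeem(orders[0])


if __name__ == "__main__":
    print(simulate_replay())
```

The limiter keys on the token itself, so it keeps working while the 3-hour expiry from point 5 is still in place; shortening the expiry narrows how long a copied token stays useful.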
Being the only dev in charge of the project, makes you the one to be blamed for.
The God saviour, shiny armoured back end developer that joined the "team" (only me) to help into this new project just said in a meeting:
- "I won't code anything for this new project, I can't get the point of it"
So every meeting was
- "why feature X is not ready?"
- "I'm waiting for the endpoint for it"
- "well, then mock it"
Now I fucking give up.
One month mocking things and "presenting" features that don't even exist. -
When I was really new to JavaScript, I wanted to create an image gallery with images which I stored in a MySQL database. Well, I did not really have a clue how to load all the image sources into my JavaScript to load the images. I also didn't know much about fetching an endpoint of my website to get the data asynchronously.
I also wasn't a good database architect at that time and my database had an image table which was for the gallery. Within this table there were multiple columns for one image slider (there should be multiple sliders on one page in the gallery (I know... 🤢)).
So I ended up writing a PHP loop which printed JavaScript loops for each row in my images table. Within my JavaScript loop I created the sliders and set the images.
In my defense I can say: It worked. 😅
It hurts to remember this. And I hope you won't judge me.2 -
// My First Rant
We have a developer that almost everyone adjusts to what he wants to avoid talking or working with him.
I have office mates that don't want to give tasks to him just to avoid working with him.
Even our devOps guy just did what he wanted so he would stop talking.
One bad experience of our devOps guy with him is that his infrastructure or other AWS stuff was blamed for why his APIs are not working. It turns out that his url for the database has FUCKING SPACES.
Not sure if a good practice but he wants the base url of our Endpoint to be set in environment variables instead of having DEV/PROD/TESTING and base the endpoint from there.
He said that he was given permission to study a language but he doesn't even ask for permission.3 -
Received feedback on a task I made for a job interview (I didn't get a technical interview).
The task was easy with nothing special about it that made me think if that's what the job is like, I don't want to work there. It was a simple web page with search functionality. I did the task anyway.
The feedback I got was useless. It said that I made a complex and an over-engineered solution.
What I made, mind you, was a one endpoint API and a single Vue.js component instead of using jQuery to update the results. That's it. OVER-ENGINEERED!
Complete waste of time.5 -
Can someone help me settle an argument with a coworker?
So let's say there is a REST interface that returns a PDF representation of a resource...but it requires the authorization header in order to authorize that you have access to the document in question.
And let's say there is a link on the page that redirects to this endpoint to serve up the document. He thinks you can add a header to the HTTP request that goes out when you click on the link (a regular old anchor tag) with onclick without making an xhr call.
I told him that you would have to use an xhr call to add headers, and that even then you would receive a byte stream back, which without using a blob and an object url or a data uri you wouldn't be able to display it in a new tab or start a download.
Regardless he went on to tell me I was wrong. The next day he said he had done it. I asked him to show me, and he said "oh it's at home", and then proceeded to ridicule me in front of my architect. He always pulls this one-upmanship bullshit and I hate it. And I am pretty sure he's wrong.10 -
Few years ago as a junior android dev with couple years of self taught experience of working in startups I submitted a simple android app assignment for a junior android dev role. Assignment had only like 8 requirements so I followed them to the letter. That didn't end well.
App was simple just 3 screens. Login screen with username and password input fields, login button.
Had to call a login endpoint after login button was clicked, redirecting to home screen, calling items endpoint, displaying a list of items and when an item was clicked passing item data and redirect to item details screen.
Needless to say big swinging dick senior was not impressed. UI was not perfect, I forgot to display a loading animation when fetching data, didn't handle back button properly.
I agreed with some points but other comments were clearly just nitpicking: his preferred variable naming conventions, his opinions on architecture that was not up to his standard (official google arch at the time was not up to his standard).
He also was mad that app wasn't prepared for release to googleplay (another out of the ass requirement). Like I would prepare a 3 screen app for prod release that he will forget ever existed after 20min of his review.
Lots more of nitpicking, encapsulation this encapsulation that, omg now he's shocked that there are a few warnings after the project is built.
Regardless my self confidence was destroyed at that point and after few more negative experiences I dropped android dev altogether for a couple years and switched to game dev.
After game dev ran its course I went back to android dev and found a supportive place where I could grow.
Looking back, they were actually hiring at least a mid level for a junior position but I was grilled as a senior. The guy literally didn't write any single positive thing in that review about my code even tho my senior peers said my project was decent back then, it's just that I didn't handle a few edge cases and that's all.
I looked up the guy in LinkedIn, turns out he's a uni dropout who posts all books that he read about software dev in his education section of his LinkedIn profile. Found a bunch of other narcissistic stuff on his profile. Guy was a fucking idiot. Even if I worked under him it would have probably sucked.
Learned some important lessons I guess. Always get a second, 3rd and 4th opinion and don't take criticism too seriously. Always check what kind of person is providing feedback.4 -
The world: we found a cure for AIDS.
Hacker news: I don't see a RESTful api endpoint for that, so it's useless. -
Strap in...
- Previous employer
- 3rd party partner firm
- integration link between both over SOAP
- Both sides riddled with poor code and messed up political structures (partner firm CEO is an investor in my employer)
- Doing a deployment to update to https (I know)
- Keep http endpoint live
- Other side starts shitting itself
- Diagnose
- Not us
- feelsgoodman.tiff
- Get angry email
- Explain not us
- Back and forth
- Tell client it’s “irrelevant” on https issue, it’s their side that’s gone wrong
- Get angry reply with boss cc’d about how nothing is “irrelevant” for the client
- We all had to have a make up meeting and meal
- Client was calm and reasonable, all agreed we just snapped and it wouldn’t happen again
- 2 weeks later
- Their system shits itself again and suddenly we’re on the hook
- BA on my team (smarmy little bastard) constantly fucking me off
- Get so close to actually screaming and hitting him
So yeah. I don’t tend to hold that a job is more important to me than my dignity.
I have and will never hold my tongue for the sake of a job, I’m not gonna put up with people shouting / belittling / backstabbing etc. -
Kinda messed up my first contract.
I am a senior frontend dev who until now worked only on full time gigs. For the first time I picked up a short term gig of 1 week that consisted of 2 packages and I wanted to share my mistake that I made so hopefully it's useful to you.
So last week I started working on this gig. First package went through fine, I delivered in 2 days and collected the first half of the payment.
However I messed up with the second package. Not messed up the implementation per se, but I didn't manage the communication well.
Before implementing it I raised a discussion about a missing backend endpoint that is required to implement the perfect solution. Client got cold feet, had a discussion with his manager and now decided to postpone the second package and even got mad at me that I already did and pushed half of the work of the second package without waiting for his decision from his manager. So now obviously I'm not getting paid for half of the work of the second package (I don't mind, I should have waited for client's response), anyways it took me like 20min to implement so that's fine.
My takeaways:
1. As a short term contractor you are hired to solve a concrete problem. Scope out what you can, agree on a task list and stick to it. Anything out of scope will cost the client extra.
2. Your priority is to get paid. Not to deliver the perfect solution that confuses the client and potentially can impact your delivery. If he wants something and you see it's only a half of what he really needs, deliver it anyways. Keep that idea of improvement for the future. More work for future = more invoices = more money. I know it's not ethical but your priority should be to get paid and in order to do that you need to deliver. Don't shoot yourself in the foot with unnecessarily overcomplicating things.1 -
Me: The dev agency didn’t follow best practices. They only implemented front end validation on the form. The form submits to a public endpoint, so bots don’t have to go through our site to submit the form. That’s why our database is still filled with $1 donation transactions. I honestly recommend telling this to the dev agency and request that you not be charged for the extra work needed to do this right.
Manager: They charge $95/hr and they’re billing for 8 hours already.
[Aside: The agency’s task was to implement a $10 minimum on the form, do some text changes, and deploy.]
Me: I would expect work to be done according to accepted best practices. It’s really a half done job.
Manager: But they were very helpful when we had that payment processing emergency. They stayed late to help us. We shouldn’t push this in case we need their help again. Can you do the backend validation? [We are in US and agency is in Lithuania.]
Me: 🤬😩😑🤐[To myself: This wouldn’t have happened if the fundraising team hadn’t panicked and would only wait until I came back from my one day of PTO.]1 -
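The gap described in the post above is that the $10 minimum lives only in the form, so anything posting straight to the public endpoint skips it. The following is an added example (not the agency's or the poster's code) of the check done on the server instead; the $10 minimum is from the post, while the field name, the upper cap and the error strings are assumptions.

```python
import re
from decimal import Decimal

MIN_DONATION = Decimal("10.00")     # from the post: $10 minimum
MAX_DONATION = Decimal("50000.00")  # assumed sanity cap, not from the post

# ASCII digits only, optional one or two decimals. This rejects "1e2", "NaN",
# "-50", "+10" and non-ASCII digits, all of which Decimal() alone would parse.
_AMOUNT_RE = re.compile(r"[0-9]{1,7}(?:\.[0-9]{1,2})?")


def validate_donation(form):
    """Return (amount_in_cents, None) on success or (None, reason) on failure.

    `form` is the decoded request body as a dict of strings (assumed to be
    form-encoded, so every legitimate value arrives as a string).
    """
    raw = form.get("amount")
    if not isinstance(raw, str):
        return None, "amount is missing or not a string"
    raw = raw.strip()
    if not _AMOUNT_RE.fullmatch(raw):
        return None, "amount must be a plain decimal number"
    amount = Decimal(raw)
    if amount < MIN_DONATION:
        return None, "amount is below the $10.00 minimum"
    if amount > MAX_DONATION:
        return None, "amount is above the accepted maximum"
    # Store integer cents so no float rounding reaches the payment call.
    return int(amount * 100), None


# Constructed submissions of the kind a script posting directly to the
# endpoint can send; none of them ever passes through the form's JavaScript.
CONSTRUCTED_SUBMISSIONS = [
    {"amount": "1"},
    {"amount": "10"},
    {"amount": "9.99"},
    {"amount": "1e2"},
    {"amount": "NaN"},
    {"amount": "-50"},
    {"amount": "10.005"},
    {"amount": " 25.50 "},
    {},
    {"amount": "60000"},
]


def triage(submissions):
    """Split submissions into accepted cent amounts and rejection reasons."""
    accepted, rejected = [], []
    for form in submissions:
        cents, error = validate_donation(form)
        if error is None:
            accepted.append(cents)
        else:
            rejected.append((form.get("amount"), error))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = triage(CONSTRUCTED_SUBMISSIONS)
    print("accepted (cents):", ok)
    for value, reason in bad:
        print("rejected", repr(value), "->", reason)
```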
TLDR; I was editing the wrong file, let's go to bed.
We have this huge system that receives data from an API endpoint, does a whole bunch of stuff, going through three other servers, and then via some calculation based on the data received from the UI, and data received from the endpoint, it finally sends the calculated fields to the UI via websocket.
Poor me sitting for over 4 hours debugging and changing values in the logic file trying to understand why one of the fields ends up being null.
Of course every change needs a reboot to all the 4 servers involved, and a hard refresh of the UI.
I even tried to search for the word null in that file, but to no avail.
After scattering hundreds of console logs, and pulling my hair out, I found out that I am editing the wrong file.
I guess it's time for some sleep.1 -
We have a new hire, and he doesn't know much so he is receptive when given feedback on better ways to handle a situation...Or at least, he appears that way. Until the next time and he didn't listen at all.
Today I'm working on the front end to match his API calls. I ask him about a list of options for one of the fields, as he didn't provide that info initially. No worries, there was a lot, easy to miss. He responds with a list of ~100 options, which he copied and pasted from, I'm assuming, their documentation. I tell him that's too many options to hard code, as there is an easy chance to have an error or for there to be one added or deleted, and ask if there is an API endpoint to get the list.
He then asks if I need the key and value, or just key. I tell him if he needs the value(human readable) then he can send me just the value, otherwise both. He says he just needs the key, so I let him know that I need both then, as the value is human readable. He says okay.
He proceeds to make the endpoint, I test it. Then I look at the code he wrote. Not only did he not send me both, he just sent the keys, but he hard coded all 100 keys as opposed to making the call to the external API.3 -
fuck u aws
all that money and u can't read idiot proof documentation for me to have SQS connect to a VPC endpoint to read a message
also fuck u search algorithms for not handing me an easy bake solution to what is a not a novel situation
also fuck me for being unable to git gud5 -
When you're trying to find out from what API endpoint a page gets its data from, put breakpoints on every endpoint, but none hit a breakpoint when the page loads.2
-
This is the story of the API documentation.
Which btw I couldn't find on the producent's website anywhere. I had the pdf shared with me by a coworker.
I knew the api was fucked up the moment I looked at endpoint documentation.
GET params? WHERE, ORDERBY etc. Literally make a SQL select in a GET request.
Returned stuff? The whole thing. Not some DTO, you literally get everything you can get.
Eg if you get IP in your response, you get it in several formats: dotted form, as hex, and as int. In 3 different json fields.
Oh, and regarding IP - one would imagine you can use masks or prefixes for subnets, right? Nope. The only param you can use there is the subnet size. So you have to calculate the power of 2 every time you want to make a request.
That's from the endpoint documentation. But what about some general info on the API, before all that?
As I was looking for something, I decided to read that intro and general info about the API.
Okay, so there was a change log between API versions. "removed [endpoint which sounds like correct REST design], please use [this generic thing with SQL-like GETs]"... Several of them.
And there was also this sentence which said that the API is not restful, "it's REST-like". <facepalm>
If it was a bad attempt at REST API, I would let it go. But this sentence clearly showed they knew they did everything wrong. And the changelog showed they didn't stop there, they were actively making it worse.1 -
# Retrospective as Backend engineer
Once upon a time, I was rejected by a startup who tries to snag me from another company that I was working with.
They are looking for Senior / Supervisor level backend engineer and my profile looks like a fit for them.
So they contacted me, arranged a technical test, system design test, and interview with their lead backend engineer who also happens to be co-founder of the startup.
## The Interview
As usual, they asked me what my contributions to previous workplaces were.
I answered them with achievements that I think are the best for each company that I worked with, and how to technologically achieve them.
One of it includes designing and implementing a `CQRS+ES` system in the backend.
With complete capability of what I `brag` as `Time Machine` through replaying event.
## The Rejection
And of course I was rejected by the startup, maybe specifically by the co-founder. As I asked around on the reason of rejection from an insider.
They insisted I am a guy who overengineers things that are not needed, by doing `CQRS+ES`, and is only suitable for RND, non-production stuff.
Nobody needs that kind of `Time Machine`.
## Ironically
After switching jobs (to another company), becoming fullstack developer, learning about react and redux.
I can reflect back on this past experience and say this:
The same company that says `CQRS+ES` is an over engineering, also uses `React+Redux`.
Never did they realize the concept behind `React+Redux` is very similar to `CQRS+ES`.
- Separation of concern
- CQRS: `Command` is separated from `Query`
- Redux: Side effect / `Action` in `Thunk` separated from the presentation
- Managing State of Application
- ES: Through sequence of `Event` produced by `Command`
- Redux: Through action data produced / dispatched by `Action`
- Replayability
- ES: Through replaying `Event` into the `Applier`
- Redux: Through replay `Action` which trigger dispatch to `Reducer`
---
The same company that says `CQRS` is an over engineering also uses `ElasticSearch+MySQL`.
Never did they realize they are separating `WRITE` database into `MySQL` as their `Single Source Of Truth`, and `READ` database into `ElasticSearch` is also inline with `CQRS` principle.
## Value as Backend Engineer
It's a sad days as Backend Engineer these days. At least in the country I live in.
Seems like being a backend engineer is often under-appreciated.
Company (or people) seems to think of backend engineer is the guy who ONLY makes `CRUD` API endpoint to database.
- I've heard from Fullstack engineer who comes from React background complains about Backend engineers have it easy by only doing CRUD without having to worry about application.
- The same guy fails when given task in Backend to make a simple round-robin ticketing system.
- I've seen company who only hires Fullstack engineer with strong Frontend experience, fails to have basic understanding of how SQL Transaction and Connection Pool works.
- I've seen company Fullstack engineer relies on ORM to do super complex query instead of writing proper SQL, and prefer to translate SQL into ORM query language.
- I've seen company Fullstack engineer with strong React background brags about Uncle Bob clean code but fail to know on how to do basic dependency injection.
- I've heard company who made webapp criticize my way of handling `session` through http secure cookie. Saying it's a bad practice and better to use local storage. Despite my argument of `secure` in the cookie and ability to control cookie via backend.18 -
Can't get over how many big companies get away with poor/no documentation for their own APIs. The past week i have been working with a large insurance company that only via email threads explained what endpoint to send files to and what username I could use to get this to work.
I also worked with a major courier service last month that only had a two page document for all their methods and one of the pages was explaining the transportation of data via imagery haha.1 -
How far off can you implement a feature?
Task: Update add one feature to this endpoint and add test(s) for the new feature
What happened
* Correct endpoint
* Add 2 wrong features
* Remove one important feature
* Do not the requested feature
* Write a test that doesn't actually test the feature for the wrong endpoint
Intern be like: looks fine to me. Pls review and merge3 -
Okay, one after another. They like to piss me off, apparently.
Colleague knows something isn't possible with current state of some api and pushes phone to me so I can maybe figure out what to reply to client. I dry-typed in "It's not possible" gave him phone and said "boom done, you know it ain't possible"
Okay, TL;DR she got pissed that I am pissed that this BS is thrown at me and I don't want to participate in promising something I know is undeliverable.
So she told me to go to PM/PO *kind of guy but not rly* with that problem. He ain't technical by any mean. We are small company and for some reason this guy has a more bureaucratic approach than I thought is possible to fit in one human.
Anyway. Well, apparently we will have meeting what are our options.
It all began when one guy promised another guy an undeliverable feature....
And because someone couldn't use his fucking brain it's pushed onto me, or I need to figure out how to do it. You can't without introducing a safety flaw, period, it's that fuckin' simple.
But nooo, we will have god-knows-how-long meeting, that will bring exactly 0 value, as fking always, and all I want now is just fucking focus on my fucking code because, ya know, I have timeline to follow, I don't have time for all that BS.
And to give you context, while keeping the stuff I cant share secret, imagine you have an API, that is just 'facade' of backend API, and layer of security. And they want to add authoritative endpoint to the facade API. Kind of endpoint "yes, you got paid".
Bravo, big brain, it will not work without like huge-as-fuck vulnerability...
IDIOTS
How to not get pissed? Any protips?1 -
Once i worked on an application which has very long form and submit to a soap endpoint (post). I felt my life was so pointless when testing after i made changes. So I automated the testing by generating post request so i can just run it.
I filled the user name with Brandon Boyd, Alan Turing or Ryan Gosling. And it increments like Boyd1, Boyd2.
Once my colleague found a bug, the data never get saved but all the boyds persists. He knew it was me, who uses that kind of name
My barbaric manager (was involved) kind of pointed his finger at me. I sweat a bit though i couldn't find logical explanation why Boyds stay. but turned out someone changed the sqlscript. -
in 2017 i published my first website. it was basically a remake of google's translation telephone, because google shut it down. unfortunately, the translation api costs money, so rather than pay, i set up a gscript api endpoint that translates it for me.
apparently when you use gscript, translation is free. this was back when i was 14, which is crazy to think about. -
Working on an Android app for a client who has a dev team that is developing a web app with ember js / rails. These folks are "in charge" of the endpoints our app needs to function. Now as a native developer, I'm not a hater of a web apps way of doing things but with this particular app their dev team seems to think that all programming languages can parse json as dynamically as javascript...
Exhibit A:
- Sample Endpoint Documentation
* GetImportantInfo
* Params: $id // id of info to get details of
* Endpoint: get-info/$id
* Method: GET
* Entity Return {SampleInfoModel}
- Example API calls in desktop REST client
* get-info/1
- response
{
"a" : 0,
"b" : false,
"c" : null
}
* get-info/2
- response
{
"a" : [null, "random date stamp"],
"b" : 3.14,
"c" : {
"z" : false,
"y" : 0.5
}
}
* get-info/3
- response
{
"a" : "false", // yes as a string
"b" : "yellow",
"c" : 1.75
}
Look, I get that js and ruby have dynamic types and a string can become a float can become a Boolean can become a cat can become an anvil. But that mess is very difficult to parse and make sense of in a stack that relies on static types.
After writing a million switch statements with cases like "is Float" or "is String" from kotlin's Any type // alias for java.Object, I throw my hands in the air and tell my boss we need to get on the phone with these folks. He agrees and we schedule a day that their main developer can come to our shop to "show us the ropes".
So the day comes and this guy shows up with his mac book pro and skinny jeans. We begin showing him the different data types coming back and explain how its bad for performance and can lead to bugs in the future if the model structure changes between different call params. He matter of factually has an epiphany and exclaims "OHHHHHH! I got you covered dawg!" and begins click clacking on his laptop to make sense of it all. We decide not to disturb him any more so he can keep working.
3 hours goes by...
He burst out of our conference room shouting "I am the greatest coder in the world! There's no problem I can't solve! Test it now!"
Weary, we begin testing the endpoints in our REST clients....
His magic fix, every single response is a quoted string of json:
example:
- old response
{
"foo" : "bar"
}
- new "improved" response
"{ \"foo\" : \"bar\" }"
smh....8 -
New twist on an old favorite.
Background:
- TeamA provides a service internal to the company.
- That service is made accessible to a cloud environment, also has a requirement to be made available to machines on the local network so you can develop against it.
- Company is too cheap/stupid to get a s2s vpn to their cloud provider.
- Company also only hosts production in the cloud, so all other dev is done locally, or on production non-similar infra, local dev is podman.
- They accomplish service connectivity by use of an inordinately complicated edge gateway/router/firewall/message translator/ouija board/julienne fry maker, also controlled by said service team.
Scenario:
Me: "Hey, we're cool with signing requests using an x509 cert. That said, doing so requires different code than connecting to an unsecured endpoint. Please make this service accessible to developer machines and lower environments on the internal network so we can, you know, develop."
TeamA: "The service should be accessible to [cloud ip range]"
Me: "Yes, that's a production range. We need to be able to test the signing code without testing in production"
TeamA: "Can you mock the data?"
Me: "The code we are testing is relating to auth, not business logic"
TeamA: "What are you trying to do?"
Me: "We are trying to test the code that uses the x509 you provide to connect to the service"
TeamA: "Can you deploy to the cloud"
Me: "Again, no, the cloud is only production per policy, all lower environments are in the local data center"
TeamA: "can you try connecting to the gateway?"
Me: "Yes, we have, it's not accessible, it only has public DNS, and only allows [cloud ip range]"
TeamA: "it work when we try it"
Me: "Can you please supply repro steps so we can adjust our process"
TeamA: "Yes, log into the gateway and try issuing the call from there"
Me: (╯°□°)╯︵ ┻━┻
tl;dr: Works on my server -
I recently have been delegated the responsibility of managing a 4 people team by planning the sprints, scheduling tasks, and in general "take charge" (as said by the boss).
What bothers me is there is this "developer" with a heavily toxic attitude, who feels he is above all laws and knows everything just because he joined some months before all of us.
He is basically a human linter. When he code reviews, you can get away with any major mistake if your linting and indentation (and all that shit) is according to "his standards".
A new guy recently joined the team and was given an overwhelming task by the boss just to test whether he belongs here. (Again, wrong, in my opinion). He didn't know any of the technologies he needs to work on to complete that task but he still learnt them and got a working product. Albeit not according to our God's "standards".
Cut to the chase, the asshole dev is now mocking him in PR comments and demeaning him in every discussion. As a "team lead", what should I do? If I let it go, it'll make the environment toxic and I don't want him to get away with it. If I do take any action, I don't want to be seen as a pussy who can't take such minor insults. Please advise.
PS. The asshole developer once wrote a "friend request accept" API endpoint in such a way that when any single person accepts a request, that'll cause all pending requests (from any person to any person) to get accepted. Fucked up the DB queries basically. This is just to give a perspective on what I'm dealing with here. -
Gotta love it when everything works flawlessly with the test API endpoint and credentials, but when I try to go live, there's suddenly a ton of additional configuration to get the third-party APIs working.
Why the fuck do you even provide a testing environment, if it's completely different from the live one? -
when your teammate finds the existing endpoint that returns what you need after you frankenstein some dumbass shit from other existing endpoints that you managed to find
fuck me -
Sometimes I wonder what kind of shit for brains do these morons use when they secretly change the API endpoint and still flood my inbox with emails that users can't login.
-
I was working on a thing at work which routes http requests from one endpoint and port to several local services.
I was halfway done when I noticed I just wrote a primitive reverse proxy.
Anyway, I'm calling it GRID, Gateway for REST Interface Distribution.
It's capable of dynamically attaching new routes and services and removing those during runtime via inbuilt typescript compilation service.
Each "runtime module" defines several routes which may have a middleware function (express.js style), which gets executed before forwarding the request to the local service.
I don't know why, but I'm kinda proud of this one; Feels like I made something actually useful for once.
Gonna maybe add a webUI with the monaco editor to write typescript modules without needing VSCode...
Also I may implement a load balancing system for scalability.
It comes with a cli too.
Gonna put it on github and post it here once I'm done with v1.19 -
Let's say you're working on a web application, and you notice that one of the pages is not displaying the correct data. You investigate further and realize that the data is being retrieved from an API endpoint, but for some reason, the API is returning the wrong data.
You start looking into the code that calls the API and notice that it's passing in the correct parameters, so you dig deeper into the API code itself. After hours of poring over the code, you finally discover that the bug is caused by a typo in the database query that the API is using to retrieve the data.
You fix the typo and think the problem is solved, but then you realize that the data is still not displaying correctly on the page. After even more investigation, you discover that the bug is actually being caused by a caching issue on the client side.
At this point, you're feeling incredibly frustrated and overwhelmed. You've spent hours trying to track down this bug, and it feels like every time you think you've found the root cause, another issue pops up. This is just one example of the many challenges that developers face on a daily basis. -
Okay I'm doing the whole leetcode bs, interviewing with a faang like company.
I'm genuinely curious to see if their engineers are actually any good. It seems backwards to me to hire someone based on something they most likely know by heart.
It's like trying to stress test an API by calling a cached endpoint. It will look fast AF, and it will be, but it won't compute shit.
Anyway, if I get the job and the engineers aren't crappy, then I'll forever stfu about how lame this is. But if I get the job and the devs are crappy, oh boy you'll hear me for a long time. -
API response.
For a week been working with my project manager remotely.
Then yester night had a tough one.
Me: Please send me the API endpoint so that I can test it and see the response.
Him: On my side all is set, just consume the response.
Me: As a practice I did first test the API using Postman and the response was okay.
Me: As I had already prepared my Retrofit code to consume and parse the response I head to it.
Me: Fast forward 20 minutes into the application I realise I'm getting some unexpected errors thanks to the guy who didn't follow my response format.
Me: I call him asking him to check how he formatted the response.
Him: He claims he formatted it as requested.
Me: Double check my work and am damn right and now raise my voice as I talk to him again and request him to send me a screenshot of his response and I send mine.
From the screenshots it turns out his response is okay as he is working from a damn localhost and my response was coming from the live server.
Feel like strangling him for wasting my previous 30 minutes -
How do you counter DOS attack? I have one online service where an idiot just calls curl command to one endpoint.
Although my service is working and server performance is not affected, I found it annoying.
Cloudflare could be a solution, the reason I did not use before is user might have to wait a few seconds before seeing the app, but if no choice then. -
Has any of you reached a point that you want to resign from work because of a client?
We are dealing with a client at work that uses the app for prototyping instead of making designers create wireframe, imagine the amount of code to write, edit, remove, write it again and yet there is always something that isn't right from the client point of view.
What is even worse backend guys screw the server and I am the one to be blamed for errors: 5xx
I even get blamed for error 400 (bad request) when that request passes tests but out of a sudden server returns 400, when you hit refresh the exact same moment of error and server decides to return data and stop throwing error 400.
I also get blamed for server fails to return data from a search endpoint, and if server throws 403 for a public endpoint.
This isn't a rant or getting out of my system but I need opinions, I've been working on this project for a year, with complete mess from either client or backend team, if any of you is instead of me, what would you do?
I'm not a complete guy either, but that situation is just beyond my abilities to handle. -
Spending the day sending emails back and forth with your client because they can't be bothered to prepare a single overview of what properties the endpoint expects, and instead expect you to piece it together from 6 PDFs of which at least 2 contain contradicting information, another is outdated, and the last one seems to have been exported from word and is missing half the content.
Fun times! -
oh dear Lord, the live spaghetti stopped working this morning.
ColdFusion endpoint throws a 503, fuck knows why, entire front end demon spaghetti web app is stuck in a loading screen.
Whoever architected this application is an idiot. -
Just wanted to code some better public transportation route calculator (better ux) and found out that the pt company offers an API.
EVERY FUCKING REQUEST HAS TO BE SENT AGAINST THE SAME FUCKING ENDPOINT IN A POST REQUEST WITH THE ORIGINAL REQUEST AS FUCKING XML IN THE FUCKING BODY. At least they offer xsd files... BUT THATS NO FUCKING HELP. At least not that much of a help. AND THE DOCUMENTATION DOES NOT STATE A SINGLE FUCKING EXAMPLE OF HOW TO USE THAT FUCKING ENDPOINT. I FOUND THIS OUT BY SENDING RANDOM REQUESTS TO THE ENDPOINT TRYING TO REVERSE ENGINEER THE EXISTING FUCKING FRONTEND AND NOW I NOTICED THAT 80% OF THE FUCKING DOCUMENTED FEATURES ARE DISABLED BECAUSE: NOT FUCKING SUPPORTED!!!
MAAAN WHY DO YOU DO THIS.
Alternatively I'd use the GTFS files they provide but THEY ARE FUCKING INCOMPLETE AND DONT STICK TO THE EXISTING STANDARD GOOGLE DEFINED... They also offer a different proprietary format... BUT THATS FUCKING UNDOCUMENTED AND FUCKING INCOMPLETE... -
Me: I need some stickers
Devrant: Give some programming jokes
Me:
#Take as many as you want
import requests
# api-endpoint
URL = "http://devrant.com/jokes/"
# sending get request and saving the response as response object
r = requests.get(url = URL, params = "funnyprogrammingjoke")
# extracting data in json format
Joke = r.json()
# printing the output
print(Joke)
-
Wrote this little script to generate a Rant of a given user based on his Existing Rants
Code:
https://gist.github.com/theabbie/...
REST Endpoint:
https://devrant-gefgjr8gnr28.runkit.sh/...
Rant won't be very readable though. -
Asked a provider for an endpoint that returns customer usage
Provider sends back an endpoint that takes 1 minute to return one day's worth of data for 1 customer and asks we limit concurrency to 3... we have 3000+ customers with them
(1 minute * 3000 customers) / 3 = 16 hours to pull yesterday's numbers
Hope we don't get behind -
Me: Ok, we'll implement that message tech. But since the clients are servers in that architecture and can't speak IPv6 we've to use a dedicated VPN so the endpoint is able to connect to the servers (clients). Since we have limited network resources we should use VPN cert-encryption and send the actual data plain to save at least some overhead.
Boss: Ok! Let's do it!
Next day.
Boss: Hey! I talked to a guy from that message tech. Their encryption is certified. We should use that instead and get rid of the VPN to save the overhead!
Me: *unable to say a word*
What in "VPN in that architecture is mandatory" is unclear?
Well, I assume we'll kill the architecture then... Fun Time! -
API endpoint returns data on thing with id number you specify
request data on certain id numbers
gives response data on different id than what you requested
how fucking horrifying
we depend on this thing, but we don't own it at least -
I have to add an endpoint to integrate an API and I want to vomit when I think about this major security issue they introduce.
What type of prehistoric dumbass thought GET requests with username and password in the query parameters is a good idea to burden your partner with. -
In Django code, looking at a class for caching REST calls. The cache is using Redis via Django's cache layer. In order to store different sets of parameters, each endpoint gets a "master" cache, that lists the other Redis keys, so they can be deleted when evicting the cache. Something isn't right, though. The cache has steadily increased in size and slowed down since 2014 even though many events clear the whole thing!
... And then it hit me. Nothing empties the list of cache keys. Nothing. So it has been growing endlessly since 2014. And every time it grows, cache eviction gets a little more expensive, network traffic increases a little more, and cache evictions get a little slower.
Fixing this bug took things that were taking routinely an entire minute to complete and made them take a couple seconds. -
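The bug in the rant above, reproduced as an added example (not the poster's code): a dict-backed stand-in for the Redis-backed cache, where each endpoint has an index of its cache keys. The class, method and key names are assumptions made for the illustration.

```python
class EndpointCache:
    """Dict-backed stand-in for the cache described above (hypothetical names)."""

    def __init__(self, reset_index_on_evict):
        self.store = {}
        self.reset_index_on_evict = reset_index_on_evict
        self.deletes_issued = 0  # stands in for round trips to the cache server

    @staticmethod
    def _index_key(endpoint):
        return "index:" + endpoint

    def set(self, endpoint, params, value):
        key = "%s?%s" % (endpoint, params)
        self.store[key] = value
        # The per-endpoint "master" entry lists every key written for the endpoint.
        self.store.setdefault(self._index_key(endpoint), []).append(key)

    def evict(self, endpoint):
        index = self.store.get(self._index_key(endpoint), [])
        for key in index:
            self.store.pop(key, None)  # most of these are already gone in the buggy mode
            self.deletes_issued += 1
        if self.reset_index_on_evict:
            # The fix: drop the index together with the entries it lists.
            self.store.pop(self._index_key(endpoint), None)


def simulate(reset_index_on_evict, rounds=50, keys_per_round=20):
    """Fill and evict repeatedly; return (final index length, total deletes issued)."""
    cache = EndpointCache(reset_index_on_evict)
    for r in range(rounds):
        for p in range(keys_per_round):
            cache.set("/orders", "page=%d" % (r * keys_per_round + p), {"round": r})
        cache.evict("/orders")
    index_len = len(cache.store.get("index:/orders", []))
    return index_len, cache.deletes_issued


if __name__ == "__main__":
    print("index never reset:", simulate(False))
    print("index reset on evict:", simulate(True))
```

Without the reset, every eviction walks all keys ever written, so eviction cost grows with the age of the deployment rather than with the size of the live cache.
-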
So we have this team that deploys some code. We had a change in that code that "we" forgot about. Turns out, a dev on our team decided it would be cool to rename an endpoint. Why? Great question. Because. So this code gets deployed, but the call to that endpoint didn't get deployed. System 2 tries to call the endpoint, 404. We roll back, we're searching, after like an hour, we find it. We go to TFS to see who did it. The dev grabs my keyboard and starts checking diffs, somehow managing to skip their commit (from 5 months earlier). I take back my keyboard and *surprise* it was the commit that was skipped. WTF? Why did you rename that endpoint? What do you mean you didn't do it? It has your name right there!
-
Everyone in this team calls everything a team effort, but once I start offering my help, they be like "no, I can do it. I know more than you".
Hmm. yeah, but you (sysadmin) use jQuery and vanillajs mixed. For example: $('#hello') and document.getElementById('hello').
Also you put console.logs everywhere, I don't mind putting console.logs in development, but not in production.
Oh and he copies the libraries to every folder that needs it, so there are at least 12 jquery libs in this project and the version is not even the same. Lol.... Please slap me to death.
There is another networkadmin that calls himself a (python) developer. He doesn't agree with my simplicity.
His work (just an example, changed names but you get the idea)
"A notebook that is used by x-department"
Model: Notebook
endpoint: department-notebooks
Model: DepartmentConfigs
Endpoint: notebook-department-configs
You won't believe what he put in 'department'configs, it's literally hardware vendor, model, versions.
Like... really? What the hell you doing man?!
Just have these models for example: device, department, vendor, product, category
We do not only have notebooks, but also servers, routers, switches and more.
His argument of having configs in the name is that they do more complex things. Hmm, I don't see it in the code and the data is messed up:
Microsoft, microsoft, micro soft.
He fixed it by hardcoding it in a select box. Mickysoft isn't the only vendor, fuck you!
fuck this team, fuck these people
Another fucking rant, a story was assigned to me. But that stupid fake developer worked on it immediately and messaged me he fixed it already. I guess he won't let me touch his baby.
Everything is just piling up. This team and people aren't fun at all. -
16 files (!) to create a rest endpoint that does nothing (returns an empty wrapper message).
WTF spryker? are you fucking kidding me? -
Using an api: ok, this url (.../xml/endpoint) gives me an xml-document. Oh, and there is a node whose text contains html markup, interesting.
Using the same endpoint, but requesting json: yep, that's the same data, there even is this big html string and... why is this string in a json object wrapped inside "<![CDATA[...]]>"?
If I ever see a courtroom from the inside I'll plead insanity. -
Fuck api docs which are blatantly wrong. Wasted several hours on building an API client with pagination according to the api docs.
Turns out the actual implementation did not follow its own spec / api doc and returns values without pagination. And some objects are not objects but arrays.
I mean, next time I build an API client, I'll just fire a dozen requests on the endpoint, see what it wants and see what I get and maybe guess right what it actually does. -
After two weeks of isolation, talking to my GraphQL endpoint almost feels like talking to a human.
-
Fuuuuuuuuu....uuuuuck!!
My net went down..in the middle of a fuckin update.. then my phone data took forever to fuckin locate our vpn endpoint..
Who said WFH is stress free?! O.o
I wanna go back to da office😭😭😭😭😭 -
Wrote some unit tests to check for 404 errors that called a fake endpoint key...
Months later create that same endpoint key for unrelated reasons and spend a half hour trying to figure out WHY ON EARTH the 404 tests are all failing...
🤦♂️ -
When I hit the endpoint from Postman it works. When I hit the endpoint from my application that pushes data to the endpoint it doesn't work, returning a 404 status code. I KNOW the endpoint is there and operational and that both Postman and my application have the same endpoint configured, letter for letter.
So lost. So confused. What the hell is going on.
I decide to install Fiddler to monitor the traffic to see if I can see anything helpful.
I initiate the request again from the application and immediately see that the request size is huge. BAM. It immediately hits me, the payload to the endpoint is too big and the server is "rejecting" it with a 404. I post a smaller request with the application and it works fine.
Yay, saved by Fiddler.
Why does the endpoint default to 404 in such scenarios. The definition of 404: "the client was able to communicate with a given server, but the server could not find what was requested"
In my case, the 404 returned was a red herring. I understand that the substatus code gives more information on why the 404 was returned, in my case the request size being too big, but 404 in general feels like the wrong status code to return because the endpoint IS there. It made me troubleshoot the wrong thing.
Thanks, IIS. -
the api endpoint for retrieving user-data in an alexa skill might as well be api.eu.amazonalexa.com WITH .EU
this is not as well documented as it should be and did cost me several hours until I saw it by accident analyzing the request-data another time...
you're welcome. -
Past month I had been working on a JSON hierarchy construction from flat rows returned by query where some bugfuck had introduced pagination for some damn reason, I never gave a flying duck to this till I get an email from one of the clients who supposedly made a complete hierarchy and my endpoint wasn't returning some hierarchy after some levels.
Frustrated that in my service layer there is a bug, I debug to realise only certain rows are getting sent back from the query and, ebullient from this fact, I put the bug on the DB person and walk off for a smoke.
After a smooth drag, I realise while closing the email on my phone that this client had entered 10 on pagesize which would indeed just return 10 rows. *Facepalm* I didn't even need to debug all this and now I had to face a DB person I just plastered a bug on. BAHHUMBUG -
My conversation with Avalara support (API for taxing):
Me: Hey I'm implementing your API for a client. The requests are going through, I get a valid response back but all goods are taxed with $0. Can you please give me a hint what I might be missing?
Sup: You're using Salesforce Commerce Cloud, requests might be blocked through their firewall
Me: I don't think so, here are some sample requests and responses I just created. The object returned matches the one in your API Doc.
Sup: This isn't a system controlled by us, no support.
Me: So how in the world can it be you don't control your own endpoint?
Seriously, if you don't want to help, next time just say fuck you... -
GraphQL fans, please read the whole rant until you jump in the comments.
I get it, when you have multiple data sources (that aren't always proper databases), your stuff is relevant.
But most of the people use GraphQL when they have a single database. In that case, native joins are always faster than GraphQL dataloader N + 1 BS you have. It takes less time and less code to go to the backend and write an endpoint for the frontend with a DB query than write several GraphQL ones on the frontend and then combine the data with imperative JS. It will work faster too.
So why the fuck should I use GraphQL at all? -
is soo cool when people is up to joke around with my bad jokes.
-- Talking with a coworker about a new button in a results table --
dude: hey jhon, I'll name the button 'SHOW RESULTS' and the endpoint will be named that too. cuz there is a 'SHOW STATS' already
me: dunno, use something more meaningful, this is about unparsed results, right? so what about...
me: unparsed results ? unparsed stats ?
me: another one bites the dust? show must go on?
me: innuendo?
me: pick one 8D . But I think innuendo is pretty descriptive
dude: ok
me: seriously, 'show unparsed stats'
dude: got it
-- then the dude sends me the screenshot --
me: LOL, 8D
me: you got my respect man (_ _) -
so i made a JSON file to collect devRant projects
it can be accessed by a get request to the API endpoint:
https://raw.githubusercontent.com/j...
I'm pretty sure the api will always work even in the future, as long as github exists
most of the projects at this point ~40 come from the devrant-awesome Github repository made by Skayo.
If a project is missing feel free to create an issue!
the use cases are to bring projects closer to users, by showing them in clients.
and I've also added an implementation of it to skyRant (see picture)
the github https://github.com/joewilliams007/... -
For the love of god, why in the world are coworkers so prone to overflow with pointless information? I don’t care about which db you use when I am a frontend, just tell me the f*cking endpoint to use ffs! Nor I care about the FE framework when I’m working on the be and most of all I don’t care about the reason behind a formula you use to calculate a freaking param, give me the goddamn formula or its name 🙄
Please tell me I’m not the only one getting triggered by coworkers explaining useless things, cause lately it’s so annoying -
Domain-Driven Design question:
I am working on a simple case to teach how to apply DDD, my case is as follows:
Simple forum with Author, Moderator and Users.
I am using Dotnet core for this. I am not sure how and where I should implement authorization:
1. Author can edit his posts only
2. Moderator edits any post
In dotnet core, we handle roles, policies in the api layer, and its per endpoint, I have an identity layer which handles accounts, registering roles and policies in database.
But I'm not sure if I should or how to handle authorization based on permissions in application layer. -
I once had to fix a webservice endpoint another developer added that accepted any file from the public internet and loaded it directly onto an NFS file mount with the rest of the site's image assets and then inserted a record of the file into SQL via a hand-stitched query with parameters from the endpoint.
I was working for a large enterprise company at the time... I was very disappoint. -
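The endpoint described in the rant above, sketched as an added example (not the original service's code): the hand-stitched query as the "before", next to a handler that checks content type by leading bytes, chooses the stored filename server-side and binds parameters. The table layout, function names, size cap and sample inputs are assumptions constructed for the illustration.

```python
import os
import secrets
import sqlite3
import tempfile

MAX_BYTES = 2 * 1024 * 1024  # assumed size cap for this sketch

# Leading bytes of the image formats accepted here, mapped to the stored extension.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}


def stitched_insert_sql(client_filename, uploader):
    """The 'before': request parameters pasted into the SQL text."""
    return "INSERT INTO uploads (client_filename, uploader) VALUES ('%s', '%s')" % (
        client_filename, uploader)


def sniff_extension(data):
    """Return the extension for a recognised image signature, else None."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(db, upload_dir, data, client_filename, uploader):
    """The 'after': validate content, name the file server-side, bind parameters."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    ext = sniff_extension(data)
    if ext is None:
        raise ValueError("not an accepted image type")
    stored_name = secrets.token_hex(16) + ext  # client name never becomes a path
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL refuses to overwrite an existing file; 0o640 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    db.execute(
        "INSERT INTO uploads (stored_name, client_filename, uploader) VALUES (?, ?, ?)",
        (stored_name, client_filename, uploader),
    )
    db.commit()
    return stored_name


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE uploads (stored_name TEXT, client_filename TEXT, uploader TEXT)")
    upload_dir = tempfile.mkdtemp(prefix="uploads-")

    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed bytes with a PNG signature
    script = b"#!/bin/sh\necho hello\n"        # constructed non-image content
    name = "o'brien.png"                       # ordinary filename containing a quote

    try:
        db.execute(stitched_insert_sql(name, "alice"))
        stitched_error = False
    except sqlite3.OperationalError:
        stitched_error = True  # the quote changed the statement's structure

    stored = store_upload(db, upload_dir, png, name, "alice")
    try:
        store_upload(db, upload_dir, script, "logo.png", "alice")
        rejected = False
    except ValueError:
        rejected = True  # extension says image, content does not

    rows = db.execute("SELECT stored_name, client_filename, uploader FROM uploads").fetchall()
    return {"stitched_error": stitched_error, "rejected": rejected, "rows": rows,
            "files": sorted(os.listdir(upload_dir)), "stored": stored}


if __name__ == "__main__":
    print(demo())
```

A signature check only narrows what is accepted; keeping uploads in a directory separate from the site's own assets and serving them with a fixed content type still matters.
-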
Trying to use a coworker's new API endpoint and I keep getting an "OAuth2 Bearer Token missing" error, despite triple-checking that I set the Authorization header correctly... finally dig into the source code and I find out that all their endpoints require that the bearer token be put into the request body. The fuck?
-
Working with a SOAP endpoint. I know it is some .NET server due to the style of stacktrace on exceptions. Nice, a framework where I can expect some type safety granted by static types. I build some xsl to transform the SOAP wsdl files into classes and structs to interact with the endpoint. Works out perfectly.
Plottwist!
Elements which are defined in the xsd/wsdl with maxOccur=unbounded and minOccur=0 should represent a simple collection of this type. Therefore does my implementation expect a collection of this type. But no. The shipped SOAP client in my stack ignores the definition and simply deserializes the SOAP response into T and not a collection of T.
Where the duck are the types when they are defined all over the place? -
Didn't find a proper API to send chat messages to an MSTeams channel.
Didn't want to rely on third party tools.
Creates webhook endpoint, promptly creates my own API using JSON cards and requests to said endpoint.
Didn't know how or why it worked but it did. -
Our original backend codebase used so-called "clean architecture" and really put the Java back in JavaScript (actually TypeScript, but hopefully you get my meaning).
For every endpoint I want to create, our design needs at least two classes that are basically callable singletons. If my understanding doesn't fail me, it could have been simple old functions... I think? -
Do webhooks have some data structure standard, or it's just HTTP POSTing on a specified endpoint with JSON?
-
at one point in time, i had to work with a really junior backend team, they used javascript and neo4j as the database for an in-house developed community forum because "graph databases made sense" in the eyes of their tech lead
turns out that the team struggled quite a bit with it, and had some "unexpected complexity" problems when i asked them to add filters and sorting on the post endpoints
in the end, the "solution" they gave me was an endpoint that spewed ALL the posts so i could sort it in the front end
had they kept the same relational database they were using for the rest of the whole project, i'm quite sure it wouldn't take much to implement that (and their architecture was really performatic)
as a side project i rebuilt the whole forum in a weekend, but using postgresql as database, and it worked nicely, i even added some unit tests just for fun
gave myself a really big slap in the face after that, though -
Working for a startup building a device / app that let you answer your landline phone on your mobile, and get notifications of missed calls etc.
While developing I purposely didn't secure the endpoint that controlled push notifications.
I waited for the boss to sign up, went to the DB and stole his token. From time to time i'd send a request telling him he missed a call from his wife or son.
... then kicked back and watched the madness and frustration ensue. -
How 2018 brings an aww bug.
At my company, we've a reporting application. Which kind of provides analysis of client's weekly business. When you open the application it shows their business trend starting from Sunday to day of week.
As usual there is an endpoint to get the data basis on start date. As soon as date changed to 1st Jan, it stopped showing data. Given that it was a long weekend, no one was available from the tech. Support team got tremendous amount of tickets for this. Later on Tuesday while debugging we got to know while forming the date in the application the logic was like this
- get current year
- get the date and month on start of week
Combine these 2 and request the data. All the time it was fetching data starting from 31 Dec 2018.
😒😒😒 -
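The date logic from the rant above, as an added example (not the application's code): the described year-plus-month/day combination next to the plain week-start date, plus a scan for which days of a year disagree. Function names are assumptions; the week is taken to start on Sunday as the rant states.

```python
from datetime import date, timedelta


def week_start(today):
    """Sunday on or before `today`."""
    # date.weekday(): Monday=0 ... Sunday=6, so days since Sunday is (weekday + 1) % 7.
    return today - timedelta(days=(today.weekday() + 1) % 7)


def start_date_buggy(today):
    """Logic as described: current year combined with month/day of the week start."""
    ws = week_start(today)
    return date(today.year, ws.month, ws.day)


def start_date_fixed(today):
    """Use the week-start date as a whole, including its own year."""
    return week_start(today)


def affected_days(year):
    """Every day in `year` on which the buggy and fixed start dates differ."""
    out = []
    d = date(year, 1, 1)
    while d.year == year:
        if start_date_buggy(d) != start_date_fixed(d):
            out.append(d)
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    jan1 = date(2018, 1, 1)
    print("buggy:", start_date_buggy(jan1), "fixed:", start_date_fixed(jan1))
    print("affected in 2018:", affected_days(2018))
    print("affected in 2017:", affected_days(2017))
```

The defect only shows in years where 1 January is not a Sunday, and only until the first Sunday of January, which is why it can sit unnoticed until a new year begins.
-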
"Oh yeah I made a new endpoint, and I just pushed the logic for it wherever I wanted without following any of the project's guidelines or structure. I didn't write any tests or documented it anywhere either. I kinda felt there was already an endpoint for it (there was) but I couldn't be assed looking for it in the documentation"
Die. -
ah yes. have to add the permission for literally any specific endpoint on AWS for my root user... love it
-
- music
- music
- music (sometimes I ask myself if these Spotify Artist-Radios have an endpoint.🤔)
- and sometimes take a break for answering my girlfriend's *ss long textmessages. :p -
So I was reverse proxying this new Social network app's API and saw an interesting endpoint
It was a websocket relaying what each live user's doing every 2.5s, to power the "xyz typing" under a post, or a simple online/idle.
The app's "live posts" ie most-recently created posts was also powered by it since they knew each user's state (instead of a periodic API call)
The performance is good even tho it's a new company + enough users
but now I'm curious how prevalent state-management is using such websockets .-.
if not taxing, I might move any API call which I've to ping every 15s or less to a live WS -
When integrating our system with a 3rd party company to use their billing system, we had a Hangouts chat so we could ask things about their documentation, API, etc...
Me: *explain the problem and how I tried to solve it without success, and proceed to ask 3 things*
*2h of silence*
3rd.p: Good Morning
Me: Good Morning
*another 2h of silence*
Me: ...and?
*1h of silence*
3rd.p: *answer randomly one of the questions*
Me: ok, and the other two questions?
*silence until the next day*
Me: ???
3rd.p: *answer one question and says that the other will never happen*
Me: but... I've just sent a request to your backend and it happened!!!
*2h of silence*
3rd.p: No, you are reading this wrong, we didn't respond that
Me: This is the endpoint i'm calling and the request's payload, send this to your backend.
*silence until the next day*
(and this continues to almost 2 months to complete the integration that should not need more than 1 week) -
I don't get why the company where I work is pushing a new cloud platform to create website with.
So yesterday I dove in a website(that an intern made) to make a search and filter on some items.
I thought sure, just finished a website with a lot of search thingies and filters.
But this intern wrote 500 lines of code to just get items from an API endpoint. Dude really why??? Ok, your cool an all and you definitely have skills, but this is just ridiculous.
Burned a day on the piece of shit, while this is in a stupid cloud platform. Without even es6 to write JavaScript. I could have written the whole thing in React in just one day!!
Just work locally on your machine and put your code in a git repo. And deploy when finished. That's how I like to work, but no, this company wants to keep pushing this cloud platform.
For fucks sake, just let me code! And don't let me use vs or that stupid cloud platform. -
Today I spent 9 hours trying to resolve an issue with .net core integration testing a project with soap services created using a third party soap library since .net core doesn't support soap anymore. And WCF is before my time.
The tests run in-process so that we can override services like the database, file storage, basically io settings but not code.
This morning I write the first test by creating a connected service reference to generate a service client. That way I don't need to worry about generating soap messages and keeping them in sync with the code.
I sent my first request and... Can't find endpoint.
3 hours later I learn via fiddler that a real request is being made. It's not using the virtual in-process server and http client, it's sending an actual network request that fiddler picks up, and of course that needs a real server accepting requests... Which I don't have.
So I start on MSDN. Please God help me. Nope. Nothing. Makes sense since soap is dead on .net core.
Now what? Nothing on the internet because above. Nothing in the third party soap library. Nothing. At this point I question if I have hit my wall as a developer.
Another 4 hours later I have reverse engineered the Microsoft code on GitHub and figured out that I am fucked. It's so hard to understand.
2 more hours later I have figured out a solution. It's pure filth.. I hide it away in another tooling project and move all the filth to internal classes :D the equivalent of tidying your room as a kid by shoving it all under the bed. But fuck it.
My soap tests now use the correct http client with the virtual server. I am a magician. -
My workplace is still using xml based configuration, and non-spring boot projects.
So every spring boot tutorial I find feels like "Look at how easy you can get this running" and then it's just actually a toy you can't get into production.
Also it kind of bugs me that you need to be online to actually be able to initialize/create a spring boot project and every single tutorial says so.
You can make a local network m2 repository, but can one make a spring initializer service?
Either way, migrating every single project to Spring boot is a no-no,
And I'm stuck with like 5 prototypes of SSO integration from which only 2 work, and the other 3 have their own problems.
One does redirect to the login and all, but the SAML endpoint gets 404 on response when you log in.
One is on OpenID Connect, but I would need to update the project from Spring 3 to Spring 5 to get it working, which upon attempting to do seems to break everything else.
One has an external library handling the security context just the way we are accustomed to, but it only does a 401 forbidden when you go without logging in and I'm starting to think it is actually one of those that require you to extract the token or something manual like that, which wouldn't work for us
The other two are spring boot tutorials that worked out of the box, both SAML and OpenID, still can't use those for the main projects.
I'm tired of dealing with this configuration hell, been two months at this, I want to get features done as usual, not be stuck configuring stuff that might or might not work.
Rant aside, I think I figured I need to use a different Security adapter, but I needed to vent. -
Deciding to make the website I'm working on a one pager with calls to API.
Why did I decide to make such an extensive API. 😅
API functionality includes:
user endpoint:
- log in/out
admin endpoint:
- edit user
- create/delete user
- create (sub)menu categories
- create items (install/test/image)
image endpoint:
- create image (of machines in array)
- restore image (of machines in array)
install endpoint
- install machines (Windows/Linux)
test endpoint
- auto-test (array of machines)
- test (array of machines, test)
Then the machine endpoint:
- if action in table then do action -
So my endpoint management has started flagging up TikTok as containing malware, specifically hiddad.b. Can anyone confirm this? Anyone got a decent antivirus on their Android?
-
Most actual GraphQL explanation:
1. Still uses your xhr/fetch/axios on FE
2. Just sends all the requests to single endpoint
3. On BE uses its own resolution schema to call proper controller to handle the request, rather than relying on router for that
That's all!
Just another useless layer of abstraction with its learning curve, tricks and bugs, as ORMs are -
You know what sucks?
APIs with the latest data, but without the latest endpoints.
What the fuck? You did the data, why not the endpoint?? -
> Client: Could you check for me where did they[code authors] put logic for this and that
> Sure!
> okay, api endpoint here, hmm
> oh sure here is the database access
> where tf is some logic....
> fml, am I blind, lets check frontend
> FUCK
> it's there
> it's on frontend
> and backend just puts it into database, no checks
> FU0!@#% )(#*%)H )F+#+!!@!
> *to client* We need to talk about future of this project. -
For everybody wondering what the new endpoint is...
/api/me/subscribed-feed
You can also provide a `filter`, which is comma-separated with the possible values:
- posted
- commentedOn
- liked
"View more suggested users" does NOT load more. It simply doesn't show everything from the response.8 -
Develop all my Lambda functions, create endpoint for what I need, set up CORS to * for the time of development... And Chrome fucks me with a CORS preflight ERROR. What the actual fuck with this shit security easily bypassable...
Me: it's enough for today. Change project folder 😐 -
How the fuck is Firebase still a thing? I just spent hours debugging a random "not authorised" error, only to find out you need to enable a deprecated API even if you're only using the new (recommended) one. Do they tell you about it? Fuck no, they keep it disabled by default, they tell you to only use the new API, and they make it pretty much impossible to find the deprecated API you need to enable without a direct link.
And why the fuck does the official SDK send image URL as { "imageUrl": "http://..." }, when the endpoint expects it to be { "image": "http://..." }? Why the fuck does the documentation mention both options interchangeably, while only the latter one actually works? -
So I just saved myself like a day of work.
My boss wanted me to make a new endpoint for a webpage I'm working on. Ok, spent yesterday afternoon planning it out.
Come in this morning, ready to write it. Look through our api docs. Turns out we have almost the exact endpoint I need, minus 1 simple field. Add the field (1 line of code).
Everything is looking good, I'm a day ahead of where I planned to be. I just wish my boss had told me of the endpoint earlier.
Planning and good docs pay off. -
I built an api to sync data between two systems. It is simple, if I have new data to send, I call their api with data. If success, get Json response back or error if not.
Today the guy from other side asked me for "acknowledgement" endpoint. I was literally WTF?
He explained to me very clearly, when I call their api, it can be either success or fail, so for those success or fail, he will send the response to my "ACKNOWLEDGEMENT ENDPOINT" to tell me if success or not.
*facepalm* -
Long story short:
My system needs to talk with a 3rd party PoS API. The provided doc is pretty useless and with a few errors.. nonetheless I came to finish the 99% of the job.
I was stuck on the 1%, one frickin function.
Every time I would call the endpoint I would receive...NOTHING. Just a 200.
I've spent like 5 hours trying everything, even sending wrong params...nothing...
Always 200 and nothing else.
Apparently, for an entire nation and the IT Company behind them, it is ok to have A PAYMENT API TO RETURN VOID AND A 200 NO MATTER WHAT.
I got the luck/unluck that the main developer of such piece of art came in the office and I almost threw him out the window (we are at 26th floor).
FUCK OFF DUDE. YOU AND ALL THE OTHERS THAT DO LIKE YOU DO.
P.S. in these days I'll try to write the full story, but it's hard without giving many details...small anticipation: 1.5 months of work and nothing but red bull and coffee... -
/rambling
Arghhh!
Okay, so have just been having a play with Mailgun's webhook functionality (a client finally has a decent use for these).
I set up a test endpoint that sends a mail via Mailgun and then handles the POST data too. It emails myself the raw POST request response from Mailgun when I open the email. Mailgun fires an event on their end when they detect the message has been opened.
All is good apart from Mailgun are posting multiple requests for each event, which is annoying.
After an hour messing around and getting annoyed I have a complete face palm moment.
In my test script Mailgun is called to send my notification email! So I'm creating multiple events for the same test message.
i.e. send original message, receive post back from Mailgun to my endpoint, my script then emails me the result using Mailgun. The latter itself generates its own events again.
Sooooo stupid of me to not notice something so obvious :( -
When I was working on my dissertation project. I was implementing a video sharing platform. Using Dropwizard for REST. I wrote the entire endpoint for uploading a video in one session. I was just taking a stab at how I thought it could work. Tested it in Postman expecting to get some kind of error.
And it worked first time. -
FUCK. YOU. AYLIEN.
- For your shitty hashtag generator, that generated #FCBarcelona for a game review
- For your shitty classification endpoint
- For your shitty sentiment analysis that only works in the demo
- For your shitty image tagging that clarifai is way better at
- And for your "semantic labeling" that doesn't work
FUCK YOUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU2 -
"You shouldn't mark things as done if they aren't. It's only done when I can see it on the server and demo it."
Well, I just demoed it to you, you prick. The fact that it's not running on a server is because that AWS endpoint we have there is nowhere near being able to be called "staging" even, mainly because the other dev on the team hasn't committed their work in 8 days, let alone pushed it to said server. Data models have changed, APIs have changed, hell, the god forsaken Sahara desert is now green and blooming as far as I'm concerned.
So instead of trying to look smart to your boss, why don't you ask first you obnoxious waste of organic matter. Stop breathing our oxygen for once. There are more useful things to do with it. -
I am working on a freelance project for a software dev startup. The api service endpoints given to me are so full of errors that you can boldly say it's zero percent tested and you'll be correct. The project was meant to last for a week but now it's going to a month due to the errors I have encountered while working with the given API service, so more like a back and forth wait for an update kind of thing. I am close to done building the client but yes they cannot test my last update because someone updated the login endpoint which now returns 500 internal server error. I really want to vent out my frustration to this company without losing them to the project but honestly I don't know how to do it.
Edit: Just for a side note, about the relationship: this client is my former company. -
Have a SOAP service but need REST service since it is in fashion?
Easy, make an endpoint and ask for the entire body of soap (yes, in xml) in body of rest request. -
We had made an api which had endpoints for each different domain model, so /user, /company, the usual. Beyond being restful they all had basic filtering and pagination.
We also had an endpoint to return an entity from any set based on guid for when you needed to attach the related entity to notifications and logging and such.
We received a bug report on how you couldn't use filtering or pagination on this endpoint, and after weeks of asking what they need it for we just had to implement it.
You can imagine how non-trivial it is to "just" filter across different datasets, but we eventually got it working so now you can get a user via /user/123 or /entity?type=user&id=123. They only use it for one type and id at a time. -
JS ♥️
Wasted almost 2h on this, wondering why Chrome wasn't hitting the breakpoint:
$.ajax({
url: "/Controller/Endpoint",
type: "GET",
sucess: function(data) {
debug;
},
error: function(error) {
console.log(error);
}
}); -
Wanted to try a new alerting based on a new Prometheus metric we added. To trigger an alert we killed the dev stage db of the service. Alert didn't get triggered. The reason was that the metrics endpoint suddenly needs exactly 60s for a response if the db is killed and prometheus timeout is 20s.
And to top it off, this behavior happens for each service we developed (that has a db).
Well at least the new alerting already helped find a bug. -
BLOODY FIREFOX DEVELOPER TOOLS
I was troubleshooting an app (inside container) hitting an endpoint. For debugging purposes I tried hitting the endpoint from my machine, but always got a 404.
So in the Firefox developer tools under the network section you see all of the requests happening. Every request, application/json or url-encoded, lists its parameters inside the 'parameters' tab. I thought that means those parameters were inside the request body.
Turns out I should have sent the parameters as url encoded instead of POSTing JSON as the request body. This took me way too long.
Why not display the request url like http://url?key=value ... Firefox? Eh? -
My most recent workaround occurred last week.
We have a demo very soon and I had to change our iOS app to use a new Web API endpoint for uploading content.
Long story short: The existing code is so awful and rigid and dependent on Core Data that I ended up having to completely bypass the service layer of the app and implement the new endpoint as a raw HTTP request. It's gonna take a long time to refactor the existing service layer. All because the new endpoint has a different content type. -
Follow up rant: https://devrant.com/rants/4943574/...
(Funny link btw.)
I tell him "Fine, upload it to the GitLab repo I created a week ago and you never used it." on Friday.
Today, the day *before the presentation*: "Here, have the GitHub repo, ask for permission and you're all set up.".
He's getting the boot. -
Hey, I got this new web project, but to be honest I haven’t coded much web in a few years and I’ve heard the landscape changed a bit. You are the most up-to date web dev around here right?
-The actual term is Front End engineer, but yeah, I’m the right guy. I do web in 2016. Visualisations, music players, flying drones that play football, you name it. I just came back from JsConf and ReactConf, so I know the latest technologies to create web apps.
Cool. I need to create a page that displays the latest activity from the users, so I just need to get the data from the REST endpoint and display it in some sort of filterable table, and update it if anything changes in the server. I was thinking maybe using jQuery to fetch and display the data?
read full article at https://hackernoon.com/how-it-feels... -
* le me develops endpoint using serverless on AWS Lambda, forgets to enable cors *
Le front end dev: Your endpoint doesn't work. Gives me cors error.
Me: but that works on POSTMAN
le front end dev: We are not shipping it with postman.
*fml* -
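Both CORS rants above (the Lambda function with CORS set to * and the endpoint that works in Postman) come down to the same thing: the browser sends an OPTIONS preflight and enforces the answer, while Postman never does. The handler below is an added example, not code from either post; the allowed origins, header lists and the API Gateway proxy event shape are assumptions.

```javascript
// Added example, not code from either rant. The origins, the header lists
// and the API Gateway proxy event shape are assumptions.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // constructed production origin
  "http://localhost:3000",   // constructed local dev origin
]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Header case varies by client and gateway, so look names up case-insensitively.
function header(event, name) {
  const headers = event.headers || {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Echo the caller's origin only when it is allow-listed, instead of "*".
// "Vary: Origin" stops a shared cache from replaying one origin's answer
// to a different origin.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
    "Access-Control-Max-Age": "600",
    Vary: "Origin",
  };
}

function respond(event) {
  const cors = corsHeaders(header(event, "origin"));

  if (event.httpMethod === "OPTIONS") {
    // Preflight: the browser asks permission before a non-simple request
    // (JSON body, Authorization header, ...). If this branch is missing,
    // the browser blocks the call even though the GET/POST route works.
    const wantedMethod = header(event, "access-control-request-method");
    const wantedHeaders = (header(event, "access-control-request-headers") || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    const allowed =
      cors["Access-Control-Allow-Origin"] !== undefined &&
      ALLOWED_METHODS.includes(wantedMethod) &&
      wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    return { statusCode: allowed ? 204 : 403, headers: cors, body: "" };
  }

  // Actual request. The CORS headers must be on this response as well,
  // or the browser discards it after a successful preflight.
  // A request with no Origin header (Postman, curl) is still served: CORS is
  // enforced by the browser, not by the server, so it protects browser users
  // and does not replace authenticating the caller (out of scope here).
  return {
    statusCode: 200,
    headers: { ...cors, "Content-Type": "application/json" },
    body: JSON.stringify({ ok: true }),
  };
}

// What a Lambda deployment would export as its entry point.
const handler = async (event) => respond(event);
```

-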
I really hate working with learning management systems (LMS).
I make training simulations for retail companies and some of these have the worst, backwards LMS's out there.
The providers who install and manage these LMSs for the companies always insist we make our training run inside their own environment, but we can't since it's a 3D training made in Unity that doesn't run well in a browser.
Luckily some of these are fine to figure out. Just a few API calls here and there for authorization and reporting progress, but some are an absolute nightmare.
Just now one of the providers provided me with a 2000 page documentation of all the functions of the LMS's API that our customer is using. All I need are like 5 pages that explain what URL to call with what data and the responses, but now I'm stuck spending days trying to find the 0.5% of this documentation that I need to communicate with their API.
And of course, the documentation is vague as all hell. Minimal descriptions of what each endpoint does. Subject names are super vague, as in do I look for course progress or lesson completion state. What the heck is a Learning Event, is it relevant to me?
And the errors in this document, too.
Bullet-point lists with duplicate items.
Language errors everywhere.
Property lists where they copy-pasted the description of properties.
An entire EMPTY chapter, literally a page with only the chapter's title.
I just can't stand how these providers barely seem to know anything about the API of the LMS's they provide to customers.
(for clarity, the LMS is produced by some big tech company, it's installed and maintained by some 3rd party which is our main line of communication when rolling out trainings to these).
It always goes like: "Hey, we want to use your training." "Oh, that's great, we have our own, simple LMS where you can view your employee's progress." "Nah, we want to use our backwards LMS. Here's a giant manual about its API, go figure it out!"
And then I'm left here tearing my hair out trying to figure out which 3 calls I need to send their API from the tons of extra stuff it can do which is completely unnecessary and being unable to rely on the provider because they lack the knowledge and have such thick skulls about the implementation of the LMS itself that they also seem completely unwilling to help to begin with!
Just another day at the office. -
tried to stress-test an authenticated websocket endpoint (that makes 2-3 DB calls) by opening closing randomly and it crashed after 20-30 times within a few seconds
I was focused on the middleware glitching out, but error was in the DB-Postgres coz of multiple-connections
Even if I increase the upper limit of simultaneous open connections, the problem at-scale will still exist
If I tried to use a static forever-open connection, it errors out coz 1-command-at-a-time per connection
so im constrained on both sides -.-
Either I rate-limit the endpoint in general and force-close open connections or I cache Organisation-level info that rarely changes
this is one of the few times I miss MS-SQL, it can take a beating but still serve without much complaining or losing data consistency -_- -
Web API: "Oh, I see that you're trying to update to our new design with a category and sub-category dropdown layout. Here's one api endpoint that provides you the whole table without fucking input parameters to filter per category and sub-category. Good luck! And have fun filtering through the json and sub-json response!
And btw, don't even bother asking me to update the endpoint. Cause admin already said that the UI SHOULD ADJUST TO THE API AND NOT THE OTHER WAY AROUND. AS THE APIs ARE HARDER TO REVISE"
It's not our fault your api design is crap. You piece of shits. -
so some controversial opinions
Our company is moving most of our code style to snake_case, even the JavaScript. Here's our reasoning:
Take the CustomerAccountMembership model. In our Python server, we would access it as obj.customer_account_membership, in JavaScript as obj.customerAccountMembership and our API endpoint as api/path/customer-account-membership. Thus we had several String utility functions such as `camelize`, `kebabChop` (which is ironically camelCased) and `snakeify`, and we would use them in translating from URL path to JS to Python, which was troublesome.
Now HTTP allows _underscores_ unescaped and they do not carry any significant meaning. JavaScript also accepts it as a valid character in variable names. On the other hand, HTTP is strictly lower-cased, and all computer languages use the -dash- to signify subtraction. Sooo the _underscore_ is the only style that is compliant everywhere.
Unless, of course, we go with customeraccountmembership, which I refuse to do.
I'm not that deep into code character rules.
Opinions? -
Hey devs, I'm working on an API for public because I'm bored, it's handy thing like an IP endpoint that says your IP, I'm looking for some more ideas so if you have things that are handy tell me and I implement them.
-
When you're using openapi generators and stuff for generating SDK code and let "the architect" handle the data structure and nomenclature, don't you hate having to add 33 (I counted) models, most of which are just the same class with different name or one property apart from each other, serialization of which gives request body overhead 56-132x (actual calculated results depending on the model complexity) the size of actual data you want to send, just to add support for one endpoint that needs just one model that started this whole madness?
I just had to add this one top level model reference and this happened to me. Those 33 models are not including the ones I already had included in my project so they didn't have to import them again.
For the love of <your_belief_here /> and all that's holy, never ever agree on generating code based on openapi if the person responsible for that is inexperienced. It will do more harm than good, trust me.
Before we decided to go with generated SDK my compiled product was a bit over 30KB, and worked just fine, but required a bit of work on each breaking API change. Every change in the API requires now 75% of that work and the compiled package is now over 8MB (750KB of which is probably my code and actually needed dependencies).
Adding an endpoint handler before? Add url, set method and construct the body with the bare minimum accepted by the server
Now? Add 33 models (or more), run full-project find&replace and hope it will work with the method supplied by the generated code, because it's not a mature tech and it's not always guaranteed it will work. -
Fuck MS, why couldn't you update the NuGet API URL when NuGet updated? The warning on nuget.org states,
"This package will only be available to download with SemVer 2.0.0 compatible NuGet clients, such as Visual Studio 2017 (version 15.3) and above or NuGet client 4.3.0 and above"
It says nothing about using the V3 endpoint, so if you're like me and updated NuGet to 4.5 and still got nothing but
"NU1101: Unable to find package Foo.Bar. No packages exist with this id in source(s): https://www.nuget.org/api/v2/"
...then you'll be very confused until it strikes you that there might be a new API version. Even if MS doesn't want to deprecate the V2 API just yet, it would be awfully nice to just state on the frickin' site that not only do you need NuGet >= 4.3.x, but also the correct feed URL.
$_DEITY knows how many dev-hours have been lost to this shit. -
Getting a CodinGame puzzle's description without scraping the page.
I spent hours playing with different endpoints and changing values in postman, all to no avail. The most promising endpoint also returned user progress, which requires authentication, which requires a dummy account, which is against their ToS (it is allowed to reverse engineer the API though).
Turns out you just had to submit “null” for your user ID and it would remove the progress field.
Why is this tagged bad design?
["puzzle-id-string", user-id-as-int]
For almost anything, you POST json arrays...
Send help. -
I got a question about the devrant api.
I’m trying to query the 1000 most recent rants with the /rants endpoint. Trying to get 50 rants per request.
After about 550 rants queried, the api response starts being essentially empty, but the success flag is set to true.
Am I running into some underlying limit preventing me from viewing more rants? -
Working with new guy who is "senior" is such a pain. We had a factory file that is used to populate tables in endpoint tests. The new guy decided to add a static util method called createTestRecord() to a query builder model. Fucking query builder calls in a static method in a query builder class. I send him messages expressing concerns regarding his approach but never got anything back. The guy just ignored me and asked me to review his pr.
I am leaving in 4 months. Release me from my misery. Fuck my life -
Why does it feel like they don't teach anything useful in university every time I interact with an intern. Barebones understanding of how HTTP works, but not quite enough to work on a rest API on their own and an absolute lack of inspecting inputs/outputs. Especially nice today when the intern mixes browser requests and app requests to make it seem like he properly configured the test endpoint correctly and leaving me to guess wtf is going on in the logs
-
I'm starting to look at how to get devices to send data to an endpoint for storage and analysis. I'm looking at AWS IoT stuff like Core and Greengrass but then I'm thinking that a REST API could also do the job. I don't need to connect devices to each other (in first iteration). Don't think I need any edge stuff either. Anybody have any experience with this?
-
TLDR: Wrote a custom class for writing API test cases for a project with zero code test coverage.
We have a project with zero test coverage. Recently, I was tasked with writing api test cases for said project, it might have taken me months to write tests for all endpoints, plus the main issue was that each endpoint needed to be tested for all available user roles and permissions.
I tried the mainstream approach of writing api tests, but ended up running into a lot of issues directly linked to our project's roles/permissions architecture (cherry on top some endpoints are apikey specific). Don't get me wrong in my opinion this is by far one of the best user roles architectures out there, but writing test cases keeping it in mind is a pain in ***.
After trying out different testing methods and frameworks, I decided to write my own class by extending Django test framework (which uses unittest)
- It has generator and validators for request and response.
- Supports testing for user roles and permissions.
- We won't have to make any changes to code after user role or permissions changes
- I just have to copy and paste requests and responses from the Postman API collection. 😂 -
"Oh, sorry I didn't write you back! I checked 3 hours ago, and we only add the data once in our database before sending the notification to your endpoint, so everything is fine! Check if you run the same function twice, it's an easy mistake!"
You. Fucking. Moron. You send the data 2 or 3 times (at random) every fucking time. I have nginx logs showing that, and I've fucking shown them to you TWICE. I don't fucking care if your DB is fine, check how many fucking times you POST the damn data. We're already 2 days behind schedule because you can't be arsed to check your own damn code. Ffs. How can you even be a senior developer?! -
The big enterprise in which I work wants to mandate that we have to write a microservice for each individual HTTP endpoint, since we cannot even have an artifactory for code sharing the code duplication is going off the charts, and having these microservices sharing a single DB we are creating a big and messy distributed monolith.
-
My day is basically request methods going to my endpoint '/api/v33/nfwg/WHATDOYOUWANT'
Response '{ "primaryResp":"sorry no fucks were given"}' -
Random thoughts...
Just implemented policy-based authorization in dotnet core, long story short to lock an endpoint to a certain policy I just add: [Authorize(Policy = "NAME")]
on top of function/controller declaration
Was wondering how it is done in other languages, like Node.js, Java, Kotlin ... etc. -
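The question in the rant above, how a named policy locks an endpoint outside .NET, can be answered for Node.js with a small policy registry and a middleware factory. This is an added example, not code from the post or from any framework; the policy names, the req.user shape and the roles are hypothetical.

```javascript
// Added example, not .NET's implementation. Policy names, the req.user shape
// and the roles are hypothetical; the middleware follows the common
// (req, res, next) convention and needs no framework to run.
const policies = new Map();

// Register a named policy once, at startup. A duplicate name is a bug:
// silently replacing a policy could loosen an endpoint without anyone noticing.
function addPolicy(name, requirement) {
  if (policies.has(name)) throw new Error(`policy ${name} already registered`);
  policies.set(name, requirement);
}

addPolicy("ReportsRead", (user) =>
  user.roles.includes("analyst") || user.roles.includes("admin"));
addPolicy("AdminOnly", (user) => user.roles.includes("admin"));

// Decide in one place so every endpoint fails the same way.
function evaluate(policyName, user) {
  // No identity at all: the caller must authenticate first.
  if (!user) return { status: 401, reason: "authentication required" };

  // A misspelled or unregistered policy name must never mean "allow".
  const requirement = policies.get(policyName);
  if (!requirement) return { status: 403, reason: "unknown policy" };

  // A requirement that throws (e.g. a token without a roles claim) denies.
  let allowed = false;
  try {
    allowed = requirement(user) === true;
  } catch (err) {
    allowed = false;
  }
  return allowed
    ? { status: 200, reason: "ok" }
    : { status: 403, reason: "policy not satisfied" };
}

// The counterpart of putting a policy attribute on a controller action:
// authorize("AdminOnly") returns middleware to mount in front of the handler.
function authorize(policyName) {
  return function (req, res, next) {
    const decision = evaluate(policyName, req.user);
    if (decision.status === 200) return next();
    res.statusCode = decision.status;
    res.end(JSON.stringify({ error: decision.reason }));
  };
}

// Drive the middleware with stub req/res objects and report what happened.
function simulate(policyName, user) {
  const res = { statusCode: 200, body: null, end(b) { this.body = b; } };
  let reachedHandler = false;
  authorize(policyName)({ user }, res, () => { reachedHandler = true; });
  return { status: res.statusCode, reachedHandler };
}
```

-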
Someone from QA just randomly started asking me about API requests and responses today. For our backend which is not actually an API and changes all the time without notice. They just like, casually wanna know the contract of every endpoint on that.
So after having a heart attack thinking my coworker got spear phished I find out QA has decided to start testing our backend without telling us let alone asking us if it's a good idea. -
Don't you just hate it when there seems to be nothing but in some ways lacking solutions to a definite task in your capability arsenal? Or rather, I don't really know how I should feel about it... I've been developing this solution to receive a 3DES encrypted Azure Service Bus message, decrypting it and chewing the output XML down so as to be digestible to the PHP application whose API the message gets delegated to... but there just seems to be no perfect solution: subscribing to the event topic straight from the target app just... doesn't seem to work properly, a Python implementation.... well, let's just leave it at that... a Node.js implementation would require TS and completely rewriting a proprietary library with 100+ complex types - also, there's some hiccups with both the subscription and the decryption...
I started with an F# implementation (after deeming the PHP one flawed), and it seems it's still the best. But goddamn it I had problems with it on the dotnet core side of things (decryption output incorrect), so I had to switch to dotnet framework... Now finally everything crucial is peachy, but I can't seem to be able to implement a working serialized domain model pipeline to validate the decrypted message and convert it to something easier to digest for the target application (so that I could use the existing API endpoint instead of writing a new one / heavily modifying the existing implementation and fear breaking something in the process...). I probably could do it in C#, I don't know, but for the love of Linus I'm not going to do it if I can avoid it, when implementing the same functionality I have now without the Dto and Domain type modules would take 3x LoC than the current F# implementation incl. the currently unused modules!
And then there's the problem of deployment... I have no idea what's the best way to deploy a dotnet framework module to an app completely based on MAMP running on a mostly 10yo AWS cloud solution. If I implemented a PHP or Node.js solution, it'd be a piece of cake, but... Phew, I don't know. This is both frustrating, overwhelming and exciting at the same time. -
I spent three days debugging an API endpoint because in this framework, a "function not in scope" error fails silently. The only way to find out that this issue was happening was to drop the entire endpoint handler into a try/catch block.
Guys.
JavaScript is the shittiest fucking language. -
So me and a couple of my teammates were developing a website for artists where all the things related to artists such as artworks, events, geolocation info etc. happen to live.
2 months down the line, the client comes up with another team who is supposed to develop iOS and Android apps to give the users the ability to leverage this data.
Now this team is so annoying that they want the API according to the specifications they provide. That's really weird. API should be generic, right?
But no, this doesn't end here, the PM of mobile app team comes up with a specification document for the API and what does it contain, a few endpoints which go as below:-
/home - To bring all the home screen data
/events - To bring all the event screen data. But here is a twist, on Event screen, they have defined different sections for Upcoming Events, Workshops, Talks etc. And for each event type they don't want a filtered API but just this single endpoint which will contain all event types data in their own JSON keys.
FML
:/ -
Doing some SendGrid integration with suppressions via their API. I changed around a bit of my own code today because what I had before wasn't working well. Something I didn't touch suddenly stopped working. The response body from their one API endpoint no longer matches what their docs say and I swear it did yesterday. So I've been swearing thinking I broke something for the last four hours.4
-
So as it turns out, the redemption of client money has failed.
About £4k just sitting there.
I was doing testing earlier, and accidentally left the endpoint at sandbox, all of the payments failed, so we have to mock the payment in now, once we get internet back. -
Implemented a feature against a "restful" json api. The feature works, test-driven development ftw.
Yet on the run with the live api: certain important fields all only contain the value `0`.
Confused I asked around what's going on, expected a bug in the api. Now I've been told that those fields never worked and the relevant information has to be gathered by either querying against a (deprecated!) mysql database. Or use a different endpoint increasing the http request overhead by factor over 1000.
We call it team work. -
It's 2019 and companies still create APIs without any hypermedia controls / HATEOAS. They require you to read some id from the response's body and use it at the other endpoint. Like wtf. Do people even know how web APIs work?!
-
A follow-up to a previous rant: https://devrant.com/rants/2296700/...
... and how the senior dev recently took it up a notch.
To recap: Back then the senior dev in our two-man project prepared tasks for me so thoroughly they became typing monkey jobs. He described what to do and how to do it in minute detail in the JIRA tasks.
I talked to him back then how this is too detailed. I also talked to our boss, who agreed to nudge mr. senior in the right direction and to make it clear he expects teamwork.
Fast forward to a couple of days ago. An existing feature will get extended greatly, needing some rework in our backend project. Senior and me had a phone call about what to do and some unclear details in the feature spec. I was already frustrated with the call because he kept saying "No, don't ask that! That actually makes sense, let's just do it as the spec says" and "Don't refactor! We didn't request a budget for that from our customer". Like wtf, really? You don't consider refactoring part of our job? You don't think actually understanding the task improves the implementation? Dude...
We agreed this is a task for one person and I'd do it. It took me the rest of the day to wrap my head around the task and the corresponding existing code. It had some warts, like weird inheritance hierarchies and control flow jumping up and down said hierarchy, but nothing too bad. I made a mental note to still refactor this, just as much as necessary to make my task easier. However... the following day, I got an email from mr. senior. "I refactored the code after all, in preparation for your task". My eyebrows raised.
Firstly, he had made the inheritance hierarchy *worse*. Classic mistake: Misusing inheritance for code reuse. More control flow jumping up and down like rabid bunnies. Pressed on that matter, he replied "it's actually not that bad". Yeah, good work! Your refactoring didn't make things worse! That's an achievement worthy of being engraved on your tombstone. And didn't he say "no refactoring"? Apparently rules are unfortunate things that happen to other people.
But secondly, he prepared classes and methods for me to implement. No kidding. Half-implemented methods with "// TODO: Feature x code goes here" and shit. Like, am I a toddler to you? Do you really think "if you don't let me do things myself I feel terribly frustrated and undervalued" is best answered with giving me LESS things to do myself? And what happened to our boss' instruction to split the task so each of us can work on his parts?
So, this was a couple of days ago. Since then, I've been sitting in my chair doing next to nothing. My brain has just... shut down. I'm reading the spec, thinking "that would require a new REST endpoint", and then nothing happens. I'm looking at the integration test stubs ("// TODO: REST call goes here") and my mind just stays blank, like a fresh unpainted canvas. I've lost all my drive.
I don't even know what to do. Should I assign the task back to him and tell him to go fuck himself? Should I write my boss I'm suddenly retarded? Could I call in sick for a year or so? I dunno... I can barely think straight. What should I do and how? -
Remember dear web developers, don't be a lazy arse and just reuse existing web endpoints. You can only do that to a certain extent. Don't expose a form URL encoded endpoint with dozens of fields and potentially kill the productivity of your mobile dev.
-
For someone not deep-into-security, can someone tell me why "encrypted"/"non-compromised" communication is hard?
Wouldn't a private server that holds conversation in-memory (imagine Dictionary holding U2U GUID-GUID list of 'msg' objs) suffice?
Incoming IP info is disregarded and nothing gets written on-disk ever
Need to erase everything? just reboot the server, it's all in memory anyway
To avoid man-in-the-middle, pre-handshake check cert integrity by exposing the certificate-fingerprint by another endpoint, if the fingerprints match, proceed to switch to websocket
Wouldn't this be wayyyy more secure for actual anti-establishment talks than all the fancy probably-backdoored software that exists today? .-.
Hell it's easy enough that someone could make it go live in a few days, keep it up accessible if you know the IP and port to communicate and close-and-delete when done -
That's top notch design.
All actions happening on the page go to one endpoint. Removing old trusted computers, changing the password, changing 2FA, you name it.
Now if you want to remove all old trusted devices, you cannot remove all at once, there is no button for it. So you click one after the other. And then it stops working. Ok, then do the normal password rotation. Hmm, button has a loading spinner and then nothing happens.
Looking into the browser console:
- All requests go to /myaccount/security/graphql
- All requests get a 429 Too many requests
- Even if you just click a panel, it tracks the action to the graphql endpoint. Or at least tries to because even that gets shot down with a 429
Pretty dumb, eh? Must be some small shitty website. It's not. It's fucking paypal. -
Hello!
I've written a PHP framework. It's
MVC + EF (endpoint, fragment)
Good for both API and website
It's really lightweight and it's quite fast, but I think it's good for small to medium projects.
Do you think I should keep it going?
Or is it just a waste of time? -
This is the second company I've joined where someone has chosen contentful instead of just using one of the many other coherent headless cms.
Why does all the data look like shit? Why am I being forced to use their shitty js lib. I want an endpoint through rtkquery damn it like the rest of the app.
Contentful can burn in hell. -
Work! Terrible doubt about our project 😭 I will leave this company if we do not come up with an adult solution 😔
We are working for another company, they asked to add a web app to their project.
We made frontend and backend, we make user auth to their api, then call their api (place order, get orders etc), passing their auth token to their services.
Which means that our endpoints are not really protected (I think) and if we add an endpoint that does not use their api, the only way to secure them is to take the token, validate it by calling for example get /order of the api and if it fails just discard the request....too slow?
My colleagues do not want to put a serious auth, they just want to use the company api and leave the rest open...
And the customer just asked to use some other api functionality, but that api has another auth... How do we put them together? The last api wants the id of the user to do machine to machine auth
It is my 6th month here, no one taught me anything, I think I'll just leave... or am I just experiencing the developer daily work?😔 -
Thanks, management, for letting us use AWS glue but not letting us have a dev endpoint so we need to determine what the fuck is going on by reading logs and divination if there is a deep problem
-
Someone mentioned antivirus and custom code... it reminded me of when Symantec Endpoint Protection received an update and some of our production servers had our custom apps quarantined. We had about four servers that had most of our custom apps removed. When it happened I thought someone was monkeying with the servers (they were our task servers used for task and service jobs). It took me about an hour to realize what happened then another hour to get the SEP admins to disable it until we could get another patch. Fun day.
-
I've noticed that on the web view of devRant, the notification counter updates in real time.
So I opened up the Inspect Element and checked for any polling related code (Socket.io) or something.
What I found was that this endpoint is called on a loop -> https://devrant.com/api/devrant/...
And the response format contains ->
{
  "success": true,
  "rants": [],
  "settings": {
    "notif_state": -1,
    "notif_token": ""
  },
  "set": "64d68f5a7acd4",
  "wrw": 376,
  "dpp": 0,
  "num_notifs": 0,
  "unread": {
    "total": 0
  }
}
I assume `num_notifs` is the notification counter.
So, my question is: is this practice good for implementing real-time notifications? -
A late entry for wk9:
Client's dev wanted an endpoint in the api creating `api/xxxDevUtils/ClearData` that casually cleared the database 🤔
To me the worst part of the request is the hideous URL! -
Today I asked a colleague if he could provide me with some documentation on that endpoint of his. I needed to know what to put in it, and what to expect in return :)
-
Hi everyone
How can I detect when an endpoint is not available in Dart?
So that I can tell the user that he is offline and load the offline mode. -
Why is the bitbucket PR "experience" so god damn slow and sluggish? Every shit and their mom is loaded from a different endpoint but to get the updated list of PR approvers, I have to reload the page.
The fuck why? -
I recoded a REST endpoint that transfers large amounts of data from our db using a streaming response so it doesn't crash the server...
Pretty easy... Mostly just needed someone that knew wtf it was or has a bit of curiosity and asks questions... rather than just keep on doing what everyone else is doing...
Who hasn't seen logs updating in near real time in TeamCity, Jenkins... for the last 5yrs+... No one else ever wondered how it's done?
So yes solving a production issue with old technology and being called a genius... I guess is pretty satisfying? -
Well fuck me, one week of searching for a bug, just to find out that the search endpoint shits itself when it sees an underscore in the query, because fuck you. Local test system is not as retarded, so I never found out, until today
-
So yesterday I was manually checking if an endpoint works as it's supposed to (there was a bug before). And nothing changed, so I deeply checked everything, refactored a bit and sent the request again. Nothing changed! Breakpoints do not work. WTF! After one hour I realised that I was sending requests to the dev server, not localhost :-( Now it works fine.
-
Can anyone recommend a source on how to implement the alexa apl into my endpoint response? The documentation is not that clear to me and I couldn't find a solution in some hours of searching.
-
hmm... since I can't really code at work due to network restrictions and sh*ts, I'm planning to start on a personal project at home which will be like a cashless payment / e-wallet, and planning to use node(express) as endpoint, reactjs at web dashboard/admin and react-native for mobile client. Or I can just stay with laravel as endpoint and build the web ui using vuejs integrated with laravel? What do you guys think, should I stick with node(express) or just use laravel?
-
I don't get keycloak. Anyone who has experience with it, please help.
We have what I would think is a common setup: a kubernetes cluster with a Spring boot api-gateway and keycloak as oauth2-provider.
The api-gateway needs an issuer-uri to keycloak for endpoint discovery, i.e. to configure a bunch of endpoints to keycloak for different purposes.
The two main purposes are: 1. to redirect the user to keycloak (must be an url reachable from outside the cluster, i.e. ingress) 2. to authenticate tokens directly with keycloak from within the cluster.
Keycloak can be configured to set some of these discovery endpoints to different values. Specifically it makes a separation between backfacing (system calls in cluster) and frontfacing (user call from browser) urls. All seems good.
However, when using this setup, each time spring security authenticates a token against keycloak it says the "issuer" is invalid. This is because the issuer is the host on which the token was generated. This host was the one in the url which the user was redirected to i.e. the ingress.
It feels like there is no way around this except running keycloak outside the Kubernetes cluster, but surely there must be a way to run keycloak in the same cluster. What else is the purpose of keycloak having the concept of back- and frontfacing urls? -
response parameter: foobarId
expect foobarId is the foobarId
It's actually the snafuId
fml, guess we have no means of knowing the actual foobarId in this existing endpoint, in the existing implementation and it lied to us -
manually writing a post request, filling it out and having to debug it vs just using the existing point and click interface ur product has and calls the same endpoint under the hood, and is already programmed to automatically fill all that tedious shit correctly etc for you
somebody mercy kill me already -
postman to manually check api endpoint works
try again later, doing what you think was the exact same shit, which you've documented, reread your document get 404
fuck csrf
use debugger
find out it's returning a 404 when the code i added fails, welp -
Is it possible to advertise freelancing for backend work? Businessmen seem only interested in UI not functionality. I don't want get me number 1 on google gigs, but what business even knows what they want let alone if they could use another django dev or rest endpoint tested...
-
Seems like spring boot kotlin doesn't want to cooperate in any way. Tried to set up a backend with it, but it keeps showing an error regarding wrong jvm-target. The project runs nevertheless. I changed the maven settings according to the docs, but no change. Whatever, still runs. However a newly created "hello world" rest endpoint just doesn't work, even following a beginner tutorial. localhost:8080/hello ... error fallback page.
I really wanted to give kotlin a try. Doing the same with java, instantly working.
Fuck spring boot kotlin. Or fuck me for not knowing how to handle it.