I used to work for a company that had a main website and a lightweight app. LW app was distributed to partners and added to other sites using an iframe.

Someone decided a requirement was to retain the shopping cart for anonymous users. Some dev thought the best way to do that was to issue auth cookies to anonymous users.

The auth cookie issued by the LW app was actually for the main site. A few users for LW app decided to just come to main site to make a purchase. Since they already had an auth cookie (issued from LW app), they were never prompted to log in, create an account, or use guest checkout on the main site. They were still able to complete their order and we had their shipping address, but we didn’t have their email address so we couldn’t contact them about their order.

Customer service had no way to email customers if something went out of stock or if there was a product recall. CS would have to call these customers and ask for email addresses. Good luck getting anyone to answer or return a call nowadays. Customers were asking where their confirmation email was. The admin website was polluted with “users” that had the placeholder email for non-logged in users.

This happened because of a combination of an understaffed and overextended engineering department. Of course when something goes bad it’s going to be bad.

Fuck you windows 10. Fuck you private keys. Fuck you tortoise git. Fuck you git bash. Fuck you cygwin. Want 3x hours of my life back. Had an auth problem... Had to reinstall all the above on windows to connect to my private repo. Took me 5 minutes to connect after reinstalling all the tools. Grrrrrrr. And I'll never know why it wouldn't connect apart from fatal protocol error: bad line length character..I tried ever stack overflow answer... I nearly bricked my gitlab CE...and it was windows being a motherslut

Fucking christ this year is a fucking shitfest:

- wpa2 krack
- "DUHK Attack Lets Hackers Recover Encryption Key Used in VPNs & Web Sessions"
- "Hacker Hijacks CoinHive's DNS to Mine Cryptocurrency Using Thousands of Websites"
- "Bad Rabbit: New Ransomware Attack Rapidly Spreading Across Europe"

My fucking router didn't yet get patched, my fucking phone is outdated and I can't change to my patched one because devrant just shits the bed in extended desktop mode. Windows 8.1 loses support in 3 months, rendering my last chance of using it on my surface pro done, making me use windows 10 with its fucking shit ass not optimized tablet interface. I have just fucking constant paranoia what else could be hacked tomorrow, nothing is fucking safe anymore for fucks sake. I even went as far as implement 3 step auth and intrusion detection on my shitty ass VPS nodes, fucking give me a break you fucking assholes.

How do you get over the bad times? I keep having to work with shitty legacy systems that were written in perl and flash in the 90s, but my boss keeps telling me "No" on redoing some of the bigger stuff even though it is really needed. I mean, that is your goal here, right? Rebuilding this POS? FFS you still stored passwords in plain text twoo weeks ago! But no, you's rather dig around in Perl than upset some random user because his fucking interface looks different.

But then I also have to work with another system that I could redo in Cake/Laravel in two weeks (it's literally getting and writing data to one table, so two views and user auth), and the previous dev just... made a huge mess. I mean, why would you need to post data asynchronously when it's this one stupid form ? Just do a regular form submit? And the system is really not suitable for extending, because everything is in the database, EVERYTHING! Like, html form inputs? So to add a simple input to the template I have to create a new input type in the types table and then add that to the form structure table? Only to have the input checked by fucking regex? REGEX! Why? Seriously, this is not some high end CMS that needs this level of code reusability No. This is a simple fucking form.

And I can't get it to work. No documentation of course. No comments, either. All of this makes me feel like I'm just the shittiest dev ever. I feel dumb, and useless. Haven't turned on my private PC in weeks because I see no reason to work on any of my own stuff.

I used to have a job, working with Magento and Wordpress. And yeah, it was horrible, it was chaos, but it was fun and I was great at it. I bent that motherfucking system to fit my needs. People respected my opinion, they were convinced I could program this and that, and I proved them right. Did I make mistakes? Hell yeah. Did I give up? Fuck no!

But now, I just feel like I can't even write a simple fucking form any more. I'm just so close to giving up on development as a whole, even though I love it so much.

why is every auth provider utter and complete shit?

why are docs and tutorials that try to teach auth so complete shit?

No wonder there are so many security holes everywhere, nobody bothers to make it simple for the next person.

Next time people that cry about security/bad auth, and work in that field, this one is for you:

I am new to c and cpp.
I used to exploit my college's competitive programming platform cus it had a bad architecture and almost no auth checks.
For every ajax request, they weren't sending auth tokens or any form of identification and ran all the programs without any logs and on the main thread and as root.. wtf, right?
But recently they've changed something to the site and I cannot run bash commands using system() call.
Is there any other way to execute bash commands using c and cpp.
I already configured a miner in their server but then they re-deployed it cos someone forked bomb the shit out of it.
I'm a noob in c and cpp btw!

Today, I started a new project with Rails. I used always an own auth implementation, now I thought I'll give devise a try. Hell... the documentation is bad, really really bad. I really don't know why people are using this and don't write this by themselves. Anyway, I kicked devise and write it again by myself.

So I'm going to work on a project with a webapp and mobile applications. I look at this monstrosity that sends username and pass as plain json and there is almost no sparation of concerns, along with very little documentation. Please save me

Everything hurts. Starting from DevRant preventing me from making separate posts except I wait two hours. I'm infuriated at such a stupid rule like wtf is it supposed to achieve ffs? I'll just merge both rants into this

Next are the discriminatory fucks on reddit. I hate this platform for a number of reasons but the one currently on my nerves right now is the warped stigma against contributions from users with site rep below a certain threshold. How do myopic freaks like this make it to a position of authority?? Being knowledgeable in a given field is not exclusive to reddit users who were able to amass a ton of upvotes. It automatically excludes everyone with potential to stir valuable discourse. Just cuz they're not well liked on the platform

Basically, you earn points on cheap subs, come leverage them on the "prestigious" leagues, where those animals could lynch you. This isn't even hypothetical. Several times, all the visitors on a thread would launch a vendetta on a user (usually the OP), mass downvoting all their content on that thread. They're like wild beasts feasting on carcass

The next group absolutely pissing me off are organisations that use 2fa. How did this crazy design get so popular?? It makes absolutely no sense cuz in the event of losing my device or if the dev to whose device it was tied to leaves, you're fucked. You'll lose all your accounts. You're always calling some colleague holding the phone for codes. You need to snap barcodes on one phone and scan on auth app. Everything about it is so frustrating and painful

I was forced by github to use sms for 2fa. I'm already reluctant about working on this project but I drag myself to the system and try to sign in. Turns out the security conscious dickheads let me view my secret gists without being signed in, but they won't send the 2fa code. I faintly recall a mail that it was getting deprecated. So after what felt like eternity in perdition, I manage to setup the app type 2fa but what if I lose the phone or it's formatted?? I'm locked out! So so stupid. One of my banks sends OTPs to my line. The other doesn't. But a useless organization hosting my OSS that nobody wants to use is bent on ruining my life with their insane security measures. So So daft. What's with the excessive paranoia?? Same goes for facebook. Just send an alert to my mail if ip or location is suspicious and I'll click a confirmation mail. What if my screen is bad and I'm trying to login on another device?? How don't they think of all this before tying authentication to a physical device for christ's sakes?????

And then there's the horrible customers I've been getting on my fledgling business, along with a supplier as well. One requests for location, implying seriousness. Then ghosts. Another one wants to buy a commodity for less than half its price. How do you bargain from 330k to 150k? I rallied around for an alternative at 170k just to make sales. At the end of the day, he only wants the one for 330k. I wish I could take my skin off and black out. I'm so tired and cranky. I woke up so early today to be productive but everything I've met ever since has been nothing but pain and sorrow

Firebase is a fucking piece of dog shit.

Testing is so bad and complicated to set up, I've spent two days trying to write ONE fucking simple test with an auth middleware via expressjs. Why firebase doesn't mock my dung, you pieces of shit. Even the documentation is all spread out, it's difficult and terrible to follow. I would rather build my own backend because of all the workarounds I have to make because of your limited SHIT product. Even the type libraries are shit, import Timestamp? NOPE. YOU HAVE TO IMPORT FIREBASE TO IMPORT A TIMESTAMP. Learn to define types, shitty google devs. You all suck, thanks for making shitty clients sdk's.

I hope this piece of shit gets deprecated and my clients stops using it.

Mongodb CEO and the developer who build this shit for brains interface should be tarred and feathered. Almost 90minutes in and I cannot connect to anything other than error codes. What in the actual fuck is your job other than to make it difficult for a "free tier" user to connect?
"connect ECONNREFUSED 127.0.0.1:27017"

Oh ok another 20 minutes of work and you give me a bland beige error code like "```TLS/SSL is disabled. If possible, enable TLS/SSL to avoid security vulnerabilities.```"... um ok how do I enable it for your site, your database or on my computer... oh wait you don't say shit do you?

So now I'm fully 81 minutes into this shit show and all I get for error codes are these really descriptive gems 'getaddrinfo ENOTFOUND cluster0.hudbd.mongodb 'dot' net` comes up if I choose `mongo` with "connection string scheme" above it or `bad auth : Authentication failed'