So I got the job. Here's a story, never let anyone stop you from accomplishing your dreams!

It all started in 2010. Windows just crashed unrecoverably for the 3rd time in two years. Back then I wasn't good with computers yet so we got our tech guy to look at it and he said: "either pay for a windows license again (we nearly spend 1K on licenses already) or try another operating system which is free: Ubuntu. If you don't like it anyways, we can always switch back to Windows!"

Oh well, fair enough, not much to lose, right! So we went with Ubuntu. Within about 2 hours I could find everything. From the software installer to OpenOffice, browsers, email things and so on. Also I already got the basics of the Linux terminal (bash in this case) like ls, cd, mkdir and a few more.

My parents found it very easy to work with as well so we decided to stick with it.

I already started to experiment with some html/css code because the thought of being able to write my own websites was awesome! Within about a week or so I figured out a simple html site.

Then I started to experiment more and more.

After about a year of trial and error (repeat about 1000+ times) I finally got my first Apache server setup on a VirtualBox running Ubuntu server. Damn, it felt awesome to see my own shit working!

From that moment on I continued to try everything I could with Linux because I found the principle that I basically could do everything I wanted (possible with software solutions) without any limitations (like with Windows/Mac) very fucking awesome. I owned the fucking system.

Then, after some years, I got my first shared hosting plan! It was awesome to see my own (with subdomain) website online, functioning very well!

I started to learn stuff like FTP, SSH and so on.

Went on with trial and error for a while and then the thought occured to me: what if I'd have a little server ONLINE which I could use myself to experiment around?

First rented VPS was there! Couldn't get enough of it and kept experimenting with server thingies, linux in general aaand so on.

Started learning about rsa key based login, firewalls (iptables), brute force prevention (fail2ban), vhosts (apache2 still), SSL (damn this was an interesting one, how the fuck do you do this yourself?!), PHP and many other things.

Then, after a while, the thought came to mind: what if I'd have a dedicated server!?!?!?!

I ordered my first fucking dedicated server. Damn, this was awesome! Already knew some stuff about defending myself from brute force bots and so on so it went pretty well.

Finally made the jump to NginX and CentOS!

Made multiple VPS's for shitloads of purposes and just to learn. Started working with reverse proxies (nginx), proxy servers, SSL for everything (because fuck basic http WITHOUT SSL), vhosts and so on.

Started with simple, one screen linux setup with ubuntu 10.04.

Running a five monitor setup now with many distro's, running about 20 servers with proxies/nginx/apache2/multiple db engines, as much security as I can integrate and this fucking passion just got me my first Linux job!

It's not just an operating system for me, it's a way of life. And with that I don't just mean the operating system, but also the idea behind it :).

--- HTTP/3 is coming! And it won't use TCP! ---

A recent announcement reveals that HTTP - the protocol used by browsers to communicate with web servers - will get a major change in version 3!

Before, the HTTP protocols (version 1.0, 1.1 and 2.2) were all layered on top of TCP (Transmission Control Protocol).
TCP provides reliable, ordered, and error-checked delivery of data over an IP network.
It can handle hardware failures, timeouts, etc. and makes sure the data is received in the order it was transmitted in.
Also you can easily detect if any corruption during transmission has occurred.
All these features are necessary for a protocol such as HTTP, but TCP wasn't originally designed for HTTP!
It's a "one-size-fits-all" solution, suitable for *any* application that needs this kind of reliability.
TCP does a lot of round trips between the client and the server to make sure everybody receives their data. Especially if you're using SSL. This results in a high network latency.
So if we had a protocol which is basically designed for HTTP, it could help a lot at fixing all these problems.
This is the idea behind "QUIC", an experimental network protocol, originally created by Google, using UDP.

Now we all know how unreliable UDP is: You don't know if the data you sent was received nor does the receiver know if there is anything missing. Also, data is unordered, so if anything takes longer to send, it will most likely mix up with the other pieces of data. The only good part of UDP is its simplicity.
So why use this crappy thing for such an important protocol as HTTP?
Well, QUIC fixes all these problems UDP has, and provides the reliability of TCP but without introducing lots of round trips and a high latency! (How cool is that?)

The Internet Engineering Task Force (IETF) has been working (or is still working) on a standardized version of QUIC, although it's very different from Google's original proposal.
The IETF also wants to create a version of HTTP that uses QUIC, previously referred to as HTTP-over-QUIC. HTTP-over-QUIC isn't, however, HTTP/2 over QUIC.
It's a new, updated version of HTTP built for QUIC.

Now, the chairman of both the HTTP working group and the QUIC working group for IETF, Mark Nottingham, wanted to rename HTTP-over-QUIC to HTTP/3, and it seems like his proposal got accepted!
So version 3 of HTTP will have QUIC as an essential, integral feature, and we can expect that it no longer uses TCP as its network protocol.

We will see how it turns out in the end, but I'm sure we will have to wait a couple more years for HTTP/3, when it has been thoroughly tested and integrated.

Thank you for reading!

!rant

This was over a year ago now, but my first PR at my current job was +6,249/-1,545,334 loc. Here is how that happened... When I joined the company and saw the code I was supposed to work on I kind of freaked out. The project was set up in the most ass-backward way with some sort of bootstrap boilerplate sample app thing with its own build process inside a subfolder of the main angular project. The angular app used all the CSS, fonts, icons, etc. from the boilerplate app and referenced the assets directly. If you needed to make changes to the CSS, fonts, icons, etc you would need to cd into the boilerplate app directory, make the changes, run a Gulp build that compiled things there, then cd back to the main directory and run Grunt build (thats right, both grunt and gulp) that then built the angular app and referenced the compiled assets inside the boilerplate directory. One simple CSS change would take 2 minutes to test at minimum.

I told them I needed at least a week to overhaul the app before I felt like I could do any real work. Here were the horrors I found along the way.

- All compiled (unminified) assets (both CSS and JS) were committed to git, including vendor code such as jQuery and Bootstrap.
- All bower components were committed to git (ALL their source code, documentation, etc, not just the one dist/minified JS file we referenced).
- The Grunt build was set up by someone who had no idea what they were doing. Every SINGLE file or dependency that needed to be copied to the build folder was listed one by one in a HUGE config.json file instead of using pattern matching like `assets/images/*`.
- All the example code from the boilerplate and multiple jQuery spaghetti sample apps from the boilerplate were committed to git, as well as ALL the documentation too. There was literally a `git clone` of the boilerplate repo inside a folder in the app.
- There were two separate copies of Bootstrap 3 being compiled from source. One inside the boilerplate folder and one at the angular app level. They were both included on the page, so literally every single CSS rule was overridden by the second copy of bootstrap. Oh, and because bootstrap source was included and commited and built from source, the actual bootstrap source files had been edited by developers to change styles (instead of overriding them) so there was no replacing it with an OOTB minified version.
- It is an angular app but there were multiple jQuery libraries included and relied upon and used for actual in-app functionality behavior. And, beyond that, even though angular includes many native ways to do XHR requests (using $resource or $http), there were numerous places in the app where there were `XMLHttpRequest`s intermixed with angular code.
- There was no live reloading for local development, meaning if I wanted to make one CSS change I had to stop my server, run a build, start again (about 2 minutes total). They seemed to think this was fine.
- All this monstrosity was handled by a single massive Gruntfile that was over 2000loc. When all my hacking and slashing was done, I reduced this to ~140loc.
- There were developer's (I use that term loosely) *PERSONAL AWS ACCESS KEYS* hardcoded into the source code (remember, this is a web end app, so this was in every user's browser) in order to do file uploads. Of course when I checked in AWS, those keys had full admin access to absolutely everything in AWS.
- The entire unminified AWS Javascript SDK was included on the page and not used or referenced (~1.5mb)
- There was no error handling or reporting. An API error would just result in nothing happening on the front end, so the user would usually just click and click again, re-triggering the same error. There was also no error reporting software installed (NewRelic, Rollbar, etc) so we had no idea when our users encountered errors on the front end. The previous developers would literally guide users who were experiencing issues through opening their console in dev tools and have them screenshot the error and send it to them.
- I could go on and on...

This is why you hire a real front-end engineer to build your web app instead of the cheapest contractors you can find from Ukraine.

So I was hired about 4 months or so in this companty, we will name it 'Derp & Co.'

The first task they want me to do was to 'clean' an android app that, for what they told me:

- Previous dev fired. said that tasks have been done but totally a lie.
- Took a fully week of 2 fellows coworkers to 'undo' the mess.
- And for the last but not least, zero documentation, like ZERO.

So, I clone the repo, install android studio, blah blah blah, get hands to the pile of code and jesus...

- The whole app was working with a gargantuan json, there was no use of POJOs at all. Objects are for normies.
- A masive copy/paste code, like 'I will need this here, crtl-c... ctrl-v, DONE!'
- Threads are free, isn't it? let's just put a thread whenever I desire to make an HTTP request and not reuse code at all.

So... with this on mind, my first task is to make proper objects:
- Coworker: 'Sorry dev, we don't have documentation for this, you must debug the code to se what the server will send to you'.
- Me: 'Real?'

Shit... ok. So I first try to figure out how the hell is made my gargantuan json. A month was entirely lost to unravel this data and implement Objects, improve their code, reuse code, etc. but at the very end:

- coworker: 'Good job dev, when the POJOs are done, we can focus on the next task, whe have to define a new DATA MODEL because the one we are using now is not good at all'.

*note: the app is on production and working with all the previous 'features' and today it still on use on some enviroments.

- Me: 'Wait... this is a joke, now you want to define new data models? This should have been done in first place!' <WTF face>
- Coworker: 'I don't think so dev, Mr. boss have this list with things to improve on the app an this is the order of do the tasks'.

Mr. boss is on vacations, two days after he came back:

- Mr boss: 'Coworker said that you have been working with POJOs, is that right?'
- Me: 'Yes'
- Mr boss: 'Why? Did not see the need of a new data model?'
- Me: 'I told that to him, but he insist on "the order" of the list.
- Mr. boss <facepalm>

This is one of the few tales i have from 'Derp & Co.'

PS: Sorry if i made a mistake on writing, english is not my first language and maybe I have done some mistakes.

HTTP return codes cheat sheet :
1** : Hold on
2** : Here you go
3** : Go away
4** : You fucked up
5** : I fucked up

Background: I'm not drunk yet, BUT I'M WORKING ON IT.

okay.

I just finished a second sprint on my React app. The first was to build a merchant onboarding flow. The second was to do substantial cleanup as I learned more about react/redux, and to create a "supply order" flow -- basically purchasing marketing materials and services. I finished that in a week, and I'm pretty proud. api-guy wanted it done in a day. i laughed. he probably could have, but it would have been a copy of the code in a new repo with some lines changed.

ANYWAY. it's all done and It's super pretty and works amazingly well. It has both the onboarding flow and the ordering flow, with a nice pop-out sidebar for navigation, namespaced actions, etc. Everything is pretty clean. I even added a cart to the ordering (despite everyone telling me not to) because wtf, what if someone wants to order TWO items? dumbasses. So I made that. it's sexy.

Anyway, it's all done and shiny and fancy and wonderful and I'd *love* to share screenshots if only it didn't give away where I worked. :<

... but the point of the rant!

After the first sprint, I made a copy of the repo so I could rework it and add more functionality without touching the original. (Hey! That's what a branch is for, right? Why didn't I branch it up?
well, read on)

I knew we were going to have multiple separate flows for this app: onboard, ordering, merchant tools, admin tools, support, etc. So, I wrote its server portion (the webpack builder + http server) so it would serve the same app at whatever url the user hit, and set a cookie containing that host+url. This allows the app to serve different content (basically showing/hiding content) based on the URL and future login roles. If someone hits /order, it would hide everything but the order flow. If they're a merchant, it would show all the merchant views plus ordering, etc.

tl;dr This way I can use the same codebase for multiple sites, drastically simplifying development, branding, and what have you. This new app could obv also be a drop-in replacement for the original onboarding project because of the above.

HOWEVER. this apparently isn't good enough for api-guy. He's terrified that adding/updating future components will affect all the existing content somehow.

so.

now we have three repos for basically the same codebase. 1) onboard aka "surfboard", 2) ordering, 3) merchant tools, aka "ferrari" (the "future" app).

Except.
1) "surfboard" is a very old version of the code. 3) "ferrari" is also old, since 2) "ordering" has newer content in it now.

... and somehow this is better?
fuck if i can figure out how.

His reasoning is "well, you won't be touching surfboard or ordering for 6 months, so now you don't have to worry about it." Sure, except, you know, it'll be a pain in the ass in 6 months now when I have a crapton of code and branding to redo. ffs.

Oh. We also have three Heroku pipelines for these three repos. for the same codebase.

and now you know why i'm drinking.

Yesterday the web site started logging an exception “A task was canceled” when making a http call using the .Net HTTPClient class (site calling a REST service).

Emails back n’ forth ..blaming the database…blaming the network..then a senior web developer blamed the logging (the system I’m responsible for).

Under the hood, the logger is sending the exception data to another REST service (which sends emails, generates reports etc.) which I had to quickly re-direct the discussion because if we’re seeing the exception email, the logging didn’t cause the exception, it’s just reporting it. Felt a little sad having to explain it to other IT professionals, but everyone seemed to agree and focused on the server resources.

Last night I get a call about the exceptions occurring again in much larger numbers (from 100 to over 5,000 within a few minutes). I log in, add myself to the large skype group chat going on just to catch the same senior web developer say …
“Here is the APM data that shows logging is causing the http tasks to get canceled.”

FRACK!

Me: “No, that data just shows the logging http traffic of the exception. The exception is occurring before any logging is executed. The task is either being canceled due to a network time out or IIS is running out of threads. The web site is failing to execute the http call to the REST service.”

Several other devs, DBAs, and network admins agree.

The errors only lasted a couple of minutes (exactly 2 minutes, which seemed odd), so everyone agrees to dig into the data further in the morning.

This morning I login to my computer to discover the error(s) occurred again at 6:20AM and an email from the senior web developer saying we (my mgr, her mgr, network admins, DBAs, etc) need to discuss changes to the logging system to prevent this problem from negatively affecting the customer experience...blah blah blah.

FRACKing female dog!

Good news is we never had the meeting. When the senior web dev manager came in, he cancelled the meeting.

Turned out to be a hiccup in a domain controller causing the servers to lose their connection to each other for 2 minutes (1-minute timeout, 1 minute to fully re-sync). The exact two-minute burst of errors explained (and proven via wireshark).

People and their petty office politics piss me off.

FKING. LANDLORD. FKING LANDLORD THINKS MY LAN CABLE SLOWS THE FKING INTERNET BACK TO THE 1990s.

- Prologue
I'm renting at a place that looks good af. But the fking wifi is so slow, 80% of the time you can't even send an empty http request.

- Chapter 1
Okay, maybe it's my laptop. *plugs in cable*. Now the requests fail 10% of the time. Better than nothing. 2 hours later, gets a text saying other housemates are having slow internet because of me. FUCK. Unplugs, LAN cable, uses mobile data and cries to sleep.

- Chapter 2
Tries again after a few days. Barely uses the internet (I'm only using it to play games, not even download it and I used more than this with a 2mbps internet). No videos, no music, just small data exchange with a low ping. GETS A FKING TEXT AGAIN

- CHAPTER 3
My sis comes over and complains that the net is slow af. Plugs in LAN cable while no one is around, everything is fine. Sis leaves, I roll up my end of the LAN cable in my room but leave the cable plugged in on the outside of the room. Next morning, it's unplugged. Plugged it back in before I go to work and when I come back, guess what? ITS FKING UNPLUGGED. AGAIN. AND IM NOT EVEN USING IT.

SOMEONE PLEASE STOP ME FROM GOING ON A RAMPAGE SHOVING THE FKING CABLE AND THE ROUTER UP PEOPLE'S ASSES. LAN FUCKING CABLES DONT SLOW THE INTERNET BACK TO THE PREVIOUS CENTURY. ESPECIALLY WHEN THEY'RE NOT EVEN PLUGGED IN ON THE OTHER SIDE. FUCK.

6:38pm, Tasklist for today:

- Debug website #1 - DONE
- Debug website #2 - DONE
- Launch a new website on a new domain - DONE
- Install SSL - DONE
- Test e-commerce section - DONE
- activate HTTP/2 for that domian (first time, once it worked it felt rewarding) - DONE
- set up 30 emails on said domain, send out emails on how to reset their passwords - DONE
- play Half life for 40 minutes - DONE
- Download GOT S06E09 - DONE
- cater all emails from clients... - DONE

proudest and most productive day of my life, really

The solution for this one isn't nearly as amusing as the journey.

I was working for one of the largest retailers in NA as an architect. Said retailer had over a thousand big box stores, IT maintenance budget of $200M/year. The kind of place that just reeks of waste and mismanagement at every level.

They had installed a system to distribute training and instructional videos to every store, as well as recorded daily broadcasts to all store employees as a way of reducing management time spend with employees in the morning. This system had cost a cool 400M USD, not including labor and upgrades for round 1. Round 2 was another 100M to add a storage buffer to each store because they'd failed to account for the fact that their internet connections at the store and the outbound pipe from the DC wasn't capable of running the public facing e-commerce and streaming all the video data to every store in realtime. Typical massive enterprise clusterfuck.

Then security gets involved. Each device at stores had a different address on a private megawan. The stores didn't generally phone home, home phoned them as an access control measure; stores calling the DC was verboten. This presented an obvious problem for the video system because it needed to pull updates.

The brilliant Infosys resources had a bright idea to solve this problem:

- Treat each device IP as an access key for that device (avg 15 per store per store).
- Verify the request ip, then issue a redirect with ANOTHER ip unique to that device that the firewall would ingress only to the video subnet
- Do it all with the F5

A few months later, the networking team comes back and announces that after months of work and 10s of people years they can't implement the solution because iRules have a size limit and they would need more than 60,000 lines or 15,000 rules to implement it. Sad trombones all around.

Then, a wild DBA appears, steps up to the plate and says he can solve the problem with the power of ORACLE! Few months later he comes back with some absolutely batshit solution that stored the individual octets of an IPV4, multiple nested queries to the same table to emulate subnet masking through some temp table spanning voodoo. Time to complete: 2-4 minutes per request. He too eventually gives up the fight, sort of, in that backhanded way DBAs tend to do everything. I wish I would have paid more attention to that abortion because the rationale and its mechanics were just staggeringly rube goldberg and should have been documented for posterity.

So I catch wind of this sitting in a CAB meeting. I hear them talking about how there's "no way to solve this problem, it's too complex, we're going to need a lot more databases to handle this." I tune in and gather all it really needs to do, since the ingress firewall is handling the origin IP checks, is convert the request IP to video ingress IP, 302 and call it a day.

While they're all grandstanding and pontificating, I fire up visual studio and:

- write a method that encodes the incoming request IP into a single uint32
- write an http module that keeps an in-memory dictionary of uint32,string for the request, response, converts the request ip and 302s the call with blackhole support
- convert all the mappings in the spreadsheet attached to the meetings into a csv, dump to disk
- write a wpf application to allow for easily managing the IP database in the short term
- deploy the solution one of our stage boxes
- add a TODO to eventually move this to a database

All this took about 5 minutes. I interrupt their conversation to ask them to retarget their test to the port I exposed on the stage box. Then watch them stare in stunned silence as the crow grows cold.

According to a friend who still works there, that code is still running in production on a single node to this day. And still running on the same static file database.

#TheValueOfEngineers

I'm thinking about doing a live coding stream on twitch this saturday, late afternoon or evening (CET).
I've never done a live stream before.

Do you have any suggestions or interests?
I'm thinking about something like a small RESTful API with Angular4/TypeScript (frontend, single page application) and CraftCMS/PHP (backend) with somebasic theory about HTTP requests / response, redirecting, data transfer and interfaces et cetera...

The duration will be around 2-4 hours, maybe longer if I have enough Mate & Beer.

But it's all just an idea at the moment. 😉

I will create an empty project for the stream on my Github and push to it during streaming, so you can pull it live or later.

Just debugged an angularjs app for 2 hours to find out that I spelled "response" "reponse" as an http get request success callback function argument. I hate my life.

Look ma, HTTP/2!

And it's retarded!

Gaming community of mine launched their slick new website with their new "ticket system" where people could put in tickets to get help by volunteers.

2 hours and an approval by one of the admins later I managed to inject forge http request into literally every form on that side. Modify permissions, delete users, edit tickets, put invalid values into every attribute of them... In other words break everything.
Turns out the whole thing was coded as a first time project by a person who has no clue about web development and noone is in charge of anything really. There are no requirements, no beta testing, no version control or backups, but at least they had a hard deadline. 🤣

Still not sure if I wanna fix their shit and do it properly or just enjoy seeing it crash and burn.

Why is it that pretty much zero package & framework maintainers understand semantic versioning?

1. If you do a complete rewrite of your package, but the resulting API is identical, you don't need to bump to the next major version. As a user, I'm thankful for your increased performance or cleaner internal code, but it doesn't really affect my update process.

2. If your package required some-framework 6.0.0, and now ALSO supports some-framework 7.0.0 but is still compatible with 6.0.0, you don't need to bump to the next major version. As a user, I can now upgrade the framework, and know that the package will keep working, but otherwise it doesn't really affect me.

3. Following your versioning along with the framework/language version is super annoying, especially if your library really doesn't need to differentiate between framework versions because it's not actually utilizing new framework functionality.

4. On the other hand, if you stop supporting a certain language, framework or shared library version, or change the public methods, exceptions, fields, etc, you MUST bump to a new major version.

Yet everyone gets this wrong.

For example, many of Laravel's underlying subpackages (for collections, filesystem, database, config, http, mail, etc) do not change their code in a breaking way, or do not even change at all between major framework versions.

Yet they follow along with the major framework version.

Now if someone makes a library "laravel-elasticsearch" which uses the support libraries and collections from laravel, they need to update their package to move along with the versions as well, and often they choose to number their library along with the framework in turn.

This means that to update the framework, you also need to update over 9000 dependencies.

FOR NO FUCKING REASON. THE ONLY CHANGE IN THOSE FUCKING DEPENDENCIES IS TO UPDATE COMPOSER.JSON TO BE COMPATIBLE WITH THE FUCKING FRAMEWORK.

Meanwhile, Laravel itself breaks repeatedly on minor/patch version updates, because breaking changes slip through their review process.

Ugh.

Inmates are trying to take over the asylum again.

Got a message from the web team manager deeply concerned because since switching to the new logging framework, the site is significantly slower.

She provided no proof or any data to what 'significantly slower' means.

#1 The 'new logging' has been in place and logging for 5 years. We only recently depreciated the ILogger interface ('new' ILogger interface only has 1 method instead of 5)
#2 The 'old logging' was modified 5 years ago, so even if you were using the 'old' interface, the underlying implementation is still the same.

She tried to push the 'it wasn't this slow before' argument, so I decided to do some fact based analysis.
Knowing they deployed their logging changes couple of weeks ago, I opened up AppDynamics, looked at the average call time to Splunk (along with a few other http calls they are doing)
- caching services - 5ms
- splunk - 30ms
- Order Service - 350ms
- Product Data Service -525ms

Then I look at the data they are logging, for the month of June, over 5 million messages. At 30ms each, that's almost 42 hours spent logging errors...yes errors. Null reference exceptions, Argument exceptions, easily fixable stuff.

So far for the month of July (using the 'new' logging), almost 2.5 million errors. Pretty close so far with June's numbers.

My only suggestion was to fix the bugs in their code so they don't log so many errors.

Her response.."Can we have one of our developers review your logging code? We believe we can find ways to optimize the http requests"

Oh good Lord. I'm not a drinking man..but ...I might start.

The company I am currently working for is partnering with another startup. Nothing special about that. We should integrate their API into our system. I wasn't involved in the process when it came to checking there API and if it would work with our Systems. The Person who did that already left the company so I was left behind with some internal documentation. In that Documentation is already written that API is basically trash....

After I started integrating the API I found more and more flaws in the design. They are not sending any responses that would help, when a param is missing or the authentication isn't correct, only 500's . I got some documentation from the partner company so i thought it will be fine as long as the Documentation would be accurate. Turns out the documentation isn't even close to be up to date. Wrong content types wrong endpoints, wrong naming. Basically we could not work with that. We shortly contacted the partner Company. After a few WEEKS we got a response that they updated the Documentation what was right but still not everything was correct. At this point I lost my mind. I researched a little bit about them, the company is founded from 2 young people who basically came strait out of the University and doest have any experience or idea how to build an API. I investigated a little bit there websites.

They have an Admin panel on the base domain from their API but it is only accessible via HTTP. Like WTF , They use HTTP for an Admin Panel this must be a joke right?

They use Cloudflare without a HTTP to HTTPS redirection ???

I really had not that much time to research in there website but if I find these things in 5 minutes I don't want to know what I can find in like an hour.

At the end we will still use them as partners because surprise surprise our company already sold the product that uses their API.

I know that I will be the person who has to help fixing this shit when it breaks and it will break 1000% JUST FUCK THIS SHIT. FUCK THE PARTNER COMPANY. FUCK THERE API.

Fucking shit, this university's website is so damn slow! Basically Every Semester, every student need to enroll to certain classes in University Website.

But the Infrastructure is not enough to handle such a big amount of students, we have approx. 7000 students enrolling at the same fucking time.

And here i am can't enroll to any class at all this semester. Fuck such a waste of time. This always been a thing since they digitalize enrolling system.

I don't want this to happen again. The student always be a victim since they cannot handle the request. Now, as a dev, i want to propose something better to optimize the server, i have some connection to pass some bureaucracy. I am going to do some brainstorming and I will need some solution.

Here some data i gather when i am mad from my univ infrastructure division :
1. The Server is a simple Local Server Forwarded to the Internet.
2. The Server use Windows Server 2007.
4. Web Server Using Microsoft IIS
3. The Website built using ASP.NET
4. The connection is not SSL encrypted (yes its fucking use the http)
5. Hardware Spec (not confirmed officialy, i got this information from my professor) :
- Core i5 4460
- 4 GB Ram
- 1 Gbit NIC

I will summon some expert here and i hope want to help me(us all) out.

Apart from having a baby which is the hardest in the world，i think the hardest project is to learn to code.

I studied philosophy and anthropology but gamed a lot. Me and a good mate decided to work together and he told me hed teach me coding.

The guy is a genius but he is a reckless rebel genius who tells everybody to fuck off.

So，after 1 year in a half of intense coding where i had to learn linux， networks， and im not shitting you html and css as well and of course javascript.

He has now put me on， for the last 2 month， in charge of our front end backoffice. I have to design forms that do the right http requests，do the unit testing， play with redux-form， react-redux and he has thrown me into the basic java backend so i can begin working with entites and how i serve the data and link it to the database and even create tables.

Every time i fail hemakes me remake everything.

I actually came on devrant to study the dev community (i always gamed a lot but this is a whole different community). The dev community is pretty awesome and unique.

Anyhow， i remember when i saw him as me to complete an exercise and i didnt event know which words were the reserved language ones and those i could use myself. It was like fucking magic.

So here I am reinventing the wheel making an HTTP server in C.
Finished implementing HTTP/1.1 and WebSockets support and now I find out the current thingy is HTTP/2.
Well that's fine, I'll add support for that later. In fact I kinda dig it since it uses binary conventions instead of plain text ones.
I dig a little bit and find out there already is an HTTP/3 going around which uses UDP.
Why me.

I think that two criterias are important:

- don't block my productivity
- author should have his userbase in mind

1) Some simple anti examples:

- Windows popping up a big fat blue screen screaming for updates. Like... Go suck some donkey balls you stupid shit that's totally irritating you arsehole.
- Graphical tools having no UI concept. E.g. Adobes PDF reader - which was minimalized in it's UI and it became just unbearable pain. When the concept is to castrate the user in it's abilities and call the concept intuitive, it's not a concept it's shit. Other examples are e.g. GEdit - which was severely massacred in Gnome 3 if I remember correctly (never touched Gnome ever again. I was really put off because their concept just alienated me)
- Having an UI concept but no consistency. Eg. looking at a lot of large web apps, especially Atlassian software.
Too many times I had e.g. a simple HTML form. In menu 1 you could use enter. In menu 2 Enter does not work. in another menu Enter works, but it doesn't submit the form it instead submits the whole page... Which can end in clusterfuck.
Yaaayyyy.
- Keyboard usage not possible at all.
It becomes a sad majority.... Pressing tab, not switching between form fields. Looking for keyboard shortcuts, not finding any. Yes, it's a graphical interface. But the charm of 16 bit interfaces (YES. I'm praising DOS interfaces) was that once you memorized the necessary keyboard strokes... You were faster than lightning. Ever seen e.g. a good pharmacist, receptionist or warehouse clerk... most of the software is completely based on short keyboard strokes, eg. for a receptionist at a doctor for the ICD code / pharmaceutical search et cetera.
- don't poop rainbows. I mean it.
I love colors. When they make sense. but when I use some software, e.g. netdata, I think an epilepsy warning would be fair. Too. Many. Neon. Colors. -.-

2) It should be obvious... But it's become a burden.

E.g. when asked for a release as there were some fixes... Don't point to the install from master script. Maybe you like it rolling release style - but don't enforce it please. It's hard to use SHA256 hash as a version number and shortening the hash might be a bad idea.

Don't start experiments. If it works - don't throw everything over board without good reasons. E.g. my previous example of GEdit: Turning a valuable text editor into a minimalistic unusable piece of crap and calling it a genius idea for the sake of simplicity... Nope. You murdered a successful product.
Gnome 3 felt like a complete experiment and judging from the last years of changes in the news it was an rather unsuccessful one... As they gave up quite a few of their ideas.

When doing design stuff or other big changes make it a community event or at least put a poll up on the github page. Even If it's an small user base, listen to them instead of just randomly fucking them over.
--
One of my favorite projects is a texteditor called Kate from KDE.

It has a ton of features, could even be seen as a small IDE. The reason I love it because one of the original authors still cares for his creation and ... It never failed me. I use Kate since over 20 years now I think... Oo

Another example is the git cli. It's simple and yet powerful. git add -i is e.g. a thing I really really really love. (memorize the keyboard shortcuts and you'll chunk up large commits faster than flash.

Curl. Yes. The (http) download tool. It's author still cares. It's another tool I use since 20 years. And it has given me a deep insight of how HTTP worked, new protocols and again. It never failed me. It is such a fucking versatile thing. TLS debugging / performance measurements / what the frigging fuck is going on here. Take curl. Find it out.

My worst enemies....

Git based clients. I just hate them. Mostly because they fill the niche of explaining things (good) but completely nuke the learning of git (very bad). You can do any git action without understanding what you do and even worse... They encourage bad workflows.
I've seen great devs completely fucking up git and crying because they had really no fucking clue what git actually does. The UI lead them on the worst and darkest path imaginable. :(

Atlassian products. On the one hand... They're not total shit. But the mass of bugs and the complete lack of interest of Atlassian towards their customers and the cloud movement.... Ouch. Just ouch.

I had to deal with a lot of completely borked up instances and could trace it back to a bug tracking entry / atlassian, 2 - 3 years old with the comment: vote for this, we'll work on a Bugfix. Go fuck yourself you pisswads.

Microsoft Office / Windows. Oh boy.
I could fill entire days of monologues.
It's bad, hmkay?

XEN.
This is not bad.
This is more like kill it before it lays eggs.
The deeper I got into XEN, the more I wanted to lay in a bathtub full of acid to scrub of the feelings of shame... How could anyone call this good?!?????

So here's is the thing.
For some weird reason I decided to work at a VC funded startup. For 15k year,(I live in a really poor country).

So, let me describe the hell I'm in now, and if for some good grace you happen to be hiring, please consider saving me from the horror that's ahead.

Company got funded 5 months ago, main owners are, an economist and a civil engineer with no programming habilities whatsoever.

They took 1 month to assemble "a killer team", with no hiring expertise they handpicked a CTO that came in 1 month later and took a month of vacation in his first month of work.

He didn't do any specification of the system that needs to be built.

The 2 naive owners hired the rest of this "killer team".

The team is good, but have no appreciation of planning.

They've built and rebuilt the backend system twice, once in graphql and the second with plain http (is not real rest, just a http api), in front of, guess what a mongo database.

This mongo DB is not only one, but 7, because we have 7 microservices, and each has its own database.

After some time, they decided to fire their CTO, and hire one more programmer(that's me), because the CTO wasn't doing anything.

The app has 3 parts, the app per se, a business version, and a help desk, guess what the helpdesk just appeared last week on the radar.

Long story short, we have one month to deliver what couldn't be built in 5.

When I decided to work for these people, I did not imagine the kind of clusterfuck that I was getting into.

It took me 1 month to realize the whole situation, now, I really would like to see some help from the deities of any religion, not for the project, that project is doomed.

It's how I'll pay the bills after that clusterfuck collapses that worries me.

Now in the startup no one is talking about how stupid the whole situation is. Or how far back we are. And at this point there's very little that could be done about it, I have a feeling that it could still be accomplished, but it's fading day after day.

I will do my best to live the best of this experience, and do as the musicians in the Titanic and keep playing the music even after knowing the Titanic is sinking.

I don't know what you did yesterday, but i did make my company throw away 2 months of progress.
It all started in the beginning, since that i've made numerous complaints about the workflow or code and how to improve it. I've been told off every time, and every time i either told the boss who agreed in the end or wrote code to prove myself. Everything was a hassle and my tasks weren't better.
Team lead: you'll do X now, please do that by making Y.
Me: but Y is insecure, we should do Z.
Team lead: please do Y
Later it turns out Y is impossible and we do Z in the end...
Team lead: please do W now
Me, a few days later: i've tried and their server doesn't give http cors headers, doing W in the browser is impossible
Team lead, a few days later: have you made progress on W?
Me: * tells again it's impossible and uploads code to prove it *
Team lead: * no response *

After that i had enough. Technically i still was assigned to do W, but i used my time to look over the application and list all the things wrong with it. We had everything, giant commits, commented out code, unnecessary packages, a new commit introduced packages that crashed npm install on non-macs, angularjs-packages even though we use angular, weird logic, a security bug, all css in one file even though you can use component-specific css files...

I sent that to my boss, telling him to let the backend-guys have a look at it too and we had a meeting about this. I couldn't attend but they agreed with me completely. They decided to throw away what we have already and to let one of the backend-guys supervise our team. I guess there will be another talk with the team lead, but time will tell.
It feels so good having hope to finally escape this hellish development cycle of badly defined task, bad communication and headache-inducing merges.

Crazy... Hm, that could qualify for a *lot*.

Craziest. Probably misusage or rather "brain damaged" knowledge about HTTP.

I've seen a lot of wild things when devs start poking standards, but the tip of the iceberg was someone trying to use UTF-8 in headers...

You might have guessed it - German umlauts. :(

Coz yeah. Fucktard loved writing everything in german, so why not write custom header names in german.

The fun thing is: It *can* work, though the usual sane thing is to keep it in ASCII range for the obvious reason that using UTF-8 (or ISO-8859-1, which is *not* ASCII) is a gamble you gonna loose.

The fun game was that after putting in a much needed load balancer between services for monitoring / scaling etc suddenly *something* seemed off.

It took me 2 days and a lot of Wireshark hoola hooping to find out why, cause the header was used for device detection aka wether it's a bot or not. Or in the german term the dev used: "Geräte-Art".

As the fallback was to assume a bot, but only rate limit based on IP, only few managed to achieve the necessary rate limit to get blocked.

So when I say *something* seemed off, I really mean a spooky kind of "sometimes IP blocked for seemingly no reason at all".

Fun stuff. The dev btw germanized everything. Untangling the code base was a lot of non fun. -.-

Http/2 server push is really cool. Like, really fucking cool. Those researchers at google really got this right. I hate how they handle their users but I have to say they really make good use of the money they get by selling us for kettle.

I actually never felt the need to scream at a co-worker so let's talk about that time a co-worker screamed at me instead.

tl;dr : some asshole boss screamed and threatened me because someone else's project was shit and didn't work.

Context: I was in my third year of school internship (graded) and my experience is C, C++, C#, Python all in systems programming, no web.

I was working as an intern for a shit company that was selling a shit software to hospitals (though not medically critical, thank God) the only tech guy on site was the DBA (cool guy) the product was maintained by a single dev in VB from his house, the dude never showed up to work (you'll understand why) and an other intern who couldn't dev shit.

I was working with the DBA on an software making statistical analysis from DB exports, worked nice, no problems here if we forget the lack of specs or boundaries (except must work in ieShit).

The other intern was working on something else (don't ask me what it is) I just remember it was in GWT before the community revived it. His webapp was requesting the company http server for a file instead of having one of it's java servlet to fetch it (both apps ran on sane server) which caused a lot of shit especially CORS error. That guy left (end of contract) and leaves his shit as is, boss asked me to deploy the app, I fiddle with it to see if it works and when I find out it doesn't then that asshole starts screaming at me in front of every other employee present, starts threatening to burn me in the tech world and have me thrown out of my school for no goddamn reason than the other dude's project doesn't work.

After the screaming I leave and warn my school immediately.

I guess that's why the other dev never came to work.

I had three weeks of internship left, that I did from home and worked probably less than 2 hours a day so suck it asshole.

Still had a good grade because I was reviewed by the DBA and he was happy with the work I did.

It was only later that I realized that what he did was categorizing as harassment (at least in France) and decided that never again this would happen without a response from my lawyer.

I explained last week in great detail to a new team member of a dev team (yeah hire or fire part 2) why it is an extremely bad idea to do proactive error handling somewhere down in the stack...

Example
Controller -> Business/Application Logic -> Infrastructure Layer

(shortened)

Now in the infrastructure layer we have a cache that caches an http rest call to another service.

One should not implement retry or some other proactive error handling down in the cache / infra stack, instead propagate the error to the upper layer(s) like application / business logic.
Let them decide what's the course of action, so ...
1) no error is swallowed
2) no unintended side effects like latency spikes / hickups due to retries or similar techniques happens
3) one can actually understand what the services do - behaviour should either be configured explicitly or passed down as a programmed choice from the upper layer... Not randomly implemented in some services.

The explanation was long and I thought ... Well let's call the recruit like the Gremlin he is... Gizmo got the message.

Today Gizmo presented a new solution.

The solution was to log and swallow all exceptions and just return null everywhere.

Yay... Gizmo. You won the Oscar for bad choices TM.

Thx for not asking whether that brain fart made any sense and wasting 5 days with implementing the worst of it all.

Strap in...

- Previous employer
- 3rd party partner firm
- integration link between both over SOAP
- Both sides riddled with poor code and messed up political structures (partner firm CEO is an investor in my employer)
- Doing a deployment to update to https (I know)
- Keep http endpoint live
- Other side starts shitting itself
- Diagnose
- Not us
- feelsgoodman.tiff
- Get angry email
- Explain not us
- Back and forth
- Tell client it’s “irrelevant” on https issue, it’s their side that’s gone wrong
- Get angry reply with boss cc’d about how nothing is “irrelevant” for the client
- We all had to have a make up meeting and meal
- Client was calm and reasonable, all agreed we just snapped and it wouldn’t happen again
- 2 weeks later
- Their system shits itself again and suddenly we’re on the hook
- BA on my team (smarmy little bastard) constantly fucking me off
- Get so close to actually screaming and hitting him

So yeah. I don’t tend to hold that a job is more important to me than my dignity.

I have and will never hold my tongue for the sake of a job, I’m not gonna put up with people shouting / belittling / backstabbing etc.

In today's episode of kidding on SystemD, we have a surprise guest star appearance - Apache Foundation HTTPD server, or as we in the Debian ecosystem call it, the Apache webserver!

So, imagine a situation like this - Its friday afternoon, you have just migrated a bunch of web domains under a new, up to date, system. Everything works just fine, until... You try to generate SSL certificates from Lets Encrypt.

Such a mundane task, done more than a thousand times already... Yet... No matter what you do, nothing works. Apache just returns a HTTP status code 403 - Forbidden.

Of course, what many folk would think of first when it came to a 403 error is - Ooooh, a permission issue somewhere in the directory structure!

So you check it... And re-check it to make sure... And even switch over to the user the webserver runs under, yet... You can access the challenge just fine, what the hell!

So you go deeper... And enable the most verbose level of logging apache is capable of - Trace8. That tells you... Not a whole lot more... Apparently, the webserver was unable to find file specified? But... Its right there, you can see it!

So you go another step deeper and start tracing the process' system calls to see exactly where it calls stat/lstat on the file, and you see that it... Calls lstat and... It... Returns -1? What the hell#2!

So, you compile a custom binary that calls lstat on the first argument given and prints out everything it returns... And... It works fine!

Until now, I chose to omit one important detail that might have given away the issue to the more knowledgeable right away. Our webservers have the URL /.well-known/acme-challenge/, used for ACME challenges, aliased somewhere else on the filesystem - To /tmp/challenges.

See the issue already?

Some *bleep* over at the Debian Package Maintainer group decided that Apache could save very sensitive data into /tmp, so, it would be for the best if they changed something that worked for decades, and enabled a SystemD service unit option "PrivateTmp" for the webserver, by default.

What it does is that, anytime a process started with this option enabled writes to /tmp/*, the call gets hijacked or something, and actually makes the write to a private /tmp/something/tmp/ directory, where something... Appeared as a completely random name, with the "apache2.service" glued at the end.

That was also the only reason why I managed fix this issue - On the umpteenth time of checking the directory structure, I noticed a "systemd-private-foobarbas-apache2.service-cookie42" directory there... That contained nothing but a "tmp" directory with 777 as its permission, owned by the process' user and group.

Overriding that unit file option finally fixed the issue completely.

I have just one question - Why? Why change something that worked for decades? I understand that, in case you save something into /tmp, it may be read by 3rd parties or programs, but I am of the opinion that, if you did that, its only and only your fault if you wrote sensitive data into the temporary directory.

And as far as I am aware, by default, Apache does not actually write anything even remotely sensitive into /tmp, so...

Why. WHY!
I wasted 4 hours of my life debugging this! Only to find out its just another SystemD-enabled "feature" now!

And as much as I love kidding on SystemD, this time, I see it more as a fault of the package maintainers, because... I found no default apache2/httpd service file in the apache repo mirror... So...

It's a tie between 3 things for me.

1. md5 hashed passwords
2. post variable concatenated into sql with no checks
3. admin login over http

sad thing is that all 3 was one website I redid a few years ago

Sorry, need to vent.

In my current project I'm using two main libraries [slack client and k8s client], both official. And they both suck!

Okay, okay, their code doesn't really suck [apart from k8s severely violating Liskov's principle!]. The sucky part is not really their fault. It's the commonly used 3rd-party library that's fucked up.

Okhttp3

yeah yeah, here come all the booos. Let them all out.

1. In websockets it hard-caps frame size to 16mb w/o an ability to change it. So.. Forget about unchunked file transfers there... What's even worse - they close the websocket if the frame size exceeds that limit. Yep, instead of failing to send it kills the conn.

2. In websockets they are writing data completely async. Without any control handles.. No clue when the write starts, completes or fails. No callbacks, no promises, no nothing other feedback
3. In http requests they are splitting my request into multiple buffers. This fucks up the slack cluent, as I cannot post messages over 4050 chars in size . Thanks to the okhttp these long texts get split into multiple messages. Which effectively fucks up formatting [bold, italic, codeblocks, links,...], as the formatted blocks get torn apart. [didn't investigate this deeper: it's friday evening and it's kotlin, not java, so I saved myself from the trouble of parsing yet unknown syntax]

yes, okhttp is probably a good library for the most of it. Yes, people like it, but hell, these corner cases and weird design decisions drive me mad!

And it's not like I could swap it with anynother lib.. I don't depend on it -- other libs I need do!

GWT.
Let me explain:
Tl;dr : someone fucked up, I took shit, it was a gwt project. In a sense I don't hate GWT because of the framework itself but because how I was introduced and forced to "work" with it.

Context:
Was working as a paid intern at a small company there were 3 devs 2 interns and one senior employee that only worked from home handling the shit ton of legacy VB6 code he wrote over several year and a boss with no technical knowledge. (Other unimportant people as well)
I was working with their DBA (cool dude) because I was writing statistic and report generating software.

Story:
The other intern was tasked of doing a gwt app that was supposed to use a input file.
Rather than asking the user to upload it with a file picker (I guess they exist in gwt I didn't got to dig in the framework) he was trying to load the file with a http request directed at the same host the app was running on.
It did not work.
Then his contract was other and the app was left in an unfinished state.
The boss then tried to have the app deployed, the remaining dev dodged the bullet invoking some bullshit because he was clearly incapable of doing it.
So it fell on me, couldn't deploy the app because it was not even close to working.
Tried to fix things and make it work.
Turns out he thought it would take me 3h to deploy when I clearly explained that the other guy didn't finish the app.
Boss got mad, threatened to ruin my studies and my future career.
Couldn't because my uni had my back.
Didn't want to see me anymore.
Couldn't break my contract.
Told me to work from home for the end of my internship.
I got 3 weeks early vacation and got paid, fuck him, fuck GWT, fuck his company.
Still got well marked for the internship as my supervisor was the DBA who was happy with my work.

Morality:
Don't let your intern unsupervised, don't let your main dev work from home when you don't know shit, don't piss me off and send me work from home.

So client wants an android app that implements some legacy Epson printer SDK, works on a chinese Windows device with an android Emulator on it, connects to local Webservice that had to be configurated and ran (local Network) , sends and tracks data, if Server down then handle it on the Client and reconnect as soon as Server up, running own TCP Server on Android device that listens for specific http requests, which make the android connect to an Epson printer to start printing. The stuff that is being printed? A png file that has to be converted to a Bitmap, a QR Code that has to be generated by the bugged base64 encrypted stuff coming via http in (webserver-> Android TCP server)
Dont forget the Software Design (MVP), documentation, research etc.. Im about to finish the app , its my 5th day on this Project, the 6th day was planned to be full testing. Client Calls me and ask me how far I am, I reply, he says ok. 30 minutes later he tells me he wont pay me next time that much because this work should take 3 days, or even 2. "A senior Android developer could do this in 2 days"... When i sent him my notices he called me a liar, his webdev has alot of experience and told him it should take 2-3 days...ffs

I used to be a sysadmin and to some extent I still am. But I absolutely fucking hated the software I had to work with, despite server software having a focus on stability and rigid testing instead of new features *cough* bugs.

After ranting about the "do I really have to do everything myself?!" for long enough, I went ahead and did it. Problem is, the list of stuff to do is years upon years long. Off the top of my head, there's this Android application called DAVx5. It's a CalDAV / CardDAV client. Both of those are extensions to WebDAV which in turn is an extension of HTTP. Should be simple enough. Should be! I paid for that godforsaken piece of software, but don't you dare to delete a calendar entry. Don't you dare to update it in one place and expect it to push that change to another device. And despite "server errors" (the client is fucked, face it you piece of trash app!), just keep on trying, trying and trying some more. Error handling be damned! Notifications be damned! One week that piece of shit lasted for, on 2 Android phones. The Radicale server, that's still running. Both phones however are now out of sync and both of them are complaining about "400 I fucked up my request".

Now that is just a simple example. CalDAV and CardDAV are not complicated protocols. In fact you'd be surprised how easy most protocols are. SMTP email? That's 4 commands and spammers still fuck it up. HTTP GET? That's just 1 command. You may have to do it a few times over to request all the JavaScript shit, but still. None of this is hard. Why do people still keep fucking it up? Is reading a fucking RFC when you're implementing a goddamn protocol so damn hard? Correctness be damned, just like the memory? If you're one of those people, kill yourself.

So yeah. I started writing my own implementations out of pure spite. Because I hated the industry so fucking much. And surprisingly, my software does tend to be lightweight and usually reasonably stable. I wonder why! Maybe it's because I care. Maybe people should care more often about their trade, rather than those filthy 6 figures. There's a reason why you're being paid that much. Writing a steaming pile of dogshit shouldn't be one of them.

to;dr: school, raspi, spoofing, public status screen, funny pictured.

So. At school we had these huge ass 2/3 TVs displaying some information such as which teacher is ill, which lessons won't take place and some school related news. Standard stuff.

They worked using a raspberry pi attached to the TV fetching a website over http every now and then.

Using nmap I discovered that these pi's were in the same network as the pupils devices: Sweeeet.

After trying some standard passwords at the ssh port and not succeeding I came up with something different: A spoofing attack.

I would relay all traffic from those pi's through my device, would replace all images with a trollface picture (I know I know) and flip all text upside down.

Chaos, annoyed faces and laughter.
It was beautiful.

Good morning to everyone, except that one Twitter dev who one day woke up and was like "YOU KNOW WHAT, MY APPLICATION WILL FEATURE BOTH OAUTH1 AND OAUTH2 ENDPOINTS, BUT SOME FEATURES WILL BE EXCLUSIVE TO EITHER OF THE TWO -NOT NECESSARILY THE MOST RECENT, JUST A RANDOM ONE-, AND ALSO THE OFFICIAL TWITTER LIBRARY WON'T COVER ALL THE ENDPOINTS SO PEOPLE WILL HAVE TO RESORT TO RAW HTTP REQUESTS INSTEAD OF USING MY SDK AND ALSO I'MMA MAKE DEVELOPERS FILL 2 VERY DETAILED FORMS, REQUIRING PERSONAL DATA AND ACTUAL REAL PHONE CALLS, JUST TO START DEVELOPMENT WITH 7 DIFFERENT AUTHENTICATION TOKENS, BECAUSE SOME REQUESTS WILL REQUIRE A DIFFERENT AUTHENTICATION METHOD THAN THE OTHER REQUESTS DESPITE ALL OF THEM PERTAINING TO THE SAME FUCKING ENTITY"

Does anyone even run their applications over HTTP/2 ?

Am I the only developer in existence who's ever dealt with Git on Windows? What a colossal train wreck.

1. Authentication. Since there is no ssh key/git url support on Windows, you have to retype your git credentials Every Stinking Time you push. I thought Git Credential Manager was supposed to save your credentials? And this was impossible over SSH (see below). The previous developer had used an http git URL with his username and password baked in for authentication. I thought that was a horrific idea so I eventually figured out how to use a Bitbucket App password.

2. Permissions errors
In order to commit and push updates, I have to run Git for Windows as Administrator.

3. No SSH for easy git access
Here's where I confess that this is a Windows Server machine running as some form of production. Please don't slaughter me! I am not the server admin.
So, I convinced the server guy to find and install some sort of ssh service for Windows just for the off times we have to make a hot fix in production. (Don't ask, but more common than it should be.)
Sadly, this ssh access is totally useless as the git colors are all messed up, the line wrap length and window size are just weird (seems about 60 characters wide by 25 lines tall) and worse of all I can't commit/push in git via ssh because Permissions. Extremely aggravating.

4. Git on Windows hangs open and locks the index file
Finally, we manage to have Git for Windows hang quite frequently and lock the git index file, meaning that we can't do anything in git (commit, push, pull) without manually quitting these processes from task manager, then browsing to the directory and deleting the .git/index.lock file.

Putting this all together, here's the process for a pull on this production server:
Launch a VNC session to the server. Close multiple popups from different services. Ask Windows to please not "restart to install updates". Launch git for Windows. Run a git pull. If the commits to be pulled involve deleting files, the pull will fail with a permissions error. Realize you forgot to launch as Administrator. Depending on how many files were deleted in the last update, you may need to quit the application and force close the process rather than answer "n" for every "would you like to try again?" file. Relaunch Git as Administrator. Run Git pull. Finally everything works.

At this point, I'd be grateful for any tips, appreciate any sympathy, and understand any hatred. Windows Server is bad. Git on Windows is bad.

IT CAN'T BE THAT HARD

1) A CONTROLLER RETURNS HTTP RESPONSES, computed using data received from
2) A SERVICE\MANAGER\YOURMOTHER, which fetches data from a DB\external service\whatever

LITERALLY 2 FUCKING STEPS. I'LL TAKE THAT "SENIOR" IN YOUR TITLE AND CHISEL IT ON YOUR FOREHEAD SO YOU'LL REMEMBER WHAT YOU'RE SUPPOSED TO BE WHEN YOU COMMIT THIS FUCKING GARBAGE

Very eventful day, please see enclosed several smaller rants.

===================

My college's systems are shit and not only do they use HTTP for everything, even the stores and financial aid purchase system, they have homebrew JS shit for PGP site encryption (nifty...), but they exchange the PRIVATE KEYS instead of the public keys. Over HTTP. Not even HTTPS. Also if you log in more than 10 times in 24 hours it's supposed to lock you out of your account until you call... except it locks EVERYONE out. Found this out when on campus, trying to get my textbooks, when suddenly everyone had login lockouts because i'm a "paranoid bastard" and "afraid of idiot college students" for not telling a PUBLIC PC to remember the one password (enforced by password auto-sync across all their shit, not ideal, no) guarding my SUPER-SENSITIVE FINANCIAL AND ACADEMIC DATA... among the other hundreds of issues this college has. I now see why this college is the only one I can afford...

===================

Can't pass-through raw DVD drive access to VMs as VM managers crash when I try (yes, even QEMU...) so i've gotta install Windows on a shitty 80GB laptop HDD for literally one quick project. On the bright side, if my theory proves correct, you'll no longer need modchips for PS2s.

===================

Found a couple odd lines in my xscreensaver config:

GetViewPortIsFullOfLies:False
nice: 10
pointerHysteresis: 10

the first 2 I can't seem to figure out what do, and the last taught me a new word. Fun!

===================

that's it, it's over, why are you still here

So an app I use for real-time train schedules broke last week and the official app is really slow, UI is bloated/bad devs.

I figured out the HTTP calls so started writing my own, spent 2 days and basic functionality works but...

Now the other app is working again...

Feels like wasted effort now :(

SO MAD. Hands are shaking after dealing with this awful API for too long. I just sent this to a contact at JP Morgan Chase.

-------------------
Hello [X],
1. I'm having absolutely no luck logging in to this account to check the Order Abstraction service settings. I was able to log in once earlier this morning, but ever since I've received this frustratingly vague "We are currently unable to complete your request" error message (attached). I even switched IP's via a VPN, and was able to get as far as entering the below Identification Code until I got the same message. Has this account been blocked? Password incorrect? What's the issue?

2. I've been researching the Order Abstraction API for hours as well, attempting to defuddle this gem of an API call response:

error=1&message=Authentication+failure....processing+stopped

NOWHERE in the documentation (last updated 14 months ago) is there any reference to this^^ error or any sort of standardized error-handling description whatsoever - unless you count the detailed error codes outlined for the Hosted Payment responses, which this Order Abstraction service completely ignores. Finally, the HTTP response status code from the Abstraction API is "200 OK", signaling that everything is fine and dandy, which is incorrect. The error message indicates there should be a 400-level status code response, such as 401 Unauthorized, 403 Forbidden or at least 400 Bad Request.

Frankly, I am extremely frustrated and tired of working with poorly documented, poorly designed and poorly maintained developer services which fail to follow basic methodology standardized decades ago. Error messages should be clear and descriptive, including HTTP status codes and a parseable response - preferably JSON or XML.
-----

This whole piece of garbage is junk. If you're big enough to own a bank, you're big enough to provide useful error messages to the developers kind enough to attempt to work with you.

Finally upgraded my webserver and php modules to support HTTP/2 ^^ Everything works fine.

Found out devrant.com doesn't support it though. @dfox

*laughing maniacally*

Okidoky you lil fucker where you've been hiding...

*streaming tcpdump via SSH to other box, feeding tshark with input filters*

Finally finding a request with an ominous dissector warning about headers...

Not finding anything with silversearcher / ag in the project...

*getting even more pissed causr I've been looking for lil fucker since 2 days*

*generating possible splits of the header name, piping to silversearcher*

*I/O looks like clusterfuck*

Common, it are just dozen gigabytes of text, don't choke just because you have to suck on all the sucking projects this company owns... Don't drown now, lil bukkake princess.

*half an hour later*

Oh... Interesting. Bukkake princess survived and even spilled the tea.

Someone was trying to be overly "eager" to avoid magic numbers...

They concatenated a header name out of several const vars which stem from a static class with like... 300? 400? vars of which I can make no fucking sense at all.

Class literally looks like the most braindamaged thing one could imagine.

And yes... Coming back to the network error I'm debugging since 2 days as it is occuring at erratic intervals and noone knew of course why...

One of the devs changed the const value of one of the variables to have UTF 8 characters. For "cleaner meaning".

Sometimes I just want to electrocute people ...

The reason this didn't pop up all the time was because the test system triggered one call with the header - whenever said dev pushed changes...

And yeah. Test failures can be ignored.
Why bother? Just continue meddling in shit.

I'm glad for the dev that I'm in home office... :@

TLDR: Dev changed const value without thinking, ignoring test failures and I had the fun of debunking for 2 days a mysterious HAProxy failure due to HTTP header validation...

With a recent HAProxy update on our reverse proxy VM I decided to enable http/2, disable TLS 1.0 and drop support for non forward-secrecy ciphers.

Tested our sites in Chrome and Firefox, all was well, went to bed.

Next morning a medium-critical havock went loose. Our ERP system couldn't create tickets in our ticket system anymore, the ticket systems Outlook AddIn refused to connect, the mobile app we use to access our anti-spam appliance wouldn't connect although our internal blackboard app still connected over the same load balancer without any issues.

So i declared a 10min maintenance window and disabled HTTP/2, thinking that this was the culprit.

Nope. No dice.
Okay, i thought, enable TLS 1.0 again.

Suddenly the ticket system related stuff starts to work again.

So since both the ERP system and the AddIn run on .NET i dug through the .NET documentation and found out that for some fucking reason even in the newest .NET framework version (4.7.2) you have to explicitly enable TLS 1.1 and 1.2 or else you just get a 'socket reset' error. Why the fuck?!

Okay, now that i had the ticket system out of the way i enabled HTTP/2 and verified that everything still works.

It did, nice.

The anti-spam appliance app still did not work however, so i enabled one non-pfs cipher in the OpenSSL config and tested the app.

Behold, it worked.

I'm currently creating a ticket with them asking politely why the fuck their app has pfs-ciphers disabled.

And I thought disabling DEPRECEATED tech wouldn't be an issue... Wrong...

So I just spent 2 hours debugging a script that fetches data from an API. Thats all it was supposed to do. Http get some data.

It wasnt working and was giving a "parse error". Worked fine in browser.

So it turns out it was using http 0.9 (first documented http version, defined in 1991) and wasnt sending any headers. And js cant do no headers...

So yea I now have to write a tcp / http 0.9 client in js

tldr: my classmates suck and I hate them
We study cs in school, and my classmates are super dumb.
Here is an example from today:
The task: build an http server in python, using sockets.

My classmates: writes everything in the main function, uses try-expect for everything and every error possible, nothing works, nothing worked after a week.
Me: properly separated to different functions, used goddam regrx to get data from requests, used asyncio to make sure it can handle multiple requests at the same time, everything worked after 2 hours.

But, and here is the problem, after I finish they ask me a bunch of dumb, 'Just Google it dude' questions and they call me condescending because I get mad after the second hour of teaching them the same thing.
Once they told me:"you think you are a better programmer then us" and I just want to say this out loud: I AM A BETTER PROGRAMMER THEN THEM, THEY ARE THE PERFECT EXAMPLE OF HOW YOU SHOULDN'T DO ANYTHING AND I HATE THEM.
That's it, I'm done. I feel much better now.
PS: it's okay to suck at programming, but please stop thinking that everyone who's better than you is condescending.

I built my first web server literally from scratch (standard socket lib) today! In Python <3.
It is able to execute php and get the stdout to use it in the Python script afterwards and make use of parallel connections.

Now to the real rant...
I am using HTTP/1.1. I want to use h2 (aka HTTP/2) tho. I am stuck on this. Found the papers to the specs of the h2 and spdy protocols, but they are not really helpful.

Is anyone good in this field? Please let me know :/

Today I spent 9 hours trying to resolve an issue with .net core integration testing a project with soap services created using a third party soap library since .net core doesn't support soap anymore. And WCF is before my time.

The tests run in-process so that we can override services like the database, file storage, basically io settings but not code.

This morning I write the first test by creating a connected service reference to generate a service client. That way I don't need to worry about generating soap messages and keeping them in sync with the code.

I sent my first request and... Can't find endpoint.

3 hours later I learn via fiddler that a real request is being made. It's not using the virtual in-process server and http client, it's sending an actual network request that fiddler picks up, and of course that needs a real server accepting requests... Which I don't have.

So I start on MSDN. Please God help me. Nope. Nothing. Makes sense since soap is dead on .net core.

Now what? Nothing on the internet because above. Nothing in the third party soap library. Nothing. At this point I question of I have hit my wall as a developer.

Another 4 hours later I have reverse engineered the Microsoft code on GitHub and figured out that I am fucked. It's so hard to understand.

2 more hours later I have figured out a solution. It's pure filth..I hide it away in another tooling project and move all the filth to internal classes :D the equivalent of tidying your room as a kid by shoving it all under the bed. But fuck it.

My soap tests now use the correct http client with the virtual server. I am a magician.

It looks like serving http/2 with Nginx is pretty easy. I want to move to that with my websites.
Do you have any experience with switching? Good or bad?

In last episode of "How SystemD screwed me over", we talked about Systemd's PrivateTMP and how it stopped me from generating SSL certificates.

In today's episode - SystemD vs CGroups!

Mister Pottering and his team apparently felt that CGroups are underused (As they can be quite difficult to set up), and so decided to integrate them into SystemD by default. As well as to provide a friendlier interface to control their values.

One can read about these interactions in the manual page "systemd.resource-control"

All is cool so far. So what happened to me today?

Imagine you did a major system release upgrade of a production server, previously tested on a standalone server. This upgrade doesn't only upgrade the distribution however, it also includes the switch from SysVInit to SystemD. Still, everything went smooth before, nothing to worry now then, right? Wrong.

The test server was never properly stress-tested. This would prove to be an issue.

When the upgrade finishes, it is 4 AM. I am happy to go to bed at last. At 6 AM, however, I am woken up again as the server's webservices are unavailable, and the machine is under 100% CPU load. Weird, I check htop and see that Apache now eats up all 32 virtual cores. So I restart it, casting it off to some weird bug or something as the load returns to normal.

2 hours later, however, the same situation occurs. This time, I scour all the logs I can, and find something weird - Many mentions that Apache couldn't create a worker thread? That's weird.

Several hours of research and tinkering later, I found out the following:
1 - By default, all processes of a system that runs SystemD are part of several CGroups. One of these CGroups is the PID CGroup, meant to stop a runaway process from exhausting all PIDs/TIDs of a system.

This limit is, by default, set to a certain amount of the total available PIDs. If a process exhausts this limit, it can no longer perform operations like fork().

So now, I know the how and why, but how should I solve this? The sanest option would be to get a rough estimate of just how many threads the Apache webserver might need. This option, though, is harder, than apparent. I cannot just take the MaxRequestsWorkers number... The instance has roughly double the amount of threads already. The cause being, as I found out, the HTTP/2 module, which spawns additional threads that do not count towards this limit. So I have no idea what limit to set.

Or I could... Disable the limit for just the webserver via the TasksAccounting switch. I thought this would work. And it did seem to... Until I ran out of TIDs again - Although systemctl status apache2.service no longer reported the number of tasks or a task limit of the process, the PID CGroup stayed set to the previous limit. Later I found out that I can only really disable the Task Accounting for all the units of a given slice and its parents.

This, though, systemctl somewhat didn't make apparent (And I skimmed the manual, that part was my fault)

So... The only remaining option I had was to... Just set the limit to infinite. And that worked, at last.

It took me several hours to debug this issue. And I once again feel like uninstalling systemd again, in favor of sysvinit.

What did I learn? RTFM, carefully, everything is important, it is not enough to read *half* the paragraph of a given configuration option...

Oh, and apache + http/2 = huge TID sink.

I hate this feeling.

Changing stuff with a greamripers scythe around my neck called doubt because the available data isn't too convincing.

Then having to go big or nothing as it is an ecosystem change (e.g. changing the cipher suites of TLS, changing protocol - e.g. HTTP 1.1 to 2) so it needs to be consistent as otherwise fun stuff could happen (fun as in the grim reaper cuts off my neck except a few centimeters and plays "now your head is off, now your head is on" ).

To top it off - just few seconds after the change has happened people coming up in the support channel.

My hands are - mysteriously - not sweaty then. Rather cold.

Lil prayer to the heavens and getting the whiskey bottle...

Opening an ongoing discussion in support channel....

And they're discussing whether the page needs to have an additional arrow for going back to the last page or if the default page navigation is enough.

Constantly using @all so everyone gets pissed off due to being pinged every few seconds in a channel that was meant for emergency support.

Now my hands go from a dark red to a bright red, my nostrils flare out, my adrenaline goes through the roof and I literally wanna murder people....

Those days.

I hate those days.

And I hate the timing of some people...

Like they're deliberately fucking with me without knowing it, like the universe told them explicitly to do so just to fuck with me.

*gooozfraba*

And of course, everything else is fine and running smooth like butter, except that said discussion now goes on in a total flamewar so I get even more pings.

Sucks to be in management.

You have way to many rooms where people can annoy you.

To top it off - after being grumpy and pissed and angry for people just annoying the fuck out of me, I have to mediate.

Yeah. Cause the usual person is on vacancy.

*slowly strangling the whiskey bottle like homer does with bart*

Turns out after 15 mins listening to enraged UX designer vs Frontend Team Lead that UX designer meant a completely different thing - uploaded wrong screenshot, whole discussion was unnecessary.

*Nah. Fuck it. Drinking whiskey*

Reminding everyone what the fucking frigging support channel is meant for and that penis fights aka who got the longest schlong don't belong there....

"Yeah it was a mistake, but it wasn't so bad"
...

You pinged fucking 32 people like it was the end of the world, you ignorant fucktwads.

For over 5 mins.

For fucking frigging nothing except your tiny dicks and shitty egos.

*Second round of whiskey*

Back to work after a wasted half hour.

What says monitoring?

Ah. Everything's working.

At least luck hasn't failed me.

Good server. Brave server.

Then I hear this lil voice in my head: no.

The servers know your personality.

They're afraid. Terrified.

Somehow that thought makes me giggle always...

Childish? Maybe. But it helps on those days.... Funnily enough, remaining 3 hours noone said anything in any chat channel.

"I wonder why, I wonder how...."... *hum*

The frontend developers in my company are the reason why I have anxiety. Here are few things that grinds my knees:
1) for a long time in projects, they deleted the auth token from their storage without integrating the logout api. They thought why use an API for that. :)
2) most of them had no clue that form fields could accept javascript as inputs and work as XSS vulnerabilities. This actually happened with a client, he got so fucking pissed.
3) One of them asked me to convert a PATCH request to DELETE cos fuck REST and HTTP methods.

For fuck’s sake. I need to get out of this place.

So, I browse to a video livestream and an annoying ad starts before the livestream is shown. Furthermore, the page jumps around because of a cookie notification that also blocks some UI elements at the top.

Note: this is the website of a public (government-paid) national news website with very high standards and a good reputation.

Action 1: refresh page; I hope the ad is skipped. Nope, annoying ad restarts. Page jumps around again because of the cookie notification.

Action 2: accept cookies to remove notification blocking the top UI (it's OK, I know it can't actually save any cookies on my machine). Instead of some nice JS doing it for me in the background, the page refreshes because you know, HTTP requests and whatnot.

Annoying ad restarts again... FML 🤬

Lessons to be learned from this for any web dev: these annoyances can and *will* exponentially get worse if used simultaneously against your users, instead of being used to help or inform your users.

As a user of you website, I want to watch a livestream. I don't care what stupid legislation forced you to shove a fucking cookie notification in my face. Make sure it is not annoying me to the point that I close you website and take minutes to rant about it!

Also, give me the freedom of choice to watch an ad or not. You and I both know that some ads simply are not for me. Better save yourself and myself the bandwidth.

And go get good at web development. You're a news site. That's more than just text and images. If you want great apps, social media coverage, videos, live streams, blogs, etc. go get some better web devs. Your current web frontend devs only qualify to get fired.

"What is HTTP/2?"
Quote from the web infra/ops team lead supporting us :(

The world must truly hate me.

I refactored my code a lot in order to easily integrate different APIs endpoints but then I can't use the one I specifically did this for, because of TLS errors.
My browsers all agree that it's fine, but curl and the 2 http libraries I tested can't fetxh any data.

END ME!

Would be interested to hear if anyone is using HTTP/2 and on which framework. Anyone have experience with Python - what is the community package compatibility like? Thanks!

Fucking retard Liferay.....

At least 2 users (one inour team and another at client's) are claiming they've successfully opened a portlet view multiple times at day X. And a month later it stopped working.

I open up Liferay's (tomcat's) localhost_access.log and can see all the portlet requests at day X have returned http:400

Normally I would consider the human factor and rule this as a human error, assuming they were connected to another environment, another server, etc. But since this is The Fucking Liferay - I'm not that fast in trusting even logs :(

Who the fuck made this piece of shit....

Okay so.

I have a docker instance with 2 running apps. Normally one of them is just a proxy to the other one, so a http req to app0 is redirected to app1 and the same with response.

This works perfectly on bare machine, i can just rewrite the ip in the config file and it works. Now my boss decided that yeah docker is absolutely needed for this software so i have to containerize it.

Thing is docker seems to break local ips? I cant use localhost/, nor assigned ip. Is there a way i can debug this, or what should i look up??? Im lost, this is devops afaik and im far from devops.

Im building an API with NancyFx (HTTP stuff) and mobgoDB (database). i had very strage errors when starting queres. and after 2 fucking days if debugging i found it!
accidentally I wrote somewhere in a custom type conversion "ObjectId" i stead of "OwnerId".

F M L
"""""""""
#MongoDB #NancyFx #CSharp/.Net

Doesn’t it bother anyone else that both HTTP/2 and HTTP/3 were both SPDY and QUIC at Google first? Yeah I know ideas have to “come from somewhere” and I guess it’s not really any different than the AT&T/Bell Labs/MIT of the past; but something doesn’t feel right.

Rant/question:
httpDoSmth1().subscribe(x =>
...then(y =>
httpDoSmth2(x).subscribe(z =>
//do smth with z
return z
)
)
)
Isn't this (not my code) callback hell all over again? The 2. http call expects results from the 1. http call. I feel like this could be solved cleaner using async await/switchMap/etc. ... but not like this.

So I’m going through a CKAD course. There is a section about checking the status of our Pods or the application running in it through Readiness/Liveness Probes— they mostly use an HTTP test, but there is a TCP option as well. My question is, how will the TCP test work on HTTP/2 given that it does not have TCP (it rather uses QUIC)? Sorry if this is a dumb question.

Has anyone maybe a link to HTTP security topics in general?

I find often breadcrumbs, like in several different attack possibilities, but nothing comprehensive.

Mostly regarding HTTP 1.1 / HTTP 2 (h2c) and proxying.

I'm currently unclogging an whole ecosystem of proxies, endpoints, edge nodes and so on...

My knowledge is limited and it's frustrating to Google cause seemingly I get always just pieces of the puzzles but not a collection -.-

(Looking for specific information, e.g. regarding attacks like H2C Smuggling, HPACK attacks, stuff regarding Cookies / Headers / Encoding... But please not spread over several dozen pages where it becomes frustrating to read the same shit over and over again without learning something new :( )

!Rant
Hell yeah, I love that feeling! I have absolutely no idea about working with the LEMP stack (nginx in particular) and I'm slowly figuring out how to get it working. Even tho I just noticed that chrome doesn't support npn for http/2 and that I am still up (GMT+1) I wanna continue working in this project. Man, I love that feeling <3

I'm teaching a couple of classes where students (~18 years old) work on their own projects. I just deleted two of those from my machine: one Angular and one Spring Boot, but just boilerplate. Together, they were about 500 MB. I spent 2-3 hours working on a little Go tool to make concurrent HTTP requests and to report statistics on the response time. The entire repository is roughly 500 kB in size, but solves a genuine problem. My students have a bloat ratio of 1000 compared to me as a baseline, but my stuff actually does things. Today, I programmed prime factorization in PHP for some load tests (mod_php vs. PHP-FPM). The PHP script is 1148 bytes long (but the file system reports 4 kB). My students could learn more from such a script than from their overblown "projects", but "PHP sucks" I hearsay, so let's bloat on.

I want to learn about the most important network protocols (HTTP 1/1.1/2, SSH, IMAP, SMTP, IMAP...) but reading the RFCs is extremely time consuming and probably not necessary for someone which doesn't need to implement these protocol.
Do you know more concise resources where I can learn more about the topic?

I recently started working on laravel. As the community says it was easy to get along with the framework and its methodologies. But then i had to do multiple login with framework in same domain.

Oh man, i spent a week to make it work. All those guards and middlewares realted to login was driving me crazy. The concept was clear, but somehow the framework was like "You! I shall make you spend a week for my satisfaction". The project demo was nearing and i was doing all kind of stuff i found. Atlast after continous tries it worked. Never in my 4+ years as a developer i had to face such an issue with login.

So here is how it works,if anyone faces the same issue:
(This case is beneficial if you're using table structures different from default laravel auth table structures)

1. Define the guards for each in auth.php
Eg:
'users' => [
'driver' => 'session',
'provider' => 'users',
],
'client' => [
'driver' => 'session',
'provider' => 'client',
],
'admin' => [
'driver' => 'session',
'provider' => 'admins',
],

2. Define providers for each guards in auth.php
'users' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
'table' => '<table name>', //Optional. You can define it in the model also
],
'admins' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],
'client' => [
'driver' => 'eloquent',
'model' => <Model Namespace>::class,
],

Similarly you can define passwords for resetting passwords in auth.php

3. Edit login controller in app/Http/Controller/Auth folder accordingly
a. Usually this particular line of code is used for authentication
Auth::guard('<guard name>')->attempt(['email' => $request->email, 'password' => $request->password]);
b. If above mentioned method doesn't work, You can directly login using login method
EG:
$user = <model namespace>::where([
'username' => $request->username,
'password' => md5($request->password),
])->first();
Auth::guard('<guard name>')->login($user);

4. If you're using custom build table to store user details, then you should adjust the model for that particular table accordingly. NOTE: The model extends Authenticatable
EG
class <model name> extends Authenticatable
{
use Notifiable;

protected $table = "<table name>";

protected $guard = '<guard name>';

protected $fillable = [
'name' , 'username' , 'email' , 'password'
];

protected $hidden = [
'password' ,
];

//Below changes are optional, according to your need
public $timestamps = false;
const CREATED_AT = 'created_time';
const UPDATED_AT = 'updated_time';

//To get your custom id field, in this case username
public function getId()
{
return $this->username;
}
}

5. Create login views according to the user types you required

6. Update the RedirectIfAuthenticated middleware for auth redirections after login

7. Make sure to not use the default laravel Auth routes. This may cause some inconsistancy in workflow

The laravel version which i worked on and the solution is for is Laravel 6.x