Hacking/attack experiences...
I'm, for obvious reasons, only going to talk about the attacks I went through and the *legal* ones I did 😅 😜

Let's first get some things clear/funny facts:
I've been doing offensive security since I was 14-15. Defensive since the age of 16-17. I'm getting close to 23 now, for the record.

First system ever hacked (metasploit exploit): Windows XP.
(To be clear, at home through a pentesting environment, all legal)
Easiest system ever hacked: Windows XP yet again.

Time it took me to crack/hack into today's OS's (remote + local exploits, don't remember which ones I used by the way):
Windows: XP - five seconds (damn, those metasploit exploits are powerful)
Windows Vista: Few minutes.
Windows 7: Few minutes.
Windows 10: Few minutes.
OSX (in general): 1 Hour (finding a good exploit took some time, got to root level easily aftewards. No, I do not remember how/what exactly, it's years and years ago)
Linux (Ubuntu): A month approx. Ended up using a Java applet through Firefox when that was still a thing. Literally had to click it manually xD
Linux: (RHEL based systems): Still not exploited, SELinux is powerful, motherfucker.

Keep in mind that I had a great pentesting setup back then 😊. I don't have nor do that anymore since I love defensive security more nowadays and simply don't have the time anymore.

Dealing with attacks and getting hacked.

Keep in mind that I manage around 20 servers (including vps's and dedi's) so I get the usual amount of ssh brute force attacks (thanks for keeping me safe, CSF!) which is about 40-50K every hour. Those ip's automatically get blocked after three failed attempts within 5 minutes. No root login allowed + rsa key login with freaking strong passwords/passphrases.

linu.xxx/much-security.nl - All kinds of attacks, application attacks, brute force, DDoS sometimes but that is also mostly mitigated at provider level, to name a few. So, except for my own tests and a few ddos's on both those domains, nothing really threatening. (as in, nothing seems to have fucked anything up yet)

How did I discover that two of my servers were hacked through brute forcers while no brute force protection was in place yet? installed a barebones ubuntu server onto both. They only come with system-default applications. Tried installing Nginx next day, port 80 was already in use. I always run 'pidof apache2' to make sure it isn't running and thought I'd run that for fun while I knew I didn't install it and it didn't come with the distro. It was actually running. Checked the auth logs and saw succesful root logins - fuck me - reinstalled the servers and installed Fail2Ban. It bans any ip address which had three failed ssh logins within 5 minutes:
Enabled Fail2Ban -> checked iptables (iptables -L) literally two seconds later: 100+ banned ip addresses - holy fuck, no wonder I got hacked!

One other kind/type of attack I get regularly but if it doesn't get much worse, I'll deal with that :)

Dealing with different kinds of attacks:

Web app attacks: extensively testing everything for security vulns before releasing it into the open.
Network attacks: Nginx rate limiting/CSF rate limiting against SYN DDoS attacks for example.
System attacks: Anti brute force software (Fail2Ban or CSF), anti rootkit software, AppArmor or (which I prefer) SELinux which actually catches quite some web app attacks as well and REGULARLY UPDATING THE SERVERS/SOFTWARE.

So yah, hereby :P

Funny story about the first time two of my servers got hacked. The fun part is how I noticed it.
So I purchased two new vps's for proxy server goals and thought like 'I can setup fail2ban tomorrow, I'll be fine.'

Next day I wanted to install NginX so I ran the command and it said that port 80 was already in use!

I was sitting there like no that's not possible I didn't install any server software yet. So I thought 'this can't be possible' but I ran 'pidof apache2' just to confirm. It actually returned a PID! It was a barebones Debian install so I was sure it was not installed yet by ME. Checked the auth logs and noticed that an IP address had done a huge brute force attack and managed to gain root access. Simply reinstalled debian and I put fail2ban on it RIGHT AWAY.

Checked about two seconds later if anyone tried to login again (iptables -L and keep in mind that fail2ban's default config needs six failed attempts within I think five minutes to ban an ip) and I already saw that around 8-10 addresses were banned.

Was pretty shaken up but damn I learned my lesson!

It's maddening how few people working with the internet don't know anything about the protocols that make it work. Web work, especially, I spend far too much time explaining how status codes, methods, content-types etc work, how they're used and basic fundamental shit about how to do the job of someone building internet applications and consumable services.

The following has played out at more than one company:

App: "Hey api, I need some data"
API: "200 (plain text response message, content-type application/json, 'internal server error')"
App: *blows the fuck up

*msg service team*

Me: "Getting a 200 with a plaintext response containing an internal server exception"
Team: "Yeah, what's the problem?"
Me: "...200 means success, the message suggests 500. Either way, it should be one of the error codes. We use the status code to determine how the application processes the request. What do the logs say?"
Team: "Log says that the user wasn't signed in. Can you not read the response message and make a decision?"
Me: "That status for that is 401. And no, that would require us to know every message you have verbatim, in this case, it doesn't even deserialize and causes an exception because it's not actually json."
Team: "Why 401?"
Me: "It's the code for unauthorized. It tells us to redirect the user to the sign in experience"
Team: "We can't authorize until the user signs in"
Me: *angermatopoeia* "Just, trust me. If a user isn't logged in, return 401, if they don't have permissions you send 403"
Team: *googles SO* "Internet says we can use 500"
Me: "That's server error, it says something blew up with an unhandled exception on your end. You've already established it was an auth issue in the logs."
Team: "But there's an error, why doesn't that work?"
Me: "It's generic. It's like me messaging you and saying, "your service is broken". It doesn't give us any insight into what went wrong or *how* we should attempt to troubleshoot the error or where it occurred. You already know what's wrong, so just tell me with the status code."
Team: "But it's ok, right, 500? It's an error?"
Me: "It puts all the troubleshooting responsibility on your consumer to investigate the error at every level. A precise error code could potentially prevent us from bothering you at all."
Team: "How so?"
Me: "Send 401, we know that it's a login issue, 403, something is wrong with the request, 404 we're hitting an endpoint that doesn't exist, 503 we know that the service can't be reached for some reason, 504 means the service exists, but timed out at the gateway or service. In the worst case we're able to triage who needs to be involved to solve the issue, make sense?"
Team: "Oh, sounds cool, so how do we do that?"
Me: "That's down to your technology, your team will need to implement it. Most frameworks handle it out of the box for many cases."
Team: "Ah, ok. We'll send a 500, that sound easiest"
Me: *..l.. -__- ..l..* "Ok, let's get into the other 5 problems with this situation..."

Moral of the story: If this is you: learn the protocol you're utilizing, provide metadata, and stop treating your customers like shit.

Every step of this project has added another six hurdles. I thought it would be easy, and estimated it at two days to give myself a day off. But instead it's ridiculous. I'm also feeling burned out, depressed (work stress, etc.), and exhausted since I'm taking care of a 3 week old. It has not been fun. :<

I've been trying to get the Google Sheets API working (in Ruby). It's for a shared sales/tracking spreadsheet between two companies.

The documentation for it is almost entirely for Python and Java. The Ruby "quickstart" sample code works, but it's only for 3-legged auth (meaning user auth), but I need it for 2-legged auth (server auth with non-expiring credentials). Took awhile to figure out that variant even existed.

After a bit of digging, I discovered I needed to create a service account. This isn't the most straightforward thing, and setting it up honestly reminds me of setting up AWS, just with less risk of suddenly and surprisingly becoming a broke hobo by selecting confusing option #27 instead of #88.

I set up a new google project, tied it to my company's account (I think?), and then set up a service account for it, with probably the right permissions.

After downloading its creds, figuring out how to actually use them took another few hours. Did I mention there's no Ruby documentation for this? There's plenty of Python and Java example code, but since they use very different implementations, it's almost pointless to read them. At best they give me a vague idea of what my next step might be.

I ended up reading through the code of google's auth gem instead because I couldn't find anything useful online. Maybe it's actually there and the past several days have been one of those weeks where nothing ever works? idk :/

But anyway. I read through their code, and while it's actually not awful, it has some odd organization and a few very peculiar param names. Figuring out what data to pass, and how said data gets used requires some file-hopping. e.g. `json_data_io` wants a file handle, not the data itself. This is going to cause me headaches later since the data will be in the database, not the filesystem. I guess I can write a monkeypatch? or fork their gem? :/

But I digress. I finally manged to set everything up, fix the bugs with my code, and I'm ready to see what `service.create_spreadsheet()` returns. (now that it has positively valid and correctly-implemented authentication! Finally! Woo!)

I open the console... set up the auth... and give it a try.

... six seconds pass ...

... another two seconds pass ...

... annnd I get a lovely "unauthorized" response.

asjdlkagjdsk.

> Pic related.

So, some time ago, I was working for a complete puckered anus of a cosmetics company on their ecommerce product. Won't name names, but they're shitty and known for MLM. If you're clever, go you ;)

Anyways, over the course of years they brought in a competent firm to implement their service layer. I'd even worked with them in the past and it was designed to handle a frankly ridiculous-scale load. After they got the 1.0 released, the manager was replaced with some absolutely talentless, chauvinist cuntrag from a phone company that is well known for having 99% indian devs and not being able to heard now. He of course brought in his number two, worked on making life miserable and running everyone on the team off; inside of a year the entire team was ex-said-phone-company.

Watching the decay of this product was a sheer joy. They cratered the database numerous times during peak-load periods, caused $20M in redis-cluster cost overrun, ended up submitting hundreds of erroneous and duplicate orders, and mailed almost $40K worth of product to a random guy in outer mongolia who is , we can only hope, now enjoying his new life as an instagram influencer. They even terminally broke the automatic metadata, and hired THIRTY PEOPLE to sit there and do nothing but edit swagger. And it was still both wrong and unusable.

Over the course of two years, I ended up rewriting large portions of their infra surrounding the centralized service cancer to do things like, "implement security," as well as cut memory usage and runtimes down by quite literally 100x in the worst cases.

It was during this time I discovered a rather critical flaw. This is the story of what, how and how can you fucking even be that stupid. The issue relates to users and their reports and their ability to order.

I first found this issue looking at some erroneous data for a low value order and went, "There's no fucking way, they're fucking stupid, but this is borderline criminal." It was easy to miss, but someone in a top down reporting chain had submitted an order for someone else in a different org. Shouldn't be possible, but here was that order staring me in the face.

So I set to work seeing if we'd pwned ourselves as an org. I spend a few hours poring over logs from the log service and dynatrace trying to recreate what happened. I first tested to see if I could get a user, not something that was usually done because auth identity was pervasive. I discover the users are INCREMENTAL int values they used for ids in the database when requesting from the API, so naturally I have a full list of users and their title and relative position, as well as reports and descendants in about 10 minutes.

I try the happy path of setting values for random, known payment methods and org structures similar to the impossible order, and submitting as a normal user, no dice. Several more tries and I'm confident this isn't the vector.

Exhausting that option, I look at the protocol for a type of order in the system that allowed higher level people to impersonate people below them and use their own payment info for descendant report orders. I see that all of the data for this transaction is stored in a cookie. Few tests later, I discover the UI has no forgery checks, hashing, etc, and just fucking trusts whatever is present in that cookie.

An hour of tweaking later, I'm impersonating a director as a bottom rung employee. Score. So I fill a cart with a bunch of test items and proceed to checkout. There, in all its glory are the director's payment options. I select one and am presented with:

"please reenter card number to validate."

Bupkiss. Dead end.

OR SO YOU WOULD THINK.

One unimportant detail I noticed during my log investigations that the shit slinging GUI monkeys who butchered the system didn't was, on a failed attempt to submit payment in the DB, the logs were filled with messages like:

"Failed to submit order for [userid] with credit card id [id], number [FULL CREDIT CARD NUMBER]"

One submit click later and the user's credit card number drops into lnav like a gatcha prize. I dutifully rerun the checkout and got an email send notification in the logs for successful transfer to fulfillment. Order placed. Some continued experimentation later and the truth is evident:

With an authenticated user or any privilege, you could place any order, as anyone, using anyon's payment methods and have it sent anywhere.

So naturally, I pack the crucifixion-worthy body of evidence up and walk it into the IT director's office. I show him the defect, and he turns sheet fucking white. He knows there's no recovering from it, and there's no way his shitstick service team can handle fixing it. Somewhere in his tiny little grinchly manager's heart he knew they'd caused it, and he was to blame for being a shit captain to the SS Failboat. He replies quietly, "You will never speak of this to anyone, fix this discretely." Straight up hitler's bunker meme rage.

Long story short, I'm unofficially the hacker at our office... Story time!

So I was hired three months ago to work for my current company, and after the three weeks of training I got assigned a project with an architect (who only works on the project very occasionally). I was tasked with revamping and implementing new features for an existing API, some of the code dated back to 2013. (important, keep this in mind)

So at one point I was testing the existing endpoints, because part of the project was automating tests using postman, and I saw something sketchy. So very sketchy. The method I was looking at took a POJO as an argument, extracted the ID of the user from it, looked the user up, and then updated the info of the looked up user with the POJO. So I tried sending a JSON with the info of my user, but the ID of another user. And voila, I overwrote his data.

Once I reported this (which took a while to be taken seriously because I was so new) I found out that this might be useful for sysadmins to have, so it wasn't completely horrible. However, the endpoint required no Auth to use. An anonymous curl request could overwrite any users data.

As this mess unfolded and we notified the higher ups, another architect jumped in to fix the mess and we found that you could also fetch the data of any user by knowing his ID, and overwrite his credit/debit cards. And well, the ID of the users were alphanumerical strings, which I thought would make it harder to abuse, but then realized all the IDs were sequentially generated... Again, these endpoints required no authentication.

So anyways. Panic ensued, systems people at HQ had to work that weekend, two hot fixes had to be delivered, and now they think I'm a hacker... I did go on to discover some other vulnerabilities, but nothing major.

It still amsues me they think I'm a hacker 😂😂 when I know about as much about hacking as the next guy at the office, but anyways, makes for a good story and I laugh every time I hear them call me a hacker. The whole thing was pretty amusing, they supposedly have security audits and QA, but for five years, these massive security holes went undetected... And our client is a massive company in my country... So, let's hope no one found it before I did.

The 5 whys

So.. we cant deploy

Why? > We had to take our deployment tool offline
Why? > Because random people from the internet started deployments
Why? > Because we had no authentication and so it was publicly available
Why? > Boss said auth was no priority (we told him every day)
Why? > ¯\_(ツ)_/¯

Request from a senior backend dev in a previous company:

Talking to the team thats responsible for the auth API's is such a pain. For this new API can we just not add any auth to it? Its only going to return details about who the email address belongs too. Like name, address, date of birth, car registration etc. No one will care about that, and it will be easier for mobile to integrate right?

Holy fuck nvidia. Why the fuck you want me to login to your fucking app in order to download a fucking driver. You also want me to click a fucking link that you sent to my email for verification on every fucking login? Why on earth someone would stole my fucking nvidia account? To see which drivers I use? What the fuck nvidia? Oh wait. DO YOU DARE ASK ME TO SETUP TWO FACTOR AUTH TO SECURE MY ACCOUNT?!? What the fuck? Even if I put my credentials online no one would care to login my fucking nvidia account. Just let me download my fucking driver!

Worst security issue : being able to make a money transfer with no auth and changing freely the bank account in the POST params...

Dev excuse : "I didn't know my job was also to take care about security."

For the love of god, I spent 2,5 hours debugging why Minecraft from the windows store doesn't work...

The game just shows a red message telling you it didn't work.

I checked the logs, nothing just warnings

I re-installed the game, nothing, same error

Updated java and all parts of the store, nothing....

Obviously I had to install Something called the "xbox identity Provider"... You know... On a PC... For a distinctly PC game to work... Installed by the store... And the provider is also on the store... But it doesn't auto-install with the game

Ever since you migrated to the Microsoft Auth the login experience is awful (I ranted about that already)

How about you do the bare fucking Minimum of an User experience and Install the fucking dependencies when I re-installed something your fucking store??!!!

The fucking bare minimum that every package manager ever created fucking has as a basic requirement?! Are you kidding me?

Rename your fucking services so they make sense and please don't waste everyone's time by having both shitty logs and no dep management for your own apps... Fucks sake

soo.. yeah.. I've just solved an annoying bug using only chatgpt.

My first commit in this new project. And it's based on chatgpt.

Literally just saved me from days of reading through kafka docs, auth mechanisms and other stuff. And no, the google did not provide me with a proper answer/hints. The only hint was "the configuration might be wrong". Well alright, but I was NOT using any configuration in the first place...

Fun times ahead :) I might even consider the pro version if it keeps delivering like that.

Today my grandmother called and told me she wasnt able to login to her account for her ISP. Alright, maybe shes confused about the passwords as we had to change it recently. No, turns out they still have this "oh sorry you typed your password incorrect three times, so we will lock your account and your granny have to do the 2 hour telephone queue"

You and your fucking outdated auth practise can go and kindly fuck yourself. Fix this shit before I get real mad.

5 stages of failing WIFI connectivity on Linux

This morning I woke up my laptop to start my work day. I have 2 very important meetings today, so I better get all prepared.

"Wifi connection failed"
Syslog says:
- wpa_supplicant: wlp9s0: SME: Trying to authenticate with <MAC>
- kernel: wlp9s0: authenticate with <MAC>
- kernel: wl9s0: send auth to <MAC> (try 1/3)
- kernel: wl9s0: send auth to <MAC> (try 2/3)
- kernel: iwlwifi: Not associated and the session protection is over already...
- kernel: wl9s0: send auth to <MAC> (try 3/3)
- kernel: wl9s0: authentication with <MAC> timed out

#### DENIAL #####

No biggie, let's try another AP (I have 3). All 3 failed to connect. Fine, let's try my phone's hotspot! FAILED!!!!!

w00t.... okay, let's restart the router... but failing to connect to a phone hotspot is already a worrying sign.

Wifi connection failed

wtf.. disable and re-enable wifi

Wifi connection failed

#### ANGER #####

the fuuuuuuck. Maybe my router is dead. But my phone connects to it, no fuss. My personal lappy also connects there easily.

wtf... Does that mean I'm about to lose my uptime?? Come one!! It's Linux - there MUST be something I could do! I don't see processes hanging in D state so the radio must be fine - it's gotta be a software issue!

ChatGPT – type all the log entries manually, via phone (that took a while...). Nothing useful there: update firmware, restart NetworkManager, etc.

#### BARGAINING #####

Alright... How about a USB dongle? Plug it in and wifi connects immediately! Yayyy!!! But that's only b/g/n and I'd very much like to have ac. It works well as a limping backup, but not something I'd use for the meetings.

rfkill block/unblock all the radios. No change. USB dongle connects right away but the PCIe adapter keeps throwing notifications at me with failure messages. It's annoying, to say the least.

So I've already tried
- restarting the router(s)
- disabling/reenabling the radios
- multiple APs
- suspending/waking again several times
- praying

#### DEPRESSION #####

The only thing I haven't tried yet is the most cruel one - restarting the laptop. But that's unfair... It's LINUX! How could it disappoint me. I have so many tmux sessions open, so many unsaved leafpad notes, terminal histories with oh so comfy ^r and ! retriggers all ready and waiting to be executed...

#### ACCEPTANCE #####

But I can't miss the meeting. So I slowly start closing off apps, starting with the least important ones, trying to preserve as much history and recent commands as I can. I'm gonna lose my uptime, that's the inevitable obvious truth... Linux has failed me. Or maybe it's a hardware issue... I can't be sure until I restart.

I must reboot.

#### A NEW HOPE #####
Hold on.. What if... What if before restarting I try to reload the Intel wifi kernel module? Just for the giggles. I've got nothing to lose anyway...

rmmod iwlmvm
rmmod iwlwifi
modprobe iwlwifi
modprobe iwlmvm

*WiFi Connected*

YESSSS!!!!!!!!! My uptime is saved!
403 days and counting! YEAH BABY!!!

Linux is the best!

I'm convinced no one really understands OAuth2, probably not even the creators.

Every blog, articles and tutorial, you have people saying don't do this, don't do that. Basically, no one agrees on a single implementation.

Want to use passwords for auth in a first party system you fully own? Apparently, that's unsafe.
Hmmm, what about magic links for passwordless auth? Also not safe you say?
Okay, I believe Okta just wants people to use their services, nothing else.

Holy fuck is learning new frameworks frustrating.

I'm trying to setup a simple fucking flutter app and all their tutorials are basic shit with no auth/complex routing.

Any feature of flutter that's not in a tutorial has absolute shit documentation with 0 examples on how to use it.

Material app has like 20 properties and if you click on something like on generate there is shit for knowing what the fuck it's expecting.

Stackoverflow has a ton a code but that's just it, code. I have absolutely no idea how they generate the code they have from the documentation on the site. They must have been following flutter from the start.

Ahhhhh! 😠

I used to work for a company that had a main website and a lightweight app. LW app was distributed to partners and added to other sites using an iframe.

Someone decided a requirement was to retain the shopping cart for anonymous users. Some dev thought the best way to do that was to issue auth cookies to anonymous users.

The auth cookie issued by the LW app was actually for the main site. A few users for LW app decided to just come to main site to make a purchase. Since they already had an auth cookie (issued from LW app), they were never prompted to log in, create an account, or use guest checkout on the main site. They were still able to complete their order and we had their shipping address, but we didn’t have their email address so we couldn’t contact them about their order.

Customer service had no way to email customers if something went out of stock or if there was a product recall. CS would have to call these customers and ask for email addresses. Good luck getting anyone to answer or return a call nowadays. Customers were asking where their confirmation email was. The admin website was polluted with “users” that had the placeholder email for non-logged in users.

This happened because of a combination of an understaffed and overextended engineering department. Of course when something goes bad it’s going to be bad.

Call it mental disorder. Sickness. Masochism or just bein a demented individual...

But I used to work with classic ASP. Yes, my JS ran on servers before it was cool (I am the original tech hipster) and I was writing VBScript with it as well because why the fuck not?

And
I
LIKED IT.

Kinda miss it to be honest. Shit was simple as fuck, the downside of it was the "fuckLibrariesAndDoShitByHand.asp" mentality and consequence of using old tech....but I liked it.

Tutorials for that shit had to teach you damn near everything in one book, not just how to code it, but how to really work with servers on the bare minimum and one would learn sooo much. Now a days most books be like "this is how you do yo auth tokens..because all y'all mofockas should know this shit by now" NO mofocka! Our books was all about "aaaallrighty dipshit, this shit here is auth, and in order to bla bla blah" THOROUGHT AS FUCK B.

So yeah......i had fun, by far not my first choice on new shit, but shit was fun.

Sign in with Apple...

* Nobody tells you that a app group can consist of a maximum of 6 apps.
* Nobody tells you that suddenly a key id is needed for constructing the signing key for signing the client_secret when other keys are added in the dev portal.
* Apple gives you email and name only (and i mean only) the first time a customer uses Sign In With Apple.
* You have no chance to reset your user during development in a way to try a fresh auth. So either create separate app ids or separate apple ids.

Sounds like fun, right?

For the last 20 years, there's one thing I've not been able to do reliably:

Share a folder on a windows computer.

Why the fuck can I write /etc/smb.conf from scratch with a blindfold on and make it securely work from all client devices including auth & acl, but when I rightclick and share on windows it's either playing hide and seek on the network (is it hiding behind //hostname/share? No? Maybe in the bushes behind the IP addresses?), or it's protected by mysterious logins requiring you to sacrifice two kittens a day.

Yes, finally it works! One windows update later... aaaand it's gone.

JUST GIVE ME A FUCKING CONF AND A MAN PAGE, MICROSOFT. I DON'T CARE THAT YOU'RE ORALLY PLEASING ALL THESE MALWARE RIDDEN GUISLUTS ON THE SIDE, JUST GIVE ME A FUCKING TEXT FILE TO STORE AND EDIT.

TL;DR my first vps got hacked, the attacker flooded my server log when I successfully discovered and removed him so I couldn't use my server anymore because the log was taking up all the space on the server.

The first Linux VPN I ever had (when I was a noob and had just started with vServers and Linux in general, obviously) got hacked within 2 moths since I got it.
As I didn't knew much about securing a Linux server, I made all these "rookie" mistakes: having ssh on port 22, allowing root access via ssh, no key auth...

So, the server got hacked without me even noticing. Some time later, I received a mail from my hoster who said "hello, someone (probably you) is running portscans from your server" of which I had no idea... So I looked in the logs, and BAM, "successful root login" from an IP address which wasn't me.

After I found out the server got hacked, I reinstalled the whole server, changed the port and activated key auth and installed fail2ban.
Some days later, when I finally configured everything the way I wanted, I observed I couldn't do anything with that server anymore. Found out there was absolutely no space on the server. Made a scan to find files to delete and found a logfile. The ssh logfile. I took up a freaking 95 GB of space (of a total of 100gb on the server). Turned out the guy who broke into my server got upset I discovered him and bruteforced the shit out of my server flooding the logs with failed login attempts...

I guess I learnt how to properly secure a server from this attack 💪

I wrote an auth today.

Without frameworks. Without dependencies. Without under-the-hood magic. Without abstract pluggable adaptor modules for the third-party auth library with 63 vulnerabilities and 1252 GitHub issues. Without security vulnerabilities showing up in NPM log. Without dependency of a dependency of a dependency using md5 and Math.random() under the hood for historical reasons, and now we're fucked, because this is the only lib for our framework, and we have no time to write our own replacement. Without all that shit.

Rock-solid, on top of scrypt. Stateless and efficient.

It felt amazing.

IoT device endpoint: public fixed IP, raw TCP socket, no auth at all

Let's talk about the cargo cult of N-factor authentication. It's not some magic security dust you can just sprinkle onto your app "for security purposes".

I once had a client who had a client who I did server maintenance for. Every month I was scheduled to go to the site, stick my fingerprint in their scanner, which would then display my recorded face prominently on their screens, have my name and purpose verified by the contact person, and only then would the guards let me in.

HAHA no of course not. On top of all of that, they ask for a company ID and will not let me in without one.

Because after all, I can easily forge my face, fingerprints, on-site client contact, appointment, and approval. But printing out and laminating a company ID is impossible.

---

With apologies to my "first best friend" in High School, I've forgotten which of the dozens of canonicalisations of which of your nicknames I've put in as my answer to your security question. I've also forgotten if I actually listed you as my first best friend, or my dog - which would actually be more accurate - and actually which dog, as there are times in my High School life that there were more tails than humans in the house.

I have not forgotten these out of spite, but simply because I have also forgotten which of the dozen services of this prominent bullshit computer company I actually signed up for way back in college, which itself has been more than a decade ago. That I actually apparently already signed up for the service before actually eludes me, because in fact, I have no love for their myriad products.

What I have NOT forgotten is my "end of the universe"-grade password, or email, or full legal name and the ability to demonstrate a clear line of continuity of my identity from wherever that was to now.

Because of previous security screwups in the past, this prominent bullshit company has forced its users to activate its second, third, and Nth factors. A possibly decade-old security question; a phone number long lost; whatever - before you can use your account.

Note: not "view sensitive data" about the account, like full name, billing address, and contact info. Not "change settings" of the account, such as changing account info, email, etc. Apparently all those are the lowest tier of security meant to be protected by mere "end of the universe"-grade passwords and a second factor such as email, which itself is likely to be sold by a company that also cargo cults N-factor auth. For REAL hard info, let's ask the guy who we just showed the address to "What street he lived in" and a couple others.

Explaining this to the company's support hotline is an exercise in...

"It's for your security."

"It's not. You're just locking me out of my account. I can show you a government ID corroborating all the other account info."

"But we can't, for security."

"It's not security. Get me your boss."

...

"It's for security."

Boss: so we've got to call an app to verify data in this project. But I've got no more info and I'm on holiday next week. Please contact GuyA next week.
Me: ok I guess?
*writes email to GuyA*
GuyB: GuyA is on holiday please hold the line
*1 week later*
GuyA: we need more time it's not ready yet
*2 weeks later?
Me: so?
GuyA: yeah it's ready here's the wsdl etc your client already has the password
*1 week later*
Me: yeah so I got the data but the api says my auth isn't working
GuyB: yeah your user isn't activated on the test system. I'm gonna forward that and come back at you
*1 week later*
GuyA: so we're going live in about 2 weeks hows testing going?
Me: well I'm still waiting for the response and activation
*suddenly it works*
Me: yeah so auth is working but i can't find any data. Is there any special test data?
GuyA: oh no there is NO test data on the test system. You need to wait for GuyB but he us not here today...
Me: are you fking kidding Me?????

... no response since then and it's been days....

PouchDB.

It promised full-blown CRDT functionality. So I decided to adopt it.

Disappointment number one: you have to use CouchDB, so your data model is under strict regulations now. Okay.

Disappointment number two: absolutely messed up hack required to restrict users from accessing other users’ data, otherwise you have to store all the user data in single collection. Not the most performant solution.

Disappointment number three: pagination is utter mess. Server-side timestamps are utter mess. ANY server-side logic is utter mess.

Just to set it to work, you need PouchDB itself, websocket adapter (otherwise only three simultaneous syncs), auth adapter (doesn’t work via sockets), which came out fucking large pile of bullshit at the frontend.

Disappointment number four, the final one: auth somehow works but it doesn’t set cookie. I don’t know how to get access.

GitHub user named Wohali, number one CouchDB specialist over there, doesn’t know that either.

It also doesn’t work at Incognito mode, doesn’t work at Firefox at all.

So, if you want to use PouchDB, bear that in mind:
1. CouchDB only
2. No server-side logic
3. Authorization is a mess
4. Error logs are mess too: “ERROR 83929629 broken pipe” means “out of disk space” in Erlang, the CouchDB language.
5. No hosting solutions. No backup solutions, no infrastructure around that at all. You are tied to bare metal VPS and Ansible.
6. Huge pile of bullshit at frontend. Doesn’t work at Incognito mode, doesn’t work at Firefox.

New twist on an old favorite.

Background:
- TeamA provides a service internal to the company.
- That service is made accessible to a cloud environment, also has a requirement to be made available to machines on the local network so you can develop against it.
- Company is too cheap/stupid to get a s2s vpn to their cloud provider.
- Company also only hosts production in the cloud, so all other dev is done locally, or on production non-similar infra, local dev is podman.
- They accomplish service connectivity by use of an inordinately complicated edge gateway/router/firewall/message translator/ouija board/julienne fry maker, also controlled by said service team.

Scenario:
Me: "Hey, we're cool with signing requests using an x509 cert. That said, doing so requires different code than connecting to an unsecured endpoint. Please make this service accessible to developer machines and lower environments on the internal network so we can, you know, develop."
TeamA: "The service should be accessible to [cloud ip range]"
Me: "Yes, that's a production range. We need to be able to test the signing code without testing in production"
TeamA: "Can you mock the data?"
Me: "The code we are testing is relating to auth, not business logic"
TeamA: "What are you trying to do?"
Me: "We are trying to test the code that uses the x509 you provide to connect to the service"
TeamA: "Can you deploy to the cloud"
Me: "Again, no, the cloud is only production per policy, all lower environments are in the local data center"
TeamA: "can you try connecting to the gateway?"
Me: "Yes, we have, it's not accessible, it only has public DNS, and only allows [cloud ip range]"
TeamA: "it work when we try it"
Me: "Can you please supply repro steps so we can adjust our process"
TeamA: "Yes, log into the gateway and try issuing the call from there"
Me: (╯°□°)╯︵ ┻━┻

tl;dr: Works on my server

Pentesting for undisclosed company. Let's call them X as to not get us into trouble.
We are students and are doing our first pentest at an actual company instead of assignments at school. So we're very anxious. But today was a good day.
We found some servers with open ports so we checked a few of them out. I had a set of them with a bunch of open ports like ftp and... 8080. Time to check this out.
"please install flash player"... Security risk 1 found!

System seemed to be some monitoring system. Trying to log in using admin admin... Fucking works. Group loses it cause the company was being all high and mighty about being secure af. Other shit is pretty tight though.

Able to see logs, change password, add new superuser, do some searches for USERS_LOGGEDIN_TODAY! I shit you not, the system even had SUGGESTIONS for usernames to search for. One of which had something to do with sftp and auth keys. Unfortunatly every search gave a SQL syntax error. Used sniffing tools to maybe intercept message so we could do some queries of our own but nothing. Query is probably not issued from the local machine.

Tried to decompile the flash file but no luck. Only for some weird lines and a few function names I presume. But decompressing it and opening it in a text editor allowed me to see and search text. No GET or POST found. No SQL queries or name checks or anything we could think of.

That's all I could do for today. So we'll have to think of stuff for next week. We've already planned xss so maybe we can do that on this server as well.

We also found some older network printers with open telnet. Servers with a specific SQL variant with a potential exploit to execute terminal commands and some ftp and smb servers we need to check out next week.

Hella excited about this!

If you guys have any suggestions let us know. We are utter noobs when it comes to this.

Your three-second password retry delay is far more likely to annoy users than preventing a brute-force attack.

If you insist on a retry delay, let the user enter a password five times without any delay. This would make no difference in the grand scheme, the trillions of retries needed for a brute-force attack, and guessing a password takes longer than three seconds of thinking anyway.

Another alternative is a tenth of the password retry delay but one added character. One added character slows down a brute-force attack by at least sixty-two (62) times, so one more character but a tenth of the password retry delay would still mean more than six (6) times the protection against brute-forcing.

On Linux, the password retry delay can thankfully be reduced by changing a value inside /etc/pam.d/common-auth or /etc/pam.d/login (out of scope for this post, you can search online for more details).

How do you get over the bad times? I keep having to work with shitty legacy systems that were written in perl and flash in the 90s, but my boss keeps telling me "No" on redoing some of the bigger stuff even though it is really needed. I mean, that is your goal here, right? Rebuilding this POS? FFS you still stored passwords in plain text twoo weeks ago! But no, you's rather dig around in Perl than upset some random user because his fucking interface looks different.

But then I also have to work with another system that I could redo in Cake/Laravel in two weeks (it's literally getting and writing data to one table, so two views and user auth), and the previous dev just... made a huge mess. I mean, why would you need to post data asynchronously when it's this one stupid form ? Just do a regular form submit? And the system is really not suitable for extending, because everything is in the database, EVERYTHING! Like, html form inputs? So to add a simple input to the template I have to create a new input type in the types table and then add that to the form structure table? Only to have the input checked by fucking regex? REGEX! Why? Seriously, this is not some high end CMS that needs this level of code reusability No. This is a simple fucking form.

And I can't get it to work. No documentation of course. No comments, either. All of this makes me feel like I'm just the shittiest dev ever. I feel dumb, and useless. Haven't turned on my private PC in weeks because I see no reason to work on any of my own stuff.

I used to have a job, working with Magento and Wordpress. And yeah, it was horrible, it was chaos, but it was fun and I was great at it. I bent that motherfucking system to fit my needs. People respected my opinion, they were convinced I could program this and that, and I proved them right. Did I make mistakes? Hell yeah. Did I give up? Fuck no!

But now, I just feel like I can't even write a simple fucking form any more. I'm just so close to giving up on development as a whole, even though I love it so much.

why is every auth provider utter and complete shit?

why are docs and tutorials that try to teach auth so complete shit?

No wonder there are so many security holes everywhere, nobody bothers to make it simple for the next person.

Next time people that cry about security/bad auth, and work in that field, this one is for you:

My neighbor asked me if I could make him a program for managing the wifi connection to his kids devices. Basically, he wants to be able to turn wifi on/off on selected devices, on demand. I know how to de-auth ALL devices temporarily, but that's not the goal. He asked because I am always looking for new ideas to work/practice on. And no, this isn't a vague post to try and get info on hacking into my neighbors wifi, lol... I set it up and have all the credentials. Is this within reach?

They say that runing the same command over and over again is a sign of insanity.

LIKE HELL IT IS!!!

I've been running `terraform apply` for the last hour (trying to dump an EKS token in plain-text, because my k8s-related providers failed to auth to the cluster), and miraculously the problem went away. Now the error is no more.

Insanity?

I beg to differ!

Narf!

Fuck Apple with two pineapples in the ass. 99€ per fucking year to tell me how the fuck should the access to my app be. I damn require users to sign up. I only need email and country. Not a single other piece of data. My app is not a goddamn catalogue or boutique. No free content, free app but each user needs to Auth themselves. You fucking telling me y pay 99€ so you decide how the access to my app should be?

Cunt Apple should rot in 10 day old humid shit and let devs be owners of their apps and hard work. Clowns.

The frontend developers in my company are the reason why I have anxiety. Here are few things that grinds my knees:
1) for a long time in projects, they deleted the auth token from their storage without integrating the logout api. They thought why use an API for that. :)
2) most of them had no clue that form fields could accept javascript as inputs and work as XSS vulnerabilities. This actually happened with a client, he got so fucking pissed.
3) One of them asked me to convert a PATCH request to DELETE cos fuck REST and HTTP methods.

For fuck’s sake. I need to get out of this place.

I'm currently in a bit of a predicament.
Here's the deal:
I want to separate my back-end from my front-end code a bit more (currently PHP code is mixed up with all the HTML, Javascript etc.. basically: front-end and back-end are one).
The question here is: how should I go about this?

In my current project, I have written some javascript code with jQuery that checks whether the user is logged in or not (checks for an auth token and UID to be present in the cookies).
However, this results in the page (in this case a dashboard that only logged in users should see) being visible for a moment before the user is redirected to the login page...

How could I go better about this (No, I won't use AngularJS for this)?

Fucking google 2 step auth and their lack of customer service.

I have my account setup with my phone and a backup email account. No backup keys, since I only found out about those today! Thanks for letting me know this late in the game -.-

And yet. After I made a clean install of the os on my laptop. Tried to log back into my account. I am not getting text messages or emails to my backup emails (even though its allegedly sent.... And no its not in the junk mail) to validate my 2 factor auth.... Like fuck you!!!

If you gonna give us the ability to fort knox our accounts. At the bare minimum have some customer support to at least be train to answer a phone and tell me if your servers are having an issue or something. Im so in the fucking dark here and cant access shit.

I am new to c and cpp.
I used to exploit my college's competitive programming platform cus it had a bad architecture and almost no auth checks.
For every ajax request, they weren't sending auth tokens or any form of identification and ran all the programs without any logs and on the main thread and as root.. wtf, right?
But recently they've changed something to the site and I cannot run bash commands using system() call.
Is there any other way to execute bash commands using c and cpp.
I already configured a miner in their server but then they re-deployed it cos someone forked bomb the shit out of it.
I'm a noob in c and cpp btw!

I wanted to show our DBA an example of a web api using .net core 3 in regards of how easy it is to create such things. The reason? he has been wanting to get back into programming after many years of just sticking to dba related stuff. The dude has talent and brains, he had worked years ago as a delphi dev and a vb6 dev and we had the same employer at one point, none of this man's apps have been faced out on account of how complete they are and easy to maintain for other devs was after he left. Regardless of the ancient tech stacl, the man shows ample promise and well.

Thing is, the apps I make on the Microsoft stack usually tend to C#, and my frontends are using TS, so I am more on the curlt bracket side of things and he said he was to convert my app(very basic crud example, but with auth, authorization and everything in between to plug into the frontend) to VB.NET. I thought it wouldn't be that much of a problem but apparently microsoft does not hold templates for webapi for vb.net

I thought it was shitty. VB gave Microsoft a lot of developer market back in the VB6 days, and even though I really love c# I see no reason why they would just say fuck you like that to vb.net. Shit still polls pretty high in terms of dev popularity and you can apply the same design ideas to VB without much effort.

I just think this is very shitty from Microsoft's part. Much like how Apple is forcing people to adapt to Swift when there is a huge amount of obj c out there.

I dislike when companies shift focus on tech stacks like that.

Dialogflow documentation is ABSOLUTE TRASH. Trying to run the example code? It gives you a super helpful error: `Unexpected error determining execution environment`. Uh, yes, indeed. What it means? IT MEANS THAT YOU PROVIDED NO CREDENTIALS. Because, as we all know, providing no credentials should end in an error of 'determining execution environment', of fucking course.
You want to know how to provide credentials? Think again, all examples in the ENTIRE DOCUMENTATION assume that you're running the code... from their servers. Seriously. You wanna know how to authenticate your shit? NOT IN THIS DOCUMENTATION, LOSER. You want to know what exactly is happening when you're initializing your client with `new dialogflow.SessionsClient()`? Good luck, documentation is on another platform. For .NET. Because fuck you.
Also, you think you can store your auth info in a neat .env file? THINK AGAIN, because google is above such petty things as industry standards, you're getting a .json file and you're gonna like it, HAVE FUCKING FUN.

Dear google, die in a fire.
Sincerely yours.

Using grafana together with tinc+promotheus, has been a blast.

Initially I wanted to get into ELK with Kibana and all that, but that required 8G of ram, the instructions to get it running in the open source "mode" was nearly non-existent, together with all the ready docker compose stacks out there simply not working or the images being broken.

I'm sure I could've managed around most of those issues, but the fact it is as hungry as gitlab, made it a literal no-go for the usual server resources my clients host or my own scaled down server recently.

Thankfully I remembered that there's grafana and me having experimented some time ago with tinc, so I can have very lightweight beat'esque prometheus agents deployed listening on tinc local net only, with the typical nginx auth and some whitelists to all of the servers I host and all those of my clients.

The dashboard creation was especially great in grafana (tbf promotheus does actually most of it), literally what I always wanted out of those "complicated" solutions, that do it all, but have no proper query language, complex documentation, heavy collectors with no properly named data points, expensive resource runtimes, ..

with grafana I can just easily put dashboards into folders, create users to look only at certain stats or even dashboards (opened up some interesting contracts actually, because now I can also offer proper monitoring for all things delivered), easily drag and drop around stuff to fit more information (most others fix you to a small 3x2 grid, a too big grid for a TV or simply non resizable tiles, making that one counter take up an entire row) and resize to my hearts desire

tinc of course allows me to easily create private networks that are resistant to failure across any region and the routing is done for me, so I don't have to run around it all that much either

P.S: a damn tiny fly went into one of my now 4 monitors and died right in the middle, because I thought it's just some dirt and I pressed it in while trying to wipe it off, so that monitor now serves as the top most on a vesa mount

This is the story of me discovering devRant by accident.
---
I have never meddled with php before and I never intended to do so. For some reason, I accepted this consulting and chose Ci4 as the framework. All hell broke lose on my life. I could be a fucking idiot or the framework is a real ass wipe.

The setup took me hours and when I tried adding myth/auth, the real shit hit the giant fucking fan. WHAT THE FUCK PHP AND CI4? I tried all the weird fucking suggestions from the internet and you still fucked me in the ass with a bigger stick EVERY FUCKING TIME. I spent an whole night figuring you out and now I have my real job to login to with NO FUCKING SLEEP. You royally fucked my night and also my day without an ounce of A FUCKING CLOSURE.

Once I figure this out, Imma fuck the fucking project dealer and throw the weird ass shit on his ugly ass face and yell "FUCK YOU".

I am so depressed that this made me find an app to rant about it like a maniac.

-BrainlessIdiot

I had a pretty good year! I've gone from being a totally unknown passionate web dev to a respected full stack dev. This will be a bit lengthy rant...
Best:
- Got my first full time employment dev role at a company after being self-taught for 8+ years at the start of the year. Finally got someone to take the risk of hiring someone who's "untested" and only done small and odd jobs professionally. This kickstarted my career, super grateful for that!
- Started my own programming consulting company.
- Gained enough confidence to apply to other jobs, snatched a few consulting jobs, nailed the interviews even though I never practiced any leet code.
- Currently work as a 99% remote dev (only meet up in person during the initialization of some projects.) I never thought working remotely could actually work this well. I am able to stay productive and actually focus on the work instead of living up to the 9-5 standard. If I want to go for a walk to think I can do that, I can be as social and asocial as I want. I like to sleep in and work during the night with a cup of tea in the dark and it's not an issue! I really like the freedom and I feel like I've never been more productive.
- Ended up with very happy customers and now got a steady amount of jobs rolling in and contracts are being extended.
- I learned a lot, specialized in graph databases, no more db modelling hell. Loving it!
- Got a job where I can use my favorite tools and actually create something from scratch which includes a lot of different fields. I am really happy I can use all my skills and learn new things along the way, like data analysis, databricks, hadoop, data ingesting, centralised auth like promerium and centralised logging.
- I also learned how important softskills are, I've learned to understand my clients needs and how to both communicate both as a developer and an entrepeneur.
Worst:
- First job had a manager which just gave me the specifications solo project and didn't check in or meet me for 8 weeks with vague specifications. Turns out the manager was super biased on how to write code and wanted to micromanage every aspect while still being totally absent. They got mad that I had used AJAX for requests as that was a "waste of time".
- I learned the harsh reality of working as a contractor in the US from a foreign country. Worked on an "indefinite" contract, suddenly got a 2 day notification to sum up my work (not related to my performance) after being there for 7+ months.
- I really don't like the current industry standard when it comes to developing websites (I mostly work in node.js), I like working with static websites (with static website generators like what the Svelte.js driver) and use a REST API for dynamic content. When working on the backend there's a library for everything and I've wasted so many hours this year to fix bugs and create workarounds related to dependencies. You need to dive into a rabbit hole for every tool and do something which may work or break something later. I've had so many issues with CICD and deployment to the cloud. There's a library for everything but there's so many that it's impossible to learn about the edge cases of everything. Doesn't help that everything is abstracted away, which works 90% of the time but I use 15 times the time to debug things when a bug appears. I work against a black box which may or may not have an up to date documentation and it's so complex that it will require you to yell incantations from the F#$K
era and sacrifice a goat for it to work properly.
- Learned that a lot of companies call their complex services "microservices". Ah yes, the microservice with 20 endpoints which all do completely unrelated tasks?

Well, thanks for nothing, twitch/chromecast.

While planning my (personal) server I just seem to pile up more and more things to do/consider. Basically, for now I just want to have rclone, nextcloud and jellyfin, plus some usenet stuff later on. But I want to have the whole installation and configuration automated as far as possible, since I'll at first it will run in a test environment and needs to be migrated to another server at a point, possibly even another OS. So I suppose that means docker, docker-compose and Chef (any better options?). I want SSL: Traefik. User management / auth? RADIUS, LDAP. SSO? keycloak. I also need to deal with virtual hosts. And probably much more..

Since I just have basic Linux knowledge and have no real experience with any of the other technologies, I feel a bit lost. I just got to the abovementioned software due to some ddg research. I don't mind digging deep, I want to learn (which is half the reason for this project), but it's not easy to the the best way to set this up.

#Suphle Rant 3: Road to PHP8, Flow travails

Some primer: Flows is a feature that causes the framework to bypass handling the request now but read it from cache. This cache entry is meant to be populated without warming, based on the preceding request. It's sort of like prefetching but done on the back end

While building Suphle, I made some notes on some chapters about caveats and gotchas I may forget while documenting. One such note was that when users make the Flow request, the framework will attempt to determine who user is, using authentication mechanism defined on the first module (of the modular monolith)

Now, I got to this point during documentation and started wondering whether it's impossible for the originating request to have used a different authentication mechanism, which would result in an empty entry for returning user. I *think* it's possible cuz I've got something else called "route mirroring", where web based routes can be converted to API routes. They'll then return JSON, get served under defined API path, use JWT, all automatically. But I just couldn't connect the dots for the life of me, regarding how any of this could impact authentication on the Flow request

While trying to figure out how to write the test for this or whether it was even necessary (since I had no use case), it struck me that since Flow requests are not triggered by an actual user, any code attempting to read authenticated user will see nothing!

I HATE it when I realize there's ambiguity or an oversight, after the amount of attention and suffering devoted. This, along with a chain of personal troubles set off despondency for a couple of days. No appetite for food or talk. Grudgingly refactored in this update over some days. Wrote some tests, not all passed. More pain. May have to convert them to unit tests

For clarity, my expectation is, I built this. Nothing should be impossible for me

Surprisingly, I caught a somewhat lucky break –an ex colleague referred me to the 1st gig I'm getting in 1+ year. It's about writing a plugin for some obscure forum software. I'm not too excited cuz it's poorly documented and I'll have to do a lot of groping, they use arrays instead of objects etc. There's no guarantee I'll find how to implement all client's requirements

While brooding last night, surfing the PHP subreddit, stumbled on a post about using Rector to downgrade a codebase. I've always been interested in the reverse but didn't have any incentive to fret over it. Randomly googled and saw a post promising a codebase can be upgraded with 3 commands in 5 minutes to PHP 8. Piqued my interest around 12:something AM. Stayed up all night upgrading it, replacing PHPSTAN with Psalm, initializing the guy's project, merging Flow auth with master etc. I think it may have taken 5 minutes without the challenge of getting local dev environment to PHP 8

My mood is much lighter than it was, although the battle is not won yet –image tests are failing. For some weird reason, PHP8 can't read generated test images. Hope I can ride on that newfound lease on life to study the forum and get the features working

I have some other rant but this is already a lot to digest in one sitting. See you in rant #4

Getting the angular interceptor working the way I want has proven to be a pain for me. I try to update an auth token, which returns a promise that has to be transformed to an observable again. based on that, redirect to a login page, in case of 401. But nothing works! Either infinite page reload because of the login() promise function of the auth provider or no reaction at all after a router redirect. 😤

Hey guys i am a javascript web developer who loves his stack lot sadly in my internship i was forced to learn php and Laravel and build a full stack website with auth cruds with predefined templates in less than two weeks .
i have to say Laravel sucks comparing it to something like aspnet, Nestjs, Nextjs or Express i found myself overwhelmed with learning in a very short period and what makes things worst is the fact that no one in the agency i am in is helping or speaking with me i asked help from a Senior guy and he was like "i am too busy"...
I also can't quit since this internship is for school purpose so yes rip for me

Work! Terribile doubt about our project 😭i will leave this company if we do not come up with an adult solution 😔

We are working for another Company, they asked to add a web app to their project.

We made frontend and backend, we make user auth to their api, then call their api (place order, get orders etc), passing their auth token to their services.

Which Means that our endpoints are not really protected (i think) and if we add an endpoint that does not use their api, the only way to secure them Is to take the token, validate It by calling for example get /order of the api and if It fails just discard the request....too slow?

my colleagues do not want to put a serious auth they Just want to use the company api and leave the rest open...

And the customer Just asked to use some other api functionality, but that api has another auth... How do we pur them togheter? The last api want the id of the user to do machine ti machine auth

It Is my 6th month here no one thaught me anything, i think i'll Just leave ..or am i Just experiencing the developer Daily work?😔

So, need to secure some requests.
I decided on going passwordless on the website but I want to have an API too.

I am reviewing auth0.
I am also not sure if I can secure the same endpoints as private and public differently, so the private is used by the backend with no auth and the public with auth.

Wold you guys help me with some reading material?

Following an interview, I've been tasked with creating a "simple address book" webapp with Laravel and Vue.js.
There isn't much in the spec, with the only requirements being the use of Bootstrap, no auth, and inclusion of pagination and searching.
This is very easy with Laravel and my question to the community is how much further do I go with this?
Should I add alphabetical pagination alongside laravel pagination? What about a nice material ui?

I sent a design from Dribble to the employer and asked if making the app look fancy would be worth my time. He said I'm free to use any front end design and lib that I want if I'm able to demonstrate my use of them in code review, and he also said that the project "was only intended to take you a couple hours" which it would if I weren't to add a fancy ui.

So, shall I just make a simple app with Bootstrap tables, add responsiveness and keep the css semantic for brownie points, or go all out and spend a day or two making it beautiful? There is one other candidate so I have competition.

One user could report that the data they saw didn't make sense. Turns out there was a one-off hardcoded caching detail for one of our services that cached based on a search query (yes, the entire query was the key) and before any auth checks. The system would return the results owned by whoever asked first, no matter who asked after that point.

There's "Oh dear but we all make mistakes" and there's surrender cobra. This is what PRs are for.

Anyone herr tried API Platform?

I know I know. Generic ass name but that is what the framework is called.

Its in php, it contains a lot of goodies from(try and guess...no?? Ok I'll tell ya) the Symfony platform(go figure right) so if you are familiar with Laravel or well....Symfony then I guess that you will be good to go. I ain't...so fuck me because I only know Laravel.

Either way the concepts are very simple. Configs is donde almost entirely with YAML, i dunno how to feel about that, not used at writing routes on yaml, but the framework is thus far quite powerful. About to test jwt auth so wish me luck!

Sometime I feel, god forget to write proper toggle command for me.

For others it is random, for me it is static. One sad life. Only hope is system run out of memory because it is recursion with no ending.

here is the dev-rant
After fucking with Laravel Passport for 3 days, I finally manage to find a way to do multi auth.

Yeah! dude I am the guy who is going to write a tutorial for that. So, you must -- this rant.

There's no official integration (package) for JWT in Java Spring?

I am new to Java Spring and want to create a simple RESTful server with JWT auth. Checked many tutorials, all of them involved creating your own JWT middleware to retrieve JWT token from incoming request and validate it using some 3rd party JWT library like jwtk/jjwt.

I am surprised this is not as simple as including a Spring JWT package and it would work out of box. I used to write a similar site using Python/Django, and for that adding JWT support is quite simple as adding "xxx.middleware.JWTAuthMiddleware".

Single Sign on Authentication for a growing product suite? Sure, just validate the user's credentials in the dashboard and then pass their role to the product's web app via query parameter. No need for tokens or an auth server!