Meeting with asshole partner company CEO at restaurant.

Me: "I'm a bit worried about the bugs in your API. There are some ways to retrieve privacy sensitive info from public endpoints"

CEO: "Well, we're a rapidly growing startup!"

Me: "Uh... so?"

CEO: "So... Move Fast and Break Things! Priority is to improve our API further, and we'll fix bugs as they show up"

Me: "Maybe you should stop trying to emulate Zuckerberg in your management style. You know that even Facebook themselves admitted that their slogan was a retarded mistake"

Waiter shows up at table. CEO orders some overly expensive fish salad.

CEO: "Well, they have done something right... they're worth billions"

Waiter asks me: "And you sir, have you made your choice?"

Me: "Do you serve popcorn?"

CEO: "Popcorn for lunch?"

Me: "No, for your congressional hearing"

Dear me,

We have noticed you uploaded files to a public github with your API keys in plaintext.

Please proceed to bang head against desk until you have learned your lesson.

Sincerely me.

"Don't deploy on Friday" is a public admittance that your company either has no CI/CD pipeline, or that all your devs are retarded rhesus monkeys who only wipe their ass if the product manager wrote it as a spec.

If the saying was: "Don't port your whole API to GraphQL on a Friday", or "Don't switch from MySQL to Postgres on a Friday", I would agree.

But you should be able to do simple deploys all the time.

I deployed on Christmas & New Year's eve. I've deployed code while high on LSD, drunk-peeing 2 liters of beer against a tree after a party. I've deployed code from the hospital while my foot was being stitched up. On average, we deploy our main codebase about 194 times a week.

If you can't trust your deploys, maybe instead of posting stupid memes about not deploying on Fridays, you should fix your testing & QA procedures.

If devRant ever opens up a public API I'm gonna build a dating app

Storytime!

Manager: Hey fullstackchris, the maps widget on our app stopped working recently...

Dev: (Skeptical, little did he know) Sigh... probably didn't raise quota or something stupid... Logs on to google cloud console to check it out...

Google Dashboard: Your bill.... $5,197 (!!!!!!) Payment method declined (you think?!)

Dev: 😱 WTF!?!?!! (Calls managers) Uh, we have HUGE problem, charges for $5000+ in our google account, did you guys remove the quota limits or not see any limit reached warnings!?

Managers: Uh, we didn't even know that an API could cost money, besides, we never check that email account!

Dev: 🤦‍♂️ yeah obviously you get charged, especially when there have literally been millions of requests. Anyway, the bigger question is where or how our key got leaked. Somewhat started hammering one of the google APIs with one of our keys (Proceeds to hunt for usages of said API key in the codebase)

Dev: (sweating 😰) did I expose an API key somewhere? Man, I hope it's not my fault...

Terminal: grep results in, CMS codebase!

Dev: ah, what do we have here, app.config, seems fine.... wait, why did they expose it to a PUBLIC endpoint?!

Long story short:

The previous consulting goons put our Angular CMS JSON config on a publicly accessible endpoint.

WITH A GOOGLE MAPS API KEY.

JUST CHILLING IN PLAINTEXT.

Though I'm relieved it wasn't my fault, my faith in humanity is still somewhat diminished. 🤷‍♂️

Oh, and it's only Monday. 😎

Cheers!

tl;dr: spent 12 hours creating an api for a job interview challenge. Got rejected after 4 weeks with no real feedback, and all I can do is rant!

So I was in the interview process with a company that was a great fit for my background.

Got through a couple of phone screens, and was given a coding challenge consisting of writing a web API with a couple of endpoints and a filter function.

I'm like, ok no problem, I happen to have created apis for some mobile apps in the past, and I pick Django rest framework to get the job done.

Implemented it on a Sunday, wrote a medium size Readme.md and some unit tests and submit. Took almost four weeks and a partial resubmission to get a rejection with no specific feedback.

Now I'm shamelessly butthurt and I have nothing else to do but rant! Worse part is I looked back at the code and in my opinion is solid AF, so I put it on my public GitHub cause fuck it!

A programmer once explained Nietzsche like this:
A long time ago, god created the world, but forgot to leave a developer documentation, thus the whole world was like legacy code...
And humans are like the end user of this world, and some among them spent time studying it, using the Moral API, hoping to get a result of "http 200 ok" from our world for the peace of mind. But the true operation of this world is still yet unknown...
As time passes, humans begin to find that in Moral API, good and evil are two base classes, and all the other moral properties (like ethic, justice and stuff) are just other classes based on those two classes through multiple inheritance.
One day, when programmer Nietzsche was observing the world's runtime behavior, he came up with a question:
"Did god really use good and evil as base classes? Could it be that they are actually derived classes?"
Most of the world is currently in the favor of mankind, and god must've wrote individual user cases for it's end users, he thought.
This made Nietzsche thinking: if end users are considered into two cases: the strong and the weak, how would the world be designed base on its user story?
Let's think about the strong, they can bully the weak as they please, and there's nothing the weak can do to stop them. In this case whether the Moral API exists or not doesn't fulfill the need of the strong.
But when it comes to the weak, Nietzsche thinks that because the weak cannot fight the strong, they need to belittle bullying and praise the strong for being nice. When the weak does this, it covers their powerless state to some extent, making them look somehow equal to the strong by being capable of commenting.
God might have coded the Moral API to fit the weak's requirement, also adding some public methods for the weak to comment on the strong. If the strong takes care of the weak, they call him nice and good, if the strong bullies people, they call him bad and evil.
That's when Nietzsche realized, that good and evil are both derived classes from the weak, and the base class should be the strong and the weak.
Then he started a series of studies about the Moral API, and got some thesis that persuaded lots of other end users...

Public service announcement: Do not get married to your language, tools, or way of doing things. If there's an easier solution to something, try it before dismissing it. No language is perfect, and dumping everything on the responsibility of an API or framework can cause more headache then solve it.

Case in point: I love Java for backend programming, but node.js is a better solution to frontend programming then depending on JSP's and HTML within the same Java project. Less things go wrong and it's easier to debug issues.

There is no best programming language. Only best practices and using the right tool for the right job.

#exceptC++fuckthatlanguage

:^)

Working on a funny/new api/service (will be a public one) and I'm only now realizing how important good security is but especially:

The amount of time that goes into securing an api/application is too goddamn high, I'm spending about 90 percent of my time on writing security checks 😅

Very much fun but the damn.

My colleagues broke down our AWS account by hard coding the AWS access API keys and pushing the same code to a public repository. This took down our system for nearly 3 days.

I think I will ship a free open-source messenger with end-to-end encryption soon.

With zero maintenance cost, it’ll be awesome to watch it grow and become popular or remain unknown and become an everlasting portfolio project.

So I created Heroku account with free NodeJS dyno ($0/mo), set up UptimeRobot for it to not fall asleep ($0/mo), plugged in MongoDB (around 700mb for free) and Redis for api rate limiting (30 mb of ram for free, enough if I’m going to purge the whole database each three seconds, and there’ll be only api hit counters), set up GitHub auto deployment.

So, backend will be in nodejs, cryptico will manage private/public keys stuff, express will be responsible for api, I also decided to plug in Helmet and Sqreen, just to be sure.

Actual data will be stored in mongo, rate limit counters – in redis.

Frontend will probably be implemented in React, hosted for free at GitHub pages. I also can attach a custom domain there, let’s see if I can attach it to Freenom garbage.

So, here we go, starting up modern nosql-nodejs-react application completely for free.

If it blasts off, I’m moving to Clojure + Cassandra for backend.

And the last thing. It’ll be end-to-end encrypted. That means if it blasts off, it will probably attract evil russian government. They’ll want me to give him keys. It’ll be impossible, you know. But they doesn’t accept that answer. So if I accidentally stop posting there, please tell my girl that I love her and I’m probably dead or captured

Manager: I want the front ends to be more dumb, too much logic is happening on the frontend.

Me: both of the sites are just multi step forms, I’m confused about the complexity part.

Manager: yea but don’t we have a bunch of third party api calls?

Me: we have 4 and they are public facing apis.

Manager: yea, make a new api and move this api calls to the backend and I want both frontend teams to send the same shape payload.

Me: but…

Manager: oh and I don’t like how the business team does the a/b testing and splitting traffic, let’s move that to the backend as well.

Me: but… that a/b testing platform they use in ran by another team and they have a full set of features for business analytics…

Manager: yea let’s just replicate those features and move them to the backend.

Me: but it’s a product!

Manager: look! You are the best backend engineer we got! I know you can do this!

Me: I lead the frontend teams…

Manager: ….

Manger: good news we are giving you a promotion with raise you are now a senior engineer.

Me: I confused but happy… I think..

So… I released v2.0.0 of devRant UWP a few weeks ago.
Then I got a lot of reports of problems on Windows 10 Mobile and older (than 1809) versions of Windows 10 on Desktop.
I decided to resubmit v2.0.0-beta16 to the store, and try to find the issue in the update… I didn't find it.
The code seems the same as the working version (at least the part I try to test is 100% equal).

So it seems I fucked up the vs project.

This means that to find the issue I can spend weeks to search it over and over inside the latest project (using shitty emulators of older Windows 10 builds to debug it), or I could just restore it to the old v2.0.0-beta16 (released in august) and implement again every single new feature and fix (something like 5 new features, dozens of improvements, changes and bug fixes).

In any case, this will require a lot of time (which I don't have at this moment).
I'm really sorry for this inconvenience, I know some of you use my client daily (~3.000 users I guess), I'm really glad someone likes it, and thanks a lot for the awesome reviews and feedback, but stable v2 (v2.1.0 at this point) will be available not earlier than in February.

Probably some of you have already download v2.0.0 while it was available in the store, and maybe it works on your device (please let me know in the comments below if you did, how is it going, and also if you like the new features and improvements).

After this epic fail, and more than 1 year (way too much) of v2 public beta, I want to throw the current project in the trash, and start it from scratch.
Which means I will start to work on v3 as soon as you will see v2.1.0 in the store, making it faster, lighter and with better support for the latest Windows 10 (Fluent Design and not) features, dropping the support for the very old UWP API.

Thanks for your attention.

Have a good day (or night)!

Got pretty peeved with EU and my own bank today.

My bank was loudly advertising how "progressive" they were by having an Open API!

Well, it just so happened I got an inkling to write me a small app that would make statistics of the payments going in and out of my account, without relying on anything third-party. It should be possible, right? Right?

Wrong...

The bank's "Open API" can be used to fetch the locations of all the physical locations of the bank branches and ATMs, so, completely useless for me.

The API I was after was one apparently made obligatory (don't quote me on that) by EU called the PSD2 - Payment Services Directive 2.

It defines three independent APIs - AISP, CISP and PISP, each for a different set of actions one could perform.

I was only after AISP, or the Account Information Service Provider. It provides all the account and transactions information.

There was only one issue. I needed a client SSL certificate signed by a specific local CA to prove my identity to the API.

Okay, I could get that, it would cost like.. $15 - $50, but whatever. Cheap.

First issue - These certificates for the PSD2 are only issued to legal entities.

That was my first source of hate for politicians.

Then... As a cherry on top, I found out I'd also need a certification from the local capital bank which, you guessed it, is also only given to legal entities, while also being incredibly hard to get in and of itself, and so far, only one company in my country got it.

So here I am, reading through the documentation of something, that would completely satisfy all my needs, yet that is locked behind a stupid legal wall because politicians and laws gotta keep the technology back. And I can't help but seethe in anger towards both, the EU that made this regulation, and the fact that the bank even mentions this API anywhere.

Seriously, if 99.9% of programmers would never ever get access to that API, why bother mentioning it on your public main API page?!

It... It made me sad more than anything...

Why is it that pretty much zero package & framework maintainers understand semantic versioning?

1. If you do a complete rewrite of your package, but the resulting API is identical, you don't need to bump to the next major version. As a user, I'm thankful for your increased performance or cleaner internal code, but it doesn't really affect my update process.

2. If your package required some-framework 6.0.0, and now ALSO supports some-framework 7.0.0 but is still compatible with 6.0.0, you don't need to bump to the next major version. As a user, I can now upgrade the framework, and know that the package will keep working, but otherwise it doesn't really affect me.

3. Following your versioning along with the framework/language version is super annoying, especially if your library really doesn't need to differentiate between framework versions because it's not actually utilizing new framework functionality.

4. On the other hand, if you stop supporting a certain language, framework or shared library version, or change the public methods, exceptions, fields, etc, you MUST bump to a new major version.

Yet everyone gets this wrong.

For example, many of Laravel's underlying subpackages (for collections, filesystem, database, config, http, mail, etc) do not change their code in a breaking way, or do not even change at all between major framework versions.

Yet they follow along with the major framework version.

Now if someone makes a library "laravel-elasticsearch" which uses the support libraries and collections from laravel, they need to update their package to move along with the versions as well, and often they choose to number their library along with the framework in turn.

This means that to update the framework, you also need to update over 9000 dependencies.

FOR NO FUCKING REASON. THE ONLY CHANGE IN THOSE FUCKING DEPENDENCIES IS TO UPDATE COMPOSER.JSON TO BE COMPATIBLE WITH THE FUCKING FRAMEWORK.

Meanwhile, Laravel itself breaks repeatedly on minor/patch version updates, because breaking changes slip through their review process.

Ugh.

I've been so pissed off so many times, I thought I should divide them into categories.
- Pissed off at a fellow dev: I told him to use a constant instead of a hardcoded number.
He changed this: obj.method(3);
to this:
public static final int three = 3;
obj.method(three);
- Pissed off at management: I once got a $10 yearly raise.
- Pissed off at a client: They rejected our design proposal because the text was in spanish and they didn't speak spanish. It was lorem ipsum text.
- Pissed off at code: I once had to refactor a 500 line legacy jsp script with HTML, CSS, JS and Java completely intertwined.
- Pissed off at Twitter: They changed their API the day of our go-live, breaking all of their widgets, forcing us to move the go-live date and making me work an additional 8 hours after a week with almost no breaks.
- Pissed off at travel and logistics: They sent me to a hotel in Mexico City 2.5 hours away from the client's office.

Fun times...

[Image:Android Emulator Api 27(google play)]
It is in the public emulator now.Good job google employee😃

HAHAHAHAHAHA! He set a method public because its for public API. Yup you wasted your phd. 🤦🏻‍♂️

When you accidentally push an API key to a public git repo :'(

The Instagram API sucks a Lot.

Why the fuck I've to login with my account using OAuth2 to get posts of a PUBLIC account, it's so hard to make an authentication endpoint that doesn't require the user to enter his credentials in order to access PUBLIC content?

Fucking piece of shit

So after 6 months of asking for production API token we've finally received it. It got physically delivered by a courier, passed as a text file on a CD. We didn't have a CD drive. Now we do. Because security. Only it turned out to be encrypted with our old public key so they had to redo the whole process. With our current public key. That they couldn't just download, because security, and demanded it to be passed in the fucking same way first. Luckily our hardware guy anticipated this and the CD drives he got can burn as well. So another two weeks passed and finally we got a visit from the courier again. But wait! The file was signed by two people and the signatures weren't trusted, both fingerprints I had to verify by phone, because security, and one of them was on vacation... until today when they finally called back and I could overwrite that fucking token and push to staging environment before the final push to prod.

Only for some reason I couldn't commit. Because the production token was exactly the same as the fucking test token so there was *nothing to commit!*

BECAUSE FUCKING SECURITY!

It began when I was tasked with creating a better and more engaging experience for our new Facebook page. This was in Facebook's early days, so there were not really any "best practices". We were making it up as we went along. I decided one way would be to game-ify things, since gaming, at the time, was a Big Deal on Facebook and people were starting to use it to build customer funnels.

Grasping for low-hanging fruit, I decided a Tetris variant around our topic would be fun. I had to hire a dev because at the time I was a static HTML web developer just getting into social media management. I knew nothing about game development or how to use Facebook's API for such things.

Long story short, we got about $10,000 (FB app devs came at a premium then) into the project when I came across a very recent article about the history of Tetris games. It said that even though Tetris had once been considered for all intents to be public domain due to it being created by a Russian coder during the Cold War, it had just been acquired by an IP protection entity that was charging royalties for any variant of Tetris created from a specific date onward and paying the original developer. So, even though I thought I had been thorough in my initial permissions checking, it turned out we were gonna be in deep doo-doo with licensing fees and restrictions if we released this game to the public.

I had to call my boss and admit my error. She was FURIOUS and really gave me an ass-chewing over it. I then had to call the marketing person whose budget I'd been slaving away at wasting. She was a bit more forgiving (her budget was in the millions). Then I had to call the corporate legal department and explain what was going on. They told me to immediately pay any outstanding hours, then fire the dev but not before getting him to send me all code and assets, deleting his copy, and then, upon my receipt of those assets, deleting MY copy so that nothing of it ever existed. And I was supposed to say _nothing_ to the dev about why he was being let go, so that there would be no "trail" leading back to this fiasco. (The dev hounded me for weeks asking what he'd done wrong. It killed me that I was bound and gagged by corporate legal and couldn't tell him.)

I was in so much trouble. I was literally in tears over it. I'd never wasted that much money in my life. That incident pretty much sealed my fate as far as any trust my bosses ever put in me again (not much at all). I was a bit of a pariah in a lot of ways for the next 5 years whereas I had come onto the team as a young social media rockstar at first.

After that, and a couple of other bad scenarios that were less my fault and more due to a completely dysfunctional management and reporting structure, they eventually "transferred" me to another team. Which was really just a way of getting rid of me by sending me to a department that was already starting to outsource overseas and lay people off. It was less messy that way. I was in the first set of layoffs.

Since then, I've had a BIG fear of EVER joining a large corporation EVER again. I prefer to work for small businesses now, even if I get paid less. Much less stressful from an office politics and impact of mistakes standpoint.

Does Devrant have a public API?
I'm trying to write an extension for my Vscode so I can read posts while working without having to launch the mobile app.

That's it, where do I send the bill, to Microsoft? Orange highlight in image is my own. As in ownly way to see that something wasn't right. Oh but - Wait, I am on Linux, so I guess I will assume that I need to be on internet explorer to use anything on microsoft.com - is that on the site somewhere maybe? Cause it looks like hell when rendered from Chrome on Ubuntu. Yes I use Ubuntu while developing, eat it haters. FUCK.

This is ridiculous - I actually WANT to use Bing Web Search API. I actually TRIED giving up my email address and phone number to MS. If you fail the I'm not a robot, or if you pass it, who knows, it disappears and says something about being human. I'm human. Give me free API Key. Or shit, I'll pay. Client wants to use Bing so I am using BING GODDAMN YOU.

Why am I so mad? BECAUSE THIS. Oauth through github, great alternative since apparently I am not human according to microsoft. Common theme w them, amiright?

So yeah. Let them see all my githubs. Whatever. Just GO so I can RELAX. Rate limit fuck shit workaround dumb client requirements google can eat me. Whats this, I need to show my email publicly? Verification? Sure just go. But really MS, this looks terrible. If I boot up IE will it look any better? I doubt it but who knows I am not looking at MS CSS. I am going into my github, making it public. Then trying again. Then waiting. Then verifying my email is shown. Great it is hello everyone. COME ON MS. Send me an email. Do something.

I am trying to be patient, but after a few minutes, I revoke access. Must have been a glitch. Go through it again, with public email. Same ugly almost invisible message. Approaching a billable hour in which I made 0 progress. So, lets just see, NO EMAIL from MS, Yes it appears in my GitHub, but I have no way to log into MS. Email doesnt work. OAuth isn't picking it up I guess, I don't even care to think this through.

The whole point is, the error message was hard to discover, seems to be inaccurate, and I can't believe the IRONY or the STUPIDITY (me, me stupid. Me stupid thinking I could get working doing same dumb thing over and over like caveman and rock).

Longer rant made shorter, I cant come up with a single fucking way to get a free BING API Key. So forget it MS. Maybe you'll email me tomorrow. Maybe Github was pretending to be Gitlab for a few minutes.

Maybe I will send this image to my client and tell him "If we use Bing, get used to seeing hard to read error messages like this one". I mean that's why this is so frustrating anyhow - I thought the Google CSE worked FINE for us :/

Guys, what the fuck.

Today i was doing some consistancy checks accross the board after update made for one of our core systems that manages money. Yeah, real, live money.

I have hidden from public payment processor with simple API etc. So one of my checks, gate has same balances as gate's internal account on core blinked red. Okay well, fuck, thats really really shitty situation to be in. I guess my gate is fucked up some way.

Okay, debug mode on, maintainence mode on, quick look at DB, oh shit, client payed 4 times 15k eur without any txn on core system... SHIT! postman... Fuck, postman ofc wont start, quick google, fixing postman, tention in me grows, becouse its really rough and tough fuckup on my side, and got call. That moment when you know someone already knows is for me apogeum of stress that just skyrocketed from calm morning to mad morning.. Okay, i pick up phone, and I hear that one client payed (using core system app) and got strange message, YES I KNOW, im working on it.. Wait, you say that core system gave them odd message??? I will check it out. Finally fixed postman, 3 requests and I know its bug on core system.

Why, why in the motherfucking blody world anyone would push critically bugged update to system that just sends api callbacks "yes, he payed" when someone didnt pay...

Fuck im stressed and pissed, but at same time reliefed its not my personal fuckup (yeah, I solo wrote that gate, but externally audited code and all they had to say that some cosmetic linting should be done)

Ok so I have done some work with crypto currency mining pools and recently a client requested for me to make a splash page that showed data from multiple instances of these pools APIs. I went to find some documentation for this open source api and to my surprise there is none. I thought of querying the public API from the clients side and it worked, however it's so slow that the data shows up roughly 20 seconds after the page loads.

Easy fix right? Make a PHP server get the data every 5 seconds, cache it and serve the data with the page and use a websocket for live updates! Until I found out that there is no practical way in this garbage framework to get the damn API data without making an HTTP request or mutilating the original source code. I'm so done with this garbage framework. It literally loads pages based on a page and action parameter on the index.php. I quit.

Ok c++ professionals out there, I need your opinion on this:
I've only written c++ as a hobby and never in a professional capacity. That other day I noticed that we have a new c++ de developer at the office of which my first impression wasn't the greatest. He started off with complaining about having to help people out a lot (which is very odd as he was brought in to support one of our other developers who isn't as well versed in c++). This triggered me slightly and I decided to look into some of the PRs this guy was reviewing (to see what kind of stuff he had to support with and if it warranted his complaints).

It turns out it was the usual beginner mistakes of overusing raw pointers/deletes and things like not using various other STL containers. I noticed a couple of other issues in the PR that I thought should be addressed early in the projects life cycle, such as perhaps introduce a PCH as a lot of system header includes we're sprinkled everywhere to which our new c++ developer replies "what is pch?". I of course reply what it is and it's use, but I still get the impression that he's never heard of this concept. He also had opinions that we should always use shared_ptr as both return and argument types for any public api method that returns or takes a pointer. This is a real-time audio app, so I countered that with "maybe it's not always a good idea as it will introduce overhead due to the number of times certain methods are called and also might introduce ABI compability issues as its a public api.". Essentially my point was "let's be pragmatic and not religiously enforce certain things".

Does this sound alarming to any of you professional c++ developers or am I just being silly here?

Just gonna leave this here because I am too lazy to write a proper article for my website:
If anyone is trying to create a Vue.js website with Node.js backend do NOT use express-vue, it is unnecessarily complicated and broken. Instead use this method I found.
You will need:
- IntelliJ IDEA / WebStorm / other IDE supporting multiple modules per project and tasks
- Nodejs and npm
- vue-cli

Step by step:
1. Create new empty project
2. Add your frontend module using vue-cli generator
3. Add your backend module using Express generator
4. Run npm build in your frontend module once
5. Move or remove public folder in your backend module
6. Create a symlink from your backend module root called public pointing to dist folder in your frontend module root
7. Make sure to add "Run npm build" from frontend module to your "bin/www" task (default task for Express module)
8. Enjoy developing your REST API in Node/Express and your frontend in Vue.js with single-file components and it being served by the same server that is providing the backend.
(Since they are separate modules and you are not mixing webpack and Node/Express you can add ts-loader, stylus-loader, pug-loader or any other loaders without screwing anything up)

For deployment you just need to copy the contents of dist into public on the server. (and not upload the symlink)

Does devrant have a public api? Tempted to write an atom plugin so I can pretend to work, but actually rant.

Any other Screeps players here?

for the people running into a "Screeps is not defined":
Screeps is a MMO RTS where you code your "army" to do stuff in Javascript (a la NodeJS).
Code how your harvesters should behave, how your soldiers should behave, how your builders should behave etc. etc.

So far, it is quite a fun game, tho my (Intel Nehalem based) laptop has issues handling it (thanks to a awfully slow GPU...) so it's difficult to play for me at the moment (I'm on holiday, my home PC is a LOT faster).
It costs about 15 euro on steam, and if you're into this stuff, it's well worth it.
Just make sure you finish the tutorial first... I didn't and I regretted it when I bought the game (it's a huge pain in the buttocks to get started if you don't understand the API and such).

Currently just playing on my own localhosted private server to discover how the game works and such, but will be setting up a public server later down the road to play with others.
Tho it would be nice if Screeps would allow for "team-based" gameplay as well so it'll be slightly harder for early players to bully the newer ones.

Fuck LinkedIn
Fuck their closed API
Microsoft always steals your PRIVATE info, but is scared of us using their PUBLIC info
Fucking morons
I can just use selenium and still have all the info I need
Then why the fuck would you close API to approved only
Can't you just track the traffic????

Public REST (-inspired) API. Should I skip numeric IDs because it's easy for consumers to snoop around?

Example:

POST api/foo
201 Created api/foo/69

Uh, I'll get 68 just because I can. Hopefully it returns Unauthorized, unless we some kind of bug.

Is it just security by obscurity if I use, like, guids or something instead of sequental IDs?

How come something works absolutely perfectly in dev but not in prod?
I was making a desktop app in election js and everything is working perfectly. No problem at all. But then I create the installer/distributable and nothing shows on the screen. And out of curiosity, I wanted to see the error log and it shows an unknown error, I didn't even know from what thing the error is being generated. And after I fixed that, another problem came with Asana Api. I mean, if it's a public API, why do you have to block it with cors? I hate cors!
And after all of it, there's more to it. I mean, why can't you just show the errors in dev?

Why doesn't Twitter have a public API without authentication for simple stuff, such as reading tweets. One can do that without logging in on the website, why shouldn't code be able to do it.

If your site uses angular or react or some other piece of shit framework to load the data after the site has fucking loaded, make a public fucking api because i cant parse your shitass website from source.

Just wanted to code some better public transportation route calculator (better ux) and found out that the pt company offers an API.

EVERY FUCKING REQUEST HAS TO BE SENT AGAINST THE SAME FUCKING ENDPOINT IN A POST REQUEST WITH THE ORIGINAL REQUEST AS FUCKING XML IN THE FUCKING BODY. At least they offer xsd files... BUT THATS NO FUCKING HELP. At least not that much of a help. AND THE DOCUMENTATION DOES NOT STATE A SINGLE FUCKING EXAMPLE OF HOW TO USE THAT FUCKING ENDPOINT. I FOUND THIS OUT BY SENDING RANDOM REQUESTS TO THE ENDPOINT TRYING TO REVERSE ENGINEER THE EXISTING FUCKING FRONTEND AND NOW I NOTICED THAT 80% OF THE FUCKING DOCUMENTED FEATURES ARE DISABLED BECAUSE: NOT FUCKING SUPPORTED!!!

MAAAN WHY DO YOU DO THIS.

Alternatively I'd use the GTFS files they provide but THEY ARE FUCKING INCOMPLETE AND DONT STICK TO THE EXISTING STANDARD GOOGLE DEFINED... They also offer a different propietary format... BUT THATS FUCKING UNDOCUMENTED AND FUCKING INCOMPLETE...

Today I wrote a python messenger bot which listens to only one command;
get ip
It then replies with its public IP address. I figured this would be the easiest hotfix until I fix my dynamic DNS client.

Now thinking of it I could also make an "update domain" command for doing the API call, and then link the two with a loop and minute delay. Marvelous.

Here in my country banks doesn't have a public API to access your bank account extract, 3 years later we make some bots to extract these data to an API

Hello,

I have gone through all the options that your public API has for syncing data, and i can now officially say that stripping an iFrame of a Google Drive page would be better than the piece of shit mutation methods you have come up with.

Most sincerely,
A fucking annoyed dev that just wasted about 4 hrs on your shit.

I'm trying to convert a legacy .NET Framework web api to .NET Core, the project and its supporting libraries are in awful conditions and to make things worse at a certain point someone has the genius idea of introducing Uncle Bob's "Clean" Architecture into a part of it so stuff which could simply look like this

public string doStuff(string input){
// Do the stuff
return output;
}

becomes a convoluted mess like this

public class StuffDoerRequest {
public string Input{get;set;}
}

public class StuffDoerResponse {
public string Output{get;set;}
}

public interface IStuffDoer {
public StuffDoerResponse Execute(StuffDoerRequest request);
}

public class StuffDoer {
public StuffDoerResponse Execute(StuffDoerRequest request) {
// Do the stuff
return new StuffDoerResponse() {
Output = actualFuckingOutput;
}
}
}

Edit: sorry for the lack of indentation, apparently DevRant trims leading whitespace

Visual content ID system with a public API

For some reason I keep over engineering stuff to the point I spend 2 hours thinking the best way to do something. I'm making the backend for a project of mine and I wanted somewhat decent error handling and useful error responses. I won't go into detail here but let's say that in any other (oo) language it would be a no-brainer to do this with OOP inheritance, but Rust does OOP by composition (and there's no way to upcast traits and downcasting is hard). I ended up wasting so much time thinking of how to do something generic enough, easily extendable and that doesn't involve any boilerplate or repeated code with no success. What I didn't realize is that my API will not be public (in the sense that the API is not the service I offer), I'm the only one who needs to figure out why I got a 400 or a 403. There's no need to return a response stating exactly which field had a wrong value or exactly what resource had it's access denied to the user. I can just look at the error code, my documentation and the request I made to infer what caused the error. If that does not work I can always take a quick look at the source code of the server to see what went wrong. So In short I ended up thrashing all the refactoring I had done and stayed with my current solution for error-handling. I have found a few places that could use some improvement, but it's nothing compared to the whole revamp I was doing of the whole thing.

This is not the first time I over engineer stuff (and probably won't be the last). I think I do it in order to be future-proof. I make my code generic enough so in case any requirements change in the future I don't have to rewrite everything, but that adds no real value to my stuff since I'm always working solo, the projects aren't super big and a rewrite wouldn't take too long. In the end I just end up wasting time, sanity and keystrokes on stuff that will just slow down my development speed further down the road without generating any benefits.

Why am I like this? Oh well, I'm just glad I figured out this wasn't necessary before putting many hours of work into it.

Instagram new API app submission models is a piece of crap ..
Mostly developers can not get applications approved ..
Public data should be accessible to developera

So there is this project of my firm that is comepletly dependant on Facebook api, I've actually told it many times to managers at first but they've just waved their hands over it.

Now what didn't happen. Facebook data leak and the api being taking down ..juust a week before the project going public.

Our app is still not reviewed and not able to access the so vital api and there are actually many similar projects getting published (even Facebook Local greatly rivals to our app, actually killing it because they have native data... And we don't have any. )

I told them again. "Nah we will have this and this feature that makes it soo exceptionall."

And you are sitting here thinking if the salary you have asked for is still good enough to stay or to run away.

(Well, I am still getting some coding experience from this so that's why I stay, and oh yeah I have the backend repo only for myslef because except the frontend dev no managers knows what git is. This is how freedom feels. )

Does devRant have a public API?

Here is a personal project I've been working on lately. It's not public, but just wanted to share. It's a custom chatbot I created using a LAMP stack. Its built on top of a framework called Program-O to handle the knowledgebase storage and processing along with some basic NLP. I added the web speech api functionality myself so it supports recognition as well as speech synthesis. Anyways, pretty proud of this one.

Yesterday, the Project Manager forwarded an email from a staff member who worked on a donations campaign. Staff member was confused about a Cloudflare challenge that appeared before the user was sent to the donation page. It’s a less than 5 second JavaScript check. He thought it looked fishy.

I had to explain that it’s a security measure that’s been up for almost a month. PM knows this but left it to me to explain because ownership of the site is on me. The donations page and api gets hit by a lot of bots because it’s a public api and there are no security measures like captchas to deter the bots. I’m inheriting this website and I didn’t build it.

Staff member says other staff want to know if the Cloudflare page can be customized so it looks more legit. Um, Cloudflare is a widely known legit service. Google it.

A few thoughts pop into my head:

1. Engineering communicated to stakeholders about the Cloudflare messaging a month ago.

2. Wow, stakeholders don’t share relevant info with their staff who aren’t on these emails.

3. Woooow, stakeholders and staff don’t look at the website that often.

Is there any documentation on what is public API or not?

@dfox or is reverse engineering the calls allowed?

Public GitHub repos with API creds left in them (face palm) check your repos before pushing!!

I love Mikrotik. Just fucking love them. I also love my residential fiber service. Small company. Synchronous 125M service. No caps. Bandwidth is always there.

BUT... They use PPPOE (seriously guys?), and the IP changes on *every single re-connect*. Also: no IPv6 support. I know. I don't need it. But I want it.

Enter DNSMadeEasy's DDNS, Hurricane Electric's 6to4 tunnel service, and my Routerboard AH100x4. I wrote a script that runs on the router whenever my IP changes. It updates my DDNS record, updates my 6to4 tunnel IP using HE's API, and updates my local 6to4 interface's IP.

It just works. My public IPv4 may change, but the /48 IPv6 networks on my LAN side stay fully routeable.

Oh the joys of working with an Enterprise customer.

Background:
Discussion about service architecture with me, development architect (ArchDev) and integration architect (ArchInt). The topic arises of needing to access int. segment systems for a public facing cloud application.

Me: so we'll just need a s2s vpn and then we can just create a route and call the services normally.
ArchDev: sounds good to me, it will take a few months to get that set up
ArchInt: we done need that, we can just use the gateway and then route all the requests through the ESB.
Me: 😕 do you mean the service gateway?
ArchInt: (drops bomb) no, we decide that all API should be implement in ESB, so ESB will handle traffic
Me: *pauses, steps up to the whiteboard, does latency math* setting aside the fact that isn't how ESB's work, that will add at least 700ms latency to each request.
ArchInt: well that is fine for enterprise, things not usually as fast in enterprise you must expect slowdown to be safe
ArchDev: *starts updating resume on the ladders
Me: 💀🔫

Progress on my blog (incocast) goes smoothly, even implemented a basic rss feed. Currently the blog is Service Layer only (because I still have to create a front-end)

It might even be interesting to open some api calls to the public... I don't know yet.. Maybe..

Either way the next thing to implement is a commenting system! :)

The positive side of EnvVars...
So a couple of weeks ago I moved all api keys and db passwords to environmental variables on the server so that I didn't have to keep worrying if I'm live in my test environment.

Earlier I shat myself after an apt-get upgrade broke php and apache somehow decided it's a great idea to serve all .php files as plain text. I was super relieved to find no confidential information (apart from logic) was made public.

I think the following is all in my head, or I am heading towards an office rivalry situation between my tech lead and me.

characters :
me : a no nonsense android guy who is sometimes very blunt when requested for unwarranted demands. i am also realising that i have been a bit too arrogant, as i come up with a lot of counter questions too fast (not related to story tho)

tech lead : an android guy who has been android dev for a total of 4 years (same as me), 3 of them in current company and somehow got promoted to TL

story: I find this guy to be too much political, delegating a lazy bum, and i kinda called him out in public , once during a discussion where other folks were also kinda calling him out and another time when we were having a small meeting of 3 people. he in turn has taken some actions (like giving me a lower kpi, not giving me appropriate data for doing some work and then asking about it in public, casually ignoring my leave requests) which looks he is taking out a revenge.

at first time i called him out in a discussion where everyone was getting against his havit of giving buttery responses to his boss (who occasionally joins our standups) . he says "we are on track" while we are already dependent on him to provide data/decisions.
he then says to us to do it faster , and when the work does not get completed ( because how it could be, without him doing his job), he blames it on devs.

i called him out on a similar but different topic of him making last moment task additions when we are already on brim with our planned tasks.

on second time i called him out on him not looking into the current task enough as he was expecting me to take decisions on my own.
the decision was about how a screens ui will be populated and there was no api payload available that would match the ui . i created 2 mock api jsons which would appropriately load that screen but was not sure if the 2 apis would be enough for the screen and wondered whete some missing data will come from?
this task is a long one, nd i did took a decision, but he should had validated them to make sure we are on track. the issue came when i took some questions to him and instead of answering them , he blamed on me not being mature enough to work without the data!

All things aside, I am on my weary ends with thins guy. He is my boss and holds incredible powers over me, but he is incredibly incompetent and his habits of delay, delegation and blaming is making my work life worse. I don't wanna leave this job too, because as much as i hate it, its currently one of the major names in industries and giving a solid power to my resume

Welp. I think I witnessed a new job application hack. Someone listed my team’s general engineering email address for their Employee Referral.

That email address is listed publicly, but I’m pretty sure no one on my team told the applicant to list it as a referral contact. I suspect someone got the email from a Slack workspace. I had posted a job listing, in a threaded comment someone had complimented my employer’s public API, and I shared our engineering email and said we’d love to see what he builds.

It looks like someone else from that Slack saw this and decided to list the engineering email as an employee referral. I get that employee referral can mean different things to different people and it might be someone who’s new to job searching and doesn’t know better.

For my employer’s online application, an employee referral requires a name and email address for the employee. I’m curious what the applicant listed for the employee referrer’s name. Wonder if it was my name. If it is, guess I have to give my manager a heads up and tell him that I do not know this applicant.

This occurrence is a new one for me and I don’t think it’s happened to us before. And it’s not really a good tactic to get a resume read at my workplace. Where I work, my manger reviews the resumes and tells HR who he wants to set up calls with. It’s not HR or an ATS that screens resumes and sends them to my manager.

My friend said I should make some of my old dead projects public (after removing passwords or api keys) even if they were badly done at least to show growth and development to recruiters.

I don't know though, I had a ton of random projects most I didn't bother with good practices assuming I'd be the only person to see the code, or telling myself I'd fix it later though eventually letting the project die for various reasons

should I really make bad projects public or should I keep them private waiting for a slim possibility of me reviving them.

Worked from 09:00-00.00+ every day for 6 days straight, then for about 4 hours that Sunday (including over public holidays which were that week).

Clients agreed release date based on some interviews with publications, which meant the previous target date was moved up 2 weeks as they were pushing marketing for this new date.

Aside from having to implement a new 3rd party API which touched ~35% of the system there was a lot more that needed to be finished before release (including an entire user flow that was at the mercy of a 3rd party).

Safe to say I took a day or two off the week after.

Today we picked an old (6 months old) iOS project back to add some features. We clone repo and run `pod install` to pull the dependencies.

There seems to be a bug with FBSDKCoreKit (facebook SDK) and the only solution is to delete the Podfile.lock

if we do this, it will pull the new version of every dependency, and the public API of each dependency is broken. Meaning we have to spend about 18 hours+ just to make this shit compile.

Fuck this shit!!

Hey where can I get access to the devrant API? GitHub readme said it isn't officially public yet but people are still using it. Just had a few for projects I wanted to try.

Create a nice documentation website for a library we have at work.
Complete with examples, public api, and search engine.
Then I can die happily.

I've read that DevRant has a public API...

Does anyone know what the URL is, please?

Dear Instagram api, why do you need to review my app/client for displaying public posts by people? I mean people public-ed them.

Where in the fuck is the devRant public API documentation!?

Hey devs, I'm working on a API for public because I'm bored, it's handy thing like an IP endpoint that says your IP, I'm looking for some more ideas so if you have things that are handy tell me and I implement them

So this week should be interesting. I am working on a (potentially) very large project for my current client and need to build a service that somewhat replicates the functionality of heroku (in that it needs to be able to load an app built in one of several languages, and spin it up in a docker container).

Unlike Heroku, however, each application also needs to be able to have a list of public and private (internal only) API routes listed and be able to dynamically route requests to the correct routes on in those containers. (Sorry if this is confusing)

Does this sound challenging and amazing? Absolutely! Do I think I may be in over my head? Yes, yes I do.

Has anyone ever built or worked with something similar?

So I've been fiddling around a bit with Minecraft mod packs lately, and I've noticed two things. A. there seems to be no good mod pack launcher/manager and B. Curse Forge sucks and has no public API. Corporate bullshit with FTB and Overwolf... So I've been thinking about building a modding platform and making it open source and accessible for everyone. So a few questions for the ones of you who have done modding, or are just interested:

- Is there already a good platform?
- Would it be feasible with mod pack licences and what not
- Would the modding community welcome another platform?
- Is there a good launcher to integrate with?

I've been working for so long with API integrations and one part of that is security. We perform ssl key exchanges for 2-way verification and a large percent of those partners provides me with their own pkcs12 file which contains their private and public keys! What's the sense of the exchange!? I think they just implement it just to boast that they "know" how ssl works,

Still as a scholar who has had his intership I decided that I was finally confident enough in my ability to apply for a small part-time programming job. I had an internship at a cool exhausting place with tons of expertise and I've proven myselve over there. So now I wanted a job on the side. Nothing special, just something that would make a little money with programming instead of washing dishes at the restaurant.

So I started at this small internet based startup (2 or 3 progammers) as a backend-oriented programmer. The working hours were amazingly compatible with my school schedule.

The lead dev also sounded like a smart guy. He had worked as a backend guy for years and had code running on verry critical public infrastructure that if it were to fail we'd be evacuated from our homes.

As a first asignment I got an isolated task to make an importer for some kind of file format that needed integration. So I asked for access to the code. I didn't get it since they were going to re-do the entire backend based on the code I wrote. I just needed to parse the file in a usable object structure. So I found out that the file format was horrible and made a quite nice set of objects that were nice. At the end of the first week or so I asked if I could get access to the code again, so I could integrate it. Answer was no. The lead dev would do that. I could however get access to my private repository.

Next week a new intern was taken to build a multiplatform responsive app. Only downside was that all the stuff he had ever done was php based websites. It wasn't going anywhere anytime soon, but I figured that that was where internships were for. So I ended up helping him a lot and taught him some concepts of OOP and S.O.L.I.D. and the occasional 30 minute rants of IndexOutOfRangeException, ArgumentException and such.

So one day he asked me how to parse a json string and retrieve a specific field out of it.
I gave him something like the following to start with:
"
JObject json;
if(!JObject.TryParse(jsonString, out json))
{
//handle error
}
string value;
if(!json.tryget("foo", out value).../// code continues
"

but then the main dev stepped in and proposed the following since it wouldn't crash on an API change:
"
dynamic json = new JObject(jsonString);
string value = json.myJsonValue;
"

After me trying to explain to him that this was a bad choise for about 15 minutes because of all kinds of reasons I just gave up. I was verry mad that this young boy was forced to use bad programming pracises while he was clearly still learning. I know I shouldn't pick up certain practises. But that boy didn't.

Almost everytime the main dev was at the office I had such a mindboggling experience.

After that I got a new assignment.
I had to write another xml file format parser.
Of course I couldn't have any access to our current code because... it was unnecesary. We were going to use my code as a total replacement for the backend again.
And for some reason classes generated from XSD weren't clear enough so after carefull research I literally wrapped xsd generated code in equivalent classes.

At that moment, I realized I made some code that was totally useless since it wasn't compatible with any form of their API or any of the other backend code. (I haven't seen their API. I didn't have access to the source.) And since I could've just pushed them generated XSD's that would've produced thesame datastructure I felt like I was a cheat. I also didn't like that I wasn't allowed to install even the most basic tooling. (git client or, Ide refactoring plugins, spelling checker etc...)

Now I was also told that I couldn't discuss issues with the new guy anymore since it was a waste of my valuable time, and they were afraid that I taught him wrong concepts.

This was the time that my first paycheck came in so I quitted my job.
I haven't seen any of the features that I've worked on. :)

Google...

Public reset API for every online food service?

That would be a great idea, if you consider running a cronjob every day witch randomly selects items form your FavoriteFoodArray.

Just discovered a public API that support perpage parameter.
Immediately try 99999
And……… it works!
Getting everything in one go!
Good dev on the other side

Does anyone know a public API to test basic authentication other than github that return a token when the submission is successful

So I'm new to NestJS, Node, etc. and I just noticed that the guy working on the API made every request call a different service class, instead of using a single service class. For example.

get() {
return await this.getObj.run()
}

post(myDto){
return await this.storeObj.run()
}

update(myDtoUpdate){
return await this.updateObj.run()
}

And I'm not sure why. He's also injecting the request into those classes, instead of passing the DTO to the method call. I mean, it's still injecting the data into it I guess, but it seems so roundabout. Something like this:

public constructor(
@Inject(REQUEST) private request: Request,
){}

I'm scared, but I'm not sure if it's just my own ignorance or a sixth sense telling me that this is gonna be a mess.

Have you seen APIs implemented this way? I can see the benefit of dividing the code into smaller classes, but it just seems overkill to me, specially when there's a big chance that code will be repeated (getting an entity by ID when updating it, for example).

I'm still in time to kill this with fire before a new monster is born though, so that's something.

How do i show a profile pic from s3 bucket?

One way is to fetch it from backend and send it to frontend as a huge blob string. This is how i made it currently and it works.

.... what if i want to frequently get the profile image? Am i supposed to send a separate API request to the backend every time? What if I need to show the profile picture 100 times then that means I will have to send 100 requests to the backend API?

...... or even worse, what if I need to fetch a list of images from the S3 bucket for example, a list of posts that contain images or a card with the list of profile images of multiple users? If I need to display 100 posts, each post containing one image, That means I would have to separately call 100 API request to fetch 100 images…

That is fucking absurd.

Of course I can make it so that it saves that URL to that image as a public setting but the problem is the URL will be the exact URL to the S3 bucket, including the bucket name, the path and the file name as well as the user information such as the user ID. this feels like it is a huge security risk

What the fuck am I supposed to do and how am I supposed to properly handle display images which are supposed to be viewed publicly?

Hey guys, I'm looking for some feedback for a new website I launched socialfeedapi.com. It provides quick and easy API access to any Instagram media feed (for any public username or hashtag). Is this something that you guys think will be useful in the dev world? Is it just me, or has anyone here tried to gain access to an Instagram feed and was frustrated in doing so? Thanks in advance!

So, need to secure some requests.
I decided on going passwordless on the website but I want to have an API too.

I am reviewing auth0.
I am also not sure if I can secure the same endpoints as private and public differently, so the private is used by the backend with no auth and the public with auth.

Wold you guys help me with some reading material?

Hello devrant people.. I have joined today. I am a software QA and I like to create little web applications by self learning. I like to use rest API which are free and public.

Fucking taiga wasting my day.

Client asked to set up a private taiga (taiga.io, some open source Jira alternative).

All goes fine and dandy until you need to link domain user creation to taiga user creation.

Seems I have to choose between having public registration (allows to programmatically create users, but also randoms to sign up) or use their private registry API that asks for a fucking token that is supposed to be returned from their membership/invitation API, that, guess what, doesn't return any bloody token. You can only get the token on the Django admin control panel.

Guess I'll have to end setting up LDAP or integrating with their existing gitlab, but this gig is already starting to smell, and we are close to the weekend 😡

I'm trying out some stuff I read. I have rich domain models with private fields. In order to create EF core entities my domain models create snapshots with public properties.

So 3 models - domain, snapshot, entity.

Now I am thinking about introducing a fourth for the API.

This seems mental and that I have misunderstood something. Automapper might help clean this up.

Mexico just got for a big earthquake and people is organizing a lots of ways to help.
> Some guys started a webpage and they are adding useful information and data for the people. They create a repo on GitHub to improve information.
> Mexican devs start discussing which technology is better for solving imaginary problems about escalate the servers, concurrency, creating a CMS, creating a public API, tokens for publishing the API... Instead of using something quick like firebase or some Trello to just publish info.

If someone tries using "multipart/form-data" as only content type for their PUBLIC API ENDPOINTS again I am going to find them and choke them to death.
And if your documentation says you are using something else (application/x-www-form-urlencoded) I am doing it twice.
JSON apis should be standard.

EDIT: I had to fire up BurpSuite proxy, after almost an hour I accidentally switched the body type - voilà