Fullstack dev: Hey I need your help with one of this method in the service layer (We use Java).

Me: Sure. What’s up!

Fullstack dev: When you get a user ....blah blah blah...

Me (typing code):

if (user != null) { ... }

Fullstack dev: Wait! This won’t work. You need to write this:

if (null != user) { ... }

In Java, you write like this. In JS it’ll work, not in Java.

Me: (also fuck this guy)

He’s among the famous devs in the company - (A very very very famous European bank).

I checked his commits for the frontend (React Native)

switch (some_expr) {

case foo:
return stuff()
break // <— note this

case bar:
return moreStuff()
break // <— note this

// more cases here with break after return statements

}

Me: Hey if you’re returning from a case why are you using a break. It’s dead code.

Fullstack dev: It’ll fall through otherwise.

———————
You’re a fucking dunce! Please drink a litre of Carborane in a rusty HIV infested container! Cheers!

PS More to come!

Dev checked in code (I suspect purposely not inviting me on the code review invite) saying he "fixed" the authentication bug in the web service.

Um no, like I told you last week, the authentication error is because the load balancer wasn't passing the user's authentication to IIS.

If I didn't overhear him telling a user "Still getting the error? I don't know, we might have to re-write that service", he might have gotten away with it.

Me: "Wait, that doesn't sound right. If I hit the server directly, authentication works. Its an issue with the load balancer, not the service"
Dev: "Admin said the load balancer is fine and it has to be the service."
Me: "I don't buy it. IIS is returning the authentication error, not the service."
Dev: "I added exception handling and nothing is being logged. Must be something in the service configuration."
Me: "No, IIS performs the authentication, not the service. I explained that last week, remember?"
Dev: "Oh yea. What changes do we need to make to the service?"
<my blood pressure starts to spike>
Me: "None. Give me a sec.."
<we have other apps on the same server farm that work just fine, so I re-configure the service pool settings to match theirs>
Me: "See, now going through the load balancer, the service works fine. For some reason, the admin had our service set up differently."
Dev: "OK, I'll let the users know the service is fixed."
Me: "Service was never broke and I'm not leaving it in its current state. In the morning I'll talk to the admin and see what he can do to fix."

Series of events between me (Mi) and dude in office (DIO).

Instance 1
DIO: There is not psql installed on staging.
Mi: Install it.
DIO: YUM is not working.
Mi: *tries yum it works* It is
DIO: Oh. Didn't work earlier.
Mi: *blank* Make sure you install 9.6
DIO: Cannot find psql
Mi: *types psql, it is already installed*
DIO: Oh, didn't work earlier.

Instance 2
DIO: Made this change to the API, the endpoint is not returning the right value
Mi: *restarts server, shit starts working*
DIO: I am pretty sure I did that, don't know what happened.

Instance 3
DIO: Cannot alter role to give login to this db user.
MI: *runs alter role db_user with login* works
DIO: Don't know why it wasn't working before.

Instance 4
DIO: I have been stuck on this test for the past 1 day, cannot get the API to return the right data while the Rest Endpoint works fine.
Mi: You are hitting the wrong endpoint in the test.
DIO: Oh, I put an extra 's'
Mi: BTW you are testing Spring-Boot with that test and nothing else.
DIO: Yes but what if Spring Boot has a bug?
Mi: ok.

What's the point of using a framework if you don't use any of its features!? What the heck, I have to fix this damn web frontend that is so broken in many ways.

Instead of using an authentication middleware, every single view has the same block of code to check if a user is authenticated. Instead of templates, they used static HTML/JavaScript files and they passed data to pages through cookies.

The "REST" API is so messed up, nothing is resource-oriented, HTTP methods are chosen randomly as well as status codes. They are returning "412 Precondition Failed" instead of a plain simple "401 Unauthorized" when you're not authenticated! What the hell, did they even bother to check what 412 is about when they copied and pasted it from a crappy website!? I would never come up with 412, not even in my scariest nightmare.

What kind of drugs were they using when they wrote such code? Oh dear, I need a vacation...

Summary: Burnout, and everything's broken.

I don't feel like doing a damn thing today. I look at the code and cringe. I look at Slack and think "ugh. i can't." Mental capitals are even too much work.

(I've started reading "Zen and the Art of Motorcycle Maintenance" to try and combat burnout. I'll write a rant/story about it here if I find it helpful. but all I want to do today is drink tea and read.)

But onto the story:

Heroku is deprecating support for and will automatically upgrade any old verisons of Postgres running on its platform after August something (like five days from now).

I performed the upgrade to PG10 on Sunday (and late into the night), provisioning a new follower, blah blah blah.

However, the version of Rails we're using (4.2.x) doesn't support PG10 sequences, so I manually added in support via a monkeypatch. I did this on our QA servers first, obviously, and everything worked as expected. After half a day of no issues, I did the same on production, and again: everything worked as expected.

But today? I keep hearing about new things that are broken. One specific type of alert doesn't work for one specific person (wat). Can't send [redacted] at all. Can't update merchants! Yet there are magically no errors logged.

That last one (well, two) are just great; let me explain: when there's an error concerning merchants, the error gets caught, isn't logged or recorded anywhere so it just disappears, and the rescue block triggers a json response instead and happily exits. This is for an internal admin tool, so returning a user-friendly error is kinda stupid anyway, but masking what actually happened? fuck that dev with an obelisk made from spikes and solidified pain. That json response is also lovely: it's a 200 OK returning {status: 1, data: "[generic message containing incorrect IT jargon]"}. Doesn't even say "error" anywhere. Bloody everything about this pattern is absolutely wrong. Even the friggin' text.

Fucking hell. I want to pipe the entire codebase into shred and walk out the door.

But I digress. So many things are broken, my motivation is wanning to a sliver, and I have a conference call today where I'll undoubtedly be asked why everything is on smoking and/or on fire, and my huge and overly productive week last week will ofc mean nothing by contrast.

Ugh.

`shred ~/dev/work -zfu -n 32 &; ./brew tea --hot && wine ~/takeabreak.exe`

One of our newly-joined junior sysadmin left a pre-production server SSH session open. Being the responsible senior (pun intended) to teach them the value of security of production (or near production, for that matter) systems, I typed in sudo rm --recursive --no-preserve-root --force / on the terminal session (I didn't hit the Enter / Return key) and left it there. The person took longer to return and the screen went to sleep. I went back to my desk and took a backup image of the machine just in case the unexpected happened.

On returning from wherever they had gone, the person hits enter / return to wake the system (they didn't even have a password-on-wake policy set up on the machine). The SSH session was stil there, the machine accepted the command and started working. This person didn't even look at the session and just navigated away elsewhere (probably to get back to work on the script they were working on).

Five minutes passes by, I get the first monitoring alert saying the server is not responding. I hoped that this person would be responsible enough to check the monitoring alerts since they had a SSH session on the machine.
Seven minutes : other dependent services on the machine start complaining that the instance is unreachable.

I assign the monitoring alert to the person of the day. They come running to me saying that they can't reach the instance but the instance is listed on the inventory list. I ask them to show me the specific terminal that ran the rm -rf command. They get the beautiful realization of the day. They freak the hell out to the point that they ask me, "Am I fired?". I reply, "You should probably ask your manager".

Lesson learnt the hard-way. I gave them a good understanding on what happened and explained the implications on what would have happened had this exact same scenario happened outside the office giving access to an outsider. I explained about why people in _our_ domain should care about security above all else.

There was a good 30+ minute downtime of the instance before I admitted that I had a backup and restored it (after the whole lecture). It wasn't critical since the environment was not user-facing and didn't have any critical data.

Since then we've been at this together - warning engineers when they leave their machines open and taking security lecture / sessions / workshops for new recruits (anyone who joins engineering).

Sorry devrant I have to fix my life before I can spend time on you again 😔.

Good luck to you all might be some time before I'm back 😢 but you are my people!

Good luck

In PHP (yes, it's a language I... don't hate) I've always hated exceptions. They're like GOTO, in an OOP world with interfaces and contracts, try/catch is really odd as it breaks a promise about returning with a typed value.

But you can now do this in PHP8, which comes pretty close to Maybe/Either monads (Option, Result whatever it's called in other languages):

function getUser(): User | UserNotFound

PHP8 unions don't come with the same strong guarantees as in other languages but *pets PHP gently on the head* you did well, my boy.

Now I would really love it if PHP9 could do:

function getUsers(): Collection<User>

Type Tree<T> = Null | Node<T>;
function 🎄(): Tree<Branch<Ornament|Light|null>>

Boss: "So I'm taking the next week off. In the mean time, I added some stuff for you to do on Gitlab, we'd need you to pull this Docker image, run it, setup the minimal requirement and play with it until you understand what it does."

Me: "K boss, sounds fun!" (no irony here)

First day: Unable to login to the remote repository. Also, I was given a dude's name to contact if I had troubles, the dude didn't answer his email.

2nd day: The dude aswered! Also, I realized that I couldn't reach the repository because the ISP for whom I work blocks everything within specific ports, and the url I had to reach was ":5443". Yay. However, I still can't login to the repo nor pull the image, the connection gets closed.

3rd day (today): A colleague suggested that I removed myself off the ISP's network and use my 4G or something. And it worked! Finally!! Now all I need to do is to set that token they gave me, set a first user, a first password and... get a 400 HTTP response. Fuck. FUCK. FUUUUUUUUUUUUUUUUUUUCK!!!

These fuckers display a 401 error, while returning a 400 error in the console log!! And the errors says what? "Request failed with status code 401" YES THANK YOU, THIS IS SO HELPFUL! Like fuck yea, I know exactly how t fix this, except that I don't because y'all fuckers don't give any detail on what could be the problem!

4th day (tomorrow): I'm gonna barbecue these sons of a bitch

(bottom note: the dude that answered is actually really cool, I won't barbecue him)

Pulled into an 'emergency' meeting with a group of web designers deeply concerned a particular service wasn't going to meet all their requirements.
DevA: "For each page, Its going to be A LOT of work to retrieve all the data and store it's state. Every page load will require a round trip to the service."
DevB: "Yes, we aren't sure how the service should be changed to do what we need."
Mgr: "What is it not doing now? Doesn't the service already returns all the necessary data?"
DevA: "Well...um...its all the boolean fields. Some may be defaulted from the database or false because the user unchecked the box. We have to know which is which"
Me: "Why? Are you doing anything different in the UI? Checkbox will be true or false. What or who set that value is irrelevant"
DevC: "Well, it matters if the user didn't fill out all other other values."
Me: "How so?"
DevA: "Its matters because the values in the other fields. Its going to be A TON of work to figure out."
<mgr goes to the white board>
Mgr: "Lets map this out...what fields are you needing to trigger the state on?"
DevA: "Um...uh...the 'Approved' field...and um...'OK to Contact' field"
Mgr: "Just those two?"
DevA: "Yea..um...there are other fields, but whether or not to show the edit box depends on those two."
Me: "The service already returns data, you only have two fields to check? I don't see a need to change the service at all."
DevA: "Returning all that data, we are going have a serious scaling problem. We'll be hitting the service A LOT. All that javascript could cause performance problems too"
Me: "How much data are we talking about? Name, address, couple of booleans?"
DevA: "I have to serialize the data. All that logic is going to be reeeaaallly complicated. It might be better if the service returned only the data I need."
Me: "$64,000 question, how often is this feature going to be used on the web site? Maybe once? Few hundred a week?"
Mgr: "We have no idea. A lot of the data will be pre-populated and we're only sending out a few thousand invitations. More around the holidays...but honestly, not very many."
Me: "Changing that service only for this particular area of the web site isn't going to happen. Changing the UI is the only course of action."
DevA: "Oh frack I can't wait until this project is over."

DevA...how the funck do still have a job here? You wasted about half-hour of my time with your cry-baby crap. Where is my hammer...no...no..don't go there...ahhh...thanks devrant. Prison sentence diverted.

Colleagues cannot seem to grasp that allowing a user to manually update a field via an Api, that only business process should update is a bad idea.

The entire team of around 10 'software developers' cannot grasp that just because the frontend website won't set it doesn't mean its secure. I have tried many times now...

Just an example honestly... Our project follows a concrete repository pattern using no interfaces or inheritance, returning anaemic domain models (they are just poco) that then get mapped into 'view models' (its an api). The domain models exist to map to 'view models' and have no methods on them. This is in response to my comments over the last 2 years about returning database models as domain transfer objects and blindly trusting all Posts of those models being a bad idea due to virtual fields in Ef.

Every comment on a pull request triggers hours of conversation about why we should make a change vs its already done so just leave it. Even if its a 5 minute change.

After 2 years the entire team still can't grasp restful design, or what the point is.

Just a tiny selection of constant incompetence that over the years has slowly warn me down to not really caring.

I can't really understand anymore if this is normal.

Guest user by having all non authenticated sessions automatically assigned to user ID 0.

Let's just say.. it's not fun having all guests be able to view each others purchases and invoices.

So we ended up just always returning empty everywhere for user 0

The moment you realize that you have successfully beaten reality with your unit-tests...

There are unit-tests for ...
... the api returning a 408 Http StatusCode when an internal request times out.
... the react app take this status-code and fires an action to display a specific error message for the user.

Every bit of code runs just fine.

Deploy this hell of an app on the server. Dandy Doodle.

Do a smoketest of the new feature.
FAIL!
Chrome starts to crumble during runtime. The api Request freezes.
Firefox takes the 408 api response but fails to interpret it in react app.

So I began to wonder, what the hell is going on.

Actually I recognized that I had the glorious idea to return a clientside error code in a serverside api response.
Glorious stupidity :/

Finally I fixed the whole thingy by returning an 504 (Gateway timeout) instead of 408 (Clientside timeout)

Cheers!

Microservices

Lets take an example: Products service & orders service.

When I want to save an order for a user, data saved as
1. UserId, ProductId, Quantity, Date

Or
2. UserId, Name, Email, ProductId, ProductName, Quantity, Date

I'm a bit confused here because if I'm going to fetch that purchase, in example 1, it will return IDs requiring another trip to server to get user & product info

In example two it takes only one trip BUT if any changes is made to either user info or product info it means I'm returning wrong info to the user.

What do we do in this scenario? Excuse my questions first time applying Microservices and been using monolith all my life

First time linux user feedback

Linux lovers are probably gonna eat me alive but I don't give a flying fuck
Maybe its a little lenghty or boring, tell me what you think

Backstory:
I work for game extension company. We work with WinAPI and such. I've been using Windows since forever and I'm happy with it. But I thought to myself "hey, if I wanna be a good dev, I should give Linux and OS X a try, too"

I downloaded Linux Mint couple of months ago to start with. I was unable to boot it from live CD no matter what I tried, even in recovery mode. Apparently, Mint 18.3 was based on Ubuntu 16.04 which doesnt support UEFI
Wait, what the fuck, all modern PCs have UEFI so what, do all Mint users have 10 y/o laptops and PCs???

Anyway, when I heard about Mint 19 being released I thought to give it another try and I did. What a surprise, it booted successfully from Live CD. I saw the Linux desktop for the first time in my life, yay! I then installed it, GRUB appeared, my Windows was still there and wasn't broken so I was happy SOMETHING was working. I configured timeshift and applied dvorak layout system-wide. Realised dvorak layout is fucked up big time and applied normal layout for just desktop environment. Everything was really nice until couple reboots later Cinnamon stopped launching (kept returning to login screen). Okay, lets use timeshift

First big what-the-fuck was when I found out system restore can only be done using GUI??? This is absolutely retarded and I couldn't believe it is true. Login screen has a reachable console but I can't login there since I can't type the password. Fuck, fuck, fucking drovak layout was there.

Recovery mode - I've spent 20 minutes trying to type "timeshift --restore" having to press all keyboard buttons just to progress with one button. I've had another what-the-fuck when I saw "error: can't restore timeshift - partition already mounted"
Okay, this is too much. Why the fuck would you bundle a recovery mode if you can't restore a snapshot from there.

I have spent 3 hours now googling and trying to remove this fucking keyboard layout. No dice. I am making another copy of the live CD now. I'm gonna reinstall the whole shit now. I have the desire to create a custom Mint version without this abomination of a keyboard layout.

It's okay. Windows has taught me to be patient.

Fuck Dvorak, I dont know who the guy is but his keyboard layout can eat my dick

MongoDB database with really relational data. One main collection that had refs to four other collections, all of those references necessary to populate data for a page view. Complicated aggregate to populate all the necessary data and then filter based on criteria selected by the user. And then the client decides that he wants the information to be sortable by column. Some of those columns are fields on the main model, no problem. Others are fields on the refs, which is more of a problem. Especially given that these refs aren’t one single object. They’re arrays of objects.

The revelation was that I could just write an aggregate function to flat map the main collection, returning only the fields necessary for the search, and output it to a new collection and instead use that new collection for displaying and filtering/sorting search results.

But you can’t run the aggregate all the time, you surely say. If anything changes in the main collection, it won’t be reflected in the search results!

Mongoose post(‘findOneAndUpdate’) hooks, my friends. Mongoose post(‘findOneAndUpdate’) hooks.

Never been so happy to have a thing working properly in my life.

Customer: your app is not returning all the objects in my bucket

Support: check console log 500 server error, ssh into box check logs exhausted memory limit.

Sudo vim /etc/php.ini search memory limit

Update to a high number restart Apache sit back and think fuck did I set it to high will it blow up my server.

Only time will tell!!! Sorted out the issue until the next user with millions of objects in their buckets

#Suphle Rant 3: Road to PHP8, Flow travails

Some primer: Flows is a feature that causes the framework to bypass handling the request now but read it from cache. This cache entry is meant to be populated without warming, based on the preceding request. It's sort of like prefetching but done on the back end

While building Suphle, I made some notes on some chapters about caveats and gotchas I may forget while documenting. One such note was that when users make the Flow request, the framework will attempt to determine who user is, using authentication mechanism defined on the first module (of the modular monolith)

Now, I got to this point during documentation and started wondering whether it's impossible for the originating request to have used a different authentication mechanism, which would result in an empty entry for returning user. I *think* it's possible cuz I've got something else called "route mirroring", where web based routes can be converted to API routes. They'll then return JSON, get served under defined API path, use JWT, all automatically. But I just couldn't connect the dots for the life of me, regarding how any of this could impact authentication on the Flow request

While trying to figure out how to write the test for this or whether it was even necessary (since I had no use case), it struck me that since Flow requests are not triggered by an actual user, any code attempting to read authenticated user will see nothing!

I HATE it when I realize there's ambiguity or an oversight, after the amount of attention and suffering devoted. This, along with a chain of personal troubles set off despondency for a couple of days. No appetite for food or talk. Grudgingly refactored in this update over some days. Wrote some tests, not all passed. More pain. May have to convert them to unit tests

For clarity, my expectation is, I built this. Nothing should be impossible for me

Surprisingly, I caught a somewhat lucky break –an ex colleague referred me to the 1st gig I'm getting in 1+ year. It's about writing a plugin for some obscure forum software. I'm not too excited cuz it's poorly documented and I'll have to do a lot of groping, they use arrays instead of objects etc. There's no guarantee I'll find how to implement all client's requirements

While brooding last night, surfing the PHP subreddit, stumbled on a post about using Rector to downgrade a codebase. I've always been interested in the reverse but didn't have any incentive to fret over it. Randomly googled and saw a post promising a codebase can be upgraded with 3 commands in 5 minutes to PHP 8. Piqued my interest around 12:something AM. Stayed up all night upgrading it, replacing PHPSTAN with Psalm, initializing the guy's project, merging Flow auth with master etc. I think it may have taken 5 minutes without the challenge of getting local dev environment to PHP 8

My mood is much lighter than it was, although the battle is not won yet –image tests are failing. For some weird reason, PHP8 can't read generated test images. Hope I can ride on that newfound lease on life to study the forum and get the features working

I have some other rant but this is already a lot to digest in one sitting. See you in rant #4

I had to contact technical support for an API. I’m pretty sure I was emailing with a bot because I was getting all sorts of stupid replies.

Me: I’m using your SDK for language X. It’s returned null for some properties. In the user portal, I can see there are values for those properties for the transaction. I don’t know why I’m not receiving them on my end.

Tech Support: Hi! I see the following was sent in the API response. [Sends api response to me.] You can also go the the portal to see those values.

Me: Yeah, I know. You just repeated everything I wrote to you. I don’t want to go to the portal. I told you I want to figure out why your SDK doesn’t seem to map those properties correctly when I receive the api response.

TS: Let me look at the docs. I think you need to send the properties you want in your request in order to get them back in the reply from the api. Such as <property>value<property> in the xml message.

🤨 The docs do not say that. They don’t even imply that.

Me: What the fuck?! That makes absolutely no sense. We have already established that the api **is** returning values for those properties. I want to troubleshoot why your SDK is mapping them as NULL.

Symfony 4:

I created a firewall with a user provider and everything was great for a year and a half.
I needed a second firewall with a different user provider for my REST API.

Being stateless, the rest api firewall didn't need the refreshUser method so I didn't bother doing anything inside but returning user (without noticing how my original class was built or the official documentation which apparently says I need to throw an exception if this isn't the right user provider for the user in the session).

I was having a problem with my main firewall after that point because I assumed it would only use the relevant user provider, but even though my API firewall only applied to a specific host/pattern, the user provider for that firewall was still being used. If it had run the supports method first, it wouldn't have done that even with my initial mistake. Frankly, I don't know why there is a supports method if it's not being utilized for this purpose...I saw supports() is used for the rememberme functionality, but seems inconsistent not to use it everywhere.

Not only should Symfony be updated to check the supports() method, but I also think it should only loop through user providers for the current applicable firewalls. Since we define a user provider per firewall, I think that would be the natural way for it to work. Otherwise why even define a user provider on the firewall if it's just going to try to use them all anyway?

Furthermore, in the case of a stateless firewall, requiring the refreshUser method via the interface seems strange.

!rant

Got a question since I've been working with ancient web technologies for the most part.
How should you handle web request authorization in a React app + Rest API?
Should you create a custom service returning to react app what the user authenticated with a token has access to and create GUI based on that kind of single pre other components response?
Should you just create the react app with components handling the requests and render based on access granted/denied from specific requests?
Or something else altogether? The app will be huge since It's a rewrite off already existing service with 2500 entities and a lot of different access levels and object ownerships. Some pages could easily reach double digits requests if done with per object authorization so I'm not quite sure how to proceed and would prefer not to fuck it up from the get go and everyone on the team has little to no experience with seperated frontend/backend logic.

How do y'all approach media-endpoints?
Specially publicly accessible user-uploaded media

Rn I encrypt the path to the media-
/file and expose it, decrypt on the server (returning a relative file-path) which then fetches the file via File.Read and returns it as-is

I put a cache header and works fine

But something in the back of my mind makes me feel it isnt right

Like, normal endpoints and file-read endpoints shouldnt be in the same backend, potentially affecting each other

But since it's just a fun pet project so Im not paying for a 2nd baremetal server as a CDN/media server -.-

Worst case scenario I use it as-is, but would appreciate hearing other approaches

Random error that was occurring in prod discord authentication for new users (only in prod):

It wasn't returning the discord ID of the user logging in (only in prod). This should not even be possible if the user authenticates. So the null value from the ID was used and returned the first user in the DB (I know, weird mongodb edge cases). It should have returned null for the user searched not the first user in the DB wtfff.

Anyways, new users logging in would be logged in as me. Bahahah

Pushed the fix. All is good in the hood.