A tcp packet walks in to a bar and says “I want a beer”, barman says “you want a beer?” and tcp packet says “yes, a beer” .

In high society, TCP is more welcome than UDP. At least it knows a proper handshake.

A bunch of TCP packets go into a bar, until it’s overcrowded. The next day, half as many go in.

A bunch of TCP packets walk into a bar. The bartender says, “Hang on just a second, I need to close the window.”

When I try to send SYNs to chicks, I don’t get any ACKs. Just FINs and RSTs.

IP packet with TTL=1 arrives at bar. Bartender: “Sorry, can’t let you leave…and you don’t get any beer either…” 

The worst part about token ring jokes is that if someone starts telling one while you are telling yours, all joking stops.

The great thing about TCP jokes is that you always get them.

The problem with TCP jokes is that people keep retelling them slower until you get them.

I would tell some UDP jokes too but I never know if anyone gets them

The best thing about UDP jokes is that I don’t care if you get them or not.

I had a funny UDP joke to tell, but I lost it somewhere...

The sad thing about IPv6 jokes is that almost no one understands them and no one is using them yet.

I tried to come up with an IPv4 joke, but the good ones were all already exhausted.

A DHCP packet walks into a bar and asks for a beer. Bartender says: “here, but I’ll need that back in an hour!

DHCP jokes only work when there is only one person telling them

The worst part of SSH jokes is that, even when they're not funny, you suck it up and just pretend they were anyway.

The problem with token ring jokes is you need to wait your turn to laugh

I’d make a joke about UDP, but I don’t know if anyone’s actually listening…

Before you're hired:
1. A binary tree?
2. Currying?
3. Higher-order function?
4. How does event loop work?
5. What is prototype?
6. What is encapsulation?
7. Can you draw an algorithm?

After you're hired:
1. Hey, can you add auth token and login to our app?

The GET /users endpoint will return a page of the first 13 users by default.

To request other pages, add |-separated querystring with the limit and offset, as roman numerals enclosed in double quotation marks. Response status is always equal to 200, plus the total count of the resource, or zero when there's an error.

You can include an array of friends of the user in the result by setting the request header "friends" to the base64-encoded value of the single white pixel png.

Other metadata is not included by default in responses, but can be requested by appending ?meta.json to any endpoint, which will return an xml response.

If you want to update the user's profile picture, you can request an OAuth token per fax machine, followed by a pigeon POST capsule containing a filename and a rolled up Polaroid picture. The status code attached to the return postal dove will be the decimal ASCII code for a happy smiley on success, and a sad smiley if any field fails form validation.

-- Every single external REST API I've ever worked with.

Ever wanted cheat codes to devRant? Well, that's weird. But here you go, I guess.

Since the avatars do not use any external assets (Such as images), all avatars are generated. To be friendly to people who want to make third-party devRant clients (such as devRantron), avatars are generated server-side, so that the assets don't need to be distributed, and third-party programmers don't need to work out rendering avatars.

But this allows you to cheat a little.

The devRant avatars API works like this: you request a really long URL from the API, specifying the IDs of each cosmetic item the user has active, and it returns a PNG file. But you don't need an auth token to generate an avatar (which makes sense), so the avatar API is essentially a sandbox you can play around with if you have the time and patience.

You can write a really good avatar previewer with this knowledge, and see your avatar with a white tiger, even if you don't have the ++s

Dear Google OAuth,

you might hate me since i spammed you the whole day with access token requests.
But this is all your fault. Because you never gave me ONE SINGLE SHITTY TOKEN!!
WHAT THE FUCK IS THIS "BAD REQUEST" ERROR MESSAGE?!

You're a rich as shit company with thousand and thousands of employees.
OAuth is one of your essentials cause it handles the access to all your services.
So why the hell i cannot get some smart errormessage to debug my shit.

You are like my gf, when she is mad at me and does not tell me why. But even she is a lot easier to debug!

This week I quit the corporate life in favour of a much smaller company (60 people in total) and i never felt so good.

After 3 years in 2 big corporations, I began to hate coding mainly because of:
- internal political games. It's like living inside House of Cards everyday.
- management and non-tech people choosing tech stacks. Angular 4 + Bootstrap 4 alpha version + AG-Grid + IE11. Ohhh yeah. Not.
- overtime (even if it was paid double). I never did a single minute of OT for fixing something that I caused. I spent days fixing things caused by others and implementing promises that other people made.
- meetings. I spend 50-60% of the time in pointless meetings (I tracked them in certain time intervals) but the workload is same like I was working 8 hours / day.
- working in encapsulated environments without access to internet or with limited access to internet (no GitHub, no StackOverflow etc.)
- continuously changing work scope. Everyday the management wants something new introduced in the current sprint/release and nobody accepts that they have to remove other things from the scope in order to proper implement everything.
- designers that think they are working for Apple and are arguing with things like "but it's just a button! why does it take 2 days to implement?"
- 20 apps installed additionally on my phone (Citrix Receiver, RSA Token, Mobile@Work Suite etc.) just to be able to read my email
- working with outdated IDEs and tools because they have to approve every new version of a software.
- making tickets for anything. Do you want a glass of water? Open a ticket and ask for it.
- KPIs. KPIs everywhere. You don't deserve anything because the KPIs were not accomplished.

The bad part of the above things is that they affect your day-to-day personality even if you don't see it. You become more like a rock with almost 0 feelings and interests.

This is my first written "rant". If anyone is interested, I will post different situations that will explain a lot of the above aspects.

Created an developer account to get a token for an API and found this nice license agreement

This is not really a rant, but...dude.

I was browsing github for a suitable library when i found a test repo of someone. A script inside and at the top he wrote his authentication token. I first thought it was a placeholder or an example or a test he used. No. I entered the token and could control his instance of the app. I sent him a message to disable this token.

This is just my token of appreciation for the Skype devs. Can't begin to say how much I hate it. Your android app is a joke even after a host of updates, your desktop client is an even bigger joke (atleast Linux Beta version, I know betas aren't supposed to be stable but this is ridiculous).

You have reinvented chat clients to be extremely bulky, cumbersome and very hard to sync across devices. And you have managed to make it "buffer" more than a YouTube video does on a 2G network. I for one, am blown over by how you did that. And to top it all, you can't close the client on Linux atleast! All you did is just override the close button so that it only minimises it. Brilliant piece of work right there!

Why the hell can't you just close the client and run it in the background the proper way like everyone else does? Why does it have to take 20 *** seconds to open a message? The only reason I am stuck with this is some wierdos in the office still only use this. Get your shit together 😡

Ahh.. I feel much better now.

Fuck the memes.

Fuck the framework battles.

Fuck the language battles.

Fuck the titles.

Anybody who has been in this field long enough knows that it doesn't matter if your linus fucking torvalds, there is no human who has lived or ever will live that simultaneously understands, knows, and remembers how to implement, in multiple languages, the following:

- jest mocks for complex React components (partial mocks, full mocks, no mocks at all!)
- token cancellation for asynchronous Tasks in C#
- fullstack CRUD, REST, and websocket communication (throw in gRPC for bonus points)
- database query optimization, seeding, and design
- nginx routing, https redirection
- build automation with full test coverage and environment consideration
- docker container versioning, restoration, and cleanup
- internationalization on both the front AND backends
- secret storage, security audits
- package management, maintenence, and deprecation reviews
- integrating with dozens of APIs
- fucking how to center a div

and that's a _comically_ incomplete list; barely scratches the surface of the full range of what a dev can encounter in a given day of writing software

have many of us probably done one or even all of these at different times? surely.

but does that mean we are supposed to draw that up at a moment's notice some cookie-cutter solution like a fucking robot and spit out an answer on a fax sheet?

recruiters, if you read this site (perhaps only the good ones do anyway so its wasted oxygen), just know that whoever you hire its literally the luck of the draw of how well they perform during the interview. sure, perhaps some perform better, but you can never know how good someone is until they literally start working at your org, so... have fun with that.

Oh and I almost forgot, again for you recruiters, on top of that list which you probably won't ever understand for the entirety of your lives, you can also add writing documentation, backup scripts, and orchestrating / administrating fucking JIRA or actually any somewhat technical dashboard like a CMS or website, because once again, the devs are the only truly competent ones - and i don't even mean in a technical sense, i mean in a HUMAN sense of GETTING SHIT DONE IN GENERAL.

There's literally 2 types of people in the world: those who sit around drawing flow charts and talking on the phone all day, and those WHO LITERALLY FUCKING BUILD THE WORLD

why don't i just run the whole fucking company at this point? you guys are "celebrating" that you made literally $5 dollars from a single customer and i'm just sitting here coding 12 hours a day like all is fine and well

i'm so ANGRY its always the same no matter where i go, non-technical people have just no clue, even when you implore them how long things take, they just nod and smile and say "we'll do it the MVP way". sure, fine, you can do that like 2 or 3 times, but not for 6 fucking months until you have a stack of "MVPs" that come toppling down like the garbage they are.

How do expect to keep the "momentum" of your customers and sales (I hope you can hear the hatred of each of these market words as I type them) if the entire system is glued together with ducktape because YOU wanted to expedite the feature by doing it the EASY way instead of the RIGHT way. god, just forget it, nobody is going to listen anyway, its like the 5th time a row in my life

we NEED tests!
we NEED to know our code coverage!
we NEED to design our system to handle large amounts of traffic!
we NEED detailed logging!
we NEED to start building an exception database!

BILBO BAGGINS! I'm not trying to hurt you! I'm trying to help you!

Don't really know what this rant was, I'm just raging and all over the place at the universe. I'm going to bed.

One comment from @Fast-Nop made me remember something I had promised myself not to. Specifically the USB thing.
So there I was, Lieutenant Jr at a warship (not the one my previous rants refer to), my main duties as navigation officer, and secondary (and unofficial) tech support and all-around "computer guy".
Those of you who don't know what horrors this demonic brand pertains to, I envy you. But I digress. In the ship, we had Ethernet cabling and switches, but no DHCP, no server, not a thing. My proposition was shot down by the CO within 2 minutes. Yet, we had a curious "network". As my fellow... colleagues had invented, we had something akin to token ring, but instead of tokens, we had low-rank personnel running around with USB sticks, and as for "rings", well, anyone could snatch up a USB-carrier and load his data and instructions to the "token". What on earth could go wrong with that system?
What indeed.
We got 1 USB infected with a malware from a nearby ship - I still don't know how. Said malware did the following observable actions(yes, I did some malware analysis - As I said before, I am not paid enough):
- Move the contents on any writeable media to a folder with empty (or space) name on that medium. Windows didn't show that folder, so it became "invisible" - linux/mac showed it just fine
- It created a shortcut on the root folder of said medium, right to the malware. Executing the shortcut executed the malware and opened a new window with the "hidden" folder.
Childishly simple, right? If only you knew. If only you knew the horrors, the loss of faith in humanity (which is really bad when you have access to munitions, explosives and heavy weaponry).
People executed the malware ON PURPOSE. Some actually DISABLED their AV to "access their files". I ran amok for an entire WEEK to try to keep this contained. But... I underestimated the USB-token-ring-whatever protocol's speed and the strength of a user's stupidity. PCs that I cleaned got infected AGAIN within HOURS.
I had to address the CO to order total shutdown, USB and PC turnover to me. I spent the most fun weekend cleaning 20-30 PCs and 9 USBs. What fun!
What fun, morons. Now I'll have nightmares of those days again.

micromanager: "Quick and easy win! Please have this done in 2-3 days to start repairing your reputation"

ticket: "Scrap this gem, and implement your own external service wrapper using the new and vastly different Slack API!"

slack: "New API? Give me bearer tokens! Don't use that legacy url crap, wth"

prev dev: "Yeah idk what a bearer token is. Have the same url instead, and try writing it down so you don't forget it?"

Slack admin: "I can't give you access to the slack integration test app, even though it's for exactly this and three others have access already, including your (micro)manager."

Slack: "You can also <a>create a new slack app</a>!" -- link logs me into slack chat instead. After searching and finding a link elsewhere: doesn't let me.

Slack admin: "You want a new test slack app instead? Sure, build it the same as before so it isn't abuseable. No? Okay, plan a presentation for it and bring security along for a meeting on Friday and I'll think about it. I'm in some planning meetings until then."

asdfjkagel.

This job is endless delays, plus getting yelled at over the endless delays.

At least I can start on the code while I wait. Can't test anything for at least a week, though. =/

I wrote a database migration to add a column to a table and populated that column upon record creation.
But the code is so freaking convoluted that it took me four days of clawing my eyes out to manage this.
BUT IT'S FINALLY DONE.
FREAKING YAY.

Why so long, you ask? Just how convoluted could this possibly be? Follow my lead ~

There's an API to create a gift. (Possibly more; I have no bloody clue.)
I needed the mobile dev contractor to tell me which APIs he uses because there are lots of unused ones, and no reasoning to their naming, nor comments telling me what they do.

This API takes the supplied gift params, cherry-picks a few bits of useful data out (by passing both hashes by reference to several methods), replaces a couple of them with lookups / class instances (more pass-by-reference nonsense). After all of this, it logs the resulting (and very different) mess, and happily declares it the original supplied params. Utterly useless for basically everything, and so very wrong.

It then uses this data to call GiftSale#create, which returns an instance of GiftSale (that's actually a Gift; more on that soon).

GiftSale inherits from Gift, and redefines three of its methods.

GiftSale#create performs a lot of validations / data massaging, some by reference, some not. It uses `super` to call Gift#create which actually maps to the constructor Gift#initialize.

Gift#initialize calls Gift#pre_init (passing the data by reference again), which does nothing and returns null. But remember: GiftSale inherits from Gift, meaning GiftSale#pre_init supersedes Gift#pre_init, so that one is called instead. GiftSale#pre_init returns a Stripe charge object upon success, or a Gift (and a log entry containing '500 Internal') upon failure. But this is irrelevant because the return value is never actually used. Pass by reference, remember? I didn't.

We're now back at Gift#initialize, Rails finally creates a Gift object using the args modified [mostly] in-place by all of the above.

Another step back and we're at GiftSale#create again. This method returns either the shiny new Gift object or an error string (???), and the API logic branches on its type. For further confusion: not all of the method's returns are explicit, and those implicit return values are nested three levels deep. (In Ruby, a method will return the last executed line's return value automatically, allowing e.g. `def add(a,b); a+b; end`)

So, to summarize: GiftSale#create jumps back and forth between Gift five times before finally creating a Gift instance, and each jump further modifies the supplied params in-place.

Also. There are no rescue/catch blocks, meaning any issue with any of the above results in a 500. (A real 500, not a fake 500 like last time. A real 500, with tragic consequences.)

If you're having trouble following the above... yep! That's why it took FOUR FREAKING DAYS! I had no tests, no documentation, no already-built way of testing the API, and no idea what data to send it. especially considering it requires data from Stripe. It also requires an active session token + user data, and I likewise had no login API tests, documentation, logging, no idea how to create a user ... fucking hell, it's a mess.)

Also, and quite confusingly:
There's a class for GiftSale, but there's no table for it.
Gift and GiftSale are completely interchangeable except for their #create methods.

So, why does GiftSale exist?
I have no bloody idea.
All it seems to do is make everything far more complicated than it needs to be.

Anyway. My total commit?
Six lines.
IN FOUR FUCKING DAYS!

AHSKJGHALSKHGLKAHDSGJKASGH.

Front end + back end = Project finished.

This is my first full stack application that I spent a month working on. It's a basic database that holds car information and saves it to a SQL db. I built this using Java Spring/Hibernate for my backend and Node.JS/REACT for my front end. Mariadb handles SQL requests. REACT handles token requests for secure login, that was the hardest part of this whole thing.

I was going to comment on how frequently I feel like garbage and an inadequate excuse of a human being, but today is my birthday and this is the best gift I could get, a finished project from scratch.

I'm 29 today devRant. And I work over the weekend before going back to school, but at least I fucking finished something that I started.

...thanks, for everything. 😄

@JoshBent suggested that I'd make a blog about security.

Nice idea, fair enough!

*registers domain at provider with discounts at the moment*
*tries to find whois protection option*

"You can add WHOIS protection to your account as an upgrade"

*requests authorization token*

*logs into usual domain name provider account*

*transfers domain name*

*anonymizes WHOIS details within two seconds*

I could've stayed and ask them about the cost etc but the fact that they even HAVE a price for protecting WHOIS data is a no-go for me.

Fuck domain name resellers which ask money for protecting ones WHOIS information (where possible).

- Let's make the authentication system so the user can only login in one device at time, because this is more secure.
- You know that this will be a general-public application, right?
- Yeah!
- Sou you want to "punish" users with a logoff on the other device when he tries to login in a new one?
- Yeah!
- But before you said we will use Json Web Token to make the backend stateless.
- Yeah!
- And how will we check if the token is the last one generated?
- We will store the last generated token for this user on a table in our DB.
- So... you are basically describing the old authentication model, with session tokens stored on the backend and communicating them via cookies.
- Yeah, but the token will be sent on the Header, not on cookies
- Okay, so why will we use Json Web Token to do this in the first place?
- Because this is how they're doing now, and this will make the backend stateless.

A moment of silence, please.

I finally did it. I finally got rid of that client in a positive, respectful manner.

So basically, my dad has a freelance colleague. For a side project that person asked me to make him a website. My dad mentioned to said person that my sister's boyfriend does web design (he's trained to use autocad for designing the structure of furniture, nothing fancy just straight lines and upside down doors that fail after a while..

So my brother in law charged the guy 400 money for the design. I charged the guy 200 for the programming because my dad forced me to drop down my price to fit the budget because business relationship and he obviously couldn't let my sister's boyfriend not make more money than he deserves.

In the end after waiting on the design for weeks (I literally saw him do it in photoshop all in 2 layers on his laptop in half an hour) I had to rush the project because the due date was coming up. I already had most of it done but I had to redo a good part of the front-end to fit the design structure. I also had to re-do the design in photoshop to get the images and colors I needed, then cut it up into html. So realistically, my sister's boyfriend barely did anything.

Now the deal was that I'd develop the website and perform any updates/upgrades to it. I'd also host it on my webserver for a monthly fee. My sister's boyfriend was to handle any and all content related support.

At first it was all good, I only ever spoke with the guy when he needed a feature added and he paid me well for it. Overall the hit I took in initial development was paying off. As time went by, my sister's boyfriend started ignoring the guy's calls and the guy started calling me instead.

Now, he had this deal with my brother in law where he could charge his time at 35 money an hour. That's about 4 times minimum wage for not doing much.
Then I started to basically take over all support, but I was only allowed to charge 30 an hour. Pretty reasonable still and I wasn't too busy so it was all good.

As time went by I ended up getting asked to do more and more minimal changes. At some point I had done so many minimal changes I had to charge the guy about 2 hours extra that month and he went completely mental saying I can't just work for hours without telling him beforehand. We decided I had to discuss a price before any change. I charged my time on the phone with him twice after that and both times he bitched about me being expensive and once he even said he wanted to leave.

Now comes the fun part. A week ago he had an issue that was 100% support related. He tried calling my sister's boyfriend but the guy obviously didn't pick up. He called my dad about it, and my dad ended up calling my my sister's boyfriend. Now this guy is so slimy, he purposely didn't hang up the phone knowing my dad would use his cell and assume the other party would hang up because calls cost money. The guy heard my dad call my sister's boyfriend and heard him pick up immediately. He went completely mental saying how he wants both of us to always reply and call him back immediately.

This guy was always my lowest priority. He didn't really make me money and his calls and requests were annoying and unnecessary. Add to that that I specifically didn't want to handle support and was forced into it anyway, while all 'design' things (up to figuring out where and how to display a visitor counter) absolutely had to go to my sister's boyfriend..
But regardless of that, I generally replied to his emails within 10-20 minutes and rarely more than 25 hours.

My dad agreed (for us) that we now both had to reply to him within 24 hours. I was now stuck checking my voicemail every couple hours because my sister's boyfriend sucks at life.

During his rant he threatened to leave me, again. That was the point where I said fuck it.

For the past week I've been ignoring his calls. When he emails me I don't take more than 5 minutes replying. This morning I found an e-mail with 4 requests;

He wanted me to make a content-related change;
He wanted me to give him access to the site's Google analytics;
He wanted me to add a feature and write a guide on how to use it;
And fucking finally, he wanted a 'token to transfer his website'.

I promptly emailed him back saying I added his email a week ago and that he'd gotten an email from Google about it then, that I'd changed the content he wanted me to, a price for the last dev task and a token for his domain name, adding that its valid for 35 days and that his new host can contact me to receive a backup file of his website.

Sadly, I do have this on 10-minute dev job to do, but then I'm invoicing him all jobs I haven't invoiced yet and he can find another host willing to deal with his insanity.

The best part is I lose a webhosting client but I'm sure he'll still ask my sister's bitched parasitic boyfriend whenever he needs a photo resized and he'll still pay him 35 money for 2 minutes of work.

Fuck customers.

A month ago I had some medical tests, the next morning, the clinic's send a email with my results. Oh surprise, unbelievable security flaws. They sent me a link without any kind of authentication, token, or security. I looked at my results, and by entering consecutive and random numbers I was able to download a lot of results and folders of other patients. I wrote an email to the clinic informing them of this situation and their response was "Thank you". Today I have accessed the link and the error is still present. I am going to notify higher health authorities.

I'm losing my fucking mind right fucking here.

Setting an anti-csrf token in the index.php file ONCE. Yes, I triple trillion checked, only fucking once.

Print it to the page as test, fair enough, looks good.

Send an ajax request to the server:
AN ENTIRELY FUCKING DIFFERENT TOKEN 😡

Fucking hell.

Checked the GitKraken save files for fun (kind of a hobby) and oh well.... what a wonder:
They store your fucking GitHub access token in "plain text" in a hex file as you can see in the image.
I checked the token and it works. Wow.
Good job GitKraken ✔
That happens when you're closed source...

On the presentation for my database project my team and I showed a NodeJS + Mongo + VueJS project with cloud storage capability, nothing fancy but did everything from scratch (from token auth and system encryption to the frontend CSS and the database) the teacher made some questions and meh'd at it.

Behold team two's project, WordPress with a standard template and phpMyAdmin, teacher loves it because "it's so beautiful"

Guess who just failed that class?

God I love college, it's the best time investment I've ever done and it'll surely pay out.

Dev: Can you please tell me why you changed this?
Me: Because we need to handle permissions in the app. The quickest way of doing it, according to the docs, is [insert change log here]
Dev: But we can just check for the user's token.
Me: That's not exactly a permission, because...
Dev: I was only showing the information related to the user according to their token.
Me: I understand. But that means you're filtering data, not authorising users to access it. If a user is logged in, but changes query parameters, they can still access data they shouldn't be able to.
Dev: Whatevs.

Le me then proceeds to try to push my changes (that took the whole day to implement), gets a "you need to pull first" message from git, doesn't understand why, logs onto GitHub and realises dev has implemented their "permissions".

I was the one responsible for making those changes. Le dev was meant to be doing other things.

How do I even begin to explain?

Help my team get a new token for the stand ups... We are thinking about something more orange...

Embarrassing moment:

Needed to deliver apk urgent urgently​ for push notification testing. I was unable to receive push token. Code is right in every way. Couldn't figured out in 15min. Lead comes to my seat and asks what's issue. And hey suddenly I figured it out. It was my wifi closed.. Bullshit 😬😠

Everyone complains that a certain developer's code is not up to standard and when they have to take over his project the lack of code quality is really slowing them down.

I look at code, agree it is poor quality and put together a learning plan for said developer.

Also look at who approved every pull request which allowed bad code into our codebase. Same developers as those complaining it's no good. You had your chance to stop it!

@netikras since when does proprietary mean bad?

Lemme tell you 3 stories.

CISCO AnyConnect:
- come in to the office
- use internal resources (company newsletter, jira, etc.)
- connect to client's VPN using Cisco AnyConnect
- lose access to my company resources, because AnyConnect overwrites routing table (rather normal for VPN clients)
- issue a route command updating routing table so you could reach confluence page in the intranet
- route command executes successfully, `route -n` shows nothing has changed
- google this whole WTF case
- Cisco AnyConnect constantly overwrites OS routing table to ENFORCE you to use VPN settings and nothing else.

Sooo basically if you want to check your company's email, you have to disconnect from client's VPN, check email and reconnect again. Neat!

Can be easily resolved by using opensource VPN client -- openconnect

CISCO AnyConnect:
- get a server in your company
- connect it to client's VPN and keep the VPN running for data sync. VPN has to be UP at all times
- network glitch [uh-oh]
- VPN is no longer working, AnyConnect still believes everything is peachy. No reconnect attempts.
- service is unable to sync data w/ client's systems. Data gets outdated and eventually corrupted

OpenConnect (OSS alternative to AnyConnect) detects all network glitches, reports them to the log and attempts reconnect immediatelly. Subsequent reconnect attempts getting triggered with longer delays to not to spam network.

SYMANTEC VIP (alleged 2FA?):
- client's portal requires Sym VIP otp code to log in
- open up a browser in your laptop
- navigate to the portal
- enter your credentials
- click on a Sym VIP icon in the systray
- write down the shown otp number
- log in

umm... in what fucking way is that a secure 2FA? Everything is IN the same fucking device, a single click away.

Can be easily solved by opensource alternatives to Sym VIP app: they make HTTP calls to Symantec to register a new token and return you the whole totp url. You can convert that url to a qr code and scan it w/ your phone (e.g. Google's Authenticator). Now you have a true 2FA.

Proprietary is not always bad. There are good propr sw too. But the ones that are core to your BAU and are doing shit -- well these ARE bad. and w/o an oppurtunity to workaround/fix it yourself.

Last week my company thought it would be a great idea to introduce a new sh*tty internal web portal that gives federated access to aws (instead of using our own accounts to assume dev roles like we used to do).

This broke a lot of sh*t that simply used to ask for an MFA token and used our practically permissionless accounts to assume a proper dev role. An MFA token that we'd enter directly into the terminal/tool. It was very seamless. But nooooooo we now have to go a webpage, login with sso (which also requires mfa), click "generate credentials," copy-paste those into terminal/creds file and _then_ continue our aws cli call. Every. Single. Day.

BUT TODAY I HAD ENOUGH.

I spent the entire day rewriting the auth part of our tools so they would basically read the cookie that's set by the web portal, and use it to call the internal api that generates the credentials, and just automatically save those. Now all we need to do is log into the portal, then return to the tool and voilà, the tool's also got access! Sure, it's not as passive as just entering an MFA token directly, but it's as passive as it gets. Still annoyed by this sh*tty and unnecessary portal, but I learned a thing or two about cookies.

.... And it appears my Atom has Entered the Matrix. Full time.

In other news, I successfully completed the E-Commerce App I was working on, even though that Stripe Verification was a ball ache and the bane of the entire project giving me a stupid bug in jQuery whereby it was infinite looping over adding the token and not actually submitting the card charge. Somehow changing my button from using an id to using a class fixed my problem :/ (# -> .)

In january 2023 i was contacted by a recruiter offering me a job position.

I DID NOT ASK FOR A JOB.

I WAS NOT LOOKING FOR A JOB.

THEY contacted ME.

Ok. So i went along with it and see how it goes. They probably wont hire me nor would i give a shit. Chatted with this recruiter for a while. She forgets to answer my message for 5 fucking days. Twice. Once because she was doing God knows what and the second time because she was on paid vacation. Fine i don't give a shit about you at all anyways.

So this recruiter chatting has been stretched out for several days. I think over a WEEK. So she forwarded me to their lead developer.

I applied to work as a full stack java spring boot backend + angular frontend engineer.

So:
- java backend
- angular frontend
- full stack
- shitload of devops
- shitload of projects i built
- worked with clients
- have CS degree, graduated
- worked a job at their rival company

What could go fucking wrong with all of these stats right?

During technical + hr interview (3 of us on google meets) they asked me what salary I'd be comfortable with.

I said $1500/month straight out.

keep in mind:
- In my country $500 or $600 is a salary for engineers per month
- You get a raise of +$150 which is around $750 after working for 1+ year
- You can earn $1000+ after you work for +2 years
- Rent here is $200-300 a month at minimun. And because of inflation its just getting worse especially with food. So this salary is not for living but for survival.

Their lead engineer gave me a WHOLE ASS FUCKING PROJECT TO BUILD and i had to code it within 10 days. Great so at least 17+ days of my fucking life to waste on these fucktards who contacted ME.

The project was about building a web app coffee shop literally what mcdonalds has when you order via those tablets. I had to build this in java spring boot and angular. I had to integrate:
- docker, devops
- barmen, baristas, orders
- people can order at the table or to go
- each barista can take 5 orders at a time
- each coffee has different types of fields and brewing time
- each barman brews each coffee different period of time
- barista cant take more than 5 orders for to go until barman finishes the previous order
- barista can take more than 5 orders but if those orders were ordered from table, and they have to be put in queue
- had to build CRUD admin functionality coffee's
- had to export them all of the postman routes
- had to design a scalable database infrastructure for all of this alone
- shitload of stuff more

And guess what. After 10 painful days I BUILT THE WHOLE THING MYSELF AND I BUILT EVERYTHING THEY ASKED FOR. IT WAS WORKING.

Submitted it. They told me they'll contact me within 7 days to schedule the final Technical interview after they review what i built. Great so another 17+7 days of my fucking time wasted.

OH and they also told me to send them THE WHOLE GITHUB REPOSITORY AND TRANSFER OWNERSHIP TO THEIR COMPANY'S OWNERSHIP. once you do this you cant have your repository back. WTF? WHY CANT YOU JUST REVIEW THE CODE FROM MY PUBLIC REPOSITORY? That was so weird but what can i fucking do argue with these dickheads?

After a week of them not answering i contacted them via email. They forgot and apologized. Smh. Then they scheduled an interview within 3 days. Great more of my time wasted.

During interview i was on a google meets with their lead engineer, 1 backend java spring boot engineer and 1 angular frontend developer. They were milking me dry for 1 whole fucking hour.

They only pointed out the flaws in what i built, which are miniscule and have not once congratulated me on the rest of the good parts. I explained them i had to rush those parts so the code may not be perfect. I had other shit to do in my life and not work for your shitty project for $0/hour for 10 days you fucking dickriders.

So they quickly ran over to theory. They asked me where is jwt token stored. Who generates it. How the backend knows to authenticate user by it. I explained.

What are solid principles. I said i cant explain what is it but i understand how it works, why its needed and how to implement it (they can clearly see in the project i just build that i applied SOLID principles everywhere) - but i do admit i dont know the theory behind it 100% clearly.

Then they asked me about observables and promises in angular. I explained them how they work and how subscribe method is used (as they can clearly see that i used it in the code). Then they asked me to explain them under the hood of how observables work. The fuck? I dont know and dont care? But i can learn it as i work there?

Etc

Final result: after dragging this for 1 fucking month for miserable $1500/month they told me: we can either hire you now but for a much lower salary which you probably wont be happy with, or you can study more these things we discussed "and know why the car leaks oil" and reapply back to us in 2-3 months!

Well, for starters there was a cron to restart the webserver every morning.

The product was 10+ years old and written in PHP 5.3 at the time.

Another cron was running every 15 minutes, to "correct" data in the DB. Just regular data, not from an import or something.
Gotta have one of those self-healing systems I guess.

Yet another cron (there where lots) did run everyday from 02:00 to 4ish to generate the newest xlsx report. Almost took out the entire thing every time. MySQL 100%. CPU? Yes. RAM? You bet.

Lucky I wasn't too much involved at the time. But man, that thing was the definition of legacy.

Fun fact: every request was performed twice! First request gave the already logged-in client an unique access-token. Second request then processed the request with the (just issued) access-token; which was then discarded. Security I guess.

I don't know why it was build this way. It just was. I didn't ask. I didn't wanted to know. Some things are better left undisturbed. Just don't anger the machine. I became superstitious for a while. I think, in the end, it help a bit: It feels like communicating with an alien monster but all you have is a trumpet and chewing gum. Gentle does it.

Oh and "Sencha Extjs 3" almost gave me PTSD lol (it's an ancient JS framework). Followed by SOAPs WSDL cache. And a million other things.

Cannot use invalid token: token invalid.

Thanks, guy.

he: checkout my crazy FUD hack (a token stealer which turned out to be far more malicious than i anticipated)
me: executes it (yes in a VM)
windows defender: lemme delet this
he: ooh i forgot the word stub in there. microsoft detects that lemme fix that sends new file
me: here we go aga..
ms defender: nononono virus 117% delet this
he: i forgot it still!!

later i deactivated ms defender and analysed the traffic of the vm. in addition to stealing my fake tokens he also tried to read my Firefox/chrome history, IP.
when i asked him (2 days later) what this was all about in his "educational only" "token stealer" he threatened to
a) publish my IP
b) publish my browser history and with that my real name and address
b.0) when i asked him for proof he said he knows that my real name is "Roman Gräf" and i live in Frankfurt. (btw i do live in Frankfurt and that is in the profile of the discord server where he found me and i have the same username on discord as i have here)
c) to kill my machine and all my projects
got bored, blocked him, shut VM down.

Escalation channel

Q: @here I'm sending a request to X and I'm getting a timeout. Please help.

A: Can you please share the request you're sending?

Q: It's <URL> and I send this token as a Bearer: <token>

A: I understand that, but it's a lot easier to debug if we have the curl for said request. You can find it here: <postman_screenshot_with_arrows>

Q: Here's what it looks like: <postman_screenshot_with_17.4_km_long_curl>

Embedding private encryption key in production javascript file and fetching third party session token client side.

That moment when you work the whole day to write a discord bot from scratch. No discord.py and other wrappers. Pure websockets, oauth2, https, json loads here and there. Understanding how the discord API works was a real challenge, but I did it :).
Most of my time was spent on discord's gateway connection and identification system.

The bot can renew its token, get all the guilds it is part of, all the channels and users of these guilds, send message and communicate with the gateway.

Tomorrow I will start connecting it to a voice channel and let it "speak". Thinking of combining text-to-speech with it, but I am not sure how well they are going to harmonize together.

After working for this company for only a couple years, I was tasked with designing and implementing the entire system for credit card encryption and storage and token management. I got it done, got it working, spent all day Sunday updating our system and updating the encryption on our existing data, then released it.

It wasn't long into Monday before we started getting calls from our clients not being able to void or credit payments once they had processed. Looking through the logs, I found the problem was tokens were getting crossed between companies, resulting in the wrong companies getting the wrong tokens. I was terrified. Fortunately I had including safe guards tying each token to a specific company, so they were not able to process the wrong cards. We fixed it that night.

*Working on a project with boss, I am working on a mobile app, he is working on web service app.

Me: this service takes user id as parameter to get all account details (all other web services are like that)

Boss: yes, I use the id to filter the data.

Me: but by this, everyone has the id can do anything ! why we do not use session token?

Boss: this is a detail, it is not important !

Me:...

*7 years of experience my ass

Google just emailed me to tell me that I should, "take action against suspicious apps that can access your data"... but the app in question was a Google Drive API token I made for a thing I am personally developing .-.

26 or so hours up now. And I've got a few stories to tell :) feel free to refresh your cup of coffee and take a seat.

Last few days I've been going into this odd place called intown.irl to get in touch with its inhabitants. An odd place I have to say. But in some cases quite rewarding, even got a MILF home with me and into bed at some point. Anyway...

3 days ago I think it is now? Thursday evening I took my laptop to this local bar where I had this issue about dihydrogen monoxide with one of the bartenders earlier (you'll find that rant on those keywords). Still wanted to visit it regardless though, as I met that first woman there earlier that approached me. Unfortunately I didn't see her there that day.

Some bald guy who was clearly drunk approached me. Many people were already giving curious looks at this laptop I brought to the bar. I finally tuned it up with the stickers from FOSDEM.. I'll put a picture of it in the comments. My theme was one of privacy (central), distributions and Google's open source initiative (which aligns with the keychain token I got from them as well). But of course.. that guy.. he thought that a pimped/riced laptop obviously meant that I was a hacker.

Guy went to the toilet.. went back.. and suddenly grabbed my laptop and turned it towards him. Boy was I never more smugly satisfied that those rubber pads on the bottom are quite resilient. Could've almost damaged my screen by trying to grab it like that. But it's a CCFL display.. so high voltage. If it were to become broken.. worth it. 😈

On it at the time was a terminal, pinging Google (had network issues at that bar, to the point where one of the - I think - staff members got up to me and offered the WiFi password and got to talk with me.. more on that later), and my usual Linux desktop along with the Arch anime wallpaper with the quote of Da Vinci.. simplicity is the ultimate sophistication. Of course the guy saw the terminal.. and probably reaffirmed.. yep, that's a hacker. At least he wasn't too wrong about the general term.. but the hat.. most likely he was wrong on that one.

Guy left with this question.. "you are a hacker, aren't you."
I replied to him: "No sir. I'm not a hacker. I've got no idea what you're talking about."
Guy kept looking at me weirdly for the whole night to come.

Back to that companion guy though. Mac user, yada yada.. but he told me about his backup solution. Apparently - I shit you not - he has not only the photos on his local device, he's also frequently backing them up in Time Machine (which I was really curious about whether it uses mirroring or snapshots.. he couldn't tell, lmk if you do) but not only that.. he was storing another offsite backup in that very bar, in case his house went on fire.

Now that is a proper backup scheme!!! If only more people were like that.

Seriously though.. that bald guy who took my laptop just like that... I just let it slide for that one time, but I tend to treat my machines as an extension of my very self. I think that was a very uncalled for move. Asshole...

How would you have reacted to such a thing? And.. maybe that's why we technologists don't get outside too often? Fucking everything is hacking these days if it's not Knopkes and Blinkenlights… Not every shell is a h4xx0ring console for h3kk1ng de fasbuk…

Microsoft Teams can burn.

Who the fuck thought it would be an excellent workflow, when you want to COLLABORATE IN TEAMS between users in different domains, that each sorry bastard needs to manually log in to a second Teams tenant and loose all the context from their main Teams tenant !?

On random occasions the fucking authentication token expires. I send messages to my team mate in another domain. Three days later I am pissed off because they don't answer. It turns out their authentication token has expired so when they are on their main tenant they don't get any notifications before they manually log in to our tenant as a guest. HOW FUCKING GREAT IS THAT AS A NOTIFICATION SYSTEM ??!

Would it be that fucking difficult to maintain a notification bar with all tenants and note with an exclamation mark or something REALLY FUCKING SIMPLE to hint about an expired token ? It's not like this is magic, Slack does it already.

FUCK !

Hope you survived the Monday;)

As I promised, I’d like to post my comic series “Destory” here regularly.

A story about two devs and their funny but serious project, on the hype technology - the blockchain.

Note to my past self:

Thank you for taking care of me and assuming that out of no fucking sudden authorization token will be required to perform an API call!
You saved me so much refactoring and modifications with your tiny little assumption of how fuckups will think :)

Fuck this
I get to work with API where you CAN authenticate with username/password and get a token

But you CAN'T get user info from token (auth response contains ONLY token)

So what I have to do:

1. Get token

2. Request ALL FUCKING USERS and load them into my DB

3. Search through local DB by username and, yeah, here I go

Now I need to have a cron job to update user DB 1/2 times per day

I can't think of ANY reason not to allow this

Twilio literally broke my integration because I have not logged into its portal for 2 weeks. Got notified by users complaining SMS wasn’t going through.

Boss: "So I'm taking the next week off. In the mean time, I added some stuff for you to do on Gitlab, we'd need you to pull this Docker image, run it, setup the minimal requirement and play with it until you understand what it does."

Me: "K boss, sounds fun!" (no irony here)

First day: Unable to login to the remote repository. Also, I was given a dude's name to contact if I had troubles, the dude didn't answer his email.

2nd day: The dude aswered! Also, I realized that I couldn't reach the repository because the ISP for whom I work blocks everything within specific ports, and the url I had to reach was ":5443". Yay. However, I still can't login to the repo nor pull the image, the connection gets closed.

3rd day (today): A colleague suggested that I removed myself off the ISP's network and use my 4G or something. And it worked! Finally!! Now all I need to do is to set that token they gave me, set a first user, a first password and... get a 400 HTTP response. Fuck. FUCK. FUUUUUUUUUUUUUUUUUUUCK!!!

These fuckers display a 401 error, while returning a 400 error in the console log!! And the errors says what? "Request failed with status code 401" YES THANK YOU, THIS IS SO HELPFUL! Like fuck yea, I know exactly how t fix this, except that I don't because y'all fuckers don't give any detail on what could be the problem!

4th day (tomorrow): I'm gonna barbecue these sons of a bitch

(bottom note: the dude that answered is actually really cool, I won't barbecue him)

Web3 truly is a fucked up space. All of the fuckertry happening over here is out of control. Literally a dystopian shithole of scams frauds crimes theft and ponzi schemes.... As much as i try to defend web3 since im a web3 dev it's getting real fuckin hard. The more i work in this space the more i understand economics and how all of this shitshow flows.

Without diving into details, I'll tell you right now from a very deep economic perspective: i realized that all of these cryptos are just.. shams, quasi buzz words to keep the "investors" giving them money. Essentially like wolf of wallstreet scams mixed with bernard madoff multi billion dollar ponzi schemes. The "investors" earn a lot of money.... But on paper! As unrealized gains. And by the time they are able to withdraw their money, that money becomes worthless because of insufficient liquidity in the pool that has been drained from top to bottom of the pyramid. So the only person truly getting filty rich is the one on top of this pyramid - the founders!

After the FTX disaster that happened 2 days ago the prices of ALL coins dropped drastically and it isnt stopping. So much for your glorified "decentralization" 😹😹😹😹😹

How can something be decentralized if its enough for 1 influential man to tweet some shit and the company/token price value drops or increases within minutes? In this case the whole of crypto got sliced by 1 influential man... Again. It's only a matter of time until someone else goes bankrupt and cycle repeats... Again.

Is that really an exposed, unsheltered, publicly visible, unprotected token lying around

//Dunno what causes these random connection errors; probably just hiccups in connection between our EC2 instance and Discord
try {
client.login(token);
} catch(e) {
//Do nothing, just prevent it from crashing the main thread and the client will reconnect
}

Might be more of a self-rant.. We’re developing an application with token-based authentication.
It’s a big an complex authentication model and flow, which we wrapped up a month ago. All of us very proud of it.

All of a sudden none of it worked.
We debugged for days, there were no errors or anything to trace what was happening.

Today we realized that we set the expiration of the token to 20 years.
Aaaand the expiration time is later on converted to epoch.

Guess what happens when you try to use a value > 2 147 483 647 in C#? Stuff blows up, cuz that’s the limit of an int32.

So yeah, feels good having prepared for the Y2K38 bug already, even though we’ll be replaced by AI writing better software than my dumb ass by then.

(To be fair, it was hidden in Microsoft Owin, which could use some error handling and/or proper messages..)

So I wrote a code for a discord bot a few months back. It worked perfectly alright. Suddenly one day, the bot starts sending random shit to me!

Then I realised that my bot had been hacked because I didn't use the bot token as an environment variable while deploying!

Instead I added it to the code, which I uploaded on GitHub! 😐

It’s throw back Thursday!

Back to 1979... before the time of the red dragon book compiler book, (forgetting about the green dragon book) ... there was a time where only a few well written compiler and assembler “theory” books existed.

What’s special about this one? Well Calingaert was the co patentor of the OS/360. .. “okay soo? ... well Fred Brook’s Mythical Man-Month book I posted the other day. Calingaert is basically the counterpart of brooks on the OS/360.

Anyway, the code is in assembly (obviously) and the compiler code is basic.

Other than this book and from my understanding 2-3 other books that’s all that was available on compilers and assemblers as far as books written goes at the token.

ALLL the rest of knowledge for compilers existed in the ACM and other computing journals of the time.

Is this book relevant today, eh not really, other than giving prospective, it’s a short in comparison to the red dragon books.

If you did read it, it’s more of a book that gives you more lecture and background and concepts.. rather than here’s a swath of code.. copy it and run.. done.. nope didn’t happen in this book.. apply what you lean here

As a token of my commitment to devRant I bought a new phone so I can use the app. True -fucking- story... Goodbye old buddy #lumia930 (pi) (b)

Hey here we go:)
My first comic series - “DevStory”

A story of two devs aiming at changing the world’s impact about cryptos by their own token project.

Bugs, cheap scammers, money, flying unicorns and a lot of laughs!
(Episode 1)

I once agreed to maintain and develop an application used in a different section of the school to keep inventory and make sure everything is where it is supposed to be.

At first there was enthusiasm, together with 2 of my classmates we agreed and git clone-d the .NET application that now graduated students built and maintained for the past few years. What could go wrong right?!

It became clear that the original students that worked on it followed an older curriculum, meaning they still got taught .NET instead of the core variant that we get now, not only that but it also seemed that they either did not fully grasp the Clean/Onion architecture or didn't get it in class since there were infrastructure components in the 'Domain' project of the solution. Think of 2 DBContexts in the domain model, yep.

One of us bailed in the first week, the other one and I felt bad for the people using the app so we went on and tried to work on the first bugs that were described in a document. One of these bugs was 'whenever I filter on something in the list, everybody gets to see that filter on their screen instead of only me'. Woah that's weird! Let's see how they put that together!

Oh god, they are using a _static_ variable to store filters, no wonder that it doesn't work properly. Ever heard of sessions?!

Second bug: Sometimes people can't create an account when we sign them up from the admin panel. Alright that is weird, let's figure that one out! Wait a second it seems to work in development? What's this about.

Oh wait I can't create an account on production either? Oh that's weird, wait a second... Why do I have to put my e-mail in a form that was sent to me through e-mail? Why is my address not filled in already? OOH, if someone types in the wrong e-mail address (which is easy since our school has 4 variants of the same f*cking e-mail address) it won't work since it can't recognize the user! Brilliant! Remove e-mail input box and make a token/queryparam determine the user account.

Ah that seems good, it's a mess but it seems a tiny bit better now, great! We're making progress and some sweet buck.

Next bug, trillions of 50x errors on random pages, that's a weird one.

Hm everything works in development, that's odd. Is the production data corrupted?

DID I MENTION that in order to get into the system in development we have to load in a f*cking production database backup ON OUR DEVELOPMENT MACHINE and then ask one of the users' password to login to it and create an account for ourselves? Seeding? What's that, right?!

Anyway, back to bug fixing. I e-mail the the people responsible for the app and get a production admin account, oh I also can't ssh into it because of policies so I have to do everything over e-mail and figure out what's causing the errors. I somehow also wonder if they have any kind of virtualization in place, giving students a VM to do that stuff in doesn't seem so weird does it ? Even with school policies?

Oh btw, 'deploying' means sending a .zip file to a guy in another building and telling him how to configure it, apparently this resulted in a missing folder that the application needed to work and couldn't make on its own. This after 2 weeks of e-mailing back and forth.

After 3 months i quit out of despair and sadness, and due to the fact that I just couldn't do it anymore. I separated everything into logical subprojects and let the last guy handle it, he was OK with that and understood why I left.

Luckily, around that time I already had an actual job at a software development company :)

So after 6 months of asking for production API token we've finally received it. It got physically delivered by a courier, passed as a text file on a CD. We didn't have a CD drive. Now we do. Because security. Only it turned out to be encrypted with our old public key so they had to redo the whole process. With our current public key. That they couldn't just download, because security, and demanded it to be passed in the fucking same way first. Luckily our hardware guy anticipated this and the CD drives he got can burn as well. So another two weeks passed and finally we got a visit from the courier again. But wait! The file was signed by two people and the signatures weren't trusted, both fingerprints I had to verify by phone, because security, and one of them was on vacation... until today when they finally called back and I could overwrite that fucking token and push to staging environment before the final push to prod.

Only for some reason I couldn't commit. Because the production token was exactly the same as the fucking test token so there was *nothing to commit!*

BECAUSE FUCKING SECURITY!

So one of my clients had a different company do a penetrationtest on one of my older projects.

So before hand I checked the old project and upgraded a few things on the server. And I thought to myself lets leave something open and see if they will find it.

So I left jquery 1.11.3 in it with a known xss vulnerability in it. Even chrome gives a warning about this issue if you open the audit tab.

Well first round they found that the site was not using a csrf token. And yeah when I build it 8 years ago to my knowledge that was not really a thing yet.

And who is going to make a fake version of this questionair with 200 questions about their farm and then send it to our server again. That's not going to help any hacker because everything that is entered gets checked on the farm again by an inspector. But well csrf is indeed considered the norm so I took an hour out of my day to build one. Because all the ones I found where to complicated for my taste. And added a little extra love by banning any ip that fails the csrf check.

Submitted the new version and asked if I could get a report on what they checked on. Now today few weeks later after hearing nothing yet. I send my client an email asking for the status.

I get a reaction. Everything is perfect now, good job!

In Dutch they said "goed gedaan" but that's like what I say to my puppy when he pisses outside and not in the house. But that might just be me. Not knowing what to do with remarks like that. I'm doing what I'm getting paid for. Saying, good job, your so great, keep up the good work. Are not things I need to hear. It's my job to do it right. I think it feels a bit like somebody clapping for you because you can walk. I'm getting off topic xD

But the xss vulnerability is still there unnoticed, and I still have no report on what they checked. So I have like zero trust in this penetration test.

And after the first round I already mentioned to the security guy in my clients company and my daily contact that they missed things. But they do not seem to care.

Another thing to check of their to do list and reducing their workload. Who cares if it's done well it's no longer their responsibility.

2018 disclaimer: if you can't walk not trying to offend you and I would applaud for you if you could suddenly walk again.

Guy's Discord bot "crashes"
we asked him what error.
"no error" he replies
we ask for a screenshot.
bot immediately exists

We ask: have you added this and this (`client.login(token)`)?
He replies: "yes"
We ask for sauce-code, he provides
what do we see? he forgot to add `client.login(token)`

Hello fellow devRanters, look what I found in our API constants on this fine day!

LIST_USERS: '/api/GetUsers',
USERS_WITH_QUERY:'/api/GetUsers?Query=',
MORE_USERS: '/api/GetUsers?Token=',

You get what you pay for, you get what you pay for, you get what you- AAAAAAAAAAAAAAAAAAAARRRGGGGG!!!!!!!!!

If we had a devRant vote on the most annoying word of 2018, I'd vote for "token".
Token here, token there, token yourself in the rear!

Some project I'm currently working on has to fetch 4 different tokens for these syphillis-ridden external CUNTful APIs.
Your mother inhales dicks at the trainstation toilet for one token!

ComputerToucher: *opens Jira ticket* Dev team needs tokens for the APM for a new app with multiple tenants. Ezpz. Hey, developer. Do you want one golden token for all of your app tenants or would you like us to generate one token for each?

Developer: Let’s have a meeting to discuss it.

CT: It’s…an exceedingly simple question. One token or 4? Which does your app support?

Dev: Yeah I think we should discuss with this with the platform team, can you set up the call?

CT: (Internally) I am the platform team? Do you not know how your applica-never mind I’ll just ask the PM directly.

CT (in chat): I’ll ask PM to schedule the call.

*Goes back to Jira ticket, changes priority to 4, removes ticket from sprint entirely, picks something else to work on*

Leaking an API access token to the web client... oh no no noooo...

The worst thing I have seen a dev do?

- Have all the APIs work without an access token for our main product which handles ~10k requests a day.
- Calling our architecture secure in the crucial investor meeting and being 'confident' that our database can not be compromised. No wonder we did not get funded.

The "stochastic parrot" explanation really grinds my gears because it seems to me just to be a lazy rephrasing of the chinese room argument.

The man in the machine doesn't need to understand chinese. His understanding or lack thereof is completely immaterial to whether the program he is *executing* understands chinese.

It's a way of intellectually laundering, or hiding, the ambiguity underlying a person's inability to distinguish the process of understanding from the mechanism that does the understanding.

The recent arguments that some elements of relativity actually explain our inability to prove or dissect consciousness in a phenomenological context, especially with regards to outside observers (hence the reference to relativity), but I'm glossing over it horribly and probably wildly misunderstanding some aspects. I digress.

It is to say, we are not our brains. We are the *processes* running on the *wetware of our brains*.

This view is consistent with the understanding that there are two types of relations in language, words as they relate to real world objects, and words as they relate to each other. ChatGPT et al, have a model of the world only inasmuch as words-as-they-relate-to-eachother carry some information about the world as a model.

It is to say while we may find some correlates of the mind in the hardware of the brain, more substrate than direct mechanism, it is possible language itself, executed on this medium, acts a scaffold for a broader rich internal representation.

Anyone arguing that these LLMs can't have a mind because they are one-off input-output functions, doesn't stop to think through the implications of their argument: do people with dementia have agency, and sentience?
This is almost certain, even if they forgot what they were doing or thinking about five seconds ago. So agency and sentience, while enhanced by memory, are not reliant on memory as a requirement.

It turns out there is much more information about the world, contained in our written text, than just the surface level relationships. There is a rich dynamic level of entropy buried deep in it, and the training of these models is what is apparently allowing them to tap into this representation in order to do what many of us accurately see as forming internal simulations, even if the ultimate output of that is one character or token at a time, laundering the ultimate series of calculations necessary for said internal simulations across the statistical generation of just one output token or character at a time.

And much as we won't find consciousness by examining a single picture of a brain in action, even if we track it down to single neurons firing, neither will we find consciousness anywhere we look, not even in the single weighted values of a LLMs individual network nodes.

I suspect this will remain true, long past the day a language model or other model merges that can do talk and do everything a human do intelligence-wise.

!(!(!(!(!(!(!(!rant)))))))
My new HTC smartphone hates me.
First it started to shut down all of the sudden yesterday night, when I was solving quadratic equations on my laptop.
I thought that it might be due to low battery. So I have restarted it. After putting itself into a bootloop for 4 start sequences, it was able to fully start to the page where it told me to enter the security pin to decrypt my files. I also had 30 attempts left. Like a ransomware.

I was like "tf I didn't set anything up".
So I decided to use my first attempt as I had 30 attempts left.
I entered the pin (I can swear that it's correct) and it told me that it has to wipe the /data partition.

I did that. I pressed that button. After waiting for 30 minutes I gave up and rebooted into the bootloader.
Bootloader -> Download Mode -> wipe /data (stock rom + stock recovery btw.)

Some error with "e: mount /cache failed[...]e: mount /data failed"
So, I tried using the adb sideload - no success.
Fastbooted into RUU Mode - HTC keeps rebooting itself into the RUU Mode - no success

Tried to flash the firmware and twrp recovery from Download mode - no success
Then I tried to flash all these things from the sd card - no success

Searched for revolutionary (I know this from my old HTC sensation device).
It wasn't big of any help.

Then someone on xda recommended htcDev (htc's <b>developer-friendly</b> lol site)
I followed every step. Everything seemed to be okay.
I got to the last step.
I needed to get my encrypted token by entering "fastboot oem get_identifier_token" to be able to submit it to HTC, and after they would send me an e-Mail with an .bin file that would let me unlock the bootloader to be able to flash my way through all this headache giving fucking piece of dog shit!

But since I can't back to the phone settings to select the bootloader activation box that would let me get my token... but nah.

FML

------------
Sent by using the devRant web app (:\)

Ok so we just signed a new client with some "artificial intelligence" back-end...

To authenticate with their back end, they developed a FU**ING GET REQUEST so the username and password are passed in the URL.

Then we get a token that we pass in FU**ING GET REQUESTS to communicate with their "artificial intelligence enhanced" back end.

I can't even. I just can't.

Morning there:)
To everyone who’s enjoying / doesn’t but is going to enjoy ( ̀⌄ ́) the DevStory:
here we go, with the third episode.

Leave a comment below and tell me your “dev stories” :)

PM asked me to make the code deeper, here's the new load script:

//Someone is born (init script and load deps, also run it)
$life = new begin_life();
//magic happens (generate random token)
$life->Living = openssl_random_pseudo_bytes(rand(), TRUE);
//We end it all
$life->die();

Oh boy I got a few. I could tell you stories about very stupid xss vectors like tracking IDs that get properly sanitized when they come through the url but as soon as you go to the next page and the backend returns them they are trusted and put into the Dom unsanitized or an error page for a wrong token / transaction id combo that accidentally set the same auth cookie as the valid combination but I guess the title "dumbest" would go to another one, if only for the management response to it.

Without being to precise let's just say our website contained a service to send a formally correct email or fax to your provider to cancel your mobile contract, nice thing really. You put in all your personal information and then you could hit a button to send your cancelation and get redirected to a page that also allows you to download a pdf with the sent cancelation (including all your personal data). That page was secured by a cancelation id and a (totally save) 16 characters long security token.

Now, a few months ago I tested a small change on the cancelation service and noticed a rather interesting detail : The same email always results in the same (totally save) security token...
So I tried again and sure, the token seemed to be generated from the email, well so much about "totally save". Of course this was a minor problem since our cancelation ids were strong uuids that would be incredibly hard to brute force, right? Well of course they weren't, they counted up. So at that point you could take an email, send a cancelation, get the token and just count down from your id until you hit a 200 and download the pdf with all that juicy user data, nice.

Well, of course now I raised a critical ticket and the issue was fixed as soon as possible, right?
Of course not. Well I raised the ticket, I made it critical and personally went to the ceo to make sure its prioritized. The next day I get an email from jira that the issue now was minor because "its in the code since 2017 and wasn't exploited".

Well, long story short, I argued a lot and in the end it came to the point where I, as QA, wrote a fix to create a proper token because management just "didn't see the need" to secure such a "hard to find problem". Well, before that I sent them a zip file containing 84 pdfs I scrapped in a night and the message that they can be happy I signed an NDA.

Me:
* Builds Project and Hosts it *
* thinking * : * ' I don't really need to push to Master, I'll just push it to the deployed branch *

Me: * tests project from host *

Me: * sees a bug, fixes it and rebuilds the project, hosts it and pushes code to deployed branch *

4Hrs Later:

Colleague: Dude did you see the Typos you made? Fix them!

Me: In my defence, I wrote this at 4am in the morning, did not sleep for 2 days.

Colleague: Don't Care, fix it.

Me: *Creates Hotfix Branch from Master*
* INSTALLS DEPENDANCIES AND FINDS OUT A NEW VERSION IS OUT AND UPDATES THAT AS WELL *
* Runs Project and finds out it's not the hosted version. *
* Merges Deployed Brunch to Hotfix Brunch and this happens *

Error Message: Unexpected token

620 Merge Conflicts

🤦🏽‍♂️🤦🏽‍♂️🤦🏽‍♂️

How many times will you say hi to me when we're passing on the stairs for nth time? How many 👋 will you send me in one day at almost regular intervals? I'm not a fucking rest api. You don't have to generate a fucking oauth token every time you pass me some information. I have a fucking state and it's getting distracted by too much human interaction

Day 1 of learning to build interpreters: finished the scripts for basic mathematic operations and beginnings of functions... Spent 4 fucking hours trying to track down why the compiler is treating an end of file token as an addition token... No luck, going to bed with a headache and half a head of torn out hair...

I've been using the Square REST API and I spent one hour thinking there was something wrong in my code until I f** found that THEY were not following OAuth 2 guidelines, which made their workflow incompatible with the OAuth lib I was using, so I had to mark an exception for Square's OAuth from the rest of my OAuths. Specifically, RFC 6749 Section 4.2.2 and 5.1.

However, after reading OAuth 2 guidelines, I became angry at THEM instead. The parameter `expires_in` should be the "lifetime in seconds" after the response. This will always be innevitably inaccurate, since we are not taking into account the latency of the response. This is, however, not a huge problem, since the shortest token lifetimes are of an hour (like f** Microsoft Active Directory, who my cron jobs have to check every ten minutes for new access tokens). Many workflows (like Microsoft, Square, and Python's oauthlib) have opted to add the `expires_at` parameter to be more precise, which marks the time in UTC. However, there's no convention about this. oauthlib and Microsoft send the time in Unix seconds, but Square does this in ISO 8601. At this point, ISO 8601 is less ambigious. Sending a raw integer seems ambiguous. For example, JavaScript interprets integer time as Unix _milliseconds_, but Python's time library interprets it as _seconds_. It's just a matter of convention, a convention that is not there yet.

Hope this all gets solved in OAuth 2.1 pleeeaasseee

fuck..fuck..FUCK..FUCK YOU MANTIS!!!
fuck you and your fucking invalid security token... fucking cunt...
yeah i love extracting my notes from POST data via the browser dev console cause you fucking delete it when hitting the back button...
THANKS FOR NOTHING

when youre working on a API and every testCase is all green plus manual testing thru Postman extension is all good..

then makes a web app use that API, authorization works as intended but the token is immedially invalid...

just..how..

A freelancer asked for my github personal access token (PAT) to start working on the opensource project.

I know you can set access rules for the PAT, but the guy already started off sounding hella scammy. 😬

Sometimes human stupidity still surprises me.

Today I was able to stop the release of a ticket at the last moment that intended to put urls WITH A SECURITY TOKEN TO ACCESS USER DATA through a link shortener.
Some PM assumed that it would be a reasonable course of action to map an url secured via jwt through to a 4 character, countable, base64 string so that we don't have to send multiple sms if they contain this url. I can accept that the implications might slip through one person but the fact that this was put into a ticket by a pm, prioritized by PO, estimated by an entire team, implemented by a professional developer, reviewed by a senior and then scheduled for release without anyone asking themselves if there might be a reason for a security token to be long, that one shocks me.

PM asked me to develop an application to fetch data from the customer's DB, which would require an access security token provided by the customer. To get the token, I would have to travel to Germany (I live in Portugal) to get it personally (it's not possible to have someone else pick it up for me).

It turns out the security token is a completely closed environment, with its own OS, without the possibility of installing any application or communicating with the exterior. The laptop itself would boot from the token's OS.

It was concluded I would have to hack the security token, which is completely non compliant. So the PM decided not to go forward with it.

But now, I have to go Germany anyway to pick up the security tokens because they forgot to order them for these other guys who would be using them to access the customer's DB manually and they don't want to delay the project anymore.

Oh, and the security tokens cost the project 500€/month each...

Trying to switch my job. Applied for a well known company. Gave an interview today. I don't fucking get the obsession of these developer recruiters so fixated on data structures and algorithms. I know it's a massive part of computer science but guess there is no fucking room left to innovate in there. There are legitimate researcher teams working for implementation of these barebones inside system foundations. No general software developer gives a fuck about this piece of shit discipline of study. You wanna know why they propagate this as the panacea to test people because it's fucking easy. Give a project to somebody as interview procedure, it'll take time to bring out an interesting problem and an interesting solution to that. Sorry to say but all these data structure enthusiasts are nothing better than board game enthusiasts.

Also why can't you refer existing solutions to create your solution. I've seen some good problems which actually require you to think. But again those are heavy and can't be tested so you're left with reversing a fucking linked list with O(1) auxillary space. Fuck me ig.

Moreover, what the fuck is wrong with the moral policing internet crowd. Its so sad. I've hardly seen anybody rant about this piece of shit system put in place to push the absolute dead-end nutcases up the ladder. Every other search for it returns a Quora link with some Indian guy complaining about his interviews and in the comments you have the same scholars sitting in their data structure throne imparting knowledge about how data structure holds the fabric of reality together.

I don't hate data structures and algorithms as a subject. It is cool and quite extensive but once you try to make that as a metric of all the knowledge in the world, you've lost my drift. Maybe I'm just angry with the state of things. Maybe I'm just angry with token Quora crowd.

Why do most apps have a password reset page that redirects to a mobile site ?

Why not give them a code they can enter into the app which would then show a password reset page within the app or a link which opens the page within the app.

Isn't it good practice to keep the user within the app?

Isn't it better to serve a token than serve an entire html webpage for the server.

I've been thinking about this but 90% people follow the website pattern and Idk why. Am I missing something ?

Please fill me in on it. (Even devrant uses the same pattern)

SyntaxError: Unexpected token T in JSON at position 0

WHY IS THIS ERROR SO UNAVOIDABLE? Like every time I need to interact with an API, it's a struggle to make this go away.

"Shit, we haven't even come up with a safe word yet!"
"Don't worry, your RSA token has been sent to your e-mail."

I was thinking about how I implement login functionality, and realised I have no clue how I came up with it so decided to ask if it was a good way to do things.

Basically, client logs in, username/email and pass are sent to server.

Server salts and hashes password and checks it against the one in the database for that user.

If its correct, send the client the user ID and the user token. (User id could be username, or a number, it depends)

When that client makes a request, the request must contain the ID and token.

The server checks that the ID and token combo are correct, and because the ID is linked to the user we know who it is and can complete the request.

Usually I make the token a random string of 16 or 32 chars, each account has their own token, and it may be stored in the browser so they stay logged in. I also normally add a "log out everywhere" button, which essentially just generates a new token to overrides the current one, making any previously saved tokens invalid.

A few years ago, i had a task to implement a webservice of an insurance-company into our .NET Development.

The security requirements of this insurance-company webservice were top notch.
As a client you had to build a request that used a negotiated certificate, canonical header structures, security timestamp, a secret token in header, ...

To configure all this stuff via web.config WCF was pure pain in the ass.

After many phonecalls and emails, i finally managed to meet all security requirements to send a valid request.

First, i didn't recognized my breakthrough, because my client still had thrown exceptions while calling the insurance-webservice.

Why was that?

The exception told me on the most possible gentle way, that .Net isn't able to process an unsecured response, when there was a secured request before.

So there was top notch security for requesting, but dumbass unsecured responding with all the precious customer information.

*epicfacepalmnuclearexplosionfollowing*

I even had to raise the. Net Version of our. Net client, because i wasn't able to configure that it is allowed to process an unsecured response after using a secured request.

Whyyyyyyy?!!?!!1el even!?!

@dfox if you guys aren't ready to take donations for the site, do you have a favourite charity (international preferably) we could donate to as a token of appreciation?

all documentation points to an Invalid auth token being code 400 (ignore the fact that this is a code in the JSON response and not HTTP)

Me: here iz credential. Plz send datas
API: haha fock off and die mate, then credentials you got there aren’t workin’
API: code 998 invalid auth token
Me: *speechless* so that’s why it took me longer than it did to find that error, because YOUR CODE WAS MISSING ALL MY CHECKS FOR CODE 400.

Why can’t people design apis properly.

Just posted a rant that BitBucket gave me a big Internal Server Error

Then I realized one of my extensions was overriding the authentication token (as I configured it to do that for a dashboard) and that was why BitBucket was inaccessible

Why do I keep doing this to myself

A simple bot on Telegram
Just hit and trial

Wanted same for Facebook, some error while accessing token tho. :(

T_PAAMAYIM_NEKUDOTAYIM

This is how PHP refers to :: internally, it's the only fucking token with such a weird name, what is this fucking language?

Who is writing this shit? OOP but it's completely optional? Where is the goddamn sheriff? I'm done, off to Ruby, Python, Go or anything that's not fucking PHP. Sick of this shit. Fuck this language.

How can such a massive language be so poorly designed!?

Why do people design web apis where the way you submit your authorization is via a custom header?

Especially when the authorization is literally a token?

Am I ingesting something special?

This way of converting "string" to "s" (for example)

0) program reads the whole buffer, stores it as an array of instructions
1) program reverses the order of the instructions
2) parser makes standard token from an instruction ("asd" -> ASD)
3) parser2 assigns operands to instruction
4) parser 3 makes string from instruction token ?????
5) parser fucking 4 makeS A MUTABLE STRING INSTRUCTION
6) PARSER FIVE SUBSTITUES OPERANDS
7) AND THEN CUTS IT TO A REVERSED ARRAY OF COMMANDS
8) AND PUSHES IT UNTO THE STACK

WHAT

It's a really interesting discussion, when your boss tells you that it's a perfectly fine idea to directly use a Firebase DB from an Angular web app by storing the Admin Auth Token in a variable in JS.
Thank the spaghetti monster, I was able to argue against it and use the already partially implemented RESTful API with the already used auth.
He basically wanted to save time and omit extra login routes.

It's OK to save time and not implement $randomFeatures.
BUT DON'T FUCKING TRY TO SAVE TIME ON SECURITY!

If it wasn't for me, this web app would turn into a bigger gaping (security) asshole than Sasha Grey's...

"Our Data Service comes PRE-P0WN'D"

Those SHIT-FOR-BRAINS data service providers GLOAT that their data can be natively integrated into most BI platforms, no code required.
How? Because they will EXPOSE THE ENTIRE FUCKING THING ON THE INTERNET.
LITERALLY.
UNAUTHENTICATED URL WITH THE ENTIRE DATASET.
STATIC. WON'T EVER FUCKING CHANGE.
NO VPN REQUIRED. NO AUTHENTICATION HEADERS. NO IN-TRANSIT ENCRYPTION.

"It is safe! No one will know the secret token that is a parameter in the url"
BLOODY BYTE BUTTS, BATMAN! IT IS A FUCKING UNAUTHENTICATED URL THAT DOES NOT REQUIRES RENEWAL NOR A VPN, IT WILL LEAK EVENTUALLY!

That is the single fucking worst SELF-P0WN I have ever seen.
Now I know why there are fucking toddlers "hacking" large scale databases all over the globe.
Because there are plenty of data service providers that are FUCKING N00BS.

Wanna know about hacks? I'll tell you. There is a peace of software called SugarCRM. It has OAuth2 provider implementation. I was assigned to write OAuth2 consumer for it.
It turned out they just failed to make it right.
The list of hacks:
* Hack on standard Authentication header. They use custom.
* Hack on "scope". They send null which is standard violation. So it is replaced to empty string before response processing starts.
* This is my favorite. Refresh token simply doesn't work. So we need to store user's credentials in memory to be able to reauthenticate user transparently.

Why, in the name of all that is holy would you use a secure token generator, and then override it with a short, easily guessable token?! Why take the time? I hate my outsourced devs

@dfox I saw a few posts lately, about websites that people did. So besides the collabs, I'd like to suggest a new section. "DevReviews" or what ever. The basical idea is, every one, that is signed up gets one "token" devRant ++ suporters maybee an additional free token every months or whatever.
If you wan't your website reviewed, you can post it there and people reviewing it will get such a token for their review.
To ensure a certain quality of the reviews, I'd put a minimum caracter length and a "dispute" function, where the review is taken to a community voting, if the person giving the review should get the token, or if the review should be dismissed. Additional "tokens" for additional/more reviews can be bought through the app, that could help a lot of devs get quality reviews and testing and earn you some $ for the servers.

I had joined a new company and got access to their codebase. They were updating password on MD5 hash of user name and their email in get request. No password validation, no token based authentication, nothing.

Eg
...com/change_password/email=(plainemail)&name= MD5(name)

That's it, you get change user password.

I have been trying to wrap my head around authentication in hapi for the last 6 hours...
Fuck this shit... when did simple,
I HAS A USERNAME
I HAS A PASSWORD
CAN HAS SESSION?
become:
- you magically get a token from somewhere
- you magically verify that token
- you respond with { credentials } //magic
- by some fucking black magic the server probably creates a session without you knowing about it...
- you freak out and write your own authentication scheme only to find out that you cannot read payload of POST requests in the authenticate method
- you get angrier and depressed and write a rant

(to be clear: there is @hapi/basic but I don't think sending a GET request with the URL looking like username:password@domain.tld is very safe...)

Security : Each time I login, they ask me to type the email address I want my one-time-code emailed to. Really!? What security is provided by letting the user decide where to email the flippin token to?!?!

Ok, my RSA token for the next minute is: 740130.

Are you a L337 enough H@xx0R to pwnz my system in the time available?

If any of you have been following my last few rants, you'll know I've been working on a project with a particularly difficult client, trying to meet wholly unrealistic deadlines with only one other developer.

The situation has reached the climax. The client had a call with our project manager and boss on Monday to discuss things. Despite them still not having paid a single bill since October, they've demanded the release date be moved to the 6th April. Apparently we'd agreed to release on this date, despite making no such promises, the (optimistic) deadline we were working towards has always been, since it was set about 2 weeks ago, the 16th April.

Apparently AWS migration won't take as long as we think it will, because the designers that do the CSS for this project say so, despite knowing nothing about the architecture of the requirements of the system once live (like if backups are required and what of).

The bottom line is that client is ending development with us the day after the project goes live to give it to their own in-house team. If they want us to work more after the date, they have to buy blocks of days.

To make things better, a large part of new functionality relies on an external API we can't even begin to do learning tests with, let alone integrate due to back-office errors on their end. They've had since Friday to give us our token, yet here we are.

Something tells me my holidays booked for for the first week of April are going by the wayside.

My dumbass colleague thinks the best idea to a Restful API backend is to store some kind of session based on the token.

It'd be great if that remained as an idea instead of this 11 month-old system he built before I got in.

MOTHERFUCKER.

Yes, it does mean that if the server boots for whatever reason, everyone has to login again to get a valid token LOL

A new developer started working with us a few months back. Plenty years of experience, both front- and backend.
He was the perfect guy for the job, according to management. Two weeks ago he asked me what JWS Cookie I used to send my requests.
After a few minutes we realized that he meant JWT token.

Said developer is no longer working with us, he didn’t like all the new technology.

Not sure if it is a rant or not but I'm getting worried about Apple... Two days passed uploaded a new update multiple times and all ended on the first try 😨
Usually it takes many tries for it to be uploaded 😨
On top of that, iTunesConnect is faster and no longer stuck at loading when token expires 😨

I hope I'm not dreaming 😅

I'm a C++/Obj-C programmer finding it ludicrously hard to switch to Swift.

I find that the constant ability (leading to very poor programmer code) to reduce syntax and add tokens reduces readability and nowhere is this more apparent that with closures.

I'm working through (to my shame) Ray Wenderlich's Swift course and the closure chapter has this:

PS I loathe K&R as much as I do Swift so it's all in Allman formatting for clarity.

let multiply: (Int, Int) -> Int =
{
(a: Int, b: Int) -> Int in

// do Something else

return a * b
}
Why oh why isn't this more simply and elegantly written as:

let multiply = (a: Int, b: Int) -> Int
{
// do Something else

return a * b
}
The equals sign shows clearly that it's a closure definition assignment, as does the starting 'let'. But this way all of the stupid excesses, like the 'in' keyword, the repetition of the params / return type only this time with useful labels and additional tokens are removed and it looks and reads much more like a regular function and certainly a lot more clearly.

Now I know that with the stupid ability of Swift you can reduce all this down to return $0 * $1, but the point I'm making is that a) that's not as clear and more importantly b) if this closure does something more than just one line of code, then all that complicated stuff - hinted to by the comment '// do Something else' means you can't reduce it to stupid tokens.

So, when you have a clousure that has a lot of stuff going on and you can't reduce it to stupid minimalism, then why isn't is formatted and syntactically better like the suggestion above?

I've mentioned this on the Swift.org (and got banned for criticising Swift) but the suggestions they came up with were 'use type inference' to remove the first set of params / return type and token.

But that still means the param list and return type are NOT on the same line as the declaration and you still need the stupid 'in' keyword!

A conversation that i had with my co-worker today. I was having trouble getting into UAT to troubleshoot.

me
i lost access to UAT again

co-worker
F. So secure we can't even get in

me:
lol

co-worker:
I'll email whoever we did last

me:
i can get through the first phase(where you enter pin+rsa)
it denies me access after that
says bad username or password

co-worker:
Oh ok. Prolly just need to reset your pwd then. I'll find the email for helpdesk and fwd.
At least ur RSA works.

me:
yeah what a joy

co-worker:
If it's locked you may need to try from a Windows box. Horizon is bugged on Mac where the submit button stays disabled even when you type a pwd.

me:
i couldnt contain my happiness that my RSA worked
😃

co-worker:
Yeah it's exhilarating
Whenever I pick up my rsa token my life re-finds it's purpose and I feel like I'm meddling through a field of sunflowers.

I once tried to get my RSA token tattooed but it switched too quick.

me:
lol its faster that Usain Bolt

co worker:
Russia got kicked out because of their RSA tokens

Javascript: trailing commas are OK.
JSON: trailing commas are Unexpected token '}' in JSON at ...

GitHub Packages Sucks. Like, it REALLY sucks.

It sounds like the best thing in the world - being able to host your project packages alongside your code! It has full support for Maven, Gradle, Ruby Gems, Node packages, Docker images and even dotnet CLI applications. It even lets you view statistics on how many developers have downloaded a given package! For public repositories, the packages are free to host as well!

So, I decide to use it for my Maven project since it's "so great". I've never used a public Maven repository before, so this was all very new to me. I follow the documentation - simply run "mvn deploy ...." and use a generated GitHub personal access token. No problems there. Deployment is a success and I feel a wave of happiness seeing my packages online. I follow through the various links and it even adds automatically generated usage information for other Maven users - fantastic!

That was, until I decide to try and download one of the files from this package repository. In order to download a file, you must have a GitHub access token. Okay, makes sense I guess? What if another developer wants to use my library? To do so, they have to generate their own GitHub access token, store it in their local ~/.m2/settings.xml file and only THEN can they use my library. So clearly, this is significantly inferior to other public Maven repositories where you don't have to get an access token to simply USE a library.

Upon discovering this, I decide to simply delete all of the packages and continue using whatever previous system I was using. Except of course, they forbid the deletion of public packages because "other projects could depend on it". The only way to delete public packages is to either:

[0] Make the repository private (losing all stargazers and watchers), delete the packages and then make the repository public again
[1] Contact support and ask them to delete the public packages. They say that they'll only do this for "special cases", such as legal issues or GDPR breaches.

I've sent a contact form and I'm currently hoping that they see things in my favor. I mean seriously - a public package repository where in order to use it you have to have a GitHub account and then generate an authentication token - it's absurd!

"Unexpected token: ..."

Thank you Azure, very cool. Would you like to tell me where, how and why?

who's so stressed out right now? me.

why? i need to change the access token in my code because it was changed

why is that stressful? because there is no variable for it, it was hardcoded

who coded that? me.

when? when the whole dev team was drunk asf

fml

Just found the most embarrassing security hole. Basically a skelleton key to millions of user data. Names, email addresses, zip codes, orders. If the email indicates a birthdate, even more shit if you chain another vector. Basically an order id / hash pair that should allow users to enter data AND SHOULD ONLY AUTHORIZE THEM TO THE SITE FOR ENTRING DATA. Well, what happend was that a non mathing hash/id pair will not provide an aith token bit it will create a session linked to that order.

Long story short, call url 1 enter the foreign ID, get an error, access order overview site, profit. Obviously a big fucking problem and I still had to run directly to our CEO to get it prioritized because product management thought a style update would be more important.

Oh, and of course the IDs are counted upwards. Making them random would be too unfair towards the poor black hats out there.

How is the shopify developer experience actually so bad.

Shopify Buy JS docs suck
Product ID's are inconsistent
Token management is not built into GUI

The tech being rude about my RSA token not working locking me out trying to use a USB override stick...he got so mad he just walked out 😂

Trying to use authenticate a JWT token from an Azure service, which apparently needs to use Azure AD Identity services (Microsoft Entra ID, Azure AD B2C, pick your poison). I sent a request to our Azure admin. Two days later, I follow up, "Sorry, I forgot...here you go..."
Sends me a (small) screenshot of the some of the properties+GUIDs I need, hoping I don't mess up, still missing a few values.
Me: "I need the instance url, domain, and client secret."
<hour later>
T: "Sorry, I don't understand what those are."
Me: "The login URL. I assume it's the default, but I can't see what you see. Any shot you can give me at least read permissions so I can see the various properties without having to bother you?"
T: "I don't see any URLs, I'll send you the config json, the values you need should be in there."
<10 minutes later, I get a json file, nothing I needed>
<find screenshots of what I'm looking for, send em to T>
Me: "The Endpoints, what URLs do you see when you click Endpoints?"
<20 minutes later, sends me the list of endpoints, exactly what I'm looking for, but still not authenticating the JWT>
Me: "Still not working. Not getting an error, just that the authentication is failing. Don't know if it's the JWT, am I missing a slash, or what. Any way I can get at least read permissions so I don't have to keep bugging you to see certain values?"
T: "What do you need, exactly?"
Me: "I don't know. I don't know if I'm using the right secret key, I can't verify if I'm using the right client id. I feel like I'm guessing trying to make this work."
T: "What exactly are you trying to get working?"
<explain, again, what I'm trying to do>
T: "That's probably not going to work. We don't allow AD authentication from the outside world."
Me: "Yes we do. Microsoft Teams, Outlook, the remote access services. I can log into those services from home using my AD credentials."
T: "Oh yea, I guess we do. I meant what you are trying to do. Azure doesn't allow outside services to authenticate using a JWT. Sorry."

FRACK FRACK FRACK!!

Whew! Putting the flamethrower away.

Thanks devrant for letting me rant.

Started writing a parser for moonscript. Because I want to do my own syntax highlighting and error support.

I'm sorry, but was this supposed to difficult? Every article I read claimed this was gonna be some impossible feat of herculean effort. I half dreaded it, the other half was kinda elated.

Only it didnt live up to the hype. The tokenizer is a glorified character stream. The lexer is little more than a tokenizer, and the "most complicated" bit is nothing but a fancy transformation of the token output into a tree.

I'm completely to new parsers proper and semantic checking and maybe that's why it seemed easy, but I dont see what all the forewarning in tutorials were ever about.

Project with partner company, during the meeting I asked them how can we secure the communication between two services. I suggested api keys, tokens. They were like nope, no need. But I asked them for their IPs to do whitelisting on our side in Nginx.

But their side, nah not even whitelisting, no tokens, no validations. If one has address, can send anything from anywhere.

How hard would it be to do at least, AT LEAST simple token validation. And they are using the very old IIS server. I think for them as long as data flows in as expected, it is fine.

It's about to be 4:20 on 4/20 get ready to run all your scrips now as you cannot have an unexpected token at 4:20 on 4/20, all token is expected then.

Trying to use a coworker's new API endpoint and I keep getting an "OAuth2 Bearer Token missing" error, despite triple-checking that I set the Authorization header correctly... finally dig into the source code and I find out that all their endpoints require that the bearer token be put into the request body. The fuck?

Ouuu today I experienced how web-devs must feel...

Task: create a form to answer questions with yes/no and a database behind it to collect stats.

So login to phpmyadmin
1. Wrong password got error message
2. No error message, still at login screen, but in address I see a token
3. There must be something wrong
4. Reinstalled phpmyadmin and mysql-server several times, wasted one hour on it - still stuck at login screen
5. Tried different browser and it fucking works!
6. Realized that cleaning cache fixed it...

Token based stock image and ux/ui degin platform on blockchain

Working for a startup building a device / app that let you answer your landline phone on your mobile, and get notifications of missed calls etc.

While developing I purposely didn't secure the endpoint that controlled push notifications.

I waited for the boss to sign up, went to the DB and stole his token. From time to time i'd send a request telling him he missed a call from his wife or son.

... then kicked back and watched the madness and frustration ensue.

Can we take a moment to recognize how absolutely retarded JS' event system is?
Events aren't objects. No, they're managed by an object, and identified by a string.
To subscribe to an event, you call object.addEventListener(name, callback). Because for some reason we can't just have an event object. Events MUST have an owner.
But to unsubscribe you don't call the function addEventListener returned, you don't use the token it returned either. No, you pass the same function to removeEventListener.
Because we don't use serializable tokens like in PP, and we don't return functions like in FP, no, we use functions as tokens, realising idiomatic DFP.

Few months back I got a decent increment as a token of appreciation for my good work.
Yesterday we all received a Special townhall meeting invitation.
We all were wondering what it was about. Now my colleague who sits beside was guessing that it may be about a salary revision and she complained that she didn't get any increment last time.

Inner me: Why the heck company should increment your salary for the shitty work you do.
You are simply incapable of doing what you are supposed to do.
You spend more time talking crap rather than trying to learn and use it to write some non shitty code.
You should be thankful to the company for not firing you.

I'm looking into GraphQL and so far so good, but I am finding it hard to implement business rules, for example:

1. Receive request with auth token
2. Know who the user is by extractin userId from token
3. fetch data related to that user only.

I was only able to make it allow or deny if there is a token or not lol

DAILY LARAVEL PROBLEMS

I need to parse a JWT with some custom claims. There's a JWT library with Laravel; documentation really lacking, kinda hardcoded to work with Laravel but whatever; it's already installed, let's see what can I do with it.

It turns out I can't say something like "take this token, parse it, tell me it's valid". Let's see how that goes.
You need to build a parsing class with a manager, some auth stuff, a parser.
To build said manager you need a provider that implements a contract, a blacklist, a factory (of what?)
To build the factory (of what?) you need a claim factory and a payload validator
To build the claim factory you need a request
To build the blacklist you need a Storage
To build the storage you need a CacheContract
To build a CacheContract you need IDK it's a mess
To build the contract you need... IDK for real

WHY LARAVEL IS SHIT: 'cause only in this framework it seems reasonable to build this clusterfuck to parse a base64 encoded string, throw some json_decode and check a signature. And have it work only to authenticate a user.

Indigogo is to retail what ICOs are to he financial industry.

- some random people think of an idea (ICO = token, IGO = magical dick cream)

- they both rely on well made but completely horse-shit marketing material

- they both spam your sites with the same repetitive ads

- they both offer discounts for getting in early (aka give us money before we have designed or built anything)

- they both make outlandish and sometimes illegal product claims (ICO = Visa is a partner, IGO = magic dick cream does magic things)

- in the end most of both options ends up giving you nothing at all and just running away with your money

- best case scenario they both deliver a product that is utterly worthless and meaningless

- everyone is hunting for that one coin or product that is a not a total scam.

I don’t hate indigogo but they certainly are shady as fuck. I’ve rolled the dice on then 4 times and got scammed on 2 of them. It’s basically a crap shoot.

VSCode is doing really strange things to my language server, in such variety that I'm starting to suspect that it's simply incorrect because it's very unlikely that I'd misunderstand so many distinct things at once.

- The trace level is verbose, yet VSCode absolutely spams the LS with trace: off requests

- the capability update request I used to set file watchers never gets a response even though the standard clearly states that all requests must get responses or progress reports quickly, and I'm not getting file updates even after vscode responds to a file system change. By the way, if file watching is a capability, why can't I set it in the protocol handshake with all the other capabilities?

- my semantic token provider (used for syntax highlighting) is simply ignored, no requests, no errors

- the debug console is spamming editor internal errors

Is there any modals for angular 2?? The ng2-bs4-modal gives unexpected token error. I swear after this project I am never using angular. Worst framework ever.

React Js all the way.

So this is kind of an odd scenario, but bare with me. My client has been issued a JWT token. After having received and stored it, I completely reset the database, and so also emptied the users table. Note that we're using MySQL with auto incrementing ID, whose counter has been reset. The user ID is stored in the JWT, so now the JWT isn't referencing an existing user anymore, so the client will get a 401. The problem arises when a new user registers and is inserted in the new database. That user will get ID 1, and so the old token for the other user will suddenly be valid for another user. I know it's an odd case, but is this a flaw in JWT? I guess an easy solution would be to use random ID's, but I'm still wondering.

They say that runing the same command over and over again is a sign of insanity.

LIKE HELL IT IS!!!

I've been running `terraform apply` for the last hour (trying to dump an EKS token in plain-text, because my k8s-related providers failed to auth to the cluster), and miraculously the problem went away. Now the error is no more.

Insanity?

I beg to differ!

Narf!

My workplace is still using xml based configuration, and non-spring boot projects.

So every spring boot tutorial I find feels like "Look at how easy you can get this running" and then it's just actually a toy you can't get into production.

Also it kind of bugs me that you need to be online to actually be able to initialize/create a spring boot project and every single tutorial says so.
You can make a local network m2 repository, but can one make a spring initializer service?

Either way, migrating every single project to Spring boot is a no-no,

And I'm stuck with like 5 prototypes of SSO integration from which only 2 work, and the other 3 have their own problems.

One does redirect to the login and all, but the SAML endpoint gets 404 on response when you log in.

One is on OpenID Connect, but I would need to update the project from Spring 3 to Spring 5 to get it working, which upon attempting to do seems to break everything else.

One has an external library handling the security context just the way we are accustomed to, but it only does a 401 forbidden when you go without logging in and I'm starting to think it is actually one of those that require you to extract the token or something manual like that, which wouldn't work for us

The other two are spring boot tutorials that worked out of the box, both SAML and OpenID, still can't use those for the main projects.

I'm tired of dealing with this configuration hell, been two months at this, I want to get features done as usual, not be stuck configuring stuff that might or might not work.

Rant aside, I think I figured I need to use a different Security adapter, but I needed to vent.

Currently working on my own Express App with CSurf for csrf validation.

Works great but one problem...

HOW THE FUCK SHOULD A POST REQUEST COMING FROM JAVA GET THE FUCKING TOKEN.

Should I made my RESTApi without csrf protection?

I am crying right now...

I have a question, let's say I have a website and app both using oAuth facebook login. Should I save the access token provided by facebook in my database and if I should, what will happen to the access token when user logins with facebook on website and then login again with the app? is that mean access token is going to be overwritten by new login? and do you have any other suggestions for 0auth integration?

You know what pisses me off about Solidity?

The lack of useful information and the bullshit around it.

How many times I see a video named “Advanced Smart Contract Testing” and go through it to see that it includes...

- setup the testing in a project
- run a simple test
- test the basic attributes of a token (name, symbol etc.)
- the end

THE FUCKING END???!!!

Are you kidding me! Advanced what?

The problem is that smart contract “auditors” are getting paid $500,000 USD for 2 months of auditing. Yeah, that’s right, half a million to look over code and write a report.

So why would those folks ever share that knowledge? They wouldn’t.

That’s why you have these fucking jokers who go and get a basic understanding of Solidity and then make an “Advanced Solidity Course”

To each their own though, if it makes them feel good about themselves then go for it.

But from me, you can take your “advanced” course and shove it up your basic ass, sideways.

JWT vs PASEDO???

Advantages/Disadvantages

“Not a security guy” no more😼
I already completed 10/16 chapters of this book, including formatted and updated every code example in the github repo.
There’re lots of fillers in the book.
😑Lots of repeating samples.
The nosql part in node.js is completely broken.🤯
The code mixed with space and tab, so I have to format it before starting the exercise. 🙀
The git repo has about 150 forks, it makes me wonder how many copies they actually sold, since the entire book is closely tied to code samples.🤔

So today we renamed a repo on bitbucket. We changed the remote url on local PCs and kept working. When deploying, our deploying platform threw an error saying invalid repo name, which was expected. Thing is, said platform doesn't have a "change repo remote url" option, so we did it manually over SSH. It didn't work as it now says the bitbucket token is invalid. There is no option to change or set the token. Redeploying will take almost an entire day due to configurations. FML.

The frontend developers in my company are the reason why I have anxiety. Here are few things that grinds my knees:
1) for a long time in projects, they deleted the auth token from their storage without integrating the logout api. They thought why use an API for that. :)
2) most of them had no clue that form fields could accept javascript as inputs and work as XSS vulnerabilities. This actually happened with a client, he got so fucking pissed.
3) One of them asked me to convert a PATCH request to DELETE cos fuck REST and HTTP methods.

For fuck’s sake. I need to get out of this place.

Is logout useless on a Rest API that uses JWT token?

Discuss

“httpOnly cookies prevent XSS attacks”… wow.
As if not being able to get your cookies is going to stop me from doing bad things.

When I'm in via XSS, it's over. I'm changing the page content to your sign-in form with “please sign in again” notice, but it sends email/password straight to me. What percentage of users is going to enter their data? What do you think? With password managers prefilling data, and the annoyance being one “enter” hit away, I think a lot of users will fall for that. No one, including you, will be able to tell the difference without devTools.
You can rotate the session token, but good luck rotating the user's password.

Oh, did I tell you I could register a service worker using XSS that will be running in background FOREVER?

But don't listen to me. Don't think. Just use httpOnly and hope for the best. After all, your favorite dev youtuber said they could protect you from XSS.

I'm currently in a bit of a predicament.
Here's the deal:
I want to separate my back-end from my front-end code a bit more (currently PHP code is mixed up with all the HTML, Javascript etc.. basically: front-end and back-end are one).
The question here is: how should I go about this?

In my current project, I have written some javascript code with jQuery that checks whether the user is logged in or not (checks for an auth token and UID to be present in the cookies).
However, this results in the page (in this case a dashboard that only logged in users should see) being visible for a moment before the user is redirected to the login page...

How could I go better about this (No, I won't use AngularJS for this)?

The whole API service relies on a token obtained by posting to a http URL: http:// blah/get_token?User=malleable?Password=longandcomplicatedpasswordforsecurity
🤔👌👏

i don't understand what would be termed as "relaxing" for me.
when i was in college , i watched a lot of movies on romance, bromance and friendship. being from a very angry , isolated family with bitter relationships from relatives, we had almost 0 people to interact with.
i personnally was also very different from society and struggled making friends.

as of now i did have somewhat come over this problem and have a good number of "known people" (atleast 500+) that i can categorise into'
- A just people with whom i shared a situation( college, office, tutions)
-B people with whom i have spent my free times in those situations (aka friends, and free time = lunch breaks, seat sharing, projects with them, etc)
-C people with whom i spent some time willingly( aka close friends from college, tutions and home, with whom i played cricket, went on partying/touring places , etc)

-D people whom i liked but never got a love back( aka girls to whom i told i like them. they mostly belonged to category C but eventually went to category A)

previously the category C people were special for me and i would weave my life around them. like all those bromance and friendship movies? these are the guys with whom i would do that. world tours and awesome weird shit? these people will be their in the pic... i would wish them on birthdays, i will call them every few days, go meet with them , have a bite, plan trips, movies , etc...

but today i feel am so done with everyone. i feel like everyone is so fake and forgetful, no one is worth my attention. i can easily forget wishing them birthdays or calling/meeting them every few weeks, because i don't want to or care about it.

friendship , from what i have realised, is just a means of dealing with a task in a group. it just provides a herd immunity and herd advantage . and once you learn how to survive alone, you don't really see a point in it. after coming out of college i was alone in the world, as my friends were from different fields. before college, i thought these were the guys with whom we will be living as F.R.I.E.N.D.S, not just in terms of relation, but rather in a symbiotic way: each one helping each other.
today, i feel criingy just thinking about it.

no friend will remember you for more than a year if you die now. everyone will move on. and in the struggling phase that me and my friends are right now (20-30s), we don't even need to die to forget our friendships.
my so called friends have wished me less on my birthdays than the lifeless apps i have on my phone.

so neither i am expecting someone to do something for me, nor do i think i want to do anything with anyone

------
so back to the problem, i don't know how will i find some relax or meaningful time anymore.
i am always up for trips and one of the first person to say yes to plans.

once upon a time i had this realisation that in a trip, we can enjoy 3 things:
1. the people with whom we are
2. the place we are visiting : the locals, the foods, the nature
3. the mode of travel : car on highways, bikes or flights above the clouds , or some memorable train journeys, etc.

but lately so even that seems to be not working out.
- the people are shit
- places feel like somewhat same everywhere . it's either : rocks/mountains or snow or water or buildings and population. it's just a temporary change of scenary and doesn't really gives a feeling of peace. same for mode of transport.

if i rule the going out part, the things that remains is to enjoying your job, home family and daily life. that i do , but that's the thing that creates an environment of "bored-out"-ism in my mind.

i don't know what i am looking for. the only thing i have not experienced is that class D of people. to have a token of faith/respect/appreciation/love from a non blood related person. to have someone with home i will not feel "bored out" when am planning a journey with them.

mathematically , it seems so far fetched and crazily impossible. like if get bored out and loose trust on people whom i shared most of my life after 50-60 meets, how can i be not bored, and be unhappy with a person to whom i have to see each day?

but since this happens for most of the couples, i will say the mind is the biggest and the most fantasizing mystery of human body ❤️ 💔

Discord apparently has a new vuln allowing bot accounts to become normal accounts without regenerating the token. Explains all the thotbots and shit appearing.

If you build a company on the blockchain you're basically committing to 100% transparency with your investors if you fail to increase the value of your token or coin your investors will be left holding the bag. 💰

token auth woes

I am fed up of doing shitty token authentications that don't refresh and are database dependent. what's the good way to do token auth for rest APIs? json-web-token?

Haven't pushed anything to my github repos for over a year. Tried it today and it took me FOURTY FUCKING MINUTES to figure out this Personal Access Token HORSESHIT.

FUCK YOU GITHUB, why must every aspect of software development become spoiled by PARANOID FUCKING FUCKWEASELS?

So I am debugging a connector library for an api that users curl.

I am fighting my ass off with errors and a lack of debug, testing or thought for CI

Take a poke around this set of classes only to find.

Postman token in the opts. and a removal of ssl check. What you straight copied from postman.

Like seriously clean up your fucking code if you are gonna put something out as production ready to your team.

Console.log('fuck');

I guess I need a word count filter.. who would spend their monthly "token" on something like that

>finally gets around to installing vsftpd on home server RPi
>doesn't work
hmm.mp2
>configurating
>confusing as fuck template documentation
>man page isn't much better
>gets it working
>goes to log in
User: pi
Password: a
(What? It's a home file/command server isolated from the Internet. Sue me.)
nope.avi
>why
>tries again
nope.svg
>FUCK
>sees small raw-command log in bottom-right of phone FTP client
hmm.flac
>tries again, watches log
PASS *****
>the fuck
>goes to change user pass over SSH
# passwd
"Current password?"
about half a second later
"passwd: auth token manipulation denied"
>the delay tho
>WAIT A SECOND
one time i got past some parental software bullshit on a tablet by abusing the delay between opening a banned app and the redirect to the normal software at like age 7. (Doing so let me enable remote wipe through Google. bye bye software!)
>*inner 7 year old has autistic screech*
# nano temp
a
abcdefghi
abcdefghi
^O Y ^X
# passwd < temp
>fucking works
>logs in to FTP server successfully
>does the one file download that was needed

why and how did that fucking work

Just curious, how do remote workers onboard with their company?

And I guess basically now all offices are closed, what happens after your hired, your first day of work?

At my company to work remotely, you would need a token card and access permissions.

Why can't I wrap my head around laravel enough to build an authentication system I've built before 😖😡😠

External Login Service and my app would be an OAuth2 client receiving an id token...and no there isn't a third party integration for this login service

So i'm workin on a wrapper for an api, and it has authenticated endpoints. My request function has a check to see if the user has a token before making the authed request, but guess who forgot to actually mark like 20-40 different methods as authed : D

Interview question i had:

- how does jwt work under the hood, where is it stored, what 3 parts is it made of, who creates jwt, how does the server know what information the jwt token has (how can it say oh you're Joe you can login now)

- what is the difference between observable and promise in typescript, how does observable work, what is a stream, what is the difference between fetching data through an observable and fetching data with promise and when should we use one over the other, what does .next() funcrion do in observable under the hood

Answer me these questions without googling

A game taking place inside an operating system. Like Tron but needs to have much more solid analogies. User's body as tty process. Some representation of scheduler priority and memory allocation. Forking. Children and zombies. Init.

Some process-ownable token representing file handles.

Network ports as portals through which data may be sent by acquiring a file handle and using it.

/proc, /mem, etc are extreme stretch goals.

Never really started because I couldn't decide how to represent all the different parts so they would all be consistent *and* entertaining

As an extension of the extreme stretch goals, a multiplayer functionality where players can shell into each other's game worlds ("computers")

I jumped on this NodeJS codebase to quickly implement an additional method in the custom logger. How hard could it be, right?

I implemented the method alright. But I can't find where to use it... There are like 10 different logger instances used in this tiny app and in one place logger is even used as a vessel (holder object) for the client's JWT token (to access it from the interactor).

oh, and it's a javascript app (somehow I assumed that node apps are typescript.. silly me!)

What the fØ©ĸ spaghetty-fest is this!?!?!