Hacker News: holtalanm

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 20:04:13 +0000

then you're hitting the db on every request just to do auth.

if you _had_ to do that, I would put the counter into something like redis instead.

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 20:01:02 +0000

watched the whole thing. was very informative. Actually havent used RSA in any capacity in years (AES is a lot easier to use), but always viewed RSA as a battle-tested encryption method/alg. I suppose with anything there are ways to misuse it, and RSA appears to be really easy to misuse.

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 18:55:40 +0000

> 1. Massively increases server strain and bandwidth usage

A short-lived JWT that fits into an HTTP Header is not going to _massively_ increase your bandwidth usage. At most, you will end up with a single refresh request every few minutes as each short-lived JWT expires.

> 2. Has problems with users less reliable connections (they'll be randomly logged out all the time)

Usually if your request failed due to a bad connection, the client wouldn't be designed to automatically log out the user. That would be just terrible UX.

> 3. Makes "Remember Me" style features impossible (unless you use a server-side store for that, which brings us back to it not being stateless)

Incorrect. A short-lived JWT tied to a refresh token allows for a remember-me style feature by checking account access when issuing a new JWT token.

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 18:48:33 +0000

that would be insanely illegal.

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 15:47:25 +0000

Yeah, if you need that kind of control over token access, then im not certain a jwt is the right tool for the job. For most use-cases a short-lived jwt is fine, as it expires in a matter of minutes, or even seconds, depending on configuration.

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 15:44:53 +0000

I can see that. I suppose when people say they need 'server-side session storage' I start thinking of app state, but in reality it could be as simple as storing a jwt refresh token that would be considered valid.

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 15:30:00 +0000

i have never seen anything anywhere advocating for moving away from RSA. i'm curious to see what their sources are for this claim.

New comment by holtalanm in "JavaScript Object Signing and Encryption is a bad standard (2017)"

holtalanm — Mon, 12 Jul 2021 15:27:50 +0000

> in reality you still need server side state for useful features like logging out

im curious about this. normally 'logging out' just involves deleting the secure http-only cookie where the jwt was stored. is there something I'm missing here?

New comment by holtalanm in "Console Do Not Track – Proposal for a standard environment variable"

holtalanm — Tue, 06 Jul 2021 18:47:39 +0000

well, good luck getting buy-in from the cli tool devs, then? the other option requires absolutely zero buy-in from homebrew, gatsby, dotnet, or any other cli.

New comment by holtalanm in "Console Do Not Track – Proposal for a standard environment variable"

holtalanm — Tue, 06 Jul 2021 18:46:27 +0000

are there documented cases of these cli tools abusing their telemetry? are they entirely used to pinpoint performance issues and bugs within the tools that implement this telemetry tracking?

if it is the former, i can see there being cause for concern. if it is the latter, this is just pure fear-mongering.

New comment by holtalanm in "Console Do Not Track – Proposal for a standard environment variable"

holtalanm — Tue, 06 Jul 2021 14:52:47 +0000

my question here is:

are we really concerned about console tools overreaching their telemetry? personally, I am not.

I would love to know why others think this is some kind of huge issue, without a bunch of 'what-if' scenarios.

New comment by holtalanm in "Console Do Not Track – Proposal for a standard environment variable"

holtalanm — Tue, 06 Jul 2021 14:49:42 +0000

I liked the Gatsby comment/suggestion a lot better: a tool for automatically setting the do-not-track env flags for all different dev tools.

New comment by holtalanm in "Virtual DOM is pure overhead (2018)"

holtalanm — Tue, 29 Jun 2021 22:04:22 +0000

you don't have to clone it. cloning the object and putting it in Vuex will still result in it being reactive.

`Object.freeze` is what I used. This causes Vuex to not traverse the object for changes. in my case, the objects I was pushing into the Vuex state were essentially immutable once I pushed them in, so this did the ticket.

well, that, and only pushing partials of the entire state, so the object model didn't get too unwieldy. To get the total state, i just replayed the changes on top of the base state. base state was reset once the number of changes got to a certain size.

New comment by holtalanm in "Virtual DOM is pure overhead (2018)"

holtalanm — Tue, 29 Jun 2021 14:09:33 +0000

> In my experience it has never, ever been the JS rendering layer which has caused unresponsiveness in an application.

Implemented a undo/redo stack on top of Vuex once that worked on some very large data structures.

Got unresponsiveness after only ~3 changes to the data. Purely due to how Vuex checks state for changes. No network, no database; purely in the frontend client.

Ended up needing to freeze the state as I pushed it into the Vuex store, so Vuex wouldn't check previously pushed state for changes.

My point is, there are multiple places where, if you are building an app of scale, you can run into client performance issues.

New comment by holtalanm in "JavaScript Is Weird"

holtalanm — Mon, 28 Jun 2021 19:28:32 +0000

> The site is called "JavaScript Is Weird", not "Weird Javascript"

am i being punkd?

New comment by holtalanm in "JavaScript Is Weird"

holtalanm — Mon, 28 Jun 2021 13:22:54 +0000

> Calling these things weird is fair enough but I can't help thinking this is code you'd never actually write outside of the context of a "Look how weird JS is!" post.

That is the whole premise of the site, though. They even say that these examples aren't common syntax or patterns before you start.

New comment by holtalanm in "AWS BugBust"

holtalanm — Fri, 25 Jun 2021 16:07:50 +0000

Most of the comments are completely dunking on Amazon for this, though.

New comment by holtalanm in "Hasura GraphQL Engine and SQL Server"

holtalanm — Fri, 18 Jun 2021 18:42:15 +0000

best solution is to use int/long primary keys, with a uuid column that has a unique index. then the uuid can be used with public-facing apis.

New comment by holtalanm in "80% of orgs that paid the ransom were hit again"

holtalanm — Fri, 18 Jun 2021 18:34:49 +0000

Doesnt this just mean that 80% of orgs that were hit with ransomware attacks just didn't bother to fix their infosec, and got hit again because they left the same holes open to be exploited?

Fool me once, shame on you. Fool me twice, shame on me.

New comment by holtalanm in "Ohio Republicans close to imposing near-total ban on municipal broadband"

holtalanm — Thu, 17 Jun 2021 18:10:51 +0000

almost like having competition drives innovation up and prices down.

too bad most ISPs have literal monopolies over entire regions of people.