Show more

Rightie it's time! Let's move this thing. And hope it doesn't die in a fire!

Either today or tomorrow, if everything goes according to plan, this little instance will move to a new home.

Will people hate and despise me if I say that I actually enjoy writing web apps using Angular and Typescript? :O

Scuttlebutt seems really nice, but I have a feeling that for it to become popular it has to be less convoluted and confusing for the potential end-user who's not a technical genius. It makes sense to those of us who deal with this stuff often, but I'm pretty sure I'd have the hardest time trying to explain it to my mom for example.

I feel like sharing something so here's yet another unfinished song. Maybe I'll finish it, maybe I won't, but seeing as it's been sitting around for almost 2 years the answer is...probably not. :P

Not sure who needs to hear this but NordVPN is bad people and you shouldn't be using them. Selling of customer data, using Oxylabs, it's all around pretty bad news. It's not worth it. Yes, sorry, it's Medium. (Something else you shouldn't be using btw!) news.ycombinator.com/item?id=2

I guess I'll use Redis for session management instead of JWT then.

Show thread

Or just don't use stateless tokens at all and make that extra call to verify a token after the request is made?

Show thread

What if you used a proxy for your web app to store the tokens, keep all it's state contained and off the client, while providing tokens to people implementing your API that may have better means to store the tokens securely? If you have that kind of access to a device then certainly you could be doing much worse than just steal someone's tokens?

Show thread

Short expiry time and rotating tokens sound like something you should be doing in either case. If someone grabs your token, then it doesn't matter whether or not it's stateful or not, you'll have to invalidate it either way by either re-signing a new token with, for example, a changed password, or by removing it from your session state. What if you used a short JWT as an HTTP only cookie? 4096 bytes sounds like a lot of data, makes sense to not send such a large token with each request anyway.

Show thread

Anyone got a minute to explain to me exactly why JWT's are bad? In the browser, yes, if you're vulnerable to XSS, someone could grab your token. But for authenticating against an API? HTTP only cookies would work for the browser app in this case, so should I use stateful tokens to authenticate against my API from something that's not a website as well? I see way too much conflicting info and I don't have the skill to verify cryptographic properties.

Show more
The Dragon's Cave

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!