Comments by "Biomorphic" (@biomorphic) on "ByteByteGo" channel.

  1. Most company do Scrum + DevOps, which means there is a DevOps engineer as part of the team. This person is basically a system administrator with cloud knowledge, usually AWS, less frequently Azure and GCP. He can't write a program and he has no idea when to use DocumentDB and when DynamoDB. The issue with this approach is that only one person knows how to deploy and running the services. To deal with this issue, sometimes companies create a DevOps team, but this often does not work either, because it becomes a bottleneck. Sometimes developers need very specialised tools, like Kafka, Flink, that DevOps simply can't scale or operate properly, due to the massive amount of configuration required. So for me it's way better if there are no DevOps at all. Facebook instead employs SE in teams called Production Engineering Teams. Basically these are skilled developers with deep knowledge of the operating system and application they run. People who can debug the code. Facebook does not use Kubernetes or ECS or whatever, so these teams ensure a service, or a bunch of services, are up and running. But do not make mistakes, these are not DevOps, these are skilled Software Engineers. What I personally did, as tech lead and CTO, was to create a platform. In small startups I created the platform myself, and then developer used it. My colleagues were surprised we were able to cut 80% of the code. In bigger companies I usually create a team, that I call R&D, but it's basically PE, that is responsible to build the platform. I do not think one solution fits all use cases. But PE for me is better, because the entire team acquires knowledge of the platform using it. They learn how to deploy, how to make improvements to the platform itself. I am a huge fan of PE and monorepo.
    15
  2. You should never send roles and permissions, that would be a huge security breach. You check roles and permissions based on the ID.
    10
  3. You do assume that the token is generated server side, which is not always the case. If your client is a mobile app, then it is much better if you generate the token on the client. The mobile app generates a new token for every new call, signing the token with the private key. The token would then be verified with the public key. The pair (private/public key) is generated during the sign up/sign in process. The public key is stored on the server, the private key in stored on the device keychain. No replay attack is possible in this configuration. Implemented for two different apps, first time 6 years ago. Most people creates a server side token, which is not as secure, because you can steal the token. And generally this token expires after days, otherwise you would have to issue a new token, and maybe ask to relogin every day, which is really annoying.
    5
  4. Monorepo does not have to be mono. If you have three different products, with three different stacks, it does not make sense to have them in the same repo, unless they do share the same pipeline, they have the same dependencies and they do use the same stack. If you have a product with 20, 50, 100 services, then having 100 repos is a nonsense. Different products can have different repos. They will be fully managed by different people, they will use a different stack. If there is no common ground, then use different repos, but do not separate services of the same product in multiple repos, that is stupid.
    4
  5.  @IkechiGriffith  oh, the gap is ginormous. You need to learn a lot about system design and patterns, and gain a significative experience designing systems. Also, I don't think you can be a PE if all you have done is writing bash or Python scripts. You need to be able to write complex software and master at least a programming language.
    3
  6. In fact they should be generated on the client, as I explained in another comment. Even though is not easy to steal a token because it travels over TLS, if stolen, it grants you the permission that that user has. You can't alter the content, because the signature will get verified by the server (so you won't act as a different user), but you can still use it till expires to perform any calls you want according to the privileges associated to the user. If that user is admin, you can create another admin, and then you have full control of that software system.
    2
  7. It is not inefficient. Generating a token is not really time consuming. And it is much more secure, and never requires to relogin or to use a session, which are indeed slow and dangerous. @doxologist 
    1
  8. You are wrong. How do you steal a secret that is stored in the keychain? You need to have access to the device, and you need to know the device password to access the keychain, and even if you have access, the value stored in the keychain can be encrypted. At that point you would need to debug the app itself to see which key is used to decrypt. Considering apps are sandboxed, you are not going to do that, not in a million years. And if you manage, that means you have full control of the device. You can't do shit if you don't have access to the device. But you can steal a token generated on the server any time. Also the token generated by the client can't be reused, because it changes for every call, so you cannot even perform a replay attack. And you don't need any fuckin session. To be able to act like that client you need to be able to generate a token with uid, did, exp, nbf, and sign it with the private key, which means you need to have access to it. You can steal the token as many times you want but you cannot ever use it. Meanwhile if you steal a token generated by the server, you can use it multiple times, and even alter it. And by the way, generating a token on the client is what Apple does. You all go for the easiest, or better, the most used solution, which is often the worst. Sessions should never be used.  @marklnz 
    1
  9. First of all, it is true not all the clients are mobile apps (but they can be), but in fact you don't use the same method. You generate the token when the client is indeed an app (Android or iOS, they do both have a keychain). When the client is the browser, you do store the JWT in a cookie, and you tie the cookie to the IP, so that a stolen cookie cannot be used outside your network. Unfortunately there is not other way around it if a client is the web browser. Sure, you can install the app on your phone, assuming you were able to hack the phone of someone else who has legit credentials, and you stole his private key from the keychain (very very very very unlikely), but the keychain you are using is related to the did, and the did (device ID) of your device is different, so the token that the app generates on your phone is invalid. You can push as much as you want, but generating the token on the client, when the client is a mobile app, is much more secure, especially if the mobile app is the only client you have. You cannot perform any attack, unless you steal the phone, and you pass the biometric, having full access to the device. Also this system ensures that a user can use his set of credentials on a single device, so that different users cannot share their credentials and pay for a single license, which is something you cannot do otherwise. I studied this stuff, I know what I am talking about. If I did the thing this way is because I deeply studied the subject. Maybe in the future, with WebAssembly, we'll have a way to make it work also inside the browser. Maybe it is already possible, I do not know. @marklnz 
    1
  10. Who said that the private key is shared, and also, where is written that such a key should be stored on the server? When you do generate a key pair for ssh, for example, you do that on your own machine, and you store your public key in the authorized_keys file on the servers you want to access. The same approach can be used for mobile applications. It is MORE SECURE (I repeat it again), than generating the key pair on the server, because it is not susceptible to the replay attack, and it does not require to relogin or refresh. Also the token cannot be stolen, because a new one is generated for every call. Can you understand? If you cannot, then you choose the wrong profession.
    1
  11. What you do not get is that a signed token can be stolen, and can be used to perform a number of calls by the attacker, using the permission of the authenticated user. What I have described, and successfully implemented, is a way of magnitude more secure. Either you do not understand it, either you are one of these people who want to be right at all costs. In any case, I am giving up on you, my time is precious. @Jen-kx3oh 
    1
  12.  @M3t4lstorm , you are mistaken. You know, if you assign admin role to a user, and then you revoke that role, the token will still be valid and it will still have admin permissions. There is the possibility that the token will be stolen, and used by someone else who will act as an admin. This can cost you a lot. You should not use JWT for authorization, but only for authentication. You fetch roles and permissions after you have authenticated the user. People need to stop doing things because are convenient or common. A common practise is not necessary a good one. In fact Scrum sucks, but everyone is using it. And this is just one of the many examples I can provide.
    1
  13.  @PouriyaJamshidi  no, it's not, they have completely different skills. Both SRE and PE are programmers, DevOps are not, in fact, they do write scripts and configuration files. SRE need to be able to debug a system, and they have extensive coding experience. Their understanding of an application goes beyond the networking, they can look into the code and see what is wrong. They can even build debugging tools, if necessary. PE are senior programmers, architects, with an extensive experience in system design. They know about patterns, frameworks, databases and operating systems. They can build a software system from scratch, they can refactor an existent application, they are architectes at core. PE > SRE > DevOps
    1