This is a weekly roundup of awesome DEV comments that you may have missed. You are welcome and encouraged to boost posts and comments yourself using the #bestofdev tag.
Thank you for posting this. I totally agree. If someone is writing out code and making a computer do anything they are a programmer. I’m sure this rings true for lots of people. I know as a self taught programmer trying to get into a developer role I suffer from imposter syndrome. But, it is important to remember that those feelings are a lot more common amongst developers than we think, especially among those with experience doing it for a living.
I think there's way too much hype around it and people are using JWT because it's shiny!
As our industry shifts our paradigm from monoliths to microservices, knowing JWT is quickly becoming a requirement. Sometimes it is good to use the new shiny toy as an excuse to learn it. Even if your app serves less than 4,000 requests per minute and JWT would be overkill for your application, learning JWT and having practical knowledge of it is also of value.
Many articles will show you how to setup and login with JWT but they ignore the hard parts - Logging users out and blacklisting users
This is one area that is definitely overlooked and also complex. The most common solution for this is on the auth server itself, which will keep a list of users that are authenticated, expiring them when they log out. On each request the token will need to be checked against the auth server to see if the token is still valid. This adds significant overhead.
More commonly, most companies will decrease the expiry of the JWT, so it must be refreshed more often. This is due to the difficulty and overhead of managing a true logout experience.
“JWT is secure”
JWT is secure, but it is at the same time less secure than session based authentication. For example, the JWT is more vulnerable to hijacking and has to be designed to prevent hijacking. An unexpiring JWT can become a security risk.
You are also trusting the token signature cannot be compromised. This can happen if you are using weak encryption, encryption that becomes vulnerable in the future, or having the the private keys compromised. This vulnerability doesn't exist with sessions.
So while JWT is secure, it introduces new attack vectors that need to be considered.
There are valid reason to use JWTs:
- API back end - Your site is static and your back end is an API.
- Micro-service architecture - A very common way of authenticating across disconnected systems.
- To Learn JWT - Implementing JWT in smaller projects is a good way to start learning JWTs.
- Externalizing your authentication to a 3rd party provider like Auth0.
JWTs do not come without their own complixity:
- Security is more complex and needs to be understood.
- Just like how micro-services add complexity, JWT adds the same complexity as the auth is disconnected.
- Simple things like logout become complex and might require changing your expectations and business requirements.
- Doing JWT right is hard.
Python and Ruby are my two favorites. Honorable mention to Bash because it's fun. :)
I've tried to learn more strict static, compiled languages (and I will keep trying, because I think it's an important skill to have), but I can't be nearly as productive or creative as I can in Python and Ruby. I love that you can just throw some code into a file and run it right away. I love that they're forgiving of little things.
I love that they don't have semicolons, and minimal code braces. #spacesbeforebraces #butalsoendkeywords
They don't have huge, giant, opaque, intimidating build toolchains, and they've got a robust standard library that cuts down on how frequently you have to install a dependency, which means that when you do install a dependency, it doesn't install the entire whole world of other people's dependencies.
It's funny that they're so different in their philosophies:
- Python: There should be one way — and preferably only one way to do any given thing right.
- Ruby: There are many good ways to do things (method aliasing, anyone?), and whichever way makes you happy is what you should do.
And both of those things resonate with me, but in different ways and situations.
If Python had blocks and the focus on method chaining that Ruby does:
numbers.filter(&:even?).map(&:to_s).join # happy sigh
I would be very happy.
The only thing that I really feel myself missing is an easy way to deploy my code repeatably to someone else without having them go through a bunch of steps that make no sense because they don't do Python.
But no matter how often I go off to learn another language, I always find myself coming back to Python and Ruby. They're really the only languages that I've ever written something and then sat back and smiled because the code was so slick and pretty.
So anyways... I ❤️ Python and Ruby.
SaaS == Software As A Service. Basically cloud hosted software, web applications, etc. Usually accompanied by a recurring fee.
PaaS == Platform As A Service. Think providers like Digital Ocean, Microsoft Azure, Amazon Web Services, who offer virtual servers, database hosting, etc.
You may well use docker or kubernetes together with your chosen PaaS provider, but not necessarily. Docker and Kubernetes are both pieces of software for "containerising" applications. This essentially makes it easier to deploy your application to different platforms as you can standardise the parts of the environment that are relevant to your application. That's a topic for a whole different post.
BaaS == Backend As A Service. I admit this isn't a term I'd heard before. BaaS providers offer services that let you easily store data, files, handle push notifications, etc. Assuming you don't have any needs that aren't served by their API, it means you can focus entirely on your front-end code, integrate with their API, and they handle the majority of the backside of your application.
Finally, when asked: Do you have any energy and time for your personal goals after a full day of work at your job? @mortoray
discusses motivation, setting goals, and drawing energy from personal projects:
If I didn't pursue my personal goals I'm end up with no energy for life. As it hard as it can seem, your personal goals are the ones that matter. If you dedicate everything to work, and it's not one of your personal goals, you'll find yourself burning out and in a terrible situation.
It's similar to sports. Getting exercise every day isn't an optional activity. If you leave it out, you'll suffer for it. It's irrelevant whether you think you have time or energy, there is no way you can avoid it and remain healthy. I find the same is true of personal goals.
Sure, I'm exhausted some days, and have a terrible lack of time. But the only thing making it worthwhile is that I'm pursuing my own goals.
See you next week for more great comments ✌