DEV Community: Ely The latest articles on DEV Community by Ely (@edeckers). https://dev.to/edeckers https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3559082%2F048052b3-6c42-4db8-bd63-ceee3556673a.jpeg DEV Community: Ely https://dev.to/edeckers en Building an MCP server: teaching AI assistants about backups Ely Sun, 15 Feb 2026 19:30:54 +0000 https://dev.to/edeckers/building-my-first-mcp-server-teaching-ai-assistants-about-backups-21g5 https://dev.to/edeckers/building-my-first-mcp-server-teaching-ai-assistants-about-backups-21g5 <p><em>My journey into the Model Context Protocol</em></p> <p>Today I built a Model Context Protocol (MCP) server to connect AI assistants with <a href="https://github.com/bareos/bareos" rel="noopener noreferrer">Bareos backup infrastructure</a>. Join me as I walk through building this integration and share what I learned along the way.</p> <p>Or if you just want to see the result, check it out at <a href="https://github.com/edeckers/bareos-mcp-server" rel="noopener noreferrer">https://github.com/edeckers/bareos-mcp-server</a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xhn1i1qjbfbce1gmz1p.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2xhn1i1qjbfbce1gmz1p.webp" alt="Photo of a clown puppet" width="800" height="533"></a><em>Photo by <a href="https://unsplash.com/@venczakjanos" rel="noopener noreferrer">János Venczák</a> on <a href="https://unsplash.com/photos/a-close-up-of-a-statue-of-a-clown-jpZ3jjGs1W0" rel="noopener noreferrer">Unsplash</a></em> </p> <h2> What is MCP? </h2> <p>The Model Context Protocol is Anthropic's solution for giving AI assistants like Claude access to external tools and data. It's a JSON-RPC based protocol that runs over stdin/stdout.</p> <p>The concept is straightforward: instead of manually running <code>bconsole</code> commands, copying output, and pasting it into a chat, you ask <em>"show me the last 10 backup jobs"</em> and the AI fetches it directly from your Bareos Director through the MCP server.</p> <h2> Why Bareos? </h2> <p>I've been managing my backups with Bareos for a while now. And while <code>bconsole</code> is powerful, it requires remembering specific command syntax for listing jobs, checking storage pools, or viewing client status.</p> <p>Being able to query backup infrastructure conversationally, like <em>"why did last night's backup fail?"</em> or <em>"how much storage is left in the Full pool?"</em> seemed like a practical use case for MCP.</p> <h2> The journey </h2> <h3> Understanding the Protocol </h3> <p>MCP is a JSON-RPC protocol with three main operations:</p> <ol> <li>Initialize: Server announces capabilities</li> <li>List tools: Server describes available tools</li> <li>Call tool: Client executes a tool with arguments</li> </ol> <p>And that's pretty much it. The rest is tool implementation and error handling.</p> <h3> Read-Only by design for now </h3> <p>I deliberately kept everything read-only initially, so no starting jobs, deleting volumes, or pruning backups. Just queries. This was a practical decision: I wanted to understand the protocol and tool design without worrying about accidentally breaking production backups. Mutable actions are planned for later versions.</p> <h3> Emergent behavior </h3> <p>The interesting part came when I realized Claude could answer questions I hadn't explicitly coded for, and which would require multiple bconsole queries. Ask it "Which clients haven't backed up in the last 24 hours?" and it will:</p> <ol> <li>Call <code>list_jobs</code> to get recent jobs</li> <li>Call <code>list_clients</code> to get all clients</li> <li>Compare the two</li> <li>Provide an answer</li> </ol> <p>I built primitive tools; the AI combines them to answer complex queries. That's the real value of MCP: you're building composable primitives, not a comprehensive API.</p> <h2> What I learned </h2> <h3> Tool design matters </h3> <p>The quality of tool descriptions directly impacts how well the AI uses them. Vague descriptions lead to mistakes. Clear, specific descriptions with parameter explanations work reliably.</p> <p>For example:</p> <ul> <li>Don't do this: "List jobs"</li> <li>Do this: "List recent backup jobs. Use the limit parameter to control how many jobs are returned (default: 50)"</li> </ul> <h3> Testing without an AI assistant </h3> <p>You can test MCP servers with just echo and pipes:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>echo '{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}' | \ ./bareos-mcp-server </code></pre> </div> <p>No need to configure Claude Desktop or spin up a full client. Just send JSON-RPC over stdin. It is actually how Claude will interact with the server, and it is very useful for debugging.</p> <h3> Build for composition </h3> <p>Don't try to predict every query users might want. Build small, focused tools that can be combined. The AI is surprisingly good at figuring out how to compose them.</p> <h2> Recommendations for building MCP servers </h2> <ul> <li>Start with a tool you already use. Pick something you interact with regularly, you'll understand the use cases and catch issues faster.</li> <li>Begin with one tool. Get one tool working end-to-end before adding more. I started with <code>list_jobs</code> and expanded from there.</li> <li>Write clear descriptions. Tool descriptions are the AI's only guide.</li> <li>Be specific about parameters, formats, and return values.</li> <li>Test with raw JSON-RPC first. Verify your tools work with manual calls before involving an AI assistant. Faster iteration, clearer debugging.</li> <li>Start read-only if safety matters. Read-only operations let you learn the protocol without risking production systems. Add mutations once you're confident.</li> </ul> <h2> Try it yourself </h2> <p>The code is open source at <a href="https://github.com/edeckers/bareos-mcp-server" rel="noopener noreferrer">https://github.com/edeckers/bareos-mcp-server</a> with installation instructions for both Claude Code and Claude Desktop.</p> <h2> Useful resources </h2> <p>Building your own MCP server? These resources helped me:</p> <ul> <li><a href="https://modelcontextprotocol.io/" rel="noopener noreferrer">https://modelcontextprotocol.io/</a></li> <li><a href="https://docs.anthropic.com/claude/docs" rel="noopener noreferrer">https://docs.anthropic.com/claude/docs</a></li> <li><a href="https://github.com/modelcontextprotocol/typescript-sdk" rel="noopener noreferrer">https://github.com/modelcontextprotocol/typescript-sdk</a></li> <li><a href="https://github.com/modelcontextprotocol/servers" rel="noopener noreferrer">https://github.com/modelcontextprotocol/servers</a></li> </ul> <p><strong>Built something with MCP or considering it? Let me know in the comments!</strong></p> <p>If the Dutch language doesn't scare you, and you'd like to know more about what keeps me busy aside from my pet projects, check my company website <a href="https://branie.it" rel="noopener noreferrer">https://branie.it</a>! Maybe we can work together on something someday :)</p> ai mcp programming devops Building Flipr: a URL shortener, one commit at a time Ely Sun, 09 Nov 2025 21:09:46 +0000 https://dev.to/edeckers/building-flipr-a-url-shortener-one-commit-at-a-time-gnb https://dev.to/edeckers/building-flipr-a-url-shortener-one-commit-at-a-time-gnb <p><em>Part 1: the simplest thing that could possibly work</em></p> <p>Welcome to the first post in a series that dives into the world of distributed systems building on Kubernetes, using as a subject <strong>the "Todo application" of systems design</strong>: a URL shortener we'll call <strong>Flipr 🐬</strong>.</p> <p>The goal is to build an actual, functioning, deployable system, designed to scale from a single instance to a distributed cluster on Kubernetes.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj7hgoxzfiwhxvn0w4ong.webp" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj7hgoxzfiwhxvn0w4ong.webp" alt="Photo of a happy dolphin in the water, who I like to think is named Flipr" width="800" height="533"></a><em>Photo by <a href="https://unsplash.com/@louangm" rel="noopener noreferrer">Louan García</a> on <a href="https://unsplash.com/photos/dolphin-in-body-of-water-Xsq5ie5f498" rel="noopener noreferrer">Unsplash</a></em> </p> <h2> What this series is and what it is not </h2> <p>This series focuses on building a distributed, scalable URL shortener and the architectural decisions behind it. To keep that focus sharp, I'm intentionally omitting several things that would be critical in a production system, such as:</p> <ul> <li> <strong>No unit tests:</strong> focus is on architectural evolution, not a production-ready codebase</li> <li> <strong>Minimal input validation:</strong> basic checks only, not production-grade security hardening</li> <li> <strong>No abuse prevention:</strong> there will be rate limiting, but anti-spam measures won't be covered</li> <li> <strong>No user accounts:</strong> this is a simple shortener demonstrating distributed systems concepts</li> </ul> <p>So, if you're looking for a complete, production-ready URL shortener, <a href="https://github.com/topics/url-shortener" rel="noopener noreferrer">check GitHub and take your pick</a>. But if you want to understand how distributed systems are built and how to benchmark architectural improvements, you're in the right place!</p> <h2> Requirements &amp; scale targets </h2> <p>Before we write any code, let's define what we're building toward. I'm intentionally keeping the performance targets vague, because actual throughput and latency will depend entirely on the hardware you deploy to.</p> <p>And while we don't define hard performance targets upfront, we'll be benchmarking each iteration and comparing results throughout this series. This way, we can demonstrate that our architectural evolution actually improves performance and scalability, not just adds complexity.</p> <p><strong>Functional Requirements:</strong></p> <ul> <li> <strong>Short Code Specifications:</strong> <ul> <li>Length: 6-7 characters</li> <li>Character set: a-z, A-Z, 0-9 (62 characters)</li> <li>Namespace: 62^7 = ~3.5 trillion possible codes</li> </ul> </li> <li> <strong>URL Constraints:</strong> <ul> <li>Max original URL length: 2,048 characters (browser-safe)</li> <li>Short code lifetime: Indefinite (no expiration)</li> </ul> </li> </ul> <p><strong>Design Goals:</strong></p> <ul> <li> <strong>Horizontal Scalability:</strong> add more instances to handle increased load, rather than relying on bigger servers</li> <li> <strong>Read-Heavy workload:</strong> expect redirects to vastly outnumber shortening requests (typical 10:1 ratio or higher)</li> <li> <strong>Storage growth:</strong> design for millions of short codes with room to grow</li> <li> <strong>Low latency:</strong> keep both shortening and redirects fast (sub-100ms when possible)</li> </ul> <h2> So where do we start? </h2> <p>The best place to start is with the simplest possible implementation of the core functionality: shortening URLs and redirecting to them. From here, we can iteratively add features, optimizations, and infrastructure components, each time motivated by a real need that arises from the limitations of the previous version.</p> <p><strong>Before we dive into code, a quick note on approach (you should skip this if you don't care for me getting all philosophical)</strong></p> <p>When you start simple and get something working, storage methods, scaling strategies, and database schemas follow naturally from the problems you encounter, not from upfront speculation.</p> <p>Over my career, I've met countless developers who approach this in the exact reverse order, and I used to be one of them: I'd start with the database model, design the perfect schema, plan the caching strategy, and then try to build the application around it.</p> <p>Starting with the database model, however, locks you in early. For starters it decides <em>that</em> you'll be using a database, maybe even a particular brand. <strong>But an application should dictate storage, not the other way around</strong>.</p> <p>Now I build production applications differently: I build the simplest thing that works, and let the architecture emerge from real constraints. It's not just an approach for this blog series, it's how I work day-to-day.</p> <p>I know this isn't some kind of mind-blowing revelation, but if you've never tried it, I highly recommend it: it's allowed me to demonstrate and discuss with stakeholders early-on, and it's kept my pet projects from stalling out, because when you see something working quickly, you keep those sweet-sweet endorphins pumping instead of getting stuck in architecture decisions and losing interest.</p> <p>Alright, enough with the philosophical digression, let's finally see some code 😅</p> <h2> Flipr 0: let's go ephemeral! </h2> <p>As promised, this first version is intentionally minimal, without any external dependencies such as databases or caching layers: pure business logic and a simple HTTP server. Everything lives in memory, which means it all disappears when the server restarts. Exactly how we like it for now :)</p> <h3> The stack </h3> <p>Nothing fancy, just solid, battle-tested tools that get the job done!</p> <ul> <li> <strong>TypeScript</strong> for adding some sanity ontop of JavaScript</li> <li> <strong>Node.js</strong> as the runtime</li> <li> <strong>Express</strong> for the HTTP server</li> <li> <strong>Winston</strong> for structured logging</li> <li> <strong>Zod</strong> for request validation</li> </ul> <h3> Business logic </h3> <p>Let's start with the core: the <code>Shortener</code> class, which is where all the URL shortening logic lives, completely independent of HTTP, databases, or any infrastructure concerns. By keeping this business logic separate from transport and storage, the code stays clean and testable. As a bonus, we could reuse it in other contexts later, like a CLI tool or a different web framework.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">validator</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./validator</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">NUMBER_OF_CODE_GENERATOR_RETRIES</span> <span class="o">=</span> <span class="mi">10</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">ShortRecord</span> <span class="o">=</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="nl">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">CodeRestrictedError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">CodeRestrictedError</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">FailedUrlRetrievalError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">FailedUrlRetrievalError</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">ShortCodeNotFoundError</span> <span class="kd">extends</span> <span class="nc">Error</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">super</span><span class="p">(</span><span class="nx">message</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">ShortCodeNotFoundError</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">lookup</span><span class="p">:</span> <span class="p">{</span> <span class="p">[</span><span class="nx">key</span><span class="p">:</span> <span class="kr">string</span><span class="p">]:</span> <span class="nx">ShortRecord</span> <span class="p">}</span> <span class="o">=</span> <span class="p">{};</span> <span class="kd">const</span> <span class="nx">generateShortCode</span> <span class="o">=</span> <span class="p">(</span><span class="nx">length</span><span class="p">:</span> <span class="kr">number</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">chars</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">code</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nx">code</span> <span class="o">+=</span> <span class="nx">chars</span><span class="p">.</span><span class="nf">charAt</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">floor</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">random</span><span class="p">()</span> <span class="o">*</span> <span class="nx">chars</span><span class="p">.</span><span class="nx">length</span><span class="p">));</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">code</span><span class="p">;</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">exists</span> <span class="o">=</span> <span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="o">!!</span><span class="nx">lookup</span><span class="p">[</span><span class="nx">code</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">insert</span> <span class="o">=</span> <span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">lookup</span><span class="p">[</span><span class="nx">code</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">url</span> <span class="p">};</span> <span class="p">};</span> <span class="kd">const</span> <span class="kd">get</span> <span class="o">=</span> <span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">ShortRecord</span> <span class="o">=&gt;</span> <span class="nx">lookup</span><span class="p">[</span><span class="nx">code</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">generateShortCodeWithRetry</span> <span class="o">=</span> <span class="p">(</span> <span class="nx">length</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">validate</span><span class="p">:</span> <span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">boolean</span><span class="p">,</span> <span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">code</span> <span class="o">=</span> <span class="nf">generateShortCode</span><span class="p">(</span><span class="nx">length</span><span class="p">);</span> <span class="kd">let</span> <span class="nx">attempts</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">while </span><span class="p">(</span><span class="nx">attempts</span> <span class="o">&lt;</span> <span class="nx">NUMBER_OF_CODE_GENERATOR_RETRIES</span><span class="p">)</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nf">validate</span><span class="p">(</span><span class="nx">code</span><span class="p">))</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">code</span><span class="p">;</span> <span class="p">}</span> <span class="nx">code</span> <span class="o">=</span> <span class="nf">generateShortCode</span><span class="p">(</span><span class="nx">length</span><span class="p">);</span> <span class="nx">attempts</span><span class="o">++</span><span class="p">;</span> <span class="p">}</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to generate a unique short code</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> <span class="kd">type</span> <span class="nx">CodeBlockList</span> <span class="o">=</span> <span class="p">{</span> <span class="na">reserved</span><span class="p">:</span> <span class="nb">Set</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">offensive</span><span class="p">:</span> <span class="nb">Set</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="nl">protected</span><span class="p">:</span> <span class="nb">Set</span><span class="o">&lt;</span><span class="kr">string</span><span class="o">&gt;</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">type</span> <span class="nx">ShortenerConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">shortcodeLength</span><span class="p">:</span> <span class="kr">number</span><span class="p">;</span> <span class="nl">codeBlockList</span><span class="p">:</span> <span class="nx">CodeBlockList</span><span class="p">;</span> <span class="p">};</span> <span class="k">export</span> <span class="kd">class</span> <span class="nc">Shortener</span> <span class="p">{</span> <span class="k">private</span> <span class="k">readonly</span> <span class="nx">validate</span><span class="p">:</span> <span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">boolean</span><span class="p">;</span> <span class="k">public</span> <span class="nf">constructor</span><span class="p">(</span><span class="k">private</span> <span class="k">readonly</span> <span class="nx">config</span><span class="p">:</span> <span class="nx">ShortenerConfig</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">validate</span> <span class="o">=</span> <span class="nf">validator</span><span class="p">(</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">codeBlockList</span><span class="p">.</span><span class="nx">reserved</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">codeBlockList</span><span class="p">.</span><span class="nx">offensive</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">codeBlockList</span><span class="p">.</span><span class="k">protected</span><span class="p">,</span> <span class="p">);</span> <span class="p">}</span> <span class="k">private</span> <span class="nx">test</span> <span class="o">=</span> <span class="p">(</span><span class="nx">code</span><span class="p">:</span> <span class="kr">string</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="k">this</span><span class="p">.</span><span class="nf">validate</span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nf">exists</span><span class="p">(</span><span class="nx">code</span><span class="p">);</span> <span class="k">public</span> <span class="nx">shorten</span> <span class="o">=</span> <span class="p">(</span><span class="nx">url</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">customCode</span><span class="p">?:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">ShortRecord</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">customCode</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="k">this</span><span class="p">.</span><span class="nf">test</span><span class="p">(</span><span class="nx">customCode</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">CodeRestrictedError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Custom code is restricted</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">newShortCode</span> <span class="o">=</span> <span class="nx">customCode</span> <span class="o">||</span> <span class="nf">generateShortCodeWithRetry</span><span class="p">(</span><span class="k">this</span><span class="p">.</span><span class="nx">config</span><span class="p">.</span><span class="nx">shortcodeLength</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">test</span><span class="p">);</span> <span class="nf">insert</span><span class="p">(</span><span class="nx">newShortCode</span><span class="p">,</span> <span class="nx">url</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">r</span> <span class="o">=</span> <span class="nf">get</span><span class="p">(</span><span class="nx">newShortCode</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">r</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">FailedUrlRetrievalError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Failed to retrieve the shortened URL</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">code</span><span class="p">:</span> <span class="nx">r</span><span class="p">.</span><span class="nx">code</span><span class="p">,</span> <span class="na">url</span><span class="p">:</span> <span class="nx">r</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="p">};</span> <span class="p">};</span> <span class="k">public</span> <span class="nx">resolve</span> <span class="o">=</span> <span class="p">(</span><span class="nx">shortCode</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">ShortRecord</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nf">exists</span><span class="p">(</span><span class="nx">shortCode</span><span class="p">))</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">ShortCodeNotFoundError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Short code not found</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">get</span><span class="p">(</span><span class="nx">shortCode</span><span class="p">);</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h3> Let's break this down </h3> <p><strong>Storage:</strong> The <code>lookup</code> object is our entire database. It's a simple key-value store mapping short codes to URLs. When the server restarts, everything disappears. Perfect for now.</p> <p><strong>Code Generation:</strong> The <code>generateShortCode</code> function creates random strings from a 62-character alphabet (a-z, A-Z, 0-9). With a default length of 7 characters, that gives us 62^7 = ~3.5 trillion possible codes. Plenty of headroom.</p> <p><strong>Collision Handling:</strong> The <code>generateShortCodeWithRetry</code> function tries up to 10 times to generate a valid code. "Valid" means it passes the blocklist check <em>and</em> doesn't already exist in our lookup. If we can't find a valid code after 10 attempts, we throw an error. In practice, with trillions of possible codes and an empty database, collisions are very unlikely.</p> <p><strong>Blocklists:</strong> the imported <code>validator</code> function checks three lists:</p> <ul> <li> <strong>Reserved:</strong> things like <code>api</code>, <code>health</code>, <code>admin</code> that can be used to claim authority and exploit unsuspecting users</li> <li> <strong>Offensive:</strong> self-explanatory</li> <li> <strong>Protected:</strong> codes we might want to use for special purposes later, or might be exploited by confusing people, such as names of well-known social media sites</li> </ul> <p><strong>Custom codes:</strong> users can optionally provide their own short code (like <code>flipr.io/mysite</code>). We validate it the same way as generated codes. If it's restricted or already taken, we throw a <code>CodeRestrictedError</code>.</p> <p><strong>Error types:</strong> three custom error classes let the HTTP layer distinguish between different failure modes:</p> <ul> <li> <code>CodeRestrictedError</code>: The custom code is blocked or taken (422 Unprocessable Entity)</li> <li> <code>ShortCodeNotFoundError</code>: The code doesn't exist (404 Not Found)</li> <li> <code>FailedUrlRetrievalError</code>: Something went wrong after insertion (500 Internal Server Error)</li> </ul> <p>This separation keeps the business logic clean. The <code>Shortener</code> class doesn't know anything about HTTP status codes.</p> <h2> Wiring it up with Express </h2> <p>The <a href="https://expressjs.com/" rel="noopener noreferrer">Express server</a> is straightforward. Here are the two main endpoints:</p> <p><strong>Shortening a URL:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/shorten</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">URL shortening request</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shortening_try</span><span class="dl">'</span><span class="p">,</span> <span class="na">originalUrl</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="na">customCode</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">custom_code</span><span class="p">,</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">url</span><span class="p">,</span> <span class="nx">custom_code</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">URLRequest</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">r</span> <span class="o">=</span> <span class="nx">shortener</span><span class="p">.</span><span class="nf">shorten</span><span class="p">(</span><span class="nx">url</span><span class="p">,</span> <span class="nx">custom_code</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">shortUrl</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">baseUrl</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">r</span><span class="p">.</span><span class="nx">code</span><span class="p">}</span><span class="s2">`</span><span class="p">;</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">URL shortened successfully</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shortening_success</span><span class="dl">'</span><span class="p">,</span> <span class="na">shortCode</span><span class="p">:</span> <span class="nx">r</span><span class="p">.</span><span class="nx">code</span><span class="p">,</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">short_code</span><span class="p">:</span> <span class="nx">r</span><span class="p">.</span><span class="nx">code</span><span class="p">,</span> <span class="na">short_url</span><span class="p">:</span> <span class="nx">shortUrl</span><span class="p">,</span> <span class="na">original_url</span><span class="p">:</span> <span class="nx">r</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">API shorten error:</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">shortening_error</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span> <span class="k">instanceof</span> <span class="nx">CodeRestrictedError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">422</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Custom code restricted</span><span class="dl">'</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span> <span class="k">instanceof</span> <span class="nx">FailedUrlRetrievalError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Failed to retrieve the shortened URL</span><span class="dl">'</span> <span class="p">});</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>We validate the request body with <a href="https://github.com/colinhacks/zod" rel="noopener noreferrer">Zod</a>, call <code>shortener.shorten()</code>, and return the result. If the shortener throws one of our custom errors, we map it to the appropriate HTTP status code.</p> <p><strong>Resolving a short code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">/:shortCode</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redirection request</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redirect_try</span><span class="dl">'</span><span class="p">,</span> <span class="na">shortCode</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">shortCode</span><span class="p">,</span> <span class="p">});</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">r</span> <span class="o">=</span> <span class="nx">shortener</span><span class="p">.</span><span class="nf">resolve</span><span class="p">(</span><span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">shortCode</span><span class="p">);</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redirection successful</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redirect_success</span><span class="dl">'</span><span class="p">,</span> <span class="na">shortCode</span><span class="p">:</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">shortCode</span><span class="p">,</span> <span class="na">destinationUrl</span><span class="p">:</span> <span class="nx">r</span><span class="p">.</span><span class="nx">url</span><span class="p">,</span> <span class="p">});</span> <span class="nx">res</span><span class="p">.</span><span class="nf">redirect</span><span class="p">(</span><span class="mi">302</span><span class="p">,</span> <span class="nx">r</span><span class="p">.</span><span class="nx">url</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">logger</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Redirect error:</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">redirect_error</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span> <span class="k">instanceof</span> <span class="nx">ShortCodeNotFoundError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">404</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">&lt;h1&gt;Short URL not found&lt;/h1&gt;</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">;</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p>This is the redirect endpoint. When someone visits <code>flipr.io/abc123</code>, we look up the code and send a 302 redirect to the original URL. If the code doesn't exist, we return a 404.</p> <p>The rest of the Express setup is standard boilerplate: CORS headers, static file serving for a simple web UI, a health check endpoint, and <a href="https://github.com/winstonjs/winston" rel="noopener noreferrer">Winston</a> logging throughout. <a href="https://github.com/edeckers/flipr-distributed-url-shortener" rel="noopener noreferrer">You can see the full server code in this GitHub repo</a>.</p> <h2> Running it locally </h2> <p>Want to try Flipr yourself? The code is open source and ready to run.</p> <p><strong>Clone and install:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/edeckers/flipr-distributed-url-shortener.git <span class="nb">cd </span>flipr git checkout part-1-ephemeral npm <span class="nb">install</span> </code></pre> </div> <p><strong>Start the server:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm start </code></pre> </div> <p>The server will start on <code>http://localhost:8000</code>. You'll see Winston logging output in your terminal.</p> <p><strong>Shorten a URL:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8000/api/shorten <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"url": "https://example.com/some/very/long/url"}'</span> </code></pre> </div> <p>You'll get back a response like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"short_code"</span><span class="p">:</span><span class="w"> </span><span class="s2">"aB3xY9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"short_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://localhost:8000/aB3xY9"</span><span class="p">,</span><span class="w"> </span><span class="nl">"original_url"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://example.com/some/very/long/url"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Test the redirect:</strong></p> <p>Visit <code>http://localhost:8000/aB3xY9</code> in your browser, or use curl:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-L</span> http://localhost:8000/aB3xY9 </code></pre> </div> <p><strong>Try a custom code:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-X</span> POST http://localhost:8000/api/shorten <span class="se">\</span> <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"url": "https://example.com", "custom_code": "mysite"}'</span> </code></pre> </div> <p>If you have the web UI enabled, you can also visit <code>http://localhost:3000</code> in your browser for a simple form interface.</p> <h2> What's next </h2> <p>In the next post, we'll containerize Flipr and create basic Kubernetes configurations using Kustomize. We'll explore how to package the application for deployment and set up the foundation for running it in a distributed environment.</p> <p>The code evolves in branches on GitHub, so you can follow along commit by commit, deploy it yourself, or jump to any stage that interests you. This is designed as a learning resource for understanding distributed systems architecture, and it's fully open source under the MPL-2.0 license.</p> <p>If you spot issues, have suggestions, or want to contribute, open an issue or PR on the repo. I'm building this in public as both a learning exercise and a reference implementation for self-hosting.</p> <h2> Wrapping it up </h2> <p>We started with a simple question: what's the minimum viable URL shortener? Turns out, it's about 150 lines of TypeScript. This ephemeral version won't survive a restart, and it won't scale beyond a single instance, but that's fine and intended: we've proven the concept works, and we have a solid foundation to build on.</p> <p>Next part of this series, we'll dockerize the application and add a basic Kubernetes configuration. See you then!</p> <p><strong>Have you ever started a project by building the database schema first, only to realize later that your application logic didn't quite fit? Or do you prefer starting with the data model? I'd love to hear how you approach greenfield projects in the comments!</strong></p> <p>If the Dutch language doesn't scare you, and you'd like to know more about what keeps me busy aside from writing these blog posts, <a href="https://branie.it" rel="noopener noreferrer">check my company website branie.it</a>! Maybe we can work together on something someday :)</p> typescript kubernetes architecture tutorial Stopping Bad Actors: Inside 1Password’s Security Model Ely Sat, 11 Oct 2025 13:16:23 +0000 https://dev.to/edeckers/stopping-bad-actors-inside-1passwords-security-model-14c https://dev.to/edeckers/stopping-bad-actors-inside-1passwords-security-model-14c <blockquote> <p>This post is <a href="https://medium.branie.it/how-building-useless-software-made-me-a-better-developer-98e9c5f6cbc4" rel="noopener noreferrer">part of a series on my pet projects</a> that I’ve worked on over the years and I feel would be nice to showcase. So if you like this idea, make sure to <a href="https://medium.branie.it/recreating-my-first-computer-an-atari-2600-emulator-7b72279a4afd" rel="noopener noreferrer">check out my Atari 2600 emulator from my previous post</a>!</p> </blockquote> <p><strong>I’ve been using password managers for many years, trusting them with literally everything: from my bank accounts to my inbox; my entire digital life actually. And since you’re reading this, you probably do too.</strong></p> <p><strong>From the moment I started using a password manager, I wondered: how does this actually work? Why is this secure, <em>is</em> this secure? I pieced together a pretty firm idea of how things must work under the hood. And as it turns out, I wasn’t too far off.</strong></p> <p><strong>But there’s a difference between having a mental model and really understanding something. For me, the best way to bridge such a gap is to build it. So I created a <a href="https://github.com/edeckers/lib1password-unofficial" rel="noopener noreferrer">fully 1Password-compatible TypeScript library</a> and turned it into an <a href="https://passwords.lgtm.it/" rel="noopener noreferrer">interactive explainer</a>. I'm a web developer, not a cryptographer, which means security-wise it will leave something to be desired, but the implementation works with real 1Password data, which means I must have understood <em>something</em> 😅</strong></p> <p><strong>Let me walk you through the process, using the credentials of the one and only legendary actor and director Tommy Wiseau, an avid 1Password user and ambassador himself!</strong></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foq4af48s5upmpqk5851j.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Foq4af48s5upmpqk5851j.jpg" alt="Closeup of person gesturing 'ssh' with finger against mouth" width="800" height="512"></a><em>Photo by <a href="https://unsplash.com/@tinaflour" rel="noopener noreferrer">Kristina Flour</a> on <a href="https://unsplash.com/photos/grayscale-photo-of-woman-doing-silent-hand-sign-BcjdbyKWquw" rel="noopener noreferrer">Unsplash</a></em> </p> <h2> Protecting Tommy Wiseau’s scripts and your passwords </h2> <p>Imagine you’re <em>the</em> <strong>Tommy Wiseau</strong>: you’re between takes on your latest project, and you need to access your script notes. But here’s the thing: you can’t afford to have your scripts leaked. Your creative process is <em>unique</em>. Your dialogue is <em>distinctive</em>. One leak and the internet would have a field day.</p> <blockquote> <p>Tommy Wiseau famously starred in the <a href="https://www.youtube.com/watch?v=7h7QG7W14qs" rel="noopener noreferrer">Stopping Bad Actors</a> commercial for 1Password, check it out!</p> </blockquote> <p>So, naturally, you use a password manager, 1Password in particular. But how does 1Password actually protect Tommy’s precious scripts? How does it keep his passwords secure even from 1Password themselves? Let’s find out.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6lq7fapo1fiiaj1st4d5.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6lq7fapo1fiiaj1st4d5.gif" alt="Tommy Wiseau saying he can't elaborate about something, because it's confidential" width="640" height="320"></a>Tommy knows what's up</p> <h2> The Journey: from curiosity to code </h2> <p>Tommy's passwords are stored on 1Password's servers, but they claim they can't decrypt his vault even if they wanted to. How does that work? What's stopping a rogue employee from accessing his script for "The Room 2"? <em>(hey, one can dream)</em></p> <p>I found my answer in 1Password's <a href="https://1passwordstatic.com/files/security/1password-white-paper.pdf" rel="noopener noreferrer">Security Design white paper</a>. It's an excellent read and it's pretty palatable, much more so than I expected beforehand. A recommended read for sure!</p> <p>But understanding theory is one thing. I wanted to implement it. Because for me, the best way to truly understand something is to build it. So I set out to create a <strong>TypeScript library</strong> that implements 1Password's security model, <strong>which is capable of decrypting actual 1Password vault data</strong>; if my implementation couldn't handle the real thing, how would I know I truly understood it?</p> <blockquote> <p>A pleasant surprise: the Web Crypto API, <a href="https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto" rel="noopener noreferrer">SubtleCrypto</a> in particular, handles all the heavy lifting. <a href="https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto#supported_algorithms" rel="noopener noreferrer">PBKDF2, AES-256-GCM, RSA-OAEP, it's all built into every modern browser</a>. No external crypto libraries needed.</p> </blockquote> <h2> And so I verified it can process actual 1Password data </h2> <p>To verify full compatibility, I created a test account, intercepted the encrypted data using <a href="https://en.wikipedia.org/wiki/Burp_Suite" rel="noopener noreferrer">Burp Suite</a> and the <a href="https://github.com/1Password/burp-1password-session-analyzer" rel="noopener noreferrer">1Password Session Analyzer plugin</a> to strip away the custom in-transit encryption layer on top of TLS, and <a href="https://github.com/edeckers/lib1password-unofficial/blob/980b6c2115f4ae738a5a4e7753d1c78e45015ff5/spec/actualPasswordScenario.spec.ts" rel="noopener noreferrer">wrote a test that decrypts the data using my library</a>. The test passes, because the implementation is byte-for-byte compatible with 1Password's production encryption. Pretty cool, right?</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fogrzjyr1jwcwetlwwbxg.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fogrzjyr1jwcwetlwwbxg.gif" alt="Tommy Wiseau saying " width="480" height="270"></a></p> <h2> "But I don't want to look at code, just explain it to me" </h2> <p>Fair enough, let's step through the process of what happens when Tommy unlocks his 1Password vault.</p> <blockquote> <p>It's important to realize that aside from the Account Password, <strong>each of the keys</strong> in the steps below <strong>is randomly generated on your device</strong> when you create your account; 1Password only ever sees their encrypted versions.</p> </blockquote> <p><strong>1. Account Password + Secret Key = Account Unlock Key (AUK)</strong></p> <p>Tommy's password and his Secret Key are combined <em>on his device</em> using PBKDF2 (650,000 iterations), plus some salts here and there, to create the AUK. Which is an intentionally expensive operation, happening once per session. It keeps brute-force attacks at bay, and his Account Password and Secret Key a secret from 1Password.</p> <p><strong>2. AUK decrypts a keyset's Symmetric Key</strong></p> <p>The AUK unlocks a fast <a href="https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt#aes-gcm" rel="noopener noreferrer">AES-256-GCM symmetric key</a>. This key protects Tommy's <a href="https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/encrypt#rsa-oaep_2" rel="noopener noreferrer">RSA private key</a>, while also making it easy to change the <em>Account Password</em> or <em>Secret Key</em>: only the <em>Keyset Access Key</em> needs to be re-encrypted with the new <em>AUK</em>. Everything downstream stays untouched. No need to re-encrypt your entire account.</p> <p><strong>3. Symmetric Key decrypts RSA Private Key</strong></p> <p>The symmetric key unlocks Tommy's RSA private key. Together with the public key, this keypair can decrypt his vault-specific keys without exposing his Account Password.</p> <p><strong>4. RSA Keypair decrypts Vault Keys, which encrypt Tommy's Data</strong></p> <p>Each of Tommy's vaults has its own AES-256-GCM key, encrypted by his RSA public key. These vault keys finally decrypt his actual passwords and data, including those precious script notes.</p> <p>Here's what this looks like in the actual, albeit simplified, response from 1Password's servers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"uuid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rv4ge63poeyompbhty2efk5xxi"</span><span class="p">,</span><span class="w"> </span><span class="nl">"encryptedBy"</span><span class="p">:</span><span class="w"> </span><span class="s2">"mp"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">mp</span><span class="w"> </span><span class="err">/</span><span class="w"> </span><span class="err">auk</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Layer</span><span class="w"> </span><span class="mi">2</span><span class="err">:</span><span class="w"> </span><span class="err">Symmetric</span><span class="w"> </span><span class="err">key</span><span class="w"> </span><span class="err">(encrypted</span><span class="w"> </span><span class="err">by</span><span class="w"> </span><span class="err">AUK)</span><span class="w"> </span><span class="nl">"encSymKey"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PBES2g-HS256"</span><span class="p">,</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"xKj4pR0Ws-FyikpQGSxGk..."</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Encrypted</span><span class="w"> </span><span class="err">symmetric</span><span class="w"> </span><span class="err">key</span><span class="w"> </span><span class="nl">"p2c"</span><span class="p">:</span><span class="w"> </span><span class="mi">650000</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">PBKDF</span><span class="mi">2</span><span class="w"> </span><span class="err">iterations</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Layer</span><span class="w"> </span><span class="mi">3</span><span class="err">:</span><span class="w"> </span><span class="err">RSA</span><span class="w"> </span><span class="err">private</span><span class="w"> </span><span class="err">key</span><span class="w"> </span><span class="err">(encrypted</span><span class="w"> </span><span class="err">by</span><span class="w"> </span><span class="err">symmetric</span><span class="w"> </span><span class="err">key)</span><span class="w"> </span><span class="nl">"encPriKey"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"data"</span><span class="p">:</span><span class="w"> </span><span class="s2">"UN1mx3kJh_Qeqdyt-7Jvq..."</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Encrypted</span><span class="w"> </span><span class="err">private</span><span class="w"> </span><span class="err">key</span><span class="w"> </span><span class="nl">"kid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rv4ge63poeyompbhty2efk5xxi"</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Layer</span><span class="w"> </span><span class="mi">3</span><span class="err">:</span><span class="w"> </span><span class="err">RSA</span><span class="w"> </span><span class="err">public</span><span class="w"> </span><span class="err">key</span><span class="w"> </span><span class="err">(unencrypted)</span><span class="w"> </span><span class="nl">"pubKey"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"alg"</span><span class="p">:</span><span class="w"> </span><span class="s2">"RSA-OAEP"</span><span class="p">,</span><span class="w"> </span><span class="nl">"n"</span><span class="p">:</span><span class="w"> </span><span class="s2">"rwVd9EM4bEwLAI4QWzJhq..."</span><span class="p">,</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Why four layers? </h2> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F698jmkymaurg4xhqfj25.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F698jmkymaurg4xhqfj25.png" alt="A screenshot taken from the interactive explainer, showing a diagram of the 1Password keyset hierarchy" width="799" height="764"></a></p> <ul> <li> <strong>PBKDF2 is slow by design</strong> which adds protection against brute force</li> <li> <strong>Symmetric crypto is fast</strong>, perfect for protecting the larger RSA private key</li> <li> <strong>RSA enables sharing</strong>: vaults can be shared without sending Vault Passwords in plaintext or revealing your Account Password</li> <li> <strong>Per-vault keys</strong> mean compromising one vault doesn't compromise others -** Rolling Account Credentials is simple** only the Keyset Access Key needs to be re-encrypted with the new AUK</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6b87udwv72kjjd4nkdzy.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F6b87udwv72kjjd4nkdzy.gif" alt="Tommy Wiseau exclaiming 'Ha ha ha, What a story, Mark!'" width="480" height="270"></a></p> You right now, probably. My name is not Mark though <h2> Try It Yourself </h2> <p>Want to see this encryption chain in action? Head over to <a href="https://passwords.lgtm.it/" rel="noopener noreferrer">my interactive 1Password explainer</a>. You'll see each layer of the encryption process unfold step by step.</p> <h2> That's Encryption, Baby! </h2> <p>Building this TypeScript implementation helped me understand what the 1Password Security Model looks like and why each layer exists. PBKDF2 slows down attackers and hides your password an secret key from 1Password. Symmetric crypto protects your private key efficiently. RSA enables secure sharing. Per-vault keys contain breaches.</p> <p>Seeing how these pieces fit together and getting it to work with real 1Password data, turned abstract concepts into some pretty thorough understanding.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7jvxx7c1ycp9bpegzls9.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7jvxx7c1ycp9bpegzls9.png" alt="Still from " width="800" height="464"></a></p> Still from "The Room" by Tommy Wiseau <p>If you're curious about the implementation details or want to integrate 1Password vault decryption into your own projects, the full TypeScript library is available at <a href="https://github.com/edeckers/lib1password-unofficial" rel="noopener noreferrer">https://github.com/edeckers/lib1password-unofficial</a>. It's fully compatible with real 1Password data, just don't use it in production, and obviously don't trust a library by some internet stranger like myself with your actual credentials and secrets.</p> <p>For a deeper dive into 1Password's security model, particularly how it works in local client applications, <a href="https://darthnull.org/inside-1password/" rel="noopener noreferrer">David Schuetz's deep dive series</a> is an excellent resource. <strong>Fun fact:</strong> I found his series because I encountered the string <em>"Obfuscation Does Not Provide Security But It Doesn't Hurt"</em> (pretty funny, I think) in the source of the 1Password site, and Googling it, his site was the only hit. <a href="https://darthnull.org/1pass-misc/" rel="noopener noreferrer">He touches on it briefly</a> :)</p> <p>Did this post spark your curiosity about cryptography or password security? Are you working on similar projects, or do you have questions about the implementation? Let me know in the comments!</p> <p>If the Dutch language doesn't scare you, and you'd like to know more about what keeps me busy aside from my pet projects, <a href="https://branie.it" rel="noopener noreferrer">check my company website branie.it</a>! Maybe we can work together on something someday :)</p> typescript webdev security tutorial