DEV Community: Shobhit🎈✨

Psst... I can build this in a weekend!

Shobhit🎈✨ — Tue, 27 Feb 2024 16:10:00 +0000

What can you really build in a weekend?

The core functionality with happy path? Probably, yes.

But will it be useful? I doubt it.

Can you add support for settings so users can customize the workflow in that weekend?

What about error states when things go awry?

What about security?

The mobile or desktop optimized version?

What about compliances needed to serve?

And onboarding, so users can actually get some value out of it?

Admin panel? Customer support tool integration? Handling weird payment flows? Marketing site?

Converting a weekend hacked up prototype, to a proper functioning business takes a lot of time and effort.

Yes, you can come up with a prototype that users can use and play around with, and you should to reduce time to feedback!

But don't belittle other people's work of turning prototypes to a proper business with a flippant attitude.

Originally written on my site. Would love to hear your opinion! :)

Building and Deploying an Amber app in 2 days

Shobhit🎈✨ — Fri, 29 Jun 2018 06:54:49 +0000

This was originally posted on my blog.

Yesterday night, I deployed my first Amber app to production. It’s a JSON hosting service for your mobile and web apps. I call it JSON Keeper.

The app is very simple and straightforward right now. It only has one screen with no user accounts. You simply go to the site, paste your JSON and receive a URL where it’ll be hosted.

Building the app was very similar to Rails experience. Amber has the good old MVC structure, and regularly spits out response in microseconds.

It took me some time to internalize that it is reporting things in microseconds. I kept comparing the response time of Amber app to a Rails app. This was a bit disappointing as I saw 300ms for Rails and 300 µs for Amber app.

Later when I looked closely at the unit of time did it all make sense.

Developing this app was a refreshing experience. I was concerned that strong typing will get in the way of productivity but it rarely happened. Although I did run into a weird bug which produced itself only on production, but that’s a story for another time.

Speed

Yes, any post from a Rubyist trying out new frameworks and languages will invite speed comparison, but it’s true. Crystal is a blanzingly fast language and when deployed by creating an optimized binary, the response time is mind blowing.

As I had said a few paragraphs ago, Amber is generating a response in less than 1 millisecond. Think about that! A similar Rails app deployed with MRI and passenger takes 200 milliseconds or so to generate a response.

Needless to say, Crystal (and Amber) is really giving us great speed with a pleasure to work with language.

“Fast as C, Slick as Ruby” is true!

Deployment

Deployment experience very nice with Amber. You can build a binary to copy paste (or scp) to your server and it have all required files, and code to run the server. No need to install and maintain dependencies on your servers any more. This also helps us while sharing our app with others.

This is pretty similar to how Go lang does it deployment.

On top of manually building and deploying, Amber gives you some deploy recipes out of the box. Currently it supports Digital Ocean and Heroku, with support for AWS, Azure, GCP coming soon.

This is kind of like Capistrano integrated in framework itself with native support and the ability to spin up servers. Although, I didn’t use this feature as I wanted to experience the native way of deploying Amber/Crystal apps.

Stability

Stability can be measured on two different parameters – How stable is the server once deployed, and how stable is the framework/language in terms of incorporating breaking changes with new releases.

The servers seems to be very stable. I did some load testing on it and while Ruby/Node servers start responding slowly, I saw no such issue with Amber.

The framework and its APIs though are largely work in progress. I myself contributed a couple of commits to the framework and reading through the code and discussions shows you that the framework, and possible even the language, will have breaking changes in next releases.

To be fair I’ve used Amber v0.8.0 and Crystal v0.25.0 so these kinds of things are expected.

Conclusion

I am super excited about future of these two little technologies. Writing Crystal is a pleasure and it provides a lot of things which Ruby by its nature cannot. All Crystal (and Amber) now need is a serious corporate backing and they’ll explode in popularity.

What is the funniest thing a non-developer has asked you about code?

Shobhit🎈✨ — Thu, 31 May 2018 14:46:12 +0000

For me, it was a client who was scared about the language I'll use and had to ask this:

I just couldn't control my laughter. :)

What's yours?

Simple String encryption in Rails

Shobhit🎈✨ — Fri, 25 May 2018 07:46:53 +0000

If you've ever implemented any kind of SSO, you'll have encountered "relay state". Relay state is a parameter you send to your identity party, and they send it back to you without any modification so you can identify the user who just authorized.

It's a pretty common flow, used by Google as well as many other OAuth providers.

When I was a new programmer, I simply sent the user_id of the user as relay state and did a User.find(user_id) to fetch user.

Why do I need to encrypt User ID

So, imagine this, if you signed up for my service, and then later wanted to add your Google credentials, you'd click on a button and it'll take you through the whole authorization workflow, in the end making a Webhook request with relay state as your user id, in plain text.

This was pretty bad as now some user capable of doing Inspect element can change the user_id from their number to any integer and my application would think the other user has authorized. Now they can use "Login with Google" on the sign in page and simply log in as that other user.

Insecure af.

When I was adding a Stride integration to my app which notifies when a certificate is going to expire soon, I had the same problem as their official docs ask us to add a button where you add a relayState parameter. Their application sends us a webhook once the user has added our app. The user is not redirected back to our site, unlike Slack.

So the only way of identifying the user was with that relayState and leaving it to plan user_id would mean if you change the button's value and click on it, you will potentially get notified when other user's certificates are going to expire.

Encrypting the User ID

To combat this issue, I added two little functions to my helper class and called them encrypt and decrypt. The functions looked like this:

# Assuming your Secret Key Base is in Rails.application.secrets.secret_key_base

def encrypt text
  text = text.to_s unless text.is_a? String

  len   = ActiveSupport::MessageEncryptor.key_len
  salt  = SecureRandom.hex len
  key   = ActiveSupport::KeyGenerator.new(Rails.application.secrets.secret_key_base).generate_key salt, len
  crypt = ActiveSupport::MessageEncryptor.new key
  encrypted_data = crypt.encrypt_and_sign text
  "#{salt}$$#{encrypted_data}"
end

def decrypt text
  salt, data = text.split "$$"

  len   = ActiveSupport::MessageEncryptor.key_len
  key   = ActiveSupport::KeyGenerator.new(Rails.application.secrets.secret_key_base).generate_key salt, len
  crypt = ActiveSupport::MessageEncryptor.new key
  crypt.decrypt_and_verify data
end

How `encrypt` works

Encrypting a text requires a key and salt. Decrypting an encrypted text requires the same key and salt, otherwise this won't work.

We generate a salt with these lines:

len   = ActiveSupport::MessageEncryptor.key_len
salt  = SecureRandom.hex len

Once we have our salt, we can use the Rails' secret_key_base as a "key" to generate a cryptographic key.

key   = ActiveSupport::KeyGenerator.new(Rails.application.secrets.secret_key_base).generate_key salt, len

Using this key, we create an encryption object crypt

crypt = ActiveSupport::MessageEncryptor.new key

and then we encrypt our text via:

encrypted_data = crypt.encrypt_and_sign text

Now, we could have simply returned this encrypted_data and provided this as a relay state, but since salt was generated randomly, we would know what it was and so won't be able to decrypt this data.

I used a trick from Rails' has_secure_password and bcrypt, and returned a string which contains salt and encrypted_data as you can see from the last line of encrypt method:

"#{salt}$$#{encrypted_data}"

This returns a string where you have both salt and encrypted_data and the user can't change this to other user's ID without knowing your secret_key_base.

How `decrypt` works

Once you understand the encrypt method, decrypt id fairly straightforward.

The decrypt method accepts a text parameter, from which it extracts salt and data (or rather encrypted_data).

salt, data = text.split("$$")

Once you have the salt with us, we create the crypt object, just like we did in the encrypt method:

len   = ActiveSupport::MessageEncryptor.key_len
key   = ActiveSupport::KeyGenerator.new(Rails.application.secrets.secret_key_base).generate_key salt, len
crypt = ActiveSupport::MessageEncryptor.new key

And then, we decrypt the data:

crypt.decrypt_and_verify data

which we return back from the method.

Conclusion

This is a pretty simple method of encrypting and decrypting a user_id or any other data.

In an ideal scenario, you would create a table and keep a user's token for an application, which you would send as a relayState and use it again to identify the user back. It takes time to get that perfect, so this simple encryption and decryption works amazing to get up and running as quickly as possible.

But in the long run, you'd build out a table to keep all this information secure and more robust. That's what I've done with my app. :)

If you're an expert in security, could you tell me if there's something that I've done here which would make it unsecure? Thanks!

Monitor your HTTPS certificate expiry with this script

Shobhit🎈✨ — Sat, 19 May 2018 08:26:15 +0000

Last year's new years eve, I got a call from my client. They said their website was infected by a virus and no one can access it.

Now, my client runs a juice shop, and had no idea about how the web technically works, so I discarded the "virus" issue but he said site can't be accessed so I fired up Firefox in my phone and I saw the Your connection is not secure page.

Ever since Let's Encrypt came out of beta, I've used it to convert all my and my clients' sites to secure connections via HTTPS. I had set up a cron as instructed by certbot to renew the certificates regularly, but it used to fail every once in a while because I didn't update the python packages, or something like that. Let's Encrypt is kind enough to send a mail before expiring, but initial installations were done by an employee.

Since it was 31st of December, I was at a party and no where near my machine with which I could ssh into the server and slay this beast. I had JuiceSSH on my phone using which I SSHed into the server (thank god I had added my keys as authorized), updated the packages and renewed the certificates.

All this while people around me were counting backwards from 10.

Not taking a pledge

This wasn't even the first time this was happening so I decided then and there that I am going to solve this problem for myself. I carefully chose not to make it my new year's resolution otherwise I'll be telling the same story next year.

So on 1st January, I wrote a Ruby script (more about which in a minute) and kept improving it to catch all sorts of red flags with HTTPS installations including if a certificate is revoked, affected by the Symantec mess, is self-signed or is past/near the expiry date, validating the chain of trust, etc. The script eventually converted into a nice little piece of web app called Monitor Certificates, but let's get back to talking about the script now.

Getting the certificate

First thing you'll need to do is procure the certificate from a domain. Surprisingly, this was difficult to achieve. I am a big fan of HTTParty for making requests with Ruby, but unfortunately I couldn't find a way to get it to return certificates.

So I went one layer down the abstraction and used Net::HTTP. To get a certificate, you have to run

require 'net/http'
require 'openssl'

domain_name = "example.com"

uri = URI::HTTPS.build(host: domain_name)
response = Net::HTTP.start(uri.host, uri.port, :use_ssl => true)
cert = response.peer_cert

This gives you an object of certificate in the cert variable. This variable is of the type OpenSSL::X509::Certificate. These are called X.509 certificates, and they are the standard for public key certificates.

X.509 certificates give us a lot of details about the certificate including who issued it, when it was issued, when it will expire, how to find if it is revoked, and a plethora of other useful information.

Finding the expiry dates

To find the date when the certificate will be invalid, you just need to call cert.not_after. This returns a Time object which tells us when the certificate will expire.

So if you want to be notified everyday for 2 weeks before the certificate is supposed to expire, your script will look like -

require 'net/http'
require 'openssl'

domain_name = "example.com"

uri = URI::HTTPS.build(host: domain_name)
response = Net::HTTP.start(uri.host, uri.port, :use_ssl => true)
cert = response.peer_cert

two_weeks = 14 * 86400 # 14 * One Day

if Time.now + two_weeks > cert.not_after
  # send reminders
end

Reminding your self

You can use lots of things to send these reminders. I've now implemented SMS, Emails (to multiple people), Slack and Stride in my app.

I have some friends who use this script to push mobiles notifications to themselves (using Pusher), web notifications, geckoboard updates, adding to To-Do lists, adding to trello boards, etc. Any communication platform is fair game.

For example, if you're on a Mac, there's a neat little command you can use to send a notification to yourself.

So I'll incorporate that command in our script to send us notifications.

require 'net/http'
require 'openssl'

domain_name = "example.com"

uri = URI::HTTPS.build(host: domain_name)
response = Net::HTTP.start(uri.host, uri.port, :use_ssl => true)
cert = response.peer_cert

two_weeks = 14 * 86400 # 14 * One Day

if Time.now + two_weeks > cert.not_after
  time_remaining = (cert.not_after - Time.now)
  days_remaining = time_remaining / 86400

  `osascript -e 'display notification "Certificate for #{domain_name} will expire in #{days_remaining.to_i} days. Please renew soon." with title "#{domain_name}"'`
end

I removed the if condition and ran the script and the output looks like this today

Now all you need to do is add it to your crontab and it'll keep reminding you when your certificates are getting close to renewal.

Conclusion

Obviously, the script that I've shown you isn't the most elegant piece of software but it gets the job done. If you want to monitor multiple domains, just turn the script into a method and run the method against each element of your array of domain_names.

We've just scratched the surface here but it's a solid start to build your monitoring infrastructure and more features here to make sure your certificate hasn't been revoked, or if it's a paid certificate, who is the issuer.

I have added all this and more in my app to help keep on top of HTTPS issues.

Hope this was helpful for people like me who keep breaking their Let's Encrypt automation, or forgetting that a cert is up for renewal and management forgot to tell you that they are getting mails from vendors to issue a new one. 😁

For the next post, would you like me to show you how browsers determine if a certificate they are receiving has been compromised or revoked?

Happy Coding!

Why I am not going to attend Hackathons anymore

Shobhit🎈✨ — Tue, 17 Apr 2018 13:25:57 +0000

Originally published on my blog.

There was a Hackathon by our local government a few days back and the whole situation was insane. They almost brought me to tears.

It was a 36-hour Hackathon and it felt like torture for the participants. Some of them fainted, some of burned out, and I could see the “passion for coding” vanish from their eyes.

I had a follow-up discussion, two days after the event with the participants and most of them were of the opinion that they don’t want to code for some time. They burned out.

Was it really worth it? If you kill yourself to haphazardly finish a project in X hours, and then burnout and be unproductive for the next month, is it really justified to do so?

Problems with Hackathons

1. The toxic culture

Hackathons promote a toxic culture where you’re supposed to write code because you’re passionate about coding, in a highly caffeinated, intoxicated environment. This not how you work daily, in a sustainable manner.

You need proper sleep to work well, and create something worthwhile, of good quality.

You need good food in your stomach, and a clear focused mind to complete your project.

Hackathons are the exact opposite of these. They provide you with access to lots of Pizza, Beer, and Coffee. Alcohol and Caffeine might help you focus in the short term, but they are diuretics and you lose more water in the long term.

2. Exclusive

It’s not really inclusive because only young developers, with no responsibilities and ample of free time can manage to participate.

Women tasked with the household responsibility won’t be able to participate. Senior developers, with kids waiting for them don’t participate. Developers with back-pain, who are not allowed to sit for a long time, won’t participate.

Only the naive junior developers, with no previous burnout experience are the people I’ve seen participating and enjoying Hackathons.

3. Social and distractions

I can either code or I can be social and meet other people. I can’t do both at the same time, or else I won’t be able to do anything well.

If you want me to socialize, create a social event where expectations are clear, and if you want me to code, create a distraction free environment. The current system doesn’t give me the freedom to focus on anything, consequently making it a waste of time.

In conclusion

Hackathons really screw up your health and lead you to a burnout, mess with you sleep cycles, and create bad code quality. Most of the projects made in a hackathon go nowhere.

As I start getting older (and hopefully wiser), I realize that a sustainable work rate is always better than this burst of code.

Hackathon’s most powerful idea is to do focused work on something other than your daily job. I think that’s Hackathon organizers should embrace that, but their motives are very different.

A Hackathon I’d like to organize would give people time constraint, and allow them to do other things during the event. Work for 8 hours on a new thing, and then done, go home.

After all, Hackathons are a wordplay on Marathons, then why do they feel like an unsustainable sprint?

DEV Community: Shobhit🎈✨

Psst... I can build this in a weekend!

Building and Deploying an Amber app in 2 days

Speed

Deployment

Stability

Conclusion

What is the funniest thing a non-developer has asked you about code?

Simple String encryption in Rails

Why do I need to encrypt User ID

Encrypting the User ID

How encrypt works

How decrypt works

Conclusion

Monitor your HTTPS certificate expiry with this script

Not taking a pledge

Getting the certificate

Finding the expiry dates

Reminding your self

Conclusion

Why I am not going to attend Hackathons anymore

Problems with Hackathons

In conclusion

How `encrypt` works

How `decrypt` works