DEV Community: Nguyen Kim Son

You don't have to use Webpack

Nguyen Kim Son — Sun, 15 Nov 2020 11:12:14 +0000

Nowadays, webpack seems inevitable for a web developer.

But for a conventional, i.e., not a single-page application, using webpack can feel awkward because:

there's no need to have a single JS file: each page is independent and their JS code needs to be isolated.
there isn't much JS code for a conventional web app.

As a web developer, I sometimes feel the urge of adding Webpack to our flow but I just can't justify the utility. Don't get me wrong, I have been using Webpack since its beginning for several SPA projects but it just doesn't add any major productivity boost for our conventional web app.

Sure, with the right configuration, Webpack will help writing the code a bit easier but I'd rather spend the setup and config time on adding features that actually bring values for users. This is even more important for a new project where you want to quickly validate the idea.

Our open-source web app doesn't use Webpack and we never felt the lack of it slows down the development nor affect the code quality.

In fact, we use inline JS and the JS code lives in the same file as the HTML and CSS. That config is nice to work with as you know changes are isolated. In this regard, our page is similar to a VueJS single-file component. And yeah, we use jQuery 😱.

So if you don't find the need of using Webpack in your project and somehow feel shameful about it, don't as you aren't alone!

Your email address is your online identity

Nguyen Kim Son — Sat, 14 Nov 2020 23:51:47 +0000

If you use the same email everywhere, your email becomes your online security number.

And you shouldn't hand out your identity that easily.

Make sure to not use the same email everywhere. It can be as easy as having 1 email for family & friends (Facebook), 1 for professional (LinkedIn), 1 for non-essential stuffs (newsletter, e-commerce, etc). Better yet, you can also have a different email "alias" for each website using service like SpamGourmet, SimpleLogin (disclaimer: I'm its founder), AnonAddy, 33mail.

It's never too late to start protecting our online privacy. Your future self will be thankful :).

Why we left AWS

Nguyen Kim Son — Wed, 19 Feb 2020 03:29:21 +0000

I've always been using AWS for hosting from simple prototypes to critical B2B systems. Thanks to its incredible catalog of products, almost all needs are covered.

So naturally the first version of SimpleLogin is hosted on AWS. And as we are based in Paris, the Paris data center is picked for the proximity.

For past adventures, I mostly use third-party email delivery services like Postmark, SendGrid, SES, etc. Unfortunately their pricing models are based on the number of emails, which are not compatible with the unlimited forwards/sends that SimpleLogin offers. In addition, we want SimpleLogin to be easily self-hosted and its components fit on a single server. For these reasons, we decide to run our MTA (Mail Transfer Agent) on EC2 directly.

I naively believed that would work as AWS is after all a VPS hosting service and everything can be run on EC2. As it turns out, we ended up spending way too much time and effort to have our EC2 instances handle email delivery correctly:

Setting up PTR (or rDNS) record on AWS is only achievable via a request ticket and requires several exchanges. In comparison, on UpCloud (our current cloud provider) this could be done directly on the dashboard.
AWS Elastic IP addresses have a bad reputation. We tried to whitelist these IPs but some RBL (Realtime Blacklist) just take forever. And their UX/UI is terrible. We needed to move fast and I feel this mundane task is slowing us down. After attempts to whitelist some IPs, we tested other, newer AWS data centers hoping for better results. Unfortunately, all Elastic IPs we tried were blacklisted by several RBL.
AWS suddenly decided to block our port 25 claiming our email server had become an open relay which was simply not the case. Fortunately that was before the beta so only we were affected. It would be a catastrophe if this happened to our users. We speculate that AWS wants to push for using their SES (Simple Email Service). SES is a nice service but as explained earlier, it is not compatible with our goals. SES is used by some of our self-hosting users though. There's a section in our self-hosting doc that shows how to plug SES into SimpleLogin.

By our experience, AWS doesn’t have in place a good enough mechanism to stop spammers from using their Elastic IPs, leading to their bad network reputation.

It's time to move

Because of the earlier difficulties, we took a step-back and analyzed our architecture to see if it's really dependent on AWS:

we used RDS to manage the database. RDS is a solid service that saves us from database maintenance stuffs like backups or patching. Its replication is also a killer feature. However SimpleLogin doesn't use the database that much: we basically just need to get the mailbox associated with an alias in order to forward the emails and that's about all. A SQLite database might just as well do the job.
we used CloudWatch for monitoring and log management and CloudWatch is a very good solution to centralize and manage logs. Its pricing is also very attractive. However we don't have to be in AWS to use CloudWatch. As the logs are sent asynchronously, using CloudWatch from another cloud doesn't affect performance. In addition some new log services are quite promising and we'd love to give them a try.
we used S3 to upload files, at the time of writing only for user profile pictures. Writing to S3 is not frequent so same as for CloudWatch, we can use S3 from another cloud. Both S3 and Cloudwatch are disabled when self-hosting SimpleLogin so all components still fit on a single server.

So we decided it’s maybe better to make SimpleLogin cloud-agnostic and we'll just manage the cloud servers ourself. That opens several advantages:

We could experience first-hand the difficulties of self-hosting SimpleLogin, otherwise speaking "eat your own dog food".
We could set up a true redundancy mechanism with SimpleLogin deployed on 2 (or more) separate cloud providers.
This point is not really important but it's just so refreshing to use a simple UI rather than the complex AWS Console.

We studied some popular options like DigitalOcean, OVH (OVH is very popular in France), Linode, etc and decided to give UpCloud a serious try due to several reasons:

They came highly recommended by our friend who has more than 100 cloud servers including some email servers on UpCloud and he seems to be pretty happy with their quality & support.
Their cloud servers are not throttled and able to achieve full performance. We haven't done any benchmark but with the same configuration, we feel UpCloud servers are indeed faster than EC2 ones.
Port 25 is not open by default and unlocking it requires a careful examination which helps to maintain the network reputation.

We started by moving our staging environment from AWS to UpCloud. The hardest part was to replace RDS. We decided to take on managing our database ourself using Docker along with some monitoring and backup scripts. Other components were easy to move as they were already based on Docker.

After extensively testing the staging environment we took the plunge to migrate the rest of our cloud environment. Our entire infrastructure is now running on UpCloud. Despite our cautious expectations that the migration would be a rough journey, in the end, the move was smooth and downtime less than 10 minutes. After deploying all components on UpCloud, the longest step was actually just waiting for the DNS changes to propagate.

Now our service has run on UpCloud for some time and our users report having much better success with email delivery. Time will tell, but so far we are pretty happy with UpCloud.

Our next step is to deploy SimpleLogin on another cloud provider for redundancy. Any recommendation is welcome!

Originally posted on https://simplelogin.io/blog/we-left-aws/

Looking for beta testers for open-source email alias service

Nguyen Kim Son — Fri, 20 Dec 2019 21:22:14 +0000

Hi all!

We are building the first open-source email alias and identity provider service, called SimpleLogin

It works in a similar way to other email alias solution (spamex, mailcare, e4ward, etc) with Postfix as MTA and Python script to handle the email forwarding AND backwarding (we don't know how to call it yet, any idea here?): basically an alias can both receive and send emails.

The code source for both the server and clients (libraries, browser extension) is available on our Github at https://github.com/simple-login/, feel free to check it out! We spent quite some time on the self-hosting instructions, if you have your own server, would really appreciate if you can try it!

Please let us know if you have any questions/feedbacks/critics.
Thanks!

We should have an email for each website

Nguyen Kim Son — Sun, 15 Dec 2019 20:00:20 +0000

Why do I receive so many spams?

When this question was asked by my girlfriend (now wife 😅), my immediate answer was "Stop giving away your email" and I suggested creating a secondary email for "suspicious" websites. In addition, using the same email everywhere is like leaving the same footprint on the Internet, allowing advertisers to cross-reference your online behavior, affecting therefore your privacy.

She followed the advice, created a second email and was happy at first. But now she doesn't even check this mailbox as there are so many spams in it 💁🏻‍♀️.

So creating a second email is not a true solution. She needs more than 2, maybe hundreds. And why not an email for each website? But she cannot go to gmail or outlook to create hundreds of accounts, this is unmanageable. There must be a better way.

The solution, as far as I know, is email alias. An alias is actually a normal email address but all mails sent to an alias will be forwarded to your real email. Alias acts therefore as a shield (or a proxy) for the real email. An alias can be disabled anytime, making the spams stop.

Nowadays, some websites allow to unsubcribe quickly but a lot of them still make unsubscribing a difficult process. Some wouldn't even honor the request. And this doesn't stop the websites from cross-referencing your data with your email being the primary key.

Currently there are several solutions for creating email alias, they might give different names to the email alias though. A quick search on Firefox/Chrome store should give a handful of results. As a founder of such a solution, I would obviously recommend mine 😉 but most of the other solutions also work fine.

Let's make spammers' life harder with email alias!

What future for docker?

Nguyen Kim Son — Thu, 14 Nov 2019 10:13:18 +0000

After Docker enterprise part get acquired by Mirantis, Docker future is unclear. On the bright side, without enterprise bloat Docker might finally be able to concentrate on the core product and make Docker great(er) (again).

What feature do you want to see most in Docker? Or which issue that they should work on now to get their glory back?

Do you prefer one-time fee or subscription?

Nguyen Kim Son — Sun, 10 Nov 2019 21:22:01 +0000

Currently working on the pricing for my SaaS startup, I wonder about which pricing model to apply. It seems that almost all SaaS use subscription billing nowadays and I kind of miss the old day when we can buy a software just once.

Would like to hear what do you guys think, do you prefer one-time fee or subscription billing for a SaaS product?

If you care about user privacy, do NOT use Facebook JS SDK

Nguyen Kim Son — Sun, 03 Nov 2019 08:19:19 +0000

Social Login buttons like the ubiquitous Login with Facebook/Google/Twitter/... button is convenient for users as they don't have to go through a lengthy registration process and create yet another username/password. And without a proper password manager (which probably 99% users don't use), they tend to reuse the same password which is bad in terms of security!

However behind the scene, some SDKs (I'm looking at you Facebook!) inject an iframe in your website to display the Continue as {MyName} or Login with Facebook button. Loading this iframe allows Facebook to know that this specific user is currently on your website. Facebook therefore knows about user browsing behaviour without user's explicit consent. If more and more websites adopt Facebook SDK then Facebook would potentially have user's full browsing history! And as in "With great power comes great responsibility", it's part of our job as developers to protect users privacy even when they don't ask for.

Loading this iframe allows Facebook to know that this specific user is currently on your website

The iframe is actually injected in a second script loaded by the https://connect.facebook.net/en_US/sdk.js:

So what should we do to provide this Login with Facebook button to our users? The good news is this is actually easy as Facebook implements OAuth2/OpenID standard so you can use any OAuth2/OpenID library to add the Facebook login button. You can also add other login providers like Google, Github, Apple ... at the same time as those are also OAuth2/OpenID-compliant.

Here are some ressources to implement OAuth2/OpenID in your app for different languages/frameworks:

JS: hello.js, jso, oidc-client-js. oidc-client-js is used to create some OAuth2/OpenID libraries for frameworks like React, VueJS, Angular, Aurelia as listed on https://github.com/IdentityModel/oidc-client-js/wiki
Python: Requests-OAuthlib, Authlib, Python Social Auth
NodeJS: PassportJS, openid-client.

If you happen to use Flask (Python), I have written an article on dev.to on how to implement OAuth2/OpenID into a Flask application: https://dev.to/simplelogin/create-a-flask-application-with-sso-login-f9m

If you really need Facebook SDK, please ask user consent before loading the SDK or only load the SDK when user clicks on the Login with Facebook button.

Update 1: turns out that Google also uses this practice, more info can be found on https://news.ycombinator.com/item?id=21429482

Should we have a dev.to mobile app?

Nguyen Kim Son — Sat, 05 Oct 2019 13:20:24 +0000

The website is amazingly fast but sometimes the mobile app can be handy, for example when there’s no Internet in metro 🚇. What do you guys think?

What’s the thing you hate the most in Python?

Nguyen Kim Son — Fri, 27 Sep 2019 02:15:07 +0000

Don’t take me wrong, I use Python in most of my projects and Python is my most loved language. But sometimes it still drives me crazy... Some of the things that I’d love to see major changes in Python:

import system: import cycle happens to all Python devs I know and until now there’s still no solution or even an official way to organize modules to avoid this problem.
pip/pipenv/pip-tools/setup.py/... : a Python developer doesn’t need to worry about which tool works best for managing dependencies, there should be only one official way to do it.

So what is the thing that bothers you the most in Python?

Should we use a full-feature IDE when learning a new language?

Nguyen Kim Son — Thu, 26 Sep 2019 15:38:19 +0000

In school I used to use basic text editor (notepad, plugin-less vim, etc) when learning a new language but realized that lot of time is lost for trivial errors (missing semicolon, typo, etc) and wonder if using IDE could be more beneficial in this case. In addition IDE usually comes with easy access to documentation that facilitates code discovery.

At the same time using a basic text editor forces us to really understand and master a language syntax.

What text editor do you prefer when learning a new language?

There are better alternatives to Password Manager

Nguyen Kim Son — Wed, 18 Sep 2019 21:36:53 +0000

Re-using the same password for different websites is bad in terms of security as if a hacker got his hand on a website's database, he/she will have access to your other accounts.

But generating a different password for each website and remembering them is impossible for a human being 😅. That's why Password Managers like LastPass, Dashlane, 1Password, etc are created. Their principle is simple: there's a master password that allows you to manage all other passwords (should we call the other ones slave passwords then 😜?). As loosing this master password will open the port to all our secrets, each password manager has their own multi-factor authentication (MFA) to protect it, ranging from one-time password (TOTP) to printing a secret key that you bring with you all the time.

These tools are gaining more popularity now that users are more and more concerned with privacy but these users are still the minority. One of the reasons is because of the difficult and unusual setup process, especially on phones. But the good news is that now Google and Apple have integrated their own password managers inside Chrome and iPhone/Mac, making the Password Manager concept more accessible to the general public.

So all good right? Not exactly because Password Manager is only half the solution to the security issue. Let me explain.

There are usually two parts to login: the username/email and password. Password Manager only protects the password and not the email. Loosing emails has a less catastrophic effect than the password but if leaked, it can lead to the following consequences:

unsolicited emails, aka spams
social hack: knowing you are on some websites would provide enough information for a sophisticated social hack.

So what is the real solution? For me the solution to both privacy and security is to have different personas online: one for professional work (e.g. Linkedin), one for friends & family (Facebook), one for selfies (Instagram 😄), one for passion (travel, football, etc). These personas are totally independent and knowing one would not reveal the others. The first step to this ideal world is to have different emails and passwords for each website.

Apple has understood that and released the Sign in with Apple button earlier this year. SimpleLogin also works on this challenge by starting with the emails: user can create random email-alias that protects their true personal email. But email is only the first step, next would be other personal information like age, gender, phone number, address, etc. (Disclaimer: I happen to be SimpleLogin co-founder.)

There's also no setup for these SSO buttons: no more additional app to install on the phone and the master password is usually already handled by the browser or the OS directly.

But the challenge is now adoption. Without developers adopting these alternatives and insist staying with the classic username/password, users still need to create their password or use their Password Managers. So make sure to ease your users's life by implementing one of those Social Login buttons 🙏.

Please let username/password rest in peace ⚰️.

Below are some tutorials for adding those social login buttons in different framework/language: