2026-W25
This week I worked on auth/session across both backend and frontend. At first, it looked like a normal series of tasks while preparing the codebase for a mobile client: add Bearer authentication, avoid breaking the cookie flow, split the refresh routes, and bring the frontend to the same model.
But as the work went on, it became clear that the main difficulty was not in the endpoints themselves. The real problem was the contract: some of the rules lived in code and habits rather than in an explicitly defined model.
At some point it became clear that a “smart” universal layer was less useful here than a more explicit split. For the cookie flow — /user/*; for the bearer flow — /auth/*, with clearer rules for carrier semantics, protected endpoints, and conflict scenarios.
Once that contract became stricter, it became easier to see the actual mismatches. The backend mostly matched the intended model in terms of session core and fail-closed semantics, but the transport layer was still too permissive in some places: not every cookie+bearer conflict was rejected explicitly, and some restrictions existed more as informal assumptions than as a clear contract.
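An added example, not code from this post or its codebase: one way to write the carrier rules described above as an explicit, fail-closed transport check in Python. The cookie name, the reason strings and the function names are assumptions; the path is assumed to be already normalized, and validating the session or token itself is out of scope.

```python
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

SESSION_COOKIE = "session"  # assumed cookie name, not taken from the post
# Route prefix -> the only carrier that prefix accepts (the /user/* vs /auth/* split).
ROUTE_CARRIER = {"/user/": "cookie", "/auth/": "bearer"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    carrier: Optional[str]
    reason: str


def _bearer_token(headers: Mapping[str, str]) -> Tuple[bool, Optional[str]]:
    """Return (header_present, token); token is None when the header is malformed."""
    raw = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if raw is None:
        return False, None
    scheme, _, token = raw.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        return True, None
    return True, token


def resolve_carrier(path: str, headers: Mapping[str, str], cookies: Mapping[str, str]) -> Decision:
    """Decide which credential carrier a request may use; anything ambiguous is denied."""
    expected = next((c for p, c in ROUTE_CARRIER.items() if path.startswith(p)), None)
    if expected is None:
        return Decision(False, None, "unknown_route")  # fail closed on unlisted prefixes
    has_auth_header, token = _bearer_token(headers)
    has_cookie = bool(cookies.get(SESSION_COOKIE))
    # Conflict is checked before anything else, so a request carrying both
    # credentials is rejected instead of being resolved by silent precedence.
    if has_auth_header and has_cookie:
        return Decision(False, None, "carrier_conflict")
    if has_auth_header and token is None:
        return Decision(False, None, "malformed_authorization")
    present = "bearer" if token else "cookie" if has_cookie else None
    if present is None:
        return Decision(False, None, "no_credentials")
    if present != expected:
        return Decision(False, None, "wrong_carrier_for_route")
    return Decision(True, present, "ok")
```

Running a table of such cases in tests turns each informal restriction into a named, checkable outcome.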
So for me, the point of the week was not so much the number of shipped changes, but the fact that auth/session became much clearer, and the gaps I found turned into concrete follow-up tasks.
In short: the new transport did not just add more work. It pulled a hidden spec out into the open. That is not very visible in the list of closed tasks, but that was the main shift for me.
What stayed in the background
All the while, job search was there in the background as well — not as a matter of “I should try harder”, but as a constant friction with the format itself. Because of physical limitations, neither voice/video nor speed-based evaluations like live coding are workable for me. At the same time, in a normal hiring pipeline, those things are still treated as the standard way to understand a person. So I am not running only into the market, but also into the process itself: it is much better at recognizing a different type of candidate, while still being treated as a neutral norm. Although in practice, here it seems to be either “neutral” or “norm”.