Notes for Week 7 of 2021
I got mostly drawn into correctly figuring out cross-service authentication. I spent a lot of time tinkering with OAuth2 and JWT.
Random
- Deleted a file in PyCharm/WebStorm (same as `git rm <file> && git add <file>`) and want to restore it? `git restore --staged <file> && git restore <file>`
- If you want to store files on the global object with TypeScript (e.g. following the Figma tutorial), create `global.d.ts` in your project folder and add:

```typescript
// Ambient declaration: merges into Node's own NodeJS.Global interface
// so that `global.attributeName` type-checks. Replace attributeName/typeName.
declare namespace NodeJS {
  interface Global {
    attributeName: typeName
  }
}
```
- Vercel deploys user applications to vercel.app subdomains. Someone lost patience, and the whole domain is blocked in the phishing army list. If you use it, you need to whitelist your particular deployment domains manually. Update: the domain is not blacklisted anymore.[1]
- Same story for selected datacenters of Digital Ocean, digitaloceanspaces.com and OpenPhish (which also serve build logs for your Digital Ocean’s apps)
- Digital Ocean app spec is not a “template for deployment”, as my mental model had it. Instead, it is the deployment serialization. Changing it changes and overrides the deployment state. Updating an application with the spec overrides any changes that were done in the meantime, like added environment variables (which explains last week)
- If you want to add encrypted environment variables to your application, add them through the website and then download the new spec using `doctl apps spec get <app uuid>`
- If a Django user is marked as `is_superuser`, but not `is_staff`, it can’t log in to Django Admin
- The chopper on Mars is flying OSS; it is on GitHub
- MyST: Markdown + reST, of interest if you like Sphinx
- I soft-enabled DMARC for my almad.net emails. If you expect an email from me to no avail, please reach out as I may have misconfigured something.
Auth0
- Auth0 configuration can be completely done through “GitHub ops.” I haven’t done that myself yet, but I will try.
- It’s possible to blacklist attributes to make sure you are not storing unwelcome PII.
- How to allow only a specific role to access an application.
- Auth0 has two ways to do RBAC. One is built into Auth0, and one is available through the “Auth0 Authorization Extension”, and they have very different capabilities. It’s not always clear which documentation or tutorial is describing which version; pay attention to details.
- Reauthenticating the client in some browsers fails unless the provider is on the same domain; also see the docs around auth and Intelligent Tracking Prevention.
- There is a catch in auth0-spa-js. Calling `getTokenSilently` without an explicit `audience` produces an `accessToken` that is not a valid JWT. This will produce random errors on the server when attempting to validate it. If `audience` is provided to `getTokenSilently`, but not to `createAuth0Client`, it will cause “Login error” or “Consent required”, depending on the state and argument combination. The audience must be provided to both calls (yes, `createAuth0Client` too, even though the README doesn’t mention that) and it must match exactly. Note that “Audience” in Auth0 means “API”, which maps to “Resource Server” in the OAuth2 dictionary. If you also need authorization, then `scopes` must also match in both calls; they must be defined for the given audience/API and must be assigned to the user’s Permissions (or Roles, if RBAC is enabled for the particular API).
- Don’t worry: I have been working with REST APIs for over a decade, I use OAuth2 often, and my head still explodes whenever I have to write sentences like this, let alone try to understand them
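To make the audience/scope pitfall above harder to hit, here is an added example (my own illustration, not code from the original post or from auth0-spa-js): the audience and scope live in one object that feeds both `createAuth0Client` and `getTokenSilently`, and a client-side sanity check rejects an opaque token or a JWT minted for a different audience before it is sent to the API. The tenant, client id, audience and scope values are placeholders, and the sample tokens are constructed; the check is structural only, the API still verifies the signature.

```javascript
// Assumed placeholders: replace with your tenant, client id, API identifier and scopes.
const AUTH_CONFIG = {
  domain: "TENANT.auth0.com",
  client_id: "CLIENT_ID_PLACEHOLDER",
  audience: "https://api.example.com",   // the API ("Resource Server") identifier
  scope: "openid profile read:notes",     // must be defined on that API
};

// Options for createAuth0Client(...): audience and scope included up front.
function clientOptions() {
  return { ...AUTH_CONFIG };
}

// Options for getTokenSilently(...): the very same audience and scope.
function tokenOptions() {
  return { audience: AUTH_CONFIG.audience, scope: AUTH_CONFIG.scope };
}

// Decode one base64url segment of a compact JWS into an object; null if not JSON.
function decodeSegment(seg) {
  try {
    return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// Structural pre-check only (no signature verification, the server still does that).
// An opaque token (issued when no audience was requested) fails the three-segment
// check; a JWT for another API fails the aud check.
function checkAccessToken(token, expectedAudience) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return { ok: false, reason: "not a compact JWS (opaque token?)" };
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  if (!header || !payload) return { ok: false, reason: "header/payload not JSON" };
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expectedAudience)) return { ok: false, reason: "aud mismatch" };
  return { ok: true, reason: "JWT for " + expectedAudience };
}

// Constructed sample tokens for a stand-alone run (not real Auth0 output).
const toB64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const SAMPLE_JWT = [toB64url({ alg: "RS256", typ: "JWT" }),
  toB64url({ aud: [AUTH_CONFIG.audience], sub: "auth0|123" }), "signature-placeholder"].join(".");
const SAMPLE_OPAQUE = "v1.MR5iV2d3Zp4u"; // shape of a token issued without an audience

// In the browser: const auth0 = await createAuth0Client(clientOptions());
//                 const token = await auth0.getTokenSilently(tokenOptions());
console.log(checkAccessToken(SAMPLE_JWT, AUTH_CONFIG.audience));
console.log(checkAccessToken(SAMPLE_OPAQUE, AUTH_CONFIG.audience));
```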
Readings from this week
- Nanotechnology allows chemical signals from spinach to send emails: Triffids approve.
- Why did I leave Google or, why did I stay so long?: Yup.
- No news is… a sign of a stagnating Internet: Whenever the Internet is centralized, it’s a failure. Maybe: I’d argue all of those decentralized innovations were done before the Internet really took off as an economic and political power.
- Why Not Rust?: Useful summary as I am deciding whether to venture there.
- Speak like a human: 12 ways tech companies can write less-corporate blog posts: Good writing advice not just for corporation blogs.
- Clubhouse’s Inevitability: Interesting take on Clubhouse: it just follows the suite of what already happened on the other media.
- A hands-off approach for your Terraform (from FOSDEM 2021): Terraform tips, tricks, and tools.
[1] Vercel’s Head of Engineering reached out in two days. Good job! I am keeping the original text here in case someone else would need to debug a similar issue (see the Digital Ocean issue). It took me a while to figure out why this is happening, as otherwise my blacklists loaded into the router’s adblock don’t cause issues.
Published in Weekly Notes and tagged APIs • Weekly Notes