moyok's comments

moyok | 9 years ago | on: India launches 20 satellites in single mission

Could be worth noting that the pay of an entry level scientist or engineer is less than $1,000 a month, probably making less sense to someone from outside India. It's because of a low cost of living in India.

moyok | 9 years ago | on: JSON Web Tokens vs. Sessions

If the JWT is as long as the refresh token, then what's the point of having a refresh token? You would then probably need to get new refresh tokens to make the session last longer.

The idea is to make the refresh token last for say a few days, and the JWT for say 10 minutes. Now, every 10 minutes the client needs to use the refresh token to get a new JWT. The maximum time a client can have access to the service without a valid refresh token is 10 minutes. All the requests made in this window of 10 minutes would be deemed authenticated by verifying the JWT, and without having to go through the database or cache.

Now, say a user of a web app clicks "log me out from all my devices". The user's access needs to be revoked from everywhere they are logged in. If you invalidate all their refresh tokens, then in a max of 10 minutes they would be logged out from everywhere, as their refresh tokens would no longer work and the JWT duration is only 10 minutes.

This approach is essentially a mid-way or a tradeoff between using traditional sessions and JWT. "Pure" JWT is stateless and hence cannot support individual session revocation. The only way to invalidate sessions in "pure" JWT would be to invalidate the key or certificate used to sign the JWT, but that would invalidate everyone else's sessions as well and hence is not very practical.

Since with this approach you implement sessions plus JWT, it's more complicated than just using sessions. JWT should be used for such applications when the latency or load benefit is significant enough to justify the added complexity. For applications that do not need session revocation, however, JWTs are a convenient way to implement sessions without needing a DB or cache layer.

moyok | 9 years ago | on: JSON Web Tokens vs. Sessions

The point is that it would reduce the DB/cache load, as the refresh token would need to be verified once in a few minutes or so as opposed to verifying it for every request. Regular requests could be authenticated in the CPU itself without having to go through to the DB/cache layer. This means lower latency and reduced load on the DB/cache.

moyok | 9 years ago | on: JSON Web Tokens vs. Sessions

I have personally experienced the security disadvantage you mentioned. I used my Google login to sign into an email client. I immediately realised that the app was going to store all of my email data in their private servers. I quickly went over to the Google dashboard and deauthorised the app, relieved that they would only have been able to get my first few mails in this time. But the app retained access to my emails, even receiving new emails for some time. Probably because of something similar to a refresh token being revoked, but the access token still being valid. I wanted to stop the app from accessing my e-mails, but could not.

However, despite this disadvantage some applications just cannot afford the load of every single request touching the DB or cache. JWT makes sense for that particular use case when you are willing to make this compromise. Instead of every single request touching the cache, maybe every 1000th request does now, because of the token expiration time.

Another use case is when you need a very simple, stateless way to authenticate users and don't require revocation. Some Oauth providers don't give you the option to revoke access tokens, for example.

moyok | 9 years ago | on: JSON Web Tokens vs. Sessions

The thing that scares me about using JWT is that all security completely relies on the one secret that is used to sign tokens - any person with access to that secret has got potentially unlimited access to the app. They can now impersonate any user and do basically anything.

moyok | 9 years ago | on: JSON Web Tokens vs. Sessions

For this, you can use refresh tokens and set the JWT expiration to a low interval - say 10 minutes. After every 10 minutes, the JWT expires, authentication fails, and the client uses the refresh token to get a new JWT. To revoke a client, revoke their refresh token. This way, though they won't be logged out immediately, they would be logged out in a max of 10 minutes when they need to refresh again, and find out that their refresh token is no longer valid. The point is that instead of every request touching your DB or cache, only one request does in every 10 minutes.
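The scheme described in this comment and in the longer "log me out from all my devices" comment above, plus the "one secret" worry raised in the comment before it, as an added worked example (editor's illustration, not code from the thread or from any library): a hand-rolled HS256 JWT so the block runs offline, a server-side table of refresh tokens as the only stateful part, and a walkthrough showing the revocation window and what a leaked signing secret buys an attacker. The secret, user names, timestamps and TTLs are constructed for the example; the `AuthServer` class and its method names are assumptions of this illustration, not a standard API.

```python
"""Short-lived JWT + revocable refresh token (constructed example)."""
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"server-side-signing-secret"  # constructed; in practice a random high-entropy key
JWT_TTL = 600             # 10 minutes, as in the comment
REFRESH_TTL = 3 * 86400   # "a few days"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Mint header.payload.signature with HMAC-SHA256 over the first two parts."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_jwt(token: str, now: float, key: bytes = SECRET):
    """Stateless check: signature then expiry. No DB/cache lookup. Returns claims or None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(payload))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class AuthServer:
    """Refresh tokens are the stateful 'sessions' half; JWTs are the stateless half."""

    def __init__(self):
        self.refresh_tokens = {}  # refresh token -> {"sub": user, "exp": unix time}

    def _issue_jwt(self, user: str, now: float) -> str:
        return sign_jwt({"sub": user, "iat": int(now), "exp": int(now) + JWT_TTL})

    def login(self, user: str, now: float):
        rt = secrets.token_urlsafe(32)
        self.refresh_tokens[rt] = {"sub": user, "exp": now + REFRESH_TTL}
        return rt, self._issue_jwt(user, now)

    def refresh(self, rt: str, now: float):
        """The one request per ~10 minutes that touches server state."""
        rec = self.refresh_tokens.get(rt)
        if rec is None or rec["exp"] <= now:
            return None
        return self._issue_jwt(rec["sub"], now)

    def logout_everywhere(self, user: str) -> None:
        """'Log me out from all my devices': drop every refresh token for the user."""
        self.refresh_tokens = {t: r for t, r in self.refresh_tokens.items() if r["sub"] != user}


def walkthrough() -> dict:
    t0 = 1_700_000_000.0  # constructed clock; passed explicitly so the run is deterministic
    srv = AuthServer()
    rt, jwt = srv.login("alice", t0)
    r = {}
    r["fresh_ok"] = verify_jwt(jwt, t0 + 60) is not None            # accepted without DB access
    r["expired"] = verify_jwt(jwt, t0 + JWT_TTL) is None             # dead after 10 minutes
    jwt2 = srv.refresh(rt, t0 + JWT_TTL)                             # refresh still works
    r["refreshed_ok"] = jwt2 is not None and verify_jwt(jwt2, t0 + JWT_TTL + 1) is not None
    srv.logout_everywhere("alice")
    # Revocation window: the JWT already in the client's hands stays valid until its exp...
    r["still_valid_after_revoke"] = verify_jwt(jwt2, t0 + JWT_TTL + 300) is not None
    # ...but refresh now fails, so after at most JWT_TTL the client is locked out.
    r["refresh_denied"] = srv.refresh(rt, t0 + JWT_TTL + 300) is None
    r["locked_out"] = verify_jwt(jwt2, t0 + 2 * JWT_TTL) is None
    # The 'one secret' problem: whoever holds SECRET mints a valid token for any user.
    forged = sign_jwt({"sub": "admin", "iat": int(t0), "exp": int(t0) + JWT_TTL})
    r["forged_accepted"] = verify_jwt(forged, t0 + 1)["sub"] == "admin"
    # Without the secret, editing the payload breaks the signature.
    header, _payload, sig = jwt2.split(".")
    bad_payload = _b64(json.dumps({"sub": "admin", "exp": int(t0) + JWT_TTL}).encode())
    r["tampered_rejected"] = verify_jwt(f"{header}.{bad_payload}.{sig}", t0 + 1) is None
    return r


if __name__ == "__main__":
    for name, ok in walkthrough().items():
        print(f"{name}: {ok}")
```

Two things the walkthrough makes concrete: `still_valid_after_revoke` is the up-to-10-minute window the comments accept as the price of stateless verification, and `forged_accepted` is why the signing key deserves the same handling as a database root credential (keep it out of application config files, rotate it, and prefer an asymmetric algorithm such as RS256 or ES256 when the services that verify tokens are not the one that issues them, so a compromised verifier cannot mint tokens).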

moyok | 9 years ago | on: Program your next server in Go

I really like go. I just love that it compiles to a native binary and is so easy to distribute. I love the way interfaces work and that types specify interfaces automatically without explicitly specifying that.

I love the "strictness" of the language - for example the code won't compile if you declare a variable and not use it, or import a library and not use it. I love that there is a standard gofmt which means code auto formats to a standard format. These features really help set some "discipline" when working in a team.

I love the way concurrent code can be called easily and the use of channels. I love the performance - it has been more than fast enough for my use cases so far. I love that I can get started with an HTTP server using just the standard library, and the most popular web frameworks in go are micro frameworks.

Overall, there's a kind of a simplicity about the language that underlies all of the above things, and that is what makes me excited about go.

I have used go in some minor projects that have been running peacefully for months without any hitches, and am using it in a big project mostly in the form of microservices and scripts. It has become my favorite language now.

moyok | 9 years ago | on: Ask HN: How to find people to develop your side projects? and vice versa

I used to get paid €500 a month as a developer for a consulting firm, and it was a 12-hours-a-day kind of a job. The firm would then bill its clients $40-60 for every hour I worked. From one perspective it does seem exploitative. But on the other hand, I know many people who still dream of getting that job - the money is not good, but it almost doubles when you get promoted, and the career path is good. It's a really intense place with almost impossible deadlines, and you get to learn a lot from the pressure.

I was recently offered a project where I had to take a complex analytics algorithm implemented in Excel to the server and implement it as an API for ~$250-300. Took me around ~20-30 hours over an extended weekend to write it in golang and I feel good about it. The work was mostly simple transformations on the input data, though a large number of them. It resulted in roughly 1000 lines of code including tests and comments, and a big part of that time was spent actually understanding the algorithm.

Similarly, I did some work as a favor to a friend - a Facebook app that would send some inspiring quotes as notifications to its users every few days. It took me maybe 10-20 hours to get it online. Frankly, I am not so proud of the code as it was written in such a hurry, and is a bit messed up. But to its merit, it's been functional for several months without any noticeable downtime, and has sent thousands of notifications so far without any need to touch the server.

These are the kinds of projects that can be done in a short amount of time without a long-term commitment, and make sense for such a budget. For me at least, $10 an hour is good money, and $25 would be pretty decent. $50 would be something of a dream - I would be making in a day what I used to make in a month at my previous job.

moyok | 9 years ago | on: If no-one helps you after a car crash in India, this is why

This used to happen to me every time I had to go to the airport in the night, and would book some local taxi to do that. The drivers just never cared about the traffic signals in the night.

The prevalent attitude seems to be that traffic rules are more like guidelines and can be broken if it seems "okay" to do so. Driving on the wrong side of the road is for example quite common, and most people do it to avoid making a long U-turn. Someone who I knew was driving a car and had a head on collision with a scooter travelling the wrong way on a highway, and the scooter had three passengers on board (it's called "tripling" and is also pretty common). Sometimes you get to see cars reversing on highways with fast moving traffic, because they missed a turn and wanted to go back.

Things could probably get better in the future though. In New Delhi, for example - according to a new law, if you are caught in a traffic violation (such as ignoring a traffic signal), you lose your license along with the right to drive for three months. I saw somebody's status on Facebook that this happened to them, so it's not just an empty threat either.
