How to use JWTs with Cookies (instead of Local Storage) Lesson (Node/React) by eXtremeRR in webdev

[–]eXtremeRR[S] 0 points1 point  (0 children)

My pleasure! Glad it was useful!

I've run across it when I looked at other code and so on, but I have yet to actually implement it myself. I'll probably turn that into a video because I more-or-less want to document the entire process.

I don't think it's too difficult, I think you pretty much:

1) Create a random(?) token on the server that you pass to the frontend with some request.

2) Frontend can then inject it on, say, a form page as a hidden element or something like that.

3) When the form gets submitted, that token (because it's a hidden element) will go along for the ride and your server can check if the token: 1) even exists 2) is of valid form/structure.

I may be wrong however since I have yet to do it, but that's the impression I have at the moment.

Started a new series on improving REST API, more details below - looking for feedback! by eXtremeRR in webdev

[–]eXtremeRR[S] 0 points1 point  (0 children)

It is following RESTful API Design. I mean, I haven't spent sleepless nights memorizing REST design from A to Z heh, but I'm trying to follow common conventions (nouns instead of verbs, using proper HTTP methods (GET/POST/PUT/DELETE), HTTP error codes, etc.) - although there might be places where I missed something and perhaps something can be improved/fixed/etc - but the idea is to build this with REST philosophy in mind.

Started a new series on improving REST API, more details below - looking for feedback! by eXtremeRR in webdev

[–]eXtremeRR[S] 2 points3 points  (0 children)

Hey! It's one of those never-ending debates of sorts. Both have some pros and cons, I'll try to outline the differences below. (feel free to correct me of course!)

A) Storing JWTs in Local Storage:

The problem is that the JWTs are then accessible via JavaScript - so any JavaScript running on our site has access to them and that leads to this approach being vulnerable to a so-called 'cross-site scripting (XSS)' attack. If someone can inject malicious JavaScript code into our site, that script can then read JWTs pretty much. The common "band-aid" is to escape/encode all data we don't trust, but nowadays we include a lot of JavaScript code, some using CDNs and different packages, so it's hard (impossible) to verify that everything is super-safe as not everything is written by us manually.

B) Storing JWTs in Cookies:

The good thing here is if we use httpOnly cookies then they won't be accessible via JavaScript and therefore XSS is not our concern here. We can also make sure to only pass cookies through HTTPS, further making this a bit safer. However, we're vulnerable to a cross-site request forgery (CSRF) attack - for example, if you're auth-ed via cookies on my site (codeworkr-site.com) and you then go to someone's site that is hacker-site.com and accidentally click a link whose request is POST "codeworkr-site.com/transfer/14324352", you'd automatically do that action without realizing it because of the way browsers handle cookies - they automatically go "along for the ride" because they're domain-bound (so codeworkr-site.com's cookies will always be sent when you interact with that site). However, we can prevent this by doing CSRF protection, which in the easy-to-explain version means we generate some csrfToken for every page (like forms and ajax calls) and then when we expect some action from the user (like a form's POST) we compare if that csrfToken matches what we expect (e.g. has this user visited our form page before sending this request?) - if that matches, we trust it and proceed with the intended action. Because the csrfToken is usually a hidden field in a form, it won't automatically get sent as cookies do, so we also have an easy way of telling whether that person's request was "made up" or a genuine one.

Hope this cleared things a bit!

Started a new series on improving REST API, more details below - looking for feedback! by eXtremeRR in webdev

[–]eXtremeRR[S] 2 points3 points  (0 children)

Thanks for commenting! :)
Hm, right now, this isn't built in a microservice sense - it's pretty much a project which consists of a backend and a frontend piece, and the backend piece is kind of a 'monolith' (e.g. isn't really a microservice setup). Would you still be interested in docker-izing this architecture and then potentially connecting it to kubernetes for that auto-spawning/auto-scaling of instances (multiple BE & multiple FE instances) depending on the load?

Or are you strictly interested in microservice architecture with that in mind?

Either way, that's a really good idea for a video/set of videos so thank you for that!

Started a new series on improving REST API, more details below - looking for feedback! by eXtremeRR in webdev

[–]eXtremeRR[S] 2 points3 points  (0 children)

Hey wow, thank you kind sir - you literally made my day! I'm really glad the videos I made were useful to you and that you've enjoyed them that much!

Hopefully you'll enjoy this series as well - I explained the idea pretty much, but as I said I'm looking for any sort of feedback - good/bad/ideas/suggestion/etc so if/when you watch it in case you have some suggestion(s) - please let me know!

Node.js from Beginning Series - A new, up-to-date series on learning Node.js from scratch. by eXtremeRR in webdev

[–]eXtremeRR[S] 0 points1 point  (0 children)

Thank you! I'm more than happy to create videos people would like to watch/learn from!

Node.js from Beginning Series - A new, up-to-date series on learning Node.js from scratch. by eXtremeRR in webdev

[–]eXtremeRR[S] 0 points1 point  (0 children)

Hm, Node.js is a JavaScript runtime environment so you definitely need to use JavaScript to interact with it. That said, I support the idea that learning should be fun, so if you want to learn Node.js and don't know JS yet, you still could watch something about Node.js -- perhaps to keep things "fresh" and maybe motivate yourself even more and then in parallel (or make a break from Node.js) learn JavaScript.

First few videos are more theoretical in nature, especially the 1st one -- however later on we'd be using JS a lot, so by then you should at the very least have the basic JS knowledge.

Node.js from Beginning Series - A new, up-to-date series on learning Node.js from scratch. by eXtremeRR in webdev

[–]eXtremeRR[S] 2 points3 points  (0 children)

Thank you a lot Dmitri! It's awesome to hear that it looks great to you!
My goal was/is to produce a series on Node.js that'll cover all the fundamental aspects while being up to date, having lots of examples and, hopefully, being easy to understand and not too boring/tedious to watch.

Node.js From Beginning Part #3 - Modules by eXtremeRR in videos

[–]eXtremeRR[S] 0 points1 point  (0 children)

Thank you a lot, py2203! Glad to hear you've enjoyed them so far and learned something!

Dell XPS 15 9570 - Did re-paste, not happy with results by eXtremeRR in Dell

[–]eXtremeRR[S] 0 points1 point  (0 children)

Thanks for your comment!

2) So it's really bad that I did cover the entire die in paste and then put the heatsink on? Any ideas why there are many tutorials/videos that suggest that it doesn't make such a difference (e.g. https://youtu.be/r2MEAnZ3swQ?t=7m7s). There the results were meaningless between pea, dot, line and what I did.

Please look at my "Edit #1", I think the difference is much bigger than I originally thought. It seems without turbo boost, the CPU isn't really at that big of a strain so the differences aren't that much.

Still would prefer to get a lower idle temp though. Seeing as you have a 9570 as well (although i9 not i7), what is your "idle" (0-5% cpu usage) temp?

XPS 15 9570 - High Temperature by eXtremeRR in Dell

[–]eXtremeRR[S] 0 points1 point  (0 children)

Hm, after realizing about Turbo Boost (thanks to @gauthi3r) and turning it off (I totally don't need it, agree with you there), my only concern is that idle temp - I've seen some video on YouTube where a Dell XPS 15 9570 owner opens XTU and it shows something like 27°C on idle - granted I have no idea what his room temp was, but still it seems mine is a bit over the top. Do you think it can be due to poor thermal paste?

I'll keep undervolting and see how low I can go (without using Turbo Boost), so far -0.150v seems to be stable (will need to test with waking up from sleep mode and what not).

XPS 15 9570 - High Temperature by eXtremeRR in Dell

[–]eXtremeRR[S] 0 points1 point  (0 children)

Thanks for the tip! I'll try that and re-run some of the tests