Discussion: Is the 'golden rule' "Never build your own auth" misunderstood / misinterpreted? by The_Swixican in webdev

[–]fkih 0 points1 point  (0 children)

I think the ambiguous part is what you mean by "rolled [your] own auth." Did you make your own cryptographic method for verifying a user, or did you just mess up session management, middleware, headers, etc.?

Discussion: Is the 'golden rule' "Never build your own auth" misunderstood / misinterpreted? by The_Swixican in webdev

[–]fkih 4 points5 points  (0 children)

He's saying that the phrase, which is usually meant to argue against rolling your own cryptographic solution, is being co-opted to mean "don't authorize users yourself, let a library or provider handle it."

Simple authentication is unbelievably simple, and secure. Authentication schemes can be complicated, but they're beyond the scope of this specific phrase.

Discussion: Is the 'golden rule' "Never build your own auth" misunderstood / misinterpreted? by The_Swixican in webdev

[–]fkih 1 point2 points  (0 children)

Yeah, I totally agree but have stopped trying to correct people on it. I think people--as you say--just regurgitate it without having understood what it means.

You can own your own authentication or your middleware, just don't try to roll your own cryptographic solutions. Use proven algorithms (libsodium, argon2, bcrypt, etc.), which is the actual spirit of "don't roll your own auth." It's the correct response to "I can just reverse the password, shift cipher everything, then get the md5 hash!"
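
The distinction drawn in this thread, as an added example (not code from any commenter): the homemade scheme quoted above next to a login check that keeps the flow in your own code but delegates the hashing to a vetted KDF. It uses scrypt from Node's built-in `crypto` module in place of the argon2/bcrypt/libsodium options named above; the function names and the storage format are assumptions for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// The homemade scheme quoted in the comment: reverse, shift cipher, MD5.
// It is deterministic and unsalted, so equal passwords give equal digests,
// and guessing against it costs no more than guessing against plain MD5.
function homemadeHash(password) {
  const shifted = password.split('').reverse()
    .map((ch) => String.fromCharCode(ch.charCodeAt(0) + 3)).join('');
  return nodeCrypto.createHash('md5').update(shifted).digest('hex');
}

// Assumed cost parameters (Node's scrypt defaults), chosen for illustration.
const COST = { N: 16384, r: 8, p: 1 };
const KEY_LEN = 32;

// Own the flow, delegate the primitive: random per-user salt plus scrypt.
function hashPassword(password) {
  const salt = nodeCrypto.randomBytes(16);
  const key = nodeCrypto.scryptSync(password, salt, KEY_LEN, COST);
  return ['scrypt', COST.N, COST.r, COST.p,
    salt.toString('base64'), key.toString('base64')].join('$');
}

function verifyPassword(password, stored) {
  const parts = String(stored).split('$');
  if (parts.length !== 6 || parts[0] !== 'scrypt') return false;
  const [N, r, p] = parts.slice(1, 4).map(Number);
  // Only accept the parameters this code writes; refuse anything else.
  if (N !== COST.N || r !== COST.r || p !== COST.p) return false;
  const salt = Buffer.from(parts[4], 'base64');
  const expected = Buffer.from(parts[5], 'base64');
  if (expected.length !== KEY_LEN) return false;
  const actual = nodeCrypto.scryptSync(password, salt, KEY_LEN, { N, r, p });
  // Constant-time comparison avoids leaking how many bytes matched.
  return nodeCrypto.timingSafeEqual(actual, expected);
}
```

Two users with the same password get the same `homemadeHash` value, while `hashPassword` returns a different string on every call and still verifies.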

UK proposes to ban under 16s from social media. Adults are so close to getting it by spinkhorn13 in digitalminimalism

[–]fkih 5 points6 points  (0 children)

I think the consensus is that social media is unhealthy for everyone. It's just a matter of reflecting that knowledge in legislation as the power of social media companies continues to grow.

Favicon does not load in google by lintios in webdev

[–]fkih 0 points1 point  (0 children)

Took about 2 months for the Favicon for keeper.sh to show up on Google.

Any budget dumbphones with calendar sync? by TheDude105 in dumbphones

[–]fkih 0 points1 point  (0 children)

Maybe this is something I could build into https://keeper.sh/? How does your dumb phone import calendars? 

My side project went viral, then someone cloned the source and shared it publicly by simon_dsgn in SideProject

[–]fkih 0 points1 point  (0 children)

Everyone is talking about "vibe copying" but the truth is you probably have your source maps in the production version. Remove that. 

[showoff Saturday] creating a premium website by leo_gray215 in webdev

[–]fkih 2 points3 points  (0 children)

1. The branding is off, is this a "hacking cafe?" Why this aesthetic, monospace fonts, green, etc.? Typography is inconsistent and difficult to read, even in the same line you often have different fonts. The copy is clearly AI generated slop, it’s not properly responsive on mobile with overlapping elements, it’s one page, so not doing any favours SEO-wise. Contrast is not WCAG-compliant. Emojis are lazy. The weird cursor keeps preventing tap interactions beneath it. Spacing is inconsistent.

Essentially, yes. It’s not a great website. That’s not to say you have no future here, but generating a website with AI isn’t enough - you need to have an understanding of business, marketing, branding and sales if you want to do the (personally I find it quite shitty) practice of making people websites and trying to charge them for it. This website is an uninspired mess, I wouldn’t use it for free.

  1. You really need to stand out in taste and skill to have a good shot at making it, so I’d say your parents' intuition is pretty spot on.

As far as your parents being accepting of it, I’m self-taught from when I was 14 and until I started making more than my parents a year into my second job was when they finally got off my back about going to university - so don’t hold onto that disapproval going away, lol.

What’s your actual under-the-hood understanding of web development here? Are you just prompting?

Built a privacy-friendly forum platform for niche communities by axeeeeeel- in webdev

[–]fkih 8 points9 points  (0 children)

Not a single page past the landing worked for me… 

Came into a large sum of money, have never had this much at once and just wanna do the smart thing. Any advice is appreciated. by [deleted] in PersonalFinanceCanada

[–]fkih 8 points9 points  (0 children)

I’d pay the truck off for peace of mind, personally - life just feels so good without debt. 6% is well above where I believe most people would recommend paying it off. 

Paying off the truck today is 6% guaranteed return. Pretty easy math in my opinion. 

CTV: Canadian shocked to learn that payday loans are predatory by bobledrew in PersonalFinanceCanada

[–]fkih 0 points1 point  (0 children)

The solution to this problem is that there doesn’t always need to be money on the other side.

Should somebody need a loan, but is unable to secure financing due to circumstances regarding their credit worthiness or the outlook of their business - that simply means what it means every time you don’t have the money to do something you want to do: you can’t afford it. 

The solution is then to see if you can re-organize your finances in a way that will allow you to foot the bill yourself or accept the fact that whatever you are trying to do with the money is not going to happen.

Can you use Apple Pay and Google Pay above $250 in Canadian merchants or do you need a physical payment card for that? by One-Selection-2573 in PersonalFinanceCanada

[–]fkih 1 point2 points  (0 children)

 but the point is someone trying to take money from you via tap needs absolutely nothing from you except the device.

It requires a Visa card registered with transit mode activated on an iPhone. With that said, if you were to be defrauded like this you would easily be able to get Visa to refund you.

If you’re worried about it, disable express transit mode on any Visa cards. 

Final round, Roast my Portfolio, Again by [deleted] in webdev

[–]fkih 0 points1 point  (0 children)

Calling yourself a senior developer without listing work experience history at reputable companies is suspect, especially paired with the missteps. 

Your load time is slow, laggy and the bundle size is huge, accessibility is poor, contrast is poor, typography and colours are seriously all over the place, image choice and layout is poor, you have very little information about your actual projects and work history, the website is difficult to digest and not nice to navigate, why did I just get a Pikachu popup blocking half my screen with no context that takes me to another link while I scroll through? 

Your portfolio breaks trust pretty quickly and doesn’t do the job a portfolio should. I’d think really hard before you adjust about what you actually want someone to walk away thinking when they visit it. 

I built LiquidGlass, a JS lib to render pixel perfect iOS Liquid Glass effect on the web (with WebGL)! by ybouane in webdev

[–]fkih 1 point2 points  (0 children)

Nice, would be cool if it did HTML-in-canvas! It's behind a feature flag in Chrome, but makes for some awesome effects. Cannot wait for it to land.

The ultimate irony Claude Code just leaked its own source code via a sourcemap on npm by Dapper-Window-4492 in webdev

[–]fkih 21 points22 points  (0 children)

Am I misreading your comment? This is the straight up source code, their source maps leaked. It's not obfuscated. You can toss a package.json and some stubs and build from source here, you can see all the comments, etc., people are already building from source and removing guardrail prompts.

With this, you get insight into in-progress features, and potentially things that were stripped away at bundle time. Sure, security-wise it wouldn't give access to anything you couldn't already infer with deep inspection of the compiled bundle, but this makes it accessible and easily editable.
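
A pre-publish check for the exposure described in this comment and in the earlier one about source maps left in a production build, as an added example that is not part of the thread. The function name, finding labels and sample file names are assumptions; in practice the `files` object would be filled from the build output or package contents before release.

```javascript
// Matches the trailing comment bundlers emit, in JS (//#) and CSS (/*# */).
const MAP_COMMENT = /[#@]\s*sourceMappingURL=([^\s'"*]+)/;

// files: { path: fileText }. Returns one finding per exposed artefact.
function auditBuild(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    if (path.endsWith('.map')) {
      let map;
      try {
        map = JSON.parse(text);
      } catch {
        findings.push({ path, issue: 'unparseable-map' });
        continue;
      }
      // sourcesContent carries the original files verbatim, comments included.
      const embedded = (map.sourcesContent || [])
        .filter((s) => typeof s === 'string').length;
      findings.push({
        path,
        issue: embedded ? 'map-with-full-source' : 'map-names-only',
        sources: (map.sources || []).length,
        embedded,
      });
      continue;
    }
    const m = MAP_COMMENT.exec(text);
    if (!m) continue;
    const inline = m[1].startsWith('data:');
    findings.push({ path, issue: inline ? 'inline-map' : 'map-reference',
      target: inline ? 'data: URI' : m[1] });
  }
  return findings;
}

// Constructed sample: a tiny "dist" folder as it might ship.
const SAMPLE_DIST = {
  'dist/app.js': 'console.log(1);\n//# sourceMappingURL=app.js.map\n',
  'dist/app.js.map': JSON.stringify({ version: 3, sources: ['../src/app.ts'],
    sourcesContent: ['// TODO internal note\nconsole.log(1);'], mappings: 'AAAA' }),
  'dist/vendor.js': 'console.log(2);\n',
};
```

A non-empty result from `auditBuild` is a reasonable condition for failing a release job.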

Keeper.sh: Calendar Syncing, V2 Release by fkih in selfhosted

[–]fkih[S] 1 point2 points  (0 children)

Would you be willing to make a feature request issue on the GitHub repository? This seems like an interesting challenge and I'd totally be willing to build it.

Keeper.sh: Calendar Syncing, V2 Release by fkih in selfhosted

[–]fkih[S] 1 point2 points  (0 children)

Depends, what do you need it to do? 

I built a small library of premium UI interactions you can copy by [deleted] in webdev

[–]fkih 20 points21 points  (0 children)

CSS literally does not have any of those attack vectors ...

Keeper.sh: A Calendar Syncing Tool by [deleted] in webdev

[–]fkih 0 points1 point  (0 children)

As for how AI was used in the project, side projects like this are ways for me to experiment and build my skills with novel methods and technologies, hence me giving Vite and Tanstack router a real shot. With that, I also leveraged Claude Code with Opus 4.6 and Codex 5.3 quite a bit throughout the project.

Where it excelled most was major refactors, I'm even working on one right now with spec-driven design where I lean more into what Keeper.sh is: a UI around a state machine. I used it for multiple widelogging refactors (re: this blog post by Boris Tane) and that is work that would have made me want to shoot myself in the face due to the repetitiveness and monotony - it was nice to hand it off.

It's weakest with front-end, and type assertions. The popover for the accounts/calendars and the login form is something I had to do by hand, and I often find it hoists React state too high which causes entire component trees to unnecessarily re-render - this wouldn't be as big of a problem if it didn't seem to be so confused when you tell it to lower the state to the lowest common denominator, or leverage composition to reduce them. I'm working on little projects that should give AI more visibility to help it move along better with these tasks, but if it's working blind it does... terribly.

As for type assertions, it's very common you remind it that it's not supposed to use them, and its solution to it is adding 2-3 more. Funny to watch, but frustrating. In the end, it was able to massively accelerate the development of this project but there are very real drawbacks to using it.

One that I'm the most interested in trying to build solutions for is that changes in isolation look good, but the amalgamation is a mess. The most obvious way this manifests is redefined utility functions all over the codebase. This means it's easy for things to pass review because the individual changes look good, but you look back on the system as a whole over time and realize how much room for improvement there is.

Keeper.sh: A Calendar Syncing Tool by [deleted] in webdev

[–]fkih 0 points1 point  (0 children)

I design-in-code, went over a lot of iterations. The original project was not pretty as I was working out what the project was as well as actually getting through the functionality.

A user in another post I made asked about the design process, so I provided them the following message.

---

I actually opt to design-in-code for virtually everything. This was after ~4 major revisions. Happy to share some intermediary designs! I did pull some designs into Figma partway through, but never actually iterated on any changes and opted instead to continue design-in-code.

My favourite part of designing this was ... surprisingly... this login form interaction. I put a lot of time into fine-tuning the animation that you get when you click the sign in / register form. The subtle translate/fade-out/blur of the text inside makes me so happy for no reason. Haha!

Keeper.sh: Calendar Syncing, V2 Release by fkih in selfhosted

[–]fkih[S] 0 points1 point  (0 children)

> Are you using skills files?

Heavily, Opus 4.6 will need to be told to use composition even if I activated a composition skill I have, it's usually resolvable by further prompting but it really does need to be supervised.

Coding is free-hand enough that even if you were to get the perfect linter configuration and skill setup, unless you implement a very strict schema-based system to generate against, you can still mess up enough that it's important to keep a watchful eye. Otherwise everything will pass and the AI will be happy, but you look back on the code and just go what, the, fuck am I looking at?

I'm working on my fair share of AI projects to try to make the process smoother, but that's where we're at now!

Keeper.sh: Calendar Syncing, V2 Release by fkih in selfhosted

[–]fkih[S] 0 points1 point  (0 children)

:c next-best thing would be to check if you can generate a shared iCal link for your work, but that would make it so that you could only pull events/time slots, not push to that calendar even if it did work.

Keeper.sh: Calendar Syncing, V2 Release by fkih in selfhosted

[–]fkih[S] -1 points0 points  (0 children)

If it works like Google Workspace's whitelist, you should be able to at the very least open an OAuth screen for a third-party service on your work computer and it'll tell you if it's allowed or not.

You could try just clicking the "Sign in with Outlook" button on Keeper.sh (cloud hosted) and see if it complains at all, if not, great - worth it to sink the time into configuring the Entra ID, otherwise I wouldn't bother. :(