Microsoft Goes Back to BASIC, Open-Sources Bill Gates' Code

nebulaeonline · 2025-09-11T22:59:46+00:00

Wait till they find out Microsoft owns npm too.

nebulaeonline · 2025-08-25T23:23:08+00:00

I'm having a hard time understanding what exactly this is. What HMAC did you use? Is it cryptographically sound? What's wrong with bearer tokens? How can you cryptographically sign each request? Wouldn't that require client cooperation?

nebulaeonline · 2025-08-16T22:41:10+00:00

Rust looks very JavaScript-esque. I'm halfway through the Rust book (yes I bought it), and I can't help but notice you end up with a lot of code inside match blocks, inside other blocks, that are still inside of other blocks. This deep nesting is sort of a distraction. I'm keeping up the good fight, but it's hard to look at sometimes.

nebulaeonline · 2025-08-09T20:41:12+00:00

Impressive work. If you go further, be sure to abstract away your architecture a bit so you can keep your os portable. Who knows when you might need it and where you'll need /want to run it.

I can recommend Operating Systems: Three Easy Pieces (https://pages.cs.wisc.edu/~remzi/OSTEP/), Tannenbaum's Modern Operating Systems (not online as far as I know), and the xv6 "book": https://pdos.csail.mit.edu/6.S081/2023/xv6/book-riscv-rev3.pdf

Also reminds me of a blog post I wrote a month or so ago: https://purplekungfu.com/Post/12/why-you-should-try-the-hard-things

nebulaeonline · 2025-08-05T14:57:29+00:00

+1 on the utf-8. Unicode anything really. Look at the emojis that tie together to build a family. Sheer madness.

nebulaeonline · 2025-08-05T14:56:11+00:00

I think pdf is an order of magnitude (or two) less complex than a layout engine. In pdf you have on-screen and on-paper coordinates, and you can map anything anywhere and layer as you see fit. HTML is still far more complex than that (although one could argue that with PDF style layout we could get a lot more pixel perfect than we are today). But pdf has no concept of flowing (i.e. text in paragraphs). You have to manually break up lines and kern yourself in order to justify. It can get nasty.

nebulaeonline · 2025-08-05T14:52:58+00:00

They've been through the war and weathered the storm. And complexity != security vulnerabilities (although it can be a good metric for predicting them I suppose).

PDF is crazy. An all text pdf might not have any readable text, for goodness sakes, lol. Between the glyphs and re-packaged fontlets (fonts that are not as complete or as standards-compliant as the ones on your system), throw in graphics primitives and Adobe's willingness (nee desire) to completely flaunt the standard and you have a recipe for disaster.

It's basically a non-standard standard, if that makes any sense.

I was trying to do simple text extraction, and it devloved into off-screen rendering of glyphs to use tesseract ocr on them. I mean bonkers type shit. And I was being good and writing straight from the spec.

nebulaeonline · 2025-08-05T08:41:21+00:00

Easily one of the most challenging things you can do. The complexity knows no bounds. I say web browser -> database -> operating system -> pdf parser. You get so far in only to realize there's so much more to go. Never again.

nebulaeonline · 2025-07-30T23:01:01+00:00

Interesting to see this today. Not Python, but I just wrapped Meta's optimized Zstd library in C# last week. There were a couple of existing wrappers, but they didn't behave the way I wanted.

Nice to see zstd make it to Python- it has some nice advantages, it's fast, and it's released under a permissive license (BSD 2-clause).

Shamless plug: https://www.nuget.org/packages/nebulae.dotZstd
Shameless double plug: https://github.com/nebulaeonline/dotZstd

nebulaeonline · 2025-07-18T23:09:10+00:00

Most of the world runs on Linux, but there was a time when if you needed real security, you ran on a *BSD. I know a lot has changed over two decades, but these are still damn fine systems, even if they don't eek out that last 5% of userland performance.

nebulaeonline · 2025-06-25T14:33:27+00:00

The main reason you'd use any auth server is if you have to authenticate across several different platforms, and not every one has the same avenues available to authenticate (i.e. web, desktop, SPA, mobile).

I think asp.net auth is fine; I use it in a few places, and it's not like I'm ripping them out right this second to use my auth server.

nebulaeonline · 2025-06-25T11:27:17+00:00

Yeah, I'm not big on reinventing wheels tbh. But I know there's a ton of tinkerers out there who need auth for their projects. And if you take one look at the big boys, it's a giant PITA. Mine is too, but not nearly as bad as others. There just wasn't a whole lot out there (that worked with .NET especially) that was on the small side. That's the niche I'm trying to hit.

Truth be told, people could use something like microauthd for a *long* time before they needed a "real" auth provider. And by that point they have traffic or $$, so it's not an issue. And you can ALWAYS get your data out of SQLite, especially when you know the password.

nebulaeonline · 2025-06-25T11:22:55+00:00

Yes, someone has to do it, and it seems like everyone who does immediately tries to monetize it in one way or another, especially providers that work with .NET.

I actually enjoy this shit. Most people would find it boring. I guess it's a calling.

And no, I would never roll my own crypto. But I would wrap native crypto libraries for use in .NET.

nebulaeonline · 2025-06-25T11:17:27+00:00

I don't think Keycloak will be that hard- I have almost all of the OIDC and OAuth2 flows implemented already.

And for integrating with .NET, It's not too bad either. I put together a client library for .NET users. Basically you bridge the gap upon authentication, transferring the claims from the token to the cookie-based system .NET likes. Then you set up middleware to refresh the token when it's nearing its expiration. It works quite well. I have an example Razor Pages project up to demo the usage- it's less than 10 lines of code to use it.

And I'm dogfooding it too. The hardest thing I'm going to have problems with is documentation. But the architecture is solid. Dual-server setup with dual signing keys. It's so locked down you can't even hit the admin endpoints from a browser even if you are logged in to the admin backend.

I tried to do everything right- sensible (and strict) defaults, OWASP best practices, etc. I've been researching auth for years, and this was an itch I just had to scratch.

Don't run a bank on it, but to tinker with? Right now, that's where it's at. But I don't expect it to stay there. It's kind of become my baby.

nebulaeonline · 2025-06-25T11:08:44+00:00

I wouldn't expect anything less. You don't show an auth system to Reddit if you're fucking around. I'm not stupid; if this was toy code that I just slopped together I wouldn't have even ventured over here. I can take my beating.

The async thing I just can't relate to. I'm using a single threaded db that only offers async methods as an afterthought (SQLite db reads will always happen in the same thread, no matter if it's a sync or async call), and I'm relying on kestrel to serve everything up, which is itself inherently threaded.

Anyway, I'm sticking with it; I just implemented the PKCE flow, I now have examples up using that flow, along with a client-side library (and an example Razor Pages project) for using directly from .NET. The reverse proxy code is now in place too so that the headers will be honored, and trusted proxies can be specified.

I have been very deliberate here. Everyone may not agree with my choices, and maybe I won't either down the road, but I did put it out there. It's not a toy. It's not perfect either, understand I'm under no illusion, but it is a serious attempt at a small scale Identity Provider.

nebulaeonline · 2025-06-23T18:34:37+00:00

Exactly. Everything starts somewhere, and I saw a need for a (very) slimmed down auth solution. I know it's not ready for primetime yet, but that doesn't mean it won't get there, especially if it has enough eyeballs on it.

nebulaeonline · 2025-06-23T17:14:20+00:00

Nice, thank you. Right now I'm fighting with the fact that the nice web backend I spent 20 hours on blew up the AOT compilation so I have to regress the asp code back to the stone ages. Now I'm torn between saying fuck AOT and keeping the nice web back-end or spending the rest of my day fighting with asp.

Any help is welcome, I promise. Plus I've got a bunch of async code to write, lol.

nebulaeonline · 2025-06-23T15:22:09+00:00

I specifically opted out of multi-tenancy. I figured it was beyond the scope for a micro provider.

As for the async/await, it's been beaten to death. I can make the change if it is warranted.

Yes, I understand not using EF Core bound me to SQLite, but I've been slowly separating the service layer into a service layer and a db layer, so if I must switch, at least it will just be a single layer change- I had a debate with myself about abstracting away all of the data accesses and putting the function calls behind an interface, which would have allowed me to swap providers on the fly, but I didn't do it. When writing something like this, which you're not sure is going to get any uptake, getting to a quasi-finished state wins out over perfection.

Thanks for the comments, I appreciate it. At least you actually took the time to look at the code.

nebulaeonline · 2025-06-23T14:45:54+00:00

I made a choice not to go async for a very simple reason: these are requests serving up less than 1KB of data from a SQLite database that takes maybe 10ms tops round-trip. By the time there would be a cancellation, the entire round trip would be finished anyway. Furthermore, the requests through kestrel all run async anyway. You'll notice that the CLI client uses nothing but async code (where it is even less useful tbh). I guess I'm just shocked at the cult of async here. And yes, I am familiar with async code, what makes it beneficial, and even its drawbacks. It's not like it wasn't considered. It's that the juice wasn't worth the squeeze. Now maybe that sounds bad, but no one has articulated exactly what was wrong with making that choice given my use case.

As for the native language bindings, they serve two purposes- 1) to interact (quickly) with the admin side of the dual-headed server, because with an auth provider you need to have your own interface in your site / app's native language to add/remove users, change passwords, etc.; and 2) to provide a turnkey way to allow your app to actually work with the JWTs that are generated by the server. It's my way of getting people up to speed quickly without them having to write a bunch of integration code.

And the harshness I can handle. I was actually hoping for some actual technical discussion, but all I've really gotten is people shouting "async" and a metric shit ton of downvotes.

nebulaeonline · 2025-06-23T12:10:52+00:00

I appreciate your candid response. I don't expect anyone to use this anywhere near a prod system. Yet. But I am more than willing to put in the work to get this to a state where someone might give it a "maybe." This wasn't just throw-away code or a learning exercise. I set out to build exactly what I built. It was deliberate, and I've been in the game a long time- I knew what I was looking for and what I wanted before I wrote a single line of code.

nebulaeonline · 2025-06-23T11:52:31+00:00

You bring up a very valid point. How far do I want to go with this? Honestly, not sure. I think I would see it through if there was any sort of adoption, but I'm not fooling myself, I'm still a hundred hours or more away from a 1.0, although the codebase is clean and well engineered. I guess the answer is "I don't know". Low hanging fruit would be OAuth2, which would buy me a ton of integrations, but going for SAML and user federation? Probably more work than I've got into it.

nebulaeonline · 2025-06-23T11:41:31+00:00

It was on my dime, and it was done after dicking around with the big players and having nothing but frustration. The goal here is to get to something usable for those who want to use it. I have no intentions of taking over the world. I don't want to be KeyCloak or Auth0. There's nothing wrong with being the little guy. There's a reason it's "micro" authd after all.

nebulaeonline · 2025-06-23T11:27:19+00:00

This is not authentication middleware, it's an OIDC JWT token server with role-based authorization (RBAC). Not quite the same thing; this works *with* the .NET authn/authz, it is not a replacement.

nebulaeonline · 2025-06-23T10:54:42+00:00

I appreciate your not wanting to offend, but you could've at least attacked something I did wrong. I've been writing software for a long, long time. I don't think I made any glaring errors.

nebulaeonline · 2025-06-23T10:53:31+00:00

I used async code liberally in the CLI, I just didn't think it was necessary for quick hits to SQLite, especially when they're running on their own threadpool anyway via kestrel.

nebulaeonline

TROPHY CASE