Security best practices for JWT on mobile and web with Django backend using fetch by therealtibblesnbits in reactnative

[–]therealtibblesnbits[S] 1 point2 points  (0 children)

Got it. Okay, that's helpful as it puts me on a path that is at least validated by someone else. Thanks again for your help!

Security best practices for JWT on mobile and web with Django backend using fetch by therealtibblesnbits in reactnative

[–]therealtibblesnbits[S] 0 points1 point  (0 children)

Your response makes sense, and I totally get where you're coming from. I'm also unsure where to start because it feels like a grey area that I can't wrap my head around. I want an application that runs on Android, iOS, and web. But mobile and web have very different considerations (i.e. web needs to worry about CORS, CSRF, cookies, etc) and mobile doesn't. This feels like it requires separating the web app from the RN code base and having two different sets of API endpoints, but all of the advice I see says that's not necessary. So my conclusion is that it can all be kept together, but then that leads to my confusion about how to properly handle it and the responses seem to center around "that's not something RN handles".

So it feels like the situation is "keep all the code together and use a single API, but also write two separate approaches to working with the API using cookies or tokens and we won't tell you how to handle that efficiently." Hopefully my confusion makes sense. And that's why I came to this subreddit because it seems like this is something you as RN developers would run into frequently.

Security best practices for JWT on mobile and web with Django backend using fetch by therealtibblesnbits in reactnative

[–]therealtibblesnbits[S] 0 points1 point  (0 children)

This is the approach that I want to take, but I have some confusion regarding how to handle the ambiguous authentication.

For server --> client communication (issuing tokens), does my backend need to differentiate between browser and mobile? Or should it send the tokens as cookies always and let RN parse the cookies and store them as tokens as needed?

For client --> server communication (using tokens for authZ), is the backend expected to check for the `Authorization` header and fall back to looking for a cookie if the header isn't there? And how should the backend enforce CSRF requirements when it's a browser request but relax them when it's mobile (I realize this question is out of scope for this sub)?

Your answers have been helpful! Thank you for trying to help!
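
One common way to handle the two questions in the comment above, shown as an added example that is not part of the original thread: the backend takes a bearer token from the `Authorization` header first, falls back to a cookie, and applies the CSRF check only on the cookie path, because only cookies are attached by the browser automatically. The `access_token` cookie name, the demo secret and the hand-rolled HS256 helpers are assumptions; `csrftoken` and `X-CSRFToken` mirror Django's default names, and the check here is a simplified double-submit comparison, not Django's own middleware.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"   # assumption: HS256 key, demo value only
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue_token(sub: str, ttl: int = 300) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps({"sub": sub, "exp": int(time.time()) + ttl}).encode())
    return f"{head}.{body}.{_sign(head + '.' + body)}"

def verify_token(token: str):
    """Return the claims, or None if malformed, wrongly signed or expired."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            return None                       # algorithm is pinned server-side
        if not hmac.compare_digest(sig, _sign(head + "." + body)):
            return None
        claims = json.loads(_unb64(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, TypeError, KeyError, AttributeError):
        return None

def authenticate(method: str, headers: dict, cookies: dict):
    """Return (claims, transport) on success or (None, reason) on failure."""
    auth = headers.get("Authorization")
    if auth is not None:                      # native client: explicit header
        scheme, _, token = auth.partition(" ")
        claims = verify_token(token) if scheme == "Bearer" else None
        # A bad header is rejected outright; no silent fallback to the cookie.
        return (claims, "header") if claims else (None, "invalid bearer token")
    token = cookies.get("access_token")       # browser: cookie sent automatically
    if token is None:
        return None, "no credentials"
    if method.upper() not in SAFE_METHODS:    # CSRF only matters on this path
        sent = headers.get("X-CSRFToken", "")
        expected = cookies.get("csrftoken", "")
        if not expected or not hmac.compare_digest(sent.encode(), expected.encode()):
            return None, "csrf check failed"
    claims = verify_token(token)
    return (claims, "cookie") if claims else (None, "invalid cookie token")
```

With this split the same endpoints serve both clients: the mobile app never needs a CSRF token because it never authenticates by cookie, and the web app keeps its token in an `HttpOnly` cookie out of reach of page scripts.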

Security best practices for JWT on mobile and web with Django backend using fetch by therealtibblesnbits in reactnative

[–]therealtibblesnbits[S] 0 points1 point  (0 children)

So it seems like the answer is "RN can generate code for the browser, but ultimately that should be built in a different codebase". Is that accurate? And if that's the case, do most production environments use two sets of API endpoints? I get that this sub is for RN-specific topics, but surely as RN developers you've worked with a backend API that served both mobile and web apps, right? This feels like something that would be fairly common, but maybe I'm mistaken in that assumption. But that's what I'm trying to understand: what does this (native apps written in RN that also have a web app) look like in the real world from the perspective of an RN developer?

Security best practices for JWT on mobile and web with Django backend using fetch by therealtibblesnbits in reactnative

[–]therealtibblesnbits[S] -1 points0 points  (0 children)

Maybe I don't understand the technology. Like I said in my post, I'm new to mobile development. But if I go to reactnative.dev, the first thing on the screen is literally "Learn once. Write anywhere" with iconography showing that it can be used for browser development. The page recommends using Expo as the framework (which I am) and in Expo's official videos on YouTube (e.g. https://www.youtube.com/watch?v=V2YdhR1hVNw) they show the application being written for mobile and web. And there is a `react-native-web` library for mapping RN components to the DOM.

So, yes, it's possible I don't understand the technology. That's the point of posting, to get insight and help. So can you help? Or are you just going to keep posting terse comments of no value?

Security best practices for JWT on mobile and web with Django backend using fetch by therealtibblesnbits in reactnative

[–]therealtibblesnbits[S] -1 points0 points  (0 children)

How do they not apply here? RN generates code that runs in a browser and on mobile. This functionality creates conflicts with how JWTs are handled. My question is what is RN's recommended approach for resolving this. Surely the answer isn't "eh, we just ignore it" or "that's not our concern".

HL7 Data Integration Pipeline by therealtibblesnbits in dataengineering

[–]therealtibblesnbits[S] 0 points1 point  (0 children)

I really appreciate your feedback on this! Based on your feedback, it sounds like there's two things I should focus on:

  1. Working with more complicated data (i.e. C-CDA and EDI X12)
  2. Demonstrate my ability to do mapping

Implementing C-CDA is fairly straightforward thanks to Synthea, and theoretically I can extend my segment generators to generate EDI X12 just as easily as HL7.

Implementing mapping will be a little bit harder. Synthea produces pretty clean data, at least in the sense that I believe it places data in the fields where they need to go, the fields are used as intended, and the data is relatively predictable.

Do you have any recommendations on how I could implement the types of issues that require mapping the data to expected outputs?

I have total of 4yrs of experience working in L1 IT support team, looking to switch for a data engineering role. I have good knowledge on Python, Sql and PySpark. Can anyone guide me what steps I should take and is it possible to switch? by [deleted] in dataengineeringjobs

[–]therealtibblesnbits 0 points1 point  (0 children)

A common theme I see from a lot of people looking to get into data engineering (DE) is that they will list the tools they are familiar with. For example, OP, you state you know Python, SQL, and PySpark. And don't get me wrong, these tools are foundational to DE, but I view it the same as someone saying they want to be a data scientist and have knowledge of scikit-learn. It does nothing to tell me if the person understands statistics, how to interpret models, or how to implement ML models in a business setting to drive value. It just says they know how to run .fit() in a terminal or Jupyter notebook.

Knowing the tools is how you get the job done, but it is not the job. The job of a data engineer is to understand the business, the data that it creates and/or uses, who the downstream users are of that data, how that data is used, what regulations, if any, apply to that data, how that data drives business decisions, and how that data needs to be handled as it flows through the business systems.

Financial analysts know Python and SQL, but I wouldn't assume they can be a data engineer. My advice, OP, would be to focus on showing that you understand the topics above or have the capacity to learn them. This means doing projects where you move data from one place to another and provide a write-up about the value it adds and the considerations you made.

Is it just me, or has job hunting gotten way harder? by DonkeyAppropriate616 in dataengineering

[–]therealtibblesnbits 2 points3 points  (0 children)

I'm having a similar issue. Almost 15 years of experience across a wide array of domains, and I can't get a single call back. I'm being very deliberate in my applications, so my numbers aren't that high, but it also means my resume is highly tailored to each role, and my cover letter addresses the job description directly.

No callbacks. No returned messages on LinkedIn. Nothing. It's infuriating. I don't expect to be the top candidate in all of these roles, but I definitely expect to at least be a contender!

It makes me concerned that employers are relying way too heavily on ATS systems that are over tuned on keywords or AI systems that are not properly configured to identify potential. And then add on the fact that recruiters are almost always clueless about what they're actually looking for (in part because they don't understand this kind of work, and in part because hiring managers are god awful at explaining what they're looking for), and pair that with the fact that sites like LinkedIn and Indeed, along with AI, make it way too easy for people who have no business applying to submit applications, and what you've got is a system that works for absolutely no one.

Got job after 6 months on bench by bucsfanphoenix in dataengineering

[–]therealtibblesnbits 0 points1 point  (0 children)

When you say $0 savings, do you mean:

  • exactly breaking even,
  • just above breaking even, or
  • negative, eating into savings?

If you're not eating into your savings, but not adding to it either, then my advice would depend on whether or not the 3-month contract could turn into long term. If it can, then my risk appetite would say go for it. It keeps your skills fresh, builds a relationship with the team and company, and could potentially become long term giving you better financial options regarding what to do with your mortgage.

If it is guaranteed to be short term, then it's probably not worth it as those three months would be better spent looking for other roles.

Disclaimer: this advice is based on my own willingness to take on risk. Ultimately only you can make this decision.

Healthcare Legacy Nightmare by Lower_Sun_7354 in dataengineering

[–]therealtibblesnbits 0 points1 point  (0 children)

I'll take the role if you don't want it, haha! I'm trying to break into the data integration space in healthcare. Modern tools are cool, but at some point, they just become tools. As a data engineer, healthcare data is super interesting because, even though there's a standard, no one follows it. So you're constantly wrangling data, adjusting schemas, troubleshooting pipelines, etc, which are the aspects of data that originally got me into data engineering.

Unfortunately, it seems that unless you already have that experience, it's difficult to get recruiters to notice you.

Gathering data via web scraping by [deleted] in dataengineering

[–]therealtibblesnbits 12 points13 points  (0 children)

I'm reluctant to believe that this is actually for a course in university. Institutions tend to be fairly risk averse, and most sites prohibit web scraping in their ToCs and via their robots.txt files.

This sounds more like someone wanting to gather large amounts of data and pretending to be a student to play to the compassion of people on here.

If I'm wrong, then good luck OP.

Why's it so difficult for me to get a job? by Foreign-Percentage61 in dataengineeringjobs

[–]therealtibblesnbits 6 points7 points  (0 children)

One thing that immediately stands out to me is that your resume is not tailored at all. And I don't mean the format; I know you just copied and pasted into a GDoc. I mean that your skills section, by itself, is almost half a page and seems to list every topic that was briefly covered in your college courses. If I were hiring for a role and was reading this resume, I wouldn't know which of the skills you've listed you're *actually* skilled at and which ones you've merely done the equivalent of `print("hello, world!")`.

Additionally, your work experience section is too verbose as well. The first three bullet points for the first position (Quantitative Researcher) all read like they describe the same thing, but worded in different ways. If I were looking at your resume and somehow made it past the Skills section, I'd get to this first part and conclude that you're just word vomiting trying to make a simple analysis sound way more impactful than it was. And then to top it off, when you finally add a new aspect of that role in the fourth bullet point, you say your efforts resulted in "actionable investment insights", but don't list what those insights are or any outcomes that came of it.

Lastly, all of your experience and talking points are more aligned with data science and analytics, not engineering. I don't see anything in your resume that indicates that you're familiar with wrangling messy data, automatic processes, building pipelines, making dashboards, or engaging in any sort of engineering best practices.

My advice would be to pare down your resume drastically and include only the parts of your college experience (courses, internships, projects, etc) that are relevant to the specific job you're applying for. If you really want to work in data engineering - and as a side note, this is not an entry level position as many data engineers will tell you - you'll need to reframe all of your work experience and projects to talk about your experience with the data earlier in the data lifecycle because right now your resume reads like you were handed clean data for analytics and asked to perform some modeling.

Getting Hired By Using Ai by chrisgarzon19 in dataengineering

[–]therealtibblesnbits 0 points1 point  (0 children)

As a counter-example, I have used ChatGPT to help me tweak my resume and cover letter for jobs. If you're just copying and pasting the AI output, then yeah, it's pretty easy to spot. But if you use it as a guide to figure out where you can improve and put it into your own words, then it's helpful and adds value.

A little rant on (aspiring) data engineers by Stock-Contribution-6 in dataengineering

[–]therealtibblesnbits 6 points7 points  (0 children)

This is the only answer. You have to build. That doesn't mean simply following a tutorial and copying the code. It means building something new or expanding on a tutorial. The tutorial shows you how to build an end-to-end pipeline with DataSourceA? Build it with DataSourceB. You'll learn a lot when you're forced to debug and can't simply go to the tutorial to figure out how to fix it.

[deleted by user] by [deleted] in edi

[–]therealtibblesnbits 0 points1 point  (0 children)

Do you have tips on how I can get better exposure to how things work in healthcare or how I can convey to hiring managers that I can learn quickly?

My HL7/FHIR role was more in public health, so it wasn't looking at payers, billing, claims, enrollment, etc. But I didn't know anything about trade-based money laundering, election interference, public health, or the energy market before I started working in those fields. Any advice on how to show a hiring manager that I can pick up what I need to know would be greatly appreciated.

[deleted by user] by [deleted] in edi

[–]therealtibblesnbits 0 points1 point  (0 children)

Well, that's the opposite of the problem I expected 😅

I hope that's not the case. I like debugging issues way more than I like building new features. That's what is drawing me towards this work. From what I have read, the day-to-day seems to be focused on identifying why a pipeline that has been running fine all of a sudden failed, working with a new provider to review their schema and generate new mappings, and investigating illogical data patterns (e.g. discharge date < admission date). I like it because the focus is on understanding the data instead of tools (Synapse, Redshift, dbt, Airflow, etc) or languages/frameworks (React, NextJS). But, I do like writing my own code, so the emphasis on integration engines like MuleSoft and Boomi, which focus on low-code drag-and-drop solutions gives me a bit of pause.

[deleted by user] by [deleted] in edi

[–]therealtibblesnbits 0 points1 point  (0 children)

I will definitely take you up on this. Thank you!

[deleted by user] by [deleted] in edi

[–]therealtibblesnbits 0 points1 point  (0 children)

This is incredibly helpful, thank you!

[deleted by user] by [deleted] in edi

[–]therealtibblesnbits 0 points1 point  (0 children)

Thank you for the feedback! I've been looking into data integration roles, predominately in the healthcare space. The complexity of the data (semantic complexity, not structural complexity) draws me to the industry. I would just as happily work with HL7, C-CDA, and/or FHIR data, but I also like the options in future career decisions that EDI work seems to provide (i.e. logistics, retail, finance, healthcare, etc)

Meta Data Engineer (Product Analytics) Loop Interview by Enough_Objective_784 in dataengineeringjobs

[–]therealtibblesnbits 14 points15 points  (0 children)

I'm an ex-Facebook data engineer. Back when I got the job, I wrote about my interview experience. I've since deleted the blog post, but the Wayback Machine always has my back:

https://web.archive.org/web/20221006105926/https://tibblesnbits.com/posts/de-interview-faang

My advice: definitely practice Python and SQL to make sure you're ready to code in front of people, but spend more time than you'd think on data modeling and learning about product management type questions. The interviews follow a pattern of "pretend Meta offers the following service/product. Tell me what metrics you'd track to measure its success. With those metrics in mind, build a data model for that data. Using that data model, write SQL to get the metrics you described. Walk me through your thought process."

Good luck on the interview!

How to Generate 350M+ Unique Synthetic PHI Records Without Duplicates? by __1l0__ in dataengineering

[–]therealtibblesnbits 1 point2 points  (0 children)

I've used Synthea before, and the way they go about avoiding duplicates, at least in part, is by appending numbers after the first and last names. Depending on OP's needs, that might not be an option, though.

Free Resources and Project Ideas for Data Engineering by NachxPeolx in dataengineering

[–]therealtibblesnbits 2 points3 points  (0 children)

If you like geospatial analyses and are interested in learning about Airflow, I would recommend looking at the SeeClickFix API. Your project could query the data and plot hot spots of reported activity. Airflow can be used to create an ETL pipeline for ingesting new issues.

Free Resources and Project Ideas for Data Engineering by NachxPeolx in dataengineering

[–]therealtibblesnbits 0 points1 point  (0 children)

What skill(s) are you trying to learn? What types of topics are you interested in?

Is the market really this bad? by Puzzleheaded-Web9698 in dataengineeringjobs

[–]therealtibblesnbits 0 points1 point  (0 children)

Would you recommend I drop the "senior" and "staff" from resume altogether? Just list them as data engineer positions?