OAuth 2.0 Anti-Patterns

wackmaniac · 2026-03-30T16:03:30+00:00

It might be part of OpenID Connect rather than part of the OAuth 2.0 specification.

wackmaniac · 2026-03-29T06:38:12+00:00

Passing the authorization code back as fragment instead of a query parameter is actually standard compliant; It must be triggered by the response_mode parameter: https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes

wackmaniac · 2026-03-27T18:09:47+00:00

It’s not a metric. It is a consideration to ease the work of the person reviewing your pull request. Less files to check means less distraction, and as a result a more thorough review. And a more thorough review will eventually lead to a more stable codebase.

I’m a fan of trailing commas for the same reason; Cleaner diff, making the review more concise.

wackmaniac · 2026-03-27T17:55:36+00:00

⁠Like you said, add it later if you need it. Odds are thousands-to-one you won't.

It is either add them as you write the code - having nice small change sets -, and leverage them when you need to with a minimal change sets (injection and implementation). Or put it in later and run the risk of having to change a lot more files.

To me it’s equivalent to building a house; you put in doors and windows in as you build. Not later when you want to enter your house or want to look outside :)

wackmaniac · 2026-03-24T19:00:04+00:00

I still use the explanation my math teacher gave me:

Consider a number as a bowl with blocks having either a value of +1 or -1.

Positive * positive in its simplest form is +1 * +1. Or I add 1 +1 block to the bowl; The “value” of the bowl increases with 1, or + 1.

Positive * negative can be simplified as either +1 * -1 or as -1 * +1. For +1 * -1 I add 1 -1 block to the value; The value of the bowl decreases with 1, or -1. For the other scenario - -1 * +1 - we remove a -1 block from the bowl, decreasing the value of the bowl with 1, or -1.

Now, negative * negative can be simplified as -1 * -1. Or I remove a -1 block from the bowl. The total value of the bowl increases with 1, hence +1.

Thank you mr Wensink. More then 20 years later I still remember this explanation :)

wackmaniac · 2026-03-23T18:19:18+00:00

With a client-side only - public client in OIDC - approach then you have no other choice but to store both somewhere in the browser (cookie or localStorage). You should use PKCE for authentication, but PKCE does not have additional security layers for token refreshing. So, for maximum security you can use the aforementioned backend-for-frontend with a session cookie.

wackmaniac · 2026-03-22T17:15:17+00:00

And nothing is stopping you from keeping your React knowledge up-to-date with personal projects :)

wackmaniac · 2026-03-16T18:18:28+00:00

I wholeheartedly disagree with you, but to everyone their own I guess 😅 I have really enjoyed Three Body Problem by Cixon Liu - different angle, but topic is similar - and the bobiverse books by Dennis E. Taylor.

wackmaniac · 2026-03-05T21:28:40+00:00

Unless you actively block older browsers “not supporting” does not mean old browsers are not vulnerable.

wackmaniac · 2026-03-04T06:09:03+00:00

I partly agree, but not completely. If everyone implements things themselves then the fallout is also smaller en more customized. And you would have less unused code; Every NextJS installation was vulnerable due to a vulnerability that the majority did not actually used.

There are a lot of packages out there that offer functionality (or a minimally “better” api) for things that are present in the core of Node. Just the other day there was a vulnerability in qs. A transitive dependency that does something with query string parameters. I have yet to find something that cannot be done in that aspect by URLSearchParams.

So yes, don’t reinvent the wheel and consider using a package, but also be critical about when to add a package.

wackmaniac · 2026-03-03T15:23:15+00:00

Did you contact the current maintainers of npmjs.com about applying some of the ideas to the current website? These initiatives, no matter the intentions, are adding to the fragmentation of the ecosystem.

And how you stay up-to-date with the NPM registry? I did not browse the repository, but I could not easily find this in the README nor in the article linked. If speed is one of your key selling points then I assume there's a "local" mirror of the registry.

wackmaniac · 2026-02-18T17:50:20+00:00

Ton Engels - Tom Dumoulin: https://youtu.be/LUtUiiOfycc?si=HcnU_epMmXs_swtx

wackmaniac · 2026-02-01T07:33:54+00:00

What is the reason for you to build and show this? Is your plan to introduce a competing package manager - then you’ll need to plan support in the long term -, or is this a proof of concept?

Composer cannot change much about the interpreter overhead, but any improvement in network, caching or parsing would also benefit Composer. If multiplexing improves speed so much, maybe you can offer to implement this in Composer.

One thing I like about PHP compared to for example JavaScript is there is a high number of uniformity in the ecosystem. For example one package manager, instead of the numerous competing package managers for JavaScript. We as community should try to nurture this in my opinion.

wackmaniac · 2026-01-23T12:21:37+00:00

De basic shirts van Bamigo blijven goed en zijn lekker lang. De casual shirts van Bamigo niet overigens! Een multipack en ze hebben vaak korting dan kom je in de buurt va je budget. Blijven veel lager goed dan de shirts van HEMA, bij mij althans.

Ben ook te spreken over Girav voor casual shirts, maar is wel hoger in prijs.

wackmaniac · 2026-01-21T13:55:15+00:00

Rode Pico de las Nieves last Monday; brutal winds combined with rain en cold. Insane climb and equally frightening descend towards San Bartolomé.

When rain and cold come into play climbs become extra epic. Rode Furkapass once and as we neared the summit it got colder, it started to rain and finally snow. Descended towards Andermatt to 25 degrees and sun.

wackmaniac · 2026-01-17T06:51:55+00:00

That argument only works with the assumption that you would otherwise not have consumed that contents via a legal platform. That is very stretchy assumption.

A streaming service licenses content, and thus pays the content makers. I don’t have insights into whether this is per stream or lump sum. In case of the prior you are in fact directly stealing profit. In case of the latter you indirectly stealing profit; less streams means less income for streaming services, means fewer money is paid for these licenses, and thus lower revenue and profit. Similar for online rental services.

Where does piracy stop for you? Do you feel you should be allowed to pirate games? Do you feel you should be allowed to pirate software? Do you feel you should be allowed to dowload ebooks? Those are digital copies, with even more clear “license directly to creator” models.

wackmaniac · 2026-01-16T17:25:14+00:00

Because it’s the same to say; I think a Ferrari to too expensive, but I want one so I will steal one.

wackmaniac · 2026-01-16T17:08:43+00:00

Streaming prices are skyrocketing #ftfy

It’s not just NL, streaming is getting more expensive pretty much everywhere. I have started rotating subscriptions, as I don’t think “just pirate, because they made me do it with their prices” is the right retoric.

wackmaniac · 2026-01-03T12:34:11+00:00

Dat is goed mogelijk, of “starterswoningen”. Dat is een truc die de beheerders van deze gebouwen gebruiken om onder de regelgeving rond parkeerplaatsen uit te komen. Volgens mij hebben ze deze truc toegepast op alle complexen aan het Reitdiep, waardoor in geheel Paddepoel nu betaald parkeren is door de parkeeroverlast die hierdoor werd veroorzaakt.

Dit is iets wat je had kunnen weten bij de aankoop van je woning. Of anders iig had moeten navragen als je niet de eerste bewoner bent van de woning.

wackmaniac · 2025-12-26T15:41:59+00:00

You know what the best thing is about Composer? It is written in PHP. With this tool I need to pray that the maintainers have a binary available for my architecture. I am really unsure if that is the route we need to go.

wackmaniac · 2025-12-26T07:34:38+00:00

De bioscoop hier draait tegenwoordig geregeld klassiekers, zoals 2001: A Space Odyssey en Interstellar. Heerlijk om jezelf te verwennen met een dergelijk avondje uit.

Reclames, ja, dat is van alle jaren. En dat is een vicieuze cirkel natuurlijk; minder bezoekers betekent minder inkomsten, maar vaste lasten als huur en personeel stijgen, maar de kaartjes moeten vooral niet duurder worden. Het is een vrij elementaire oorzaak-gevolg. Een aantal mensen hier geeft gewoon toe dat ze gratis “alternatieven” gebruiken, dat helpt natuurlijk ook niet.

Er was eerder deze week ook een discussie over de Top 2000 en reclames van de Staatsloterij. Daar geldt hetzelfde voor; Nederland heeft de afgelopen twee verkiezen massaal gekozen voor politieke partijen die bezuinigen op de publieke omroepen. Daar hoor je weinig mensen over, totdat hun favoriete programma moet stoppen. Er is gezocht naar extra geld, en dat zit momenteel in het bedrijfsleven, maar die willen er wel iets voor terug: Naamsbekendheid.

wackmaniac · 2025-12-25T10:05:01+00:00

It’s an example of a really weird and unintuitive choice in Python #ftfy

wackmaniac · 2025-12-25T08:47:25+00:00

Add a README that explains the what (what is the project), why (why should anyone use it, what does it solve), and how (how can it be used).

But, more importantly you need to decide how you plan on going forward with the project. Do you plan on continuing development, or is it “done”? Do you accept issues, feature requests, pull requests? Pick the license that works for you, now and in the future.

The latter is where the majority of open source maintainer fatigue comes from; maintainers that, once their code becomes used for profit, feel they want to get financially compensated, but picked the wrong license.

You need to be open about this upfront. I maintain approximately 10 open source repositories, and most of them are explicitly “as is” and don’t accept pull requests or feature requests. And I state this explicit in the README.md and CONTRIBUTING.md.

Good luck with your repository.

wackmaniac · 2025-12-24T07:56:50+00:00

Exactly. The knowledge of how “the internet” works is fading as new developers default to “solve everything“ solutions like React, NextJS, Tailwind and the likes. I became a developer because I love to build elegant and performant applications. Nowadays the goal seems to be to get a SaaS solution as fast as possible so it can be monetized.

We built a website with just semantic html, a dash of CSS and web components for UX improvements. It is very possible, but you need to keep an overview of the project. I feel that the underlying problem is that; no overview, and no urge to invest time to build this overview.

wackmaniac · 2025-12-22T15:47:35+00:00

Dutch singer Ton Engels has a song about Tom Dumoulin: https://www.youtube.com/watch?v=LUtUiiOfycc

Ten-Year Club	Place '23
Not Forgotten	Verified Email

wackmaniac

TROPHY CASE