Decoupled Django usually means that you are providing a client SPA with a API, such as a DRF powered REST API.
If you are using something like token auth (you mentioned JWT), then you are not using cookies, at which point CSRF is not needed. This is because the user's browser isn't automatically sending the cooking containing a session ID on every request to the server.
That said, you can implement session auth with DRF REST APIs, which accept a session cookie on requests. For this, I believe you would receive/send CSRF tokens via HTTP headers.
XSS is not something you would worry too much about in an API endpoint. It is something you should worry a lot about in your client side SPA though. If using something like React, your templates will be auto-escaped, and thus you have to go out of your way to make it a problem.
Where I get confused is storing the tokens securely. There's a lot of conflicting information online. I've come across many examples where they suggest localStorage which is a horrible idea.
A lot of the advice I see now is about http-only cookies but I think I'd probably look more into oAuth in the future.
The current best practice is to keep the token in memory only and store a refresh token in an HTTP-only cookie.
In my experience though, if you’re only doing web-based auth and don’t _need_ to use JWTs for a specific reason, just use regular session cookies, it’s way less hassle. Coordinating auth and refresh state across page refreshes and tabs is a pain, and using a refresh token means you’re using cookies and saved session state anyway, so you lose pretty much all of the unique benefits of using JWTs and still have all the downsides.
This is one of my favorite software development books of all time. It's the book that finally offered straight forward guidance and wisdom on how to properly utilize OOP language features.
I was so lucky to have run into poodr when I did. Early enough in my career to still feel like I didn't know anything, but with just enough experience to have encountered the problems she was addressing "in the wild." Absolutely formative for me I have no idea where I'd be without it. The only other book to even approach its impact for me is working effectively with legacy code.
Concur. I took Sandi's workshop based on the 99 Bottles book, in Ruby with a Ruby crowd, but was immediately able to apply it to Python programming.
Very helpful and clear thinking about refactoring out complexity—and not just refactoring for its own sake, but under the constraint that you want to move your program forward, add new functionality, etc. Refactoring with a direction, purpose, and direct payoff.
Other languages do sometimes implement this at the library level. Clojure's core.async comes to mind (though there are subtle differences). There's downsides to this approach though.
The data going into each "mailbox" either needs to be immutable, or deep copied to be thread safe. This obviously comes at a cost. Sometimes you just have a huge amount of state that different threads need to work on, and the above solution isn't viable. Erlang has ets/dets to help deal with this. You will notice ets/dets looks nothing like the mailbox/process pattern.
Erlang is great, but it is hardly the "one true way". As with most things, tradeoffs are a thing, and usually the right solution comes down to "it depends".
> The data going into each "mailbox" either needs to be immutable, or deep copied to be thread safe
Or moved. The mailbox/process pattern works great in Rust because you can simply move ownership of a value. Kind of like if in C you send the pointer and then delete your copy.
Of course doing this across threads doesn't work with every type of value (what Rust's type system encodes as a value being `Send`). For example you can't send a reference-counted value if the reference counter isn't thread-safe. But that's rarely an issue and easily solved with a good type system.
QQQ has done great the last decade, but that's no guarantee it will outperform the next decade. Make sure you understand what you are getting yourself into by overweighting in the tech sector, and that it's a plan you can stick with during the hard times.
I don't quite see what the outbox pattern has to do with the two generals problem.
The point of the outbox pattern is that a durable record of the need to send an event is stored in the DB as part of the DB txn, taking advantage of ACID guarantees.
Once you have that durable record in your DB, you can essentially treat your DB as a queue (there's lot of great articles on how to do this with Postgres for instance) for some worker processes to later process the queue records, and send the events.
The worker processes in turn can decide if they want to attempt at least once, or at most once delivery of the message. Of course if you choose the later, then maybe your event is never sent, and perhaps that was the point you were trying to make to the interviewer.
They key takeaway though is that you are no longer reliant on the original process that stores the DB txn to also send the event, which can fail for any number of reasons, and may have no path to recovery. In other words, at least once delivery is now an option on the table.
> I don't quite see what the outbox pattern has to do with the two generals problem.
Well then, hopefully you would have found it an unsatisfactory 'solution' and walked away from that interview too ;)
> Once you have that durable record in your DB, you can essentially treat your DB as a queue (there's lot of great articles on how to do this with Postgres for instance) for some worker processes to later process the queue records, and send the events.
Yeah but I already have a queue I can treat as a queue. It's called Kafka.
The killer feature for me that Slack has over Discord is the ability to hide images, so I'm not stuck being distracted by some random person's obnoxious animated meme.
There's no way to disable them in their mobile apps unfortunately without jumping through a couple hoops with something like a PiHole or using an alternative app on Android.
The alternative apps are great though. No ads, no tracking, included sponsorblock etc. I use libretube. Grayjay is also nice but a bit too commercial for me.
I don't use YouTube very often as I don't like the video format but sometimes I can't avoid it. And this makes it a lot more palatable.
There's some arguments behind why you might want to not lay blame plainly (and especially publicly) on an individual, within a business team setting.
- Laying direct blame on someone may lead them to trying to hide problems to avoid the pain/shame in the future.
- Related - everyone makes honest mistakes. Creating and environment where people feel ok admitting to these is a lot more ideal than the alternative.
- Teams should be encouraged to take collective ownership, such that if someone who works with xyzelement sees them failing to prioritize, they need to do something about it, even if it's just raising a concern early in the project with those who need to hear said concern.
That all said, sometimes people do need direct feedback (in private), especially when they are struggling in general with their job.
If you are using something like token auth (you mentioned JWT), then you are not using cookies, at which point CSRF is not needed. This is because the user's browser isn't automatically sending the cooking containing a session ID on every request to the server.
That said, you can implement session auth with DRF REST APIs, which accept a session cookie on requests. For this, I believe you would receive/send CSRF tokens via HTTP headers.
XSS is not something you would worry too much about in an API endpoint. It is something you should worry a lot about in your client side SPA though. If using something like React, your templates will be auto-escaped, and thus you have to go out of your way to make it a problem.