sandeepkd commented on Netflix Revamps Tudum's CQRS Architecture with Raw Hollow In-Memory Object Store   infoq.com/news/2025/08/ne... · Posted by u/NomDePlum
jiggawatts · 6 days ago
The common solution is to spin up a dedicated DNS hostname called something like "preview.www.netflix.com" and turn off all caching when users go via that path. Editors and reviewers use that, and that's... it. Solved!
sandeepkd · 6 days ago
A solution as simple as this is not easy to miss; on the other side, to be fair, it's hard to know what other considerations were involved in the review and design process. Someone had to present a reasonable rationale to go in a certain direction.
sandeepkd commented on Vaultwarden commit introduces SSO using OpenID Connect   github.com/dani-garcia/va... · Posted by u/speckx
sandeepkd · 10 days ago
Interesting to see a PR being merged after a good 2 years. Thought about the idea of reviewing the changes for self-learning; however, the number of files involved made me give up on that idea soon enough. The number of comments (610) gave an impression that the PR must have been reviewed thoroughly; however, a close look tells that the comments are mostly about the topic itself, not about the code changes. Unless the code review is managed internally, the PR gives an impression of mostly happy paths.
sandeepkd commented on Emailing a one-time code is worse than passwords   blog.danielh.cc/blog/pass... · Posted by u/max__dev
DecoPerson · 18 days ago
The attack pattern is:

1) User goes to BAD website and signs up.

2) BAD website says “We’ve sent you an email, please enter the 6-digit code! The email will come from GOOD, as they are our sign-in partner.”

3) BAD’s bots start a “Sign in with email one-time code” flow on the GOOD website using the user’s email.

4) GOOD sends a one-time login code email to the user’s email address.

5) The user is very likely to trust this email, because it’s from GOOD, and why would GOOD send it if it’s not a proper login?

6) User enters code into BAD’s website.

7) BAD uses the code to log in to GOOD’s website as the user. BAD now has full access to the user’s GOOD account.

This is why “email me a one-time code” is one of the worst authentication flows for phishing. It’s just so hard to stop users from making this mistake.

“Click a link in the email” is a tiny bit better because it takes the user straight to the GOOD website, and passing that link to BAD is more tedious and therefore more suspicious. However, if some popular email service suddenly decides your login emails or the login link within should be blocked, then suddenly many of your users cannot log in.

Passkeys are the way to go. Password manager support for passkeys is getting really good. And I assure you, all passkeys being lost when a user loses their phone is far, far better than what’s been happening with passwords. I’d rather granny needs to visit the bank to get access to her account again, than someone phishes her and steals all her money.

sandeepkd · 18 days ago
I am afraid that this flaw is present for almost all phishable methods (SMS, TOTP, email OTP, app push) to a certain extent (except passkeys, mTLS).

"Click a link in the email" isn't much more secure either for the most part. You might end up following a link blindly, which can lure you into revealing even more information.

Passkeys aren't that great either, because almost everyone has to provide an account recovery flow which uses these same phishable methods.

The language in communication is probably the most important deterrent here, second to using signals in the flow to present more friction to the abuser. A simple check like presenting a captcha-like challenge to the user in case they are not authenticating from the same machine can go a long way to prevent these kinds of attacks at scale.
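
A defender's-side sketch of the friction described in the two comments above, added here as an example (it is not code from the thread, from the linked blog post, or from any project named on the page): before any code email is sent, the gate checks whether the request comes from a device that previously completed a login, throttles starts per source IP and per address so that a bot starting flows for many victims is cut off, and phrases the email so the user is told the code belongs only on the provider's own sign-in page. The request shape, the thresholds, and the sample addresses and IPs are assumptions.

```python
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass

ALLOW, CHALLENGE, BLOCK = "allow", "challenge", "block"


@dataclass(frozen=True)
class StartRequest:
    """A 'send me a sign-in code' request (hypothetical shape, assumed for this example)."""
    email: str
    ip: str
    device_id: str | None  # long-lived cookie set after an earlier successful login; None if absent
    ts: float              # unix timestamp of the request


class OtpStartGate:
    """Decides how much friction a code request gets before the email goes out."""

    def __init__(self, window: float = 600.0, max_per_ip: int = 5, max_per_email: int = 3):
        self.window = window                # seconds of history consulted (assumed value)
        self.max_per_ip = max_per_ip        # starts one IP may make in the window (assumed)
        self.max_per_email = max_per_email  # starts one address may receive in the window (assumed)
        self.known_devices: dict[str, set[str]] = defaultdict(set)
        self.starts_by_ip: dict[str, deque[float]] = defaultdict(deque)
        self.starts_by_email: dict[str, deque[float]] = defaultdict(deque)

    def record_successful_login(self, email: str, device_id: str) -> None:
        """After a completed login, remember the device so later starts from it are low risk."""
        self.known_devices[email].add(device_id)

    def _count_in_window(self, dq: deque[float], now: float) -> int:
        """Drop timestamps older than the window, add this one, return how many remain."""
        cutoff = now - self.window
        while dq and dq[0] < cutoff:
            dq.popleft()
        dq.append(now)
        return len(dq)

    def decide(self, req: StartRequest) -> str:
        ip_count = self._count_in_window(self.starts_by_ip[req.ip], req.ts)
        email_count = self._count_in_window(self.starts_by_email[req.email], req.ts)
        # One source starting flows for many addresses in a short window is what a
        # relay run at scale looks like from the provider's side: stop sending codes.
        if ip_count > self.max_per_ip:
            return BLOCK
        # Repeated starts against a single address: throttle whoever is asking.
        if email_count > self.max_per_email:
            return BLOCK
        # Same machine the account last logged in from: send the code with no extra step.
        if req.device_id and req.device_id in self.known_devices[req.email]:
            return ALLOW
        # Unknown device: require a captcha-like challenge before any email is sent.
        return CHALLENGE


def code_email_body(code: str, req: StartRequest) -> str:
    """Email text that names the requesting context and says where the code must NOT go."""
    return (
        f"Your sign-in code is {code}.\n"
        f"It was requested from IP {req.ip} and expires in 10 minutes.\n"
        "Enter it only on our own sign-in page. We never ask you to type this code\n"
        "into any other website, app, or chat. If you did not request it, ignore this email."
    )


if __name__ == "__main__":
    gate = OtpStartGate()
    gate.record_successful_login("alice@example.com", "dev-alice")   # constructed sample data
    print(gate.decide(StartRequest("alice@example.com", "203.0.113.10", "dev-alice", 1000.0)))
    print(gate.decide(StartRequest("alice@example.com", "198.51.100.7", None, 1001.0)))
    for i in range(6):  # one IP starting flows for six different addresses
        print(gate.decide(StartRequest(f"victim{i}@example.com", "192.0.2.99", None, 1002.0 + i)))
    print(code_email_body("123456", StartRequest("alice@example.com", "198.51.100.7", None, 1001.0)))
```

The per-IP and per-address counters are in-memory sliding windows, so in a real deployment they would live in a shared store and be keyed on more than the raw IP; the point here is only which signals to combine and in what order, so a recognised device skips the challenge while an unknown one pays for it.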

sandeepkd commented on Critical vulnerability in AI coding platform Base44 allowing unauthorized access   wiz.io/blog/critical-vuln... · Posted by u/waldopat
sandeepkd · 25 days ago
I might go to the extent of saying that this is a classical example of security by obscurity, and for good or bad reasons, a lot of applications would fall into this category, one way or another.
sandeepkd commented on How to make websites that will require lots of your time and energy   blog.jim-nielsen.com/2025... · Posted by u/OuterVale
superasn · a month ago
Always use ORMs and then spend the next year debugging N+1 queries, bloated joins, and mysterious performance issues that only show up in prod.

Migrations randomly fail, schema changes are a nightmare, and your team forgets how SQL works.

ORMs promise to abstract the database but end up being just another layer you have to fight when things go wrong.

sandeepkd · a month ago
At the end of the day it's a trade-off. It would be an exception if anyone can remember their own code/customization after 3 months. ORMs or frameworks are more or less conventions which are easier to remember because you iterate on them multiple times. They are bloated for a good reason, to be able to serve a much larger population than specific use cases, and yes, that does bring its own problems.
sandeepkd commented on Ask HN: What are you working on? (July 2025)    · Posted by u/david927
sandeepkd · a month ago
Making it easier to build simple web applications, host your static content with built-in authentication functionality to make your content secure and dynamic. For enterprise customers, solving the tenancy for SaaS businesses when it comes to authentication.

https://weblegit.com

A bit of context: I have a background building authentication systems, and almost all the time it's built as just another feature even though it's THE FEATURE which gates all other features.

sandeepkd commented on Building better AI tools   hazelweakly.me/blog/stop-... · Posted by u/eternalreturn
taylorallred · a month ago
One thing that has always worried me about AI coding is the loss of practice. To me, writing the code by hand (including the boilerplate and things I've done hundreds of times) is the equivalent of Mr. Miyagi's paint-the-fence. Each iteration gets it deeper into your brain and having these patterns as a part of you makes you much more effective at making higher-level design decisions.
sandeepkd · a month ago
Along the same lines, it's probably a little more than that. When it comes to software development, every iteration of execution/design is supposedly either faster or better based on the prior learnings for things that you have done by yourself or observed very carefully.
sandeepkd commented on We made Postgres writes faster, but it broke replication   paradedb.com/blog/lsm_tre... · Posted by u/philippemnoel
otterley · a month ago
> To be an effective alternative to Elasticsearch we needed to support high ingest workloads in real time.

Why not just use OpenSearch or ElasticSearch? The tool is already in the inventory; why use a screwdriver when a chisel is needed and available?

This is another one of those “when you have a hammer, everything looks like your thumb” stories.

sandeepkd · a month ago
There can be multiple reasons; one that I can think of right away would be to keep the stack as simple as possible for as long as you can. Realistically speaking, most companies do not operate at the scale where they would need the specialized tools.
sandeepkd commented on Kiro: A new agentic IDE   kiro.dev/blog/introducing... · Posted by u/QuinnyPig
hu3 · a month ago
Interesting. How large is the project?
sandeepkd · a month ago
It was a relatively small project, about 5-ish controllers and the same number of service classes. The experiment lasted for about 2.5 hours, where I was active for the first 45 minutes and then just pressing the buttons to move next in passive mode.

u/sandeepkd · karma 24 · cake day February 6, 2025