SFNode

SFNode is a community run Node.js meetup in San Francisco created by Dan Shaw, AKA dshaw (twitter.com/dshaw). We meet on the second Thursday of each month.

Our location changes month to month. If you have an event space, we'd love to have you host. The event host typically provides food and drink, but if you're not able to we can usually find a sponsor for that. During the COVID-19 pandemic of 2020, we will be doing some online meetings while we're all stuck at home.

Each month we feature 2-3 talks about Node.js, server-side JavaScript, npm and the surrounding ecosystem. We try to find a good balance between beginner and advanced topics.

If you want to help, we are always looking for contributors (github.com/sfnode/contribute). Join us.

Follow us on Twitter at twitter.com/sfnode.


SFNode - February 2021

2019-06 SFNode Meetup

Comments

  • @programmingconcepts-d9w
    2 months ago

    Awesome

  • @WillKlein
    2 months ago

    What a phenomenal talk. I have been trying to understand some of these undocumented tools, trying to build my own tool akin to TypeScript Explorer (but different altogether) and here Max has explained many of the things I needed to understand. Plus his extension looks very useful and robust. Thank you!!

  • @zack497
    3 months ago

    Promo>SM 😍

  • @coolbho3000
    5 months ago

    Woha!!! This is the best talk of all time, in all possible parallel universes.

  • @eanappi
    6 months ago

    One of the best conferences I've seen in my life... Jarred is simply a performance genius.

  • @superakaike
    6 months ago

    Very funny, Okta is actually using JWT for authentication now and that talk is just bs.

  • @yapayzeka
    7 months ago

    27:59 authenticate for multiple sub domains
    45:30 use jwt for file download auth and forgot password email link.

  • @rezasaeidi6790
    10 months ago

    You are great, very competent and content and motivated

  • @adrenalin.
    10 months ago

    His hairstyle is absolutely believable.

  • @madhavinamdar
    10 months ago

    Well success walmik, wish from MI, Madhavnagar, Sangli,

  • @theprantadutta
    11 months ago

    Dude is like the reincarnation of Doc Brown, hell he even looks like him

  • @snapphanen
    11 months ago

    He sounds like a crazy scientist who just left his lab to perform a speech about his findings.

  • @logusgraphics
    11 months ago

    I really hope this takes off

  • @neelthakkar4492
    11 months ago

    Bun seems to be going great. But still my hands-on experience with the bun was a little slacky too. Like installing some cli globally, then command is found but doesn't work😅. So waiting for more contributions from the community😊

  • @boot-strapper
    11 months ago

    bun has re-invigorated my love of js. Node has just stagnated for years.

  • @peanutcelery
    11 months ago

    Much respect for the project. He looks tired during this presentation.

  • @pookiepats
    11 months ago

    Bun fixed a bunch of old repos i had that node 18 broke - insane.

  • @dacam29
    11 months ago

    A bit like the first Ryan Dahl 2009 Node presentation

  • @pc31754
    11 months ago

    Mad scientist hair

  • @adamjones7497
    11 months ago

    I hate when I have to wait 160ms. I generally like things being completed before I initiate.

  • @saramshshrestha7641
    11 months ago

    ❤‍🔥❤‍🔥❤‍🔥❤‍🔥

  • @vidu2
    11 months ago

    looks like this gonna be mainstream

  • @JoeyTen
    1 year ago

    Why write a whole JSON parser vs. just using the native parser in a worker thread? JS doesn't *have* to be single-threaded anymore, right?

  • @thedoctor5478
    10 months ago

    I was wondering this as well. I'm sure Mark has a good reason though. He's obsessed.

  • @Aquiva
    7 months ago

    ​@@thedoctor5478 & @JoeyTren because to pass the results of that parse back to the app or main thread needing it... requires... you guessed it, to serialize it again! Lolol how could they mess this up, that we have to do things like what I did? Some types of objects can be memory pointer swapped (TransferrableArrays, but not JSON/objects!) and worker/threaded parse + Structured Clone isn't as fast. There's also the complexity of it, and less cross-environment/platform friendliness. Book's parseless approach tho will make swapping between threads (and machines) for stuff like this trivial tho, but it replaces JSON entirely. Last commit was pretty close to MVP for people to alpha test, started writing an example/sample for docs, hopefully coming soon (no timeline, oops haha). Thumbs up that you got this message.

  • @BoolFalse
    1 year ago

    much respect !!

  • @SRG-Learn-Code
    1 year ago

    It seems like bun has optimizations that could be achieved both in v8 and node, but I wouldn't dare to make some drastic changes that bun might have done, it's ok in a new platform though. I wonder how close are google and node devs looking to your optimizations to implement those themselves.

  • @jhonialex8872
    1 year ago

    ahh

  • @karimdaman8587
    1 year ago

    he auto passes args after every statement, i <3 this guy

  • @broggl
    1 year ago

    auhhh

  • @thepr0m3th3an
    1 year ago

    Urbit is the decentralized web.

  • @austinshearmen9210
    1 year ago

    I checked it out and while it seems cool I think it's dead in the water. You need to pay money to join the network, and even though that'd probably be a good direction for humanity to take, there's no way normies would ever get on board with that

  • @menkiguo7805
    1 year ago

    Listing pros and cons is a really really bad way to prove something because basically you control what you want to list

  • @unsuspicious_youtuber
    1 year ago

    Thank you for creating this

  • @shyraccoon4322
    1 year ago

    thank you so much

  • @TheControlBlue
    2 years ago

    That guy single-handedly made me not trust Okta. I get you have to sell your product but holy hell, do you have to be this disingenuous?!?

  • @mohamedfouad6492
    2 years ago

    loved the talk. loud and clear.

  • @thegenxgamerguy6562
    2 years ago

    Lol, because hitting centralized state one additional time for each request is better... hahaha. Seriously, this talk is 99% FUD, like about every anti-JWT-article on the Internet. Use very short expiration, use refresh tokens, enforce signing with either RS256 or HS256 with ephemeral secrets and you're set. Stateful session handling is plainly stupid and amounts to self harming behaviour in the day and age of microservices and cluster based backends. And don't get me started on the oversimplification / red herring of "bawt you need to do CRUD anyway for each request". Are you kidding me? Any developer with an IQ of > 80 knows how to use pub/sub (Redis mq, for example) to move into ultra scalable, async territory. DB access takes 100 ms? Just throw a message into Redis and let your background worker services take it from there. Come on, you can do better. And if you wonder about my credentials: I'm 20+ years of professional experience in software engineering, I'm the lead software engineer where I work and I insist on yearly security audits by an external party.

  • @albxdotcom
    2 years ago

    I love this guy's attitude...good talk

  • @alasdairmacintyre9383
    2 years ago

    Can you really trust a man that has a bag full of beef jerky that he calls candy?

  • @codefinity
    2 years ago

    "Let the hate flow..." 😆

  • @TheDevWay
    3 years ago

    Interesting

  • @MoinKhan-md4xx
    3 years ago

    Don't use JWTs for your hello world project.

  • @naspy971
    3 years ago

    because they're not

  • @domaincontroller
    3 years ago

    01:02 who am I, sentry
    01:40 why you should care
    02:06 fs.readFile...
    04:11 so first we can be a little bit better
    05:23 comparing to other languages, python, ruby, php, lua
    06:30 try catch comes up short
    10:59 errors
    11:54 exceptions
    14:30 Errors vs Exceptions in Async Node Land, we're generally not going to throw exceptions
    16:15 operational errors
    18:38 programming errors to avoid
    20:05 lint your code
    21:45 the game plan
    23:04 know and use different mechanisms for effective handling

  • @DarDarbl4
    3 years ago

    It is enough to say that JWT is an AUTHORIZATION instrument not AUTHENTICATION. Use right thing in right place! Stupid talk

  • @alasdairmacintyre9383
    2 years ago

    Isn't he just arguing that sessions are a better authorization instrument?

  • @DavidJJJ
    3 years ago

    Interesting talk. I think the point about adding an expire time to sessions wasn’t fair, since someone can just change the expire time in the session, you can’t do that with jwt. Also, the jwt will scale better, since I’m not making a database request to verify a jwt, ever, I can use the database only for retrieving what I need and not have to ping the database on every api/page request, which I would have to do with sessions. That would add up to a huge amount of wasted database requests. Also, I don’t store a users name or email in a token, I would see that as a security risk, and you can just get that from the database if you're getting the profile data etc...

  • @Kingromstar
    3 years ago

    well if you store your session in Redis you'll have to look it up with or without a JWT so unless if you have a super simple app that doesn't have real session data in Redis or a DB then this is a moot point.

  • @snehanshuphukon728
    3 years ago

    this is bullshit, the biggest advantage of JWT is that I don't need to hit the DB for every request to fetch session data. The only disadvantage is it is hard to revoke the tokens on demand, however the combination of access tokens and refresh tokens is a pretty good solution.

  • @AdamFJH
    3 years ago

    If a user's account is compromised, it is a good thing that the cryptography keys are also reset in case the cryptography keys are also compromised. All the things this guy has said can be resolved and really aren't issues. I do agree that JWT are more complicated than session IDs but for session IDs to be as secure as JWT, they need to be just as complicated. It all depends on how both are implemented.

  • @navinballa
    3 years ago

    Perfect one

  • @jocr6230
    3 years ago

    Great talk! Learned a lot!

  • @ruxaa2224
    4 years ago

    Thanks, this was so refreshing, I too stumbled upon dozens of online tutorials preaching the superiority of JWT and saying it's used by large companies, but not _how_. One question though, you said when talking about password reset link that the JWT is sent in the URL? I thought the JWT was information stored in the local storage - how is it stored there if it's in the URL?

  • @mohamedlamineallal5523
    3 years ago

    The token is sent through email directly. The link for reset reaches an endpoint in the backend. And that generates the token and sends it to the person's email. Only that person gets it. And a token is the passport that grants access. It's like me sending you your passport or access card with a trusted mailer person or something. Tokens have nothing to do with storage. And then it's about how the backend retrieves them. Expect them arriving. And validating. Validation is just the verification of the signature. Depending on the cryptographic algorithms for signature that was chosen. It's mainly some mathematical computation operation, and it goes from hashing algorithm to asymmetric crypto algo, or symmetric in case of symmetric signature. (In most cases asymmetric is to be used).

  • @lagiator
    4 years ago

    Great talk!

  • @Akshatgiri
    4 years ago

    Quite interesting. Thanks for the talk. 👍

  • @soulofjack7294
    4 years ago

    At the time of register, you can define a check so that when your service dies gracefully then consul will automatically remove the service from the registry list. I think he missed this part here.

  • @JoshuaKisb
    4 years ago

    enjoyed the talk. cleared up some things :)