Month: August 2023

Stateful vs Stateless JWTs

JSON Web Tokens (JWTs) are cryptographically signed JSON objects. The signature is what provides the trust guarantee: consumers of a JWT can verify it using the issuer's public key (or, for HMAC-signed tokens, the shared secret). There are two kinds of JWTs: stateful and stateless. Stateless JWTs are probably the most common. All the information needed by the […]

Why can’t you tamper with a JWT?

JWTs are a very popular way of transmitting claims between systems. They are typically signed with a public-key scheme (RS256 or ES256, for example), so the claims can be verified and the verifier can be confident that they were issued by a trusted entity. Microservice architectures commonly use the claims to perform access control. For example, […]

Reflected XSS

Reflected XSS attacks are a common way of tricking a user's browser into executing malicious code. I'll share one definition I found from Mozilla and unpack the key terms and concepts. When a user is tricked into clicking a malicious link, submitting a specially crafted form, or browsing to a malicious site, the injected code […]

The CAP Theorem is probably not for you

The CAP Theorem frequently comes up in conversations around distributed systems and system design. If you're looking at resources on system design, it will inevitably come up. However, chances are you're not the target audience for the CAP Theorem, and you're probably better off ignoring it altogether. CAP was presented as a keynote by Eric […]

MongoDB Majority Read Concern

One common misconception about MongoDB's read concern "majority" is that it reads from a majority of nodes. This is understandable because its counterpart, write concern "majority", requires acknowledgements from a majority of nodes. But that's not at all what read concern does. Reads are always sent to a single node chosen by the server selection process […]

SAML and OAuth Purposes

Let's assume you're the owner of COOL WEB APP. Typical authentication with a web service involves the user providing credentials specific to your app, like an email and password. This information is transmitted in an HTTP request, your backend verifies the credentials, and it grants access to the user. Hopefully you also store the user credentials in […]

There is no such thing as “non-relational” data

In data modeling discussions I often hear the phrase "non-relational data". It's usually someone making a case for why data should live in a NoSQL store, or just be denormalized in general. The argument is usually that the data itself is somehow inherently "non-relational" and so it should be put in a non-relational database. Calling data […]

How two-phase locking prevents lost updates

Two-phase locking is an old method of ensuring serializable transactions using locks. A common problem with non-serializable isolation in the face of concurrent writes is the lost update. Here's an example of a lost update; let's assume: Some databases will detect a write conflict like this and raise an error, and others may […]
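As an added example (not code from the post), the following toy scheduler interleaves two read-modify-write transactions on one row, first with no locking and then under strict two-phase locking, where each transaction takes an exclusive lock at its first access (growing phase) and releases everything only at commit (shrinking phase). The balances, the deltas and the round-robin interleaving are constructed for the example; a real lock manager also handles shared locks, deadlock detection and waits rather than busy retries.

```javascript
// Added example (not from the original post): lost update vs strict 2PL
// with a hand-rolled round-robin scheduler over two transactions.
class LockManager {
  constructor() { this.owner = new Map(); } // key -> id of the txn holding the X lock
  acquire(key, txn) {
    const holder = this.owner.get(key);
    if (holder !== undefined && holder !== txn) return false; // someone else holds it: wait
    this.owner.set(key, txn);
    return true;
  }
  releaseAll(txn) {
    for (const [k, t] of this.owner) if (t === txn) this.owner.delete(k);
  }
}

// A transaction: read the row, add delta, write it back, commit.
// Each step returns false when it is blocked on a lock and must be retried.
function makeTxn(id, key, delta, useLocks) {
  let local;
  return {
    id,
    pc: 0,
    steps: [
      (db, lm) => { // growing phase: take the X lock before reading
        if (useLocks && !lm.acquire(key, id)) return false;
        local = db[key];
        return true;
      },
      (db, lm) => { // write back using the value read earlier
        if (useLocks && !lm.acquire(key, id)) return false; // already held, re-entrant
        db[key] = local + delta;
        return true;
      },
      (db, lm) => { // commit = shrinking phase: release every lock at once
        lm.releaseAll(id);
        return true;
      },
    ],
  };
}

// Round-robin: every transaction gets one step per turn. That interleaving
// (T1 read, T2 read, T1 write, T2 write) is exactly the lost-update schedule.
function run(useLocks) {
  const db = { balance: 100 };
  const lm = new LockManager();
  const txns = [makeTxn('T1', 'balance', 10, useLocks), makeTxn('T2', 'balance', 20, useLocks)];
  const trace = [];
  let guard = 0;
  while (txns.some(t => t.pc < t.steps.length)) {
    if (++guard > 100) throw new Error('toy scheduler stuck (deadlock?)');
    for (const t of txns) {
      if (t.pc >= t.steps.length) continue;
      if (t.steps[t.pc](db, lm)) { trace.push(`${t.id}:step${t.pc}`); t.pc++; }
      else trace.push(`${t.id}:blocked`);
    }
  }
  return { balance: db.balance, trace };
}

// run(false).balance === 120 : T1's +10 is overwritten by T2's stale write
// run(true).balance  === 130 : T2 blocks until T1 commits, then reads 110
```

Taking the exclusive lock at read time (what SELECT ... FOR UPDATE does) matters: if transactions took only a shared lock to read and tried to upgrade to exclusive on write, the two readers above would deadlock against each other instead of serializing.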

MongoDB Read Preferences

MongoDB read preferences give you control over read behavior when using replica sets. Writes always go to the primary, but reads can be configured to go to a secondary or the primary based on various criteria. In most versions of MongoDB the client's read preference defaults to primary, but you should check your version for […]
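As an added example (not code from either MongoDB post, and not the driver's own implementation), here is a toy model of a three-member replica set that makes both points concrete: server selection picks exactly one member from the read preference, and read concern "majority" then limits what that one member returns to data at or before the majority commit point rather than consulting a majority of nodes. The member names, latencies, applied positions and oplog are constructed; the model picks the lowest-latency member within the 15 ms window deterministically where the real driver picks at random, and it ignores maxStalenessSeconds and tag sets.

```javascript
// Added example (not from the original posts): toy replica set showing
// read-preference server selection and read concern "majority".
const LOCAL_THRESHOLD_MS = 15; // default latency window in the driver spec

// Constructed cluster state: `applied` is the highest oplog entry each
// member has applied. The primary is ahead; the secondaries lag by 1 and 2.
const MEMBERS = [
  { name: 'node-a', role: 'primary',   applied: 7, latencyMs: 2 },
  { name: 'node-b', role: 'secondary', applied: 6, latencyMs: 4 },
  { name: 'node-c', role: 'secondary', applied: 5, latencyMs: 1 },
];

// Constructed oplog: entry n inserted docN.
const OPLOG = [1, 2, 3, 4, 5, 6, 7].map(n => ({ n, doc: `doc${n}` }));

// Majority commit point: the highest entry that a majority of members have applied.
function majorityCommitPoint(members) {
  const need = Math.floor(members.length / 2) + 1;
  const sorted = members.map(m => m.applied).sort((a, b) => b - a);
  return sorted[need - 1];
}

// Server selection: filter by mode, keep members within the latency window of
// the fastest, pick one. (Deterministic lowest latency here; the driver randomizes.)
function selectServer(members, mode) {
  const primaries = members.filter(m => m.role === 'primary');
  const secondaries = members.filter(m => m.role === 'secondary');
  let candidates;
  switch (mode) {
    case 'primary':            candidates = primaries; break;
    case 'secondary':          candidates = secondaries; break;
    case 'primaryPreferred':   candidates = primaries.length ? primaries : secondaries; break;
    case 'secondaryPreferred': candidates = secondaries.length ? secondaries : primaries; break;
    case 'nearest':            candidates = members; break;
    default: throw new Error(`unknown read preference ${mode}`);
  }
  if (!candidates.length) throw new Error(`no server satisfies read preference ${mode}`);
  const best = Math.min(...candidates.map(m => m.latencyMs));
  const inWindow = candidates.filter(m => m.latencyMs <= best + LOCAL_THRESHOLD_MS);
  return inWindow.reduce((a, b) => (b.latencyMs < a.latencyMs ? b : a));
}

// A read goes to ONE selected member. With read concern "majority" that member
// only returns data up to the majority commit point; with "local" it returns
// everything it has applied, which on a lagging secondary may be stale anyway.
function read(members, oplog, { readPreference = 'primary', readConcern = 'local' } = {}) {
  const server = selectServer(members, readPreference);
  const visibleThrough = readConcern === 'majority'
    ? Math.min(server.applied, majorityCommitPoint(members))
    : server.applied;
  return {
    server: server.name,
    docs: oplog.filter(e => e.n <= visibleThrough).map(e => e.doc),
  };
}

// read(MEMBERS, OPLOG)                                  -> node-a, 7 docs
// read(MEMBERS, OPLOG, { readConcern: 'majority' })     -> node-a, 6 docs (entry 7 not yet majority-committed)
// read(MEMBERS, OPLOG, { readPreference: 'secondary' }) -> node-c, 5 docs
```

The takeaway matches the post: "majority" does not mean "ask a majority". The primary in this model has applied entry 7, but only one member has it, so a majority read on the primary stops at entry 6; a "local" read on the nearest secondary returns even less because that member is simply behind. In real MongoDB the commit point is carried in replication metadata and a member may learn it slightly late, which the model ignores.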

Why the words in “CAP theorem” are so confusing!

Consistency: the word "consistency" is extremely overloaded in the realm of distributed systems. In CAP, consistency means (informally) that every read reflects the most recent write. This is also known as single-copy consistency, linearizability, or strict/strong consistency. Data is replicated to multiple nodes in these systems, but any read from the storage system should […]