Search - "arbitrary failures"
!security
(Less a rant; more just annoyance)
The codebase at work has a public-facing admin login page. It isn't linked anywhere, so you must know the url to log in. It doesn't rate-limit you, or prevent attempts after `n` failures.
The passwords aren't stored in cleartext, thankfully. But reality isn't too much better: they're salted with an arbitrary string and MD5'd. The salt is pretty easy to guess. It's literally the company name + "Admin" 🙄
Admin passwords are also stored (hashed) in the seeds.rb file; fortunately on a private repo. (Depressingly, the database creds are stored in plain text in their own config file, but that's another project for another day.)
I'm going to rip out all of the authentication cruft and replace it with a proper bcrypt approach, temporary lockouts, rate limiting, and maybe with some clientside hashing, too, for added transport security.
But it's Friday, so I must unfortunately wait. :<
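A sketch of the fix the post above describes, added here as an example and not the poster's code: legacy static-salt MD5 hashes are verified one last time and re-hashed on successful login, with a temporary lockout after repeated failures. PBKDF2-HMAC-SHA256 from Ruby's standard library stands in for bcrypt (which needs the bcrypt gem); the salt value, the `Account` struct, the salt-then-password order and the thresholds are all assumptions.

```ruby
require 'digest'
require 'openssl'
require 'securerandom'

# Constructed stand-in for the post's static salt (company name + "Admin").
LEGACY_SALT = 'ExampleCoAdmin'
MAX_FAILURES = 5 # assumed policy values
LOCKOUT_SECONDS = 300
PBKDF2_ITERATIONS = 600_000

Account = Struct.new(:scheme, :salt, :digest, :failures, :locked_until)

# Legacy scheme; the salt-then-password order is an assumption.
def legacy_digest(password)
  Digest::MD5.hexdigest(LEGACY_SALT + password)
end

def strong_digest(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: 'SHA256').unpack1('H*')
end

# Constant-time comparison so a mismatch position is not leaked through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, :denied or :locked. The failure count resets only on success.
def authenticate(account, password, now: Time.now)
  return :locked if account.locked_until && now < account.locked_until

  legacy = account.scheme == :legacy_md5
  attempt = legacy ? legacy_digest(password) : strong_digest(password, account.salt)
  unless secure_equal?(attempt, account.digest)
    account.failures += 1
    account.locked_until = now + LOCKOUT_SECONDS if account.failures >= MAX_FAILURES
    return :denied
  end

  account.failures = 0
  account.locked_until = nil
  if legacy # re-hash with a per-user random salt while we hold the plaintext
    account.salt = SecureRandom.random_bytes(16)
    account.digest = strong_digest(password, account.salt)
    account.scheme = :pbkdf2_sha256
  end
  :ok
end
```

Per-account lockout of this kind lets anyone who knows the URL lock the admin out for the window, so it is normally paired with per-client rate limiting in front of the app.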
Testing hell.
I'm working on a ticket that touches a lot of areas of the codebase, and impacts everything that creates a ... really common kind of object.
This means changes throughout the codebase and lots of failing specs. Ofc sometimes the code needs changing, and sometimes the specs do. It's tedious.
What makes this incredibly challenging is that different specs fail depending on how I run them. If I use Jenkins, I'm currently at 160 failing tests. If I run the same specs from the terminal, I get 132. If I run them from RubyMine... well, I can't run them all at once because RubyMine sucks, but I'm guessing it's around 90 failures based on spot-checking some of the files.
But seriously, how can I determine what "fixed" even means if the issues arbitrarily pass or fail in different environments? I don't even know how cli and rubymine *can* differ, if I'm being honest.
I asked my boss about this and he said he's never seen the issue in the ten years he's worked there. So now I'm doubly confused.
Update: I used a copy of his db (the same one Jenkins is using), and now rspec reports 137 failures from the terminal, and a similar ~90 (again, a guess) from RubyMine based on more spot-checking. I am so confused. The db dump has the same structure, and rspec clears the actual data between tests, so wtf is even going on? Maybe the encoding differs? But the failing specs are mostly testing logic?
None of this makes any sense.
I'm so confused.
It feels like I'm being asked to build a machine when the laws of physics change with locality. I can make it work here just fine, but it misbehaves a little at my neighbor's house, and outright explodes at the testing ground.
Monday - delivered feature1. Manager demands starting to work on new feature2. I start working on feature2.
Thursday - in late evening manager provides feedback from testing feature1 for which internal testing starts Monday.
Friday. I start investigating. Everything is fucking broken. Backend contract broken from BE side, UI broken by another team member's PR from FE side. Missing configuration from FE side that was not documented anywhere.
I start working on issues from my side, inform relevant parties and coordinate that they would make fixes on their side (ofc after getting a lot of pushback, with them trying to force me to write workarounds to work with their broken implementations).
My manager during the day: what was the reason for us being blocked now?
Me: broken BE, broken FE by another team member, missing undocumented configs. Too late (and incomplete) testing feedback. Having to switch to feature2 priorities before finishing everything with feature1. Basically all things out of my scope.
My manager: so just to clarify, we are blocked from internal testing because YOU missed this? Why wasn't it caught sooner?
Me: due to the same 5 reasons that I listed before. I can list more but would prefer focusing on getting things working today.
Manager: Ok, as WE discussed, let's focus on getting things working and discuss improving these processes in the future.
Seriously it fucking sucks working in this bank as a mobile developer.
We are responsible for basically everything.
From scoping out work according to business requirements, documenting stuff, to creating/maintaining BE contracts and constantly double triple checking everyone else's work across the chain.
Actual mobile implementation or proper testing is like the last priority in this case. And yet we are the ones that take all the blame if we fail to meet an arbitrary deadline.
Fucking hell. I'm gonna start documenting all decisions of this retarded manager, I'm not gonna allow him to throw me under the bus due to failures caused by his own shitty decisions.