Can I rely on Google id_token for web session?

I’m building a website without a “server”: JavaScript and AWS Lambdas as back-end through API Gateway.

Knowing there is no solution for session when using lambdas, I was wondering if I could only use the id_token provided by the Google JavaScript library to authenticate a user?

The idea is to pass the token for each request to the back-end and make a request to Google to know if the token is legit.

Does this sound like a secure solution?

Is it wise to completely rely OAuth2 for new users and not have our own login(with username and password) system

My question is: Is it fine to build applications where the user login is completely handled by OAuth2 and services like that. That way we do not have to have our own password database for the users. How good this approach would be keeping in mind the user experience? Also would this approach be easy to implement the multi-factor authentication?

Do we still need a Remember Me button on websites? Or can we rely on modern browsers to handle this?

I recently had a discussion at work about whether to include a “Remember Me” option on our website. Altough I was initially in favour of the idea, I later realised that most browsers already provide such functionality. So I was wondering if it’s still necessary to include this option in 2018. What do you think?

How do you test a function which is composed of other functions that rely on a db connection?

I have written this function which checks if a user already exists in the application:

async function ValidateUserExists(username, email){ if(!username || !email) throw new Error('Invalid number of args passed. Please pass username and email'); let taken_valid_username = null; let taken_valid_email = null; if(username){     taken_valid_username = await UsernameExists(username); } if(email){     taken_valid_email = await EmailExists(email); }  if(taken_valid_username) return taken_valid_username; if(taken_valid_email) return taken_valid_email;  return null; 


I have integration tests that prove UsernameExists() and EmailExists() work correctly.

It’s main purpose is to see if a user already exists in the database. I can’t just mock something here because both UsernameExists() and EmailExists() are designed to reach into the database and see if a user actually does exist.

I have a lot of functions like this as I’m building an app whose main purpose is to manipulate a database, meaning I have A LOT of integration testing happening.

So far the test I’ve written looks like this:

it('should see if a user already exists on an existent email', async ()=>{     const test = await CreateDummyUser();     const user = await ValidateUserExists(test.username,;     //expect user properties here     await DestroyDummyUser(test); }) 

Is there any approach to mocking/stubbing anyone has taken to attack composite functions like this? Is it sufficient enough that the functions is composed of pass?

Can DDD entity rely upon infrastructure library?

Suppose I want this on my User entity:


That means:

public void createNewSecurityToken() {   var buffer = new byte[32];   new RNGCryptoServiceProvider().GetBytes(buffer);  // <--- here's the issue   this.Token = Convert.ToBase64String(buffer); } 

This is not a DI dependency, just a class from the infrastructure. But does that “break” DDD?

The alternative is this:

user.setSecurityToken(token);   // pass it in (probably from a domain service) 

But that leads to anemic entities.

Which is the preferred DDD approach, and what considerations should I take into account when faced with this sort of design decision?

Should you rely on implicit type contracts for function returns types, or always make it explicit?

Say you’re using an external library, that includes type declarations, and it has a function like:

function foo(x: number) : string {    //implementation } 

Somewhere in our code we’re calling this with:

function ourFunction() {     return foo();  } 

or with the return type explicit :

function ourFunction() : string {     return foo();  } 

Typescript is smart enough to infer that the return type of this function is string.

So I don’t have to declare the return type of ourFunction, but I can.

The question is – should I?

The way I’m thinking about this is – that if I make the return type explicit, then I later change the implementation of the function – if I accidentally change the return type in the process, that’s going to make me immediately aware of the problem.

On the otherhand – with the code I’m currently writing, I’m basically just copy pasting the return types from that external function that I’m calling.

Are there any general principles that help with making this decision?

Why do we still have programming languages that rely on indentation / white space? [on hold]

A long time ago when starting learning programming I remember a teacher saying that compiler do not care about whitespace and they are useful to make code readable for human beings. It made perfect sense back then, but I only knew some Pascal and C++.

Many years later, after diving in many other languages I began wondering what is the rational of having programming languages that rely on indentation / white space, as there are quite a few disadvantages:

  1. Stange errors like this one (unindent does not match any oute indentation level)
  2. Minifying still requires extra whitespace – example
  3. Many other reasons as indicated in this Quora post:

    • lack of white space indentation across operating systems / text editors
    • whitespace might be introduced while doing code merge
    • possible errors while copy-pasting
    • all modern IDEs automatically indent code

Question: Why do we still have programming languages that rely on indentation / white space?

Does Bitcoin security rely on the assumption of nearly continuous transactions? [duplicate]

This question already has an answer here:

  • What happens if there are no transactions in a block? 3 answers

So for an attacker not to overcome good nodes, I believe we rely on the fact that blocks are always being produced, making the attacker essentially outpaced. But in the extreme and ridiculously unlikely case that no Bitcoin transactions occur within a certain sufficiently large time window, could an attacker gain control of the chain and do damage? If not, why?

Can I rely on this github repository files?

I recently found this GitHub repo, but after cloned it I note that the comparison between the file compiled (using g++) from source HLuna.cxx and the binary included in the repo (HLuna) is different: differ: byte 25, line 1. Is the provided binary file secure? I’ve already analyzed that in VirusTotal without any issues, but I don’t have expertise to decompile and read the output, and I’ve previously executed the binary provided without thinking about the risks.