Gonna do an auth workshop based on the Lucia docs at my school Any advice on hosting these events?

Had wonderful conversations with @dominikg.dev, @danielroe.dev, @antfu.me, @evanyou.me, and so many more people at @vuefes.bsky.social today!

my email inbox is super tidy but I've given up on my github inbox soooo many read notifications that I probably won't revisit

The storage layer is much more simple now! You just need to provide a single KV storage to get started github.com/faroedev/far...

Excited to announce Faroe - a modular auth server distributed as a Go package - Handles all the hard parts of auth - Works with your existing user table (no direct db connections) - Just bring a KV store + email server - Runs anywhere

2 hours... stay tuned :D

Here's a quick demo for the auth thing I've been working on I also recorded myself showing a bit of the code but it was so bad I had to cut it

Why is errors(.)Is the recommended way to compare errors in Go anyway? You can't tell which function returned the error. If errors are supposed to be independent of the source function, why do we have generic errors like io.EOF?

The exact error conveyed by an error variable/type depends on which function threw/returned it so why do we define them globally and share them between functions? Why don't languages scope error definitions to functions and function types?

I'll be at @vuefes.bsky.social this year!

now I'm free, I can finally start implementing the auth solution I've been designing for the past month+ - handles all the hard parts including sessions, email verification, and rate limiting - own your user table - customizable sign up flow - easy setup - open source stay tuned :)

Today was my last day at clerk!

IMO Neapolitan pizza in Tokyo is on par with Naples' but I still haven't found a gelato place here that comes even close to what I had in Rome. I miss them so much

I love that designing public APIs (e.g. libraries) forces you to find solutions that's actually good and not just in the "it works" territory. It requires both technical knowledge and some magic

Realized the other day that emails can be case sensitive ooof

Went to the Ghibli concert!

dubai chocolate was very mid

I pretty much exclusively listen to one artist (zutomayo) when it comes to jpop and I feel like I'm missing out on a lot of good music

Carbonara! Better than last time and I think I can improve it one more time

> watch an interview with a japanese idol > google her idol group > is... that my classmate???

What companies have tried pay-for-source-code monetization model where you pay to get the source code? I only know replicache and dexie cloud (both are local-first stuff funnily enough)

Does anybody know how "session cookies" (where you don't set the cookie expiration) work on Safari? It doesn't seem to get deleted when I close the window maybe @jensimmons.bsky.social ?

absolutely horrendous ui (the 3 selection boxes are area > prefecture > city)

Carbonara! I think this was better than the ones I had in Rome

If you have a standard email/password flow, email isn't a second factor for mfa. It's just an alternative to passwords. Actual MFA is: (password OR email) AND (totp OR passkey OR security key)

Follow up: Asking for the current password when changing passwords is obvious. Should you also ask for the second factor? Probably yes, but always or only after N hours since last verification?

If a user has 2FA enabled and wants to change their email, should you ask for their password, second factor, either, both, or none? The app has the standard email password-reset flow

the fuck

I've overhauled the entire sessions section. Patched out a very impractical timing attack and the API is much cleaner now. Added a few more guides on inactivity timeouts and JWTs as well lucia-auth.com/sessions/basic

I've soured a lot on the idea of forms with progressive enhancement. I think it's fine to require JS to write and update data

New toy! (yes I wish it was a switch 2)

Based on gpu benchmarks, here's my recommended parameters for web apps: - Argon2id: m=32768, t=3, p=1 - scrypt: N=65536, r=8, p=1 - bcrypt: cost=10* (of course bigger is better but these should be good enough) (I'm not an expert)

One of the worst offender yet

I really need a bigger desk. Like much bigger. Something like 1x2m. Don't have the space tho :(

The biggest problem with argon2id and scrypt is that there's no optimized gpu implementations in the public to benchmark. Bcrypt is great against gpus but weak against specially designed hardware. Yescrypt looks good but not enough info

Personal update: Joined @clerk.com as intern! I'll be part of their fraud team for the next 3 months

Totally missed this! It's been just over 4 years since I started programming Hoping my 5th year will be even more exciting!

Wait WHAT Holy shit. We reached 10k stars!!!! Thank you!

I can't be the only one who didn't know about the 'void' operator... right? right?

left is vscode and right is my own syntax highlighter - it's soooo much better (just finished adding class support)

Squashed most major issues with my syntax highlighter and parser. Gonna need to test it against some test262 test cases next

Finally some good fucking cookies. Crispy on the edge and chewy and soft in the middle

Why does Discord keep fucking up its light theme? It hasn't looked good once in its entire existence. Is it intentional???

Rebuilt the TS type parser, and look at that consistency! No more symbols highlighted in different colors or not highlighted at all (creating a syntax highlighter from scratch :D)

The upcoming Mario Kart is $80 holy fuck

I can't stop coughing since visiting Naples

Photos of cats I met in Italy (that aren't a blurry mess lol)

Just came back from Italy! Visited Rome, the Vatican, Naples, Capri, and Caiazzo. I had so much fun with my camera

Hello, Rome! I've been to Japan, Argentina, US, Dubai, and Australia, but never Europe before. Can't wait to stuff my face with delicious food

Flying over Batman rn