Very cool

Seems very fast for e2e. What frameworks for testing and backend?

We've had e2e tests for like 3 years, as far as I know they've never caught or prevented a single bug. If I had to guess they cost us a programmer-hour per week. I'd probably rather delete them. I'd rather release broken code every now and then than wait 30 minutes for every release.

You can pry unit and functional tests out of my cold dead hands.

Yuuuupppp. Most **** is far from mission critical. Way better to have fast dev cycles and robust release processes with lots of visibility (or observability if you want to be a cool kid) into what’s happening.

I don't think I'll ever run e2e tests as a gate like you guys are doing. But it makes me feel a lot better to have them to run as regression tests every now and then.

One of the big lessons from my previous job is we tried to do everything at once - unit tests, integration tests, e2e tests - all as gates in our CI/CD that could block a build or roll back a deployment.

Now I only have the unit tests as a blocking gate. The other I run on my own after a big push to a new environment. Over time they're getting more stable and I'm learning more about how to make them less brittle to legit code changes. And they have caught a few bugs - some of which were in sleepy corners of the app that might not have been noticed for a while.

You can't do that if your goal is just to get them done and into a CI/CD flow as fast as possible imo. You have to take baby steps on those. Otherwise the tests break, frustrate everyone and get immediately commented out of the CI/CD.

It also helps if you're the DevOps guy and the one who wrote all the tests.

Man I hate JWT. I get that it's necessary for Netflix-scale, but who is actually at that scale?

A few days before releasing to our alpha testers (bigwig board members), we just found a major bug that somehow slipped through all testing.

When a new CRM user signs up, first we have to find them in the system - at which point I populate custom field to Cognito (AWS' authentication/identity management system) with their CRM ID. Then that value gets tacked on by API Gateway, via a custom integration request template, to every REST call to the back end. Great.

Except that the first time a user signs up (or the first time we find their CRM ID, which could come later after they make a donation) - all the Cognito user information is already in the JWT token for that session. So it doesn't pick up the new CRM ID. It comes back as blank to the back end. Even though it's populated in Cognito, the idToken is stale.

Fortunately for normal Cognito users, I am able to refresh the session and get new tokens in this scenario. However for users who elect to use social sign on through Cognito - Cognito doesn't provide a refresh token for some reason. So I can't refresh the ID and auth tokens.

So now I have to redesign the whole system to fix the case of the CRM user's first session not working properly for social sign on users, because I don't have the CRM ID in the token yet.

Just give me a good old-fashioned user session please.

None of the above has anything to do with "JWT" which is just a method of encoding data into a token and validating a few parts of the data.

None of the things you've described are strictly necessary - you may have set things up so that you need to do them this way, but you didn't have to. I have projects that use JWT for authentication and I don't do any of this stuff. Typically I just issue JWT tokens that contain the absolute minimum the user needs to have in the UI and that have a short expiration. Often this is just a user_id.

Yup. We have user ID and maybe if they're an admin or something.

Also everyone stop saying jwt token before I lose it

That **** drives me nuts. We’ve been doing work with Programmable acceleration cards (PAC) and everyone cals them PAC cards

ATM machine. PIN number

Pragmatism people.

GNU = GNU's not Unix

The girl that hated my guts had a habit of pronouncing common tech words embarrassingly wrong and I never felt I could correct her because she’d have taken it the wrong way. One she always used to say (and write) was “depreciated” rather than “deprecated.” I’m probably just nitty but i think it makes someone sound foolish when they mispronounce common terminology.

Yeah our problem is I need to set a CRM ID - which I have to search for the first time the user signs up (or signs in after a CRM record has been created for them). So I can't add the CRM ID to the token after the fact.

I ended up using a Cognito trigger which happens after every authentication. But the problem there is we have one Cognito user pool for dev, stage and pilot. So there's no way to have a dev, stage and pilot version of my complicated trigger.

lol I would have corrected that usage. It is confusing .

I have a javascript question - it's in React if it matters but I don't think it necessarily should.

I have an API that returns a PNG image. The API requires authentication so I can't just say
<img src='/path/to/api'>

I want the frontend to call the api, download the data, and display it as a PNG. Is there a simple way to do it?

I've done some light googling and it seems like it's doable if I have base64 encoded data (which I currently don't, but I guess I could encode it). Is there any other way?

Last react app I worked on did it with base64

Yeah, that's what I'm doing now. Seems like kind of a weird hack though.

ETA: I could make it work with cookies but I really don't want to.

I doubt this helps, but I had a project in node where I was requesting an image from a google map like this:

I didn't put that "body" into a PNG, but used a pdf library to make it part of a pdf, but I could have rendered that as a PNG I think.

I'm not sure about the authentication part. Google requires it there and there's a key parameter in the url.

Is it really that much of a hack? base64 encoding seems to come up all over the place for passing web data.

What would be a better way to do it, are there complex libraries?

You can fetch binary image data into a blob, and then use URL.createObjectURL to get it into a form that can be used with an image tag.

https://stackoverflow.com/questions/...display-a-blob

https://developer.mozilla.org/en-US/...reateObjectURL

So here's the thing. If my API didn't require auth, then I could do
This is essentially the platonic ideal - the browser knows how to fetch and render images, there is no code required.

But if I need to send a header, or POST some data, I feel like there should be an easy way to do it - I don't have to encode data for the img src tag, if you see what I mean.

So I could use cookies, or I could send an auth param in the url params, like
img src=/api/whatever?session_key=foo
and either of those would work. I was just a little surprised there wasn't a way to say... I have an img tag, here's the data that should go in it (I mean, you can do that - if you b64encode it, which I guess is fine, just seems like a weird edge case)

Just use a proxy that checks auth on that get route? Do whatever you can to not process it on the browser.

We use base64 encode with angular for png

What Grue said - don't make this harder than it needs to be. Leverage basic webserver image serving and browser handling - just have an auth server/proxy in the middle that blocks the request if the auth isn't met.

Well are you using cookies for this auth? If not, or unless you can't use an auth proxy for some reason - then maybe go with well named's solution.

Ok sounds like you can use cookies or params. Yeah do that. The browser caches images and all kinds of weird stuff that only works in a normal <img> tag. Unless you don't want it to cache the image - and then again maybe go the complicated route.

You can fill in an image source though with the base64 data at page load time. Google images does it.