(Read this article on the blog)Notes on Navigating Corporate Giants: Jeffrey Snover and the Making of PowerShell
This is an interview with Jeffrey Snover on how PowerShell was built and his… Read More
Written by two tech-savvy software developers, you can find our recent challenges and interests in this blog.
(Read this article on the blog)Notes on Why Swift's type checker is so slow
let address = "127.0.0.1"
let username = "steve"
let password = "1234"
let channel = 11
let url = "http://" + use… Read More
(Read this article on the blog)My notes on Things you wish you didn't need to know about S3
This article is a list of surprising facts about S3; several of them were new to me.
I really like… Read More
(Read this article on the blog)Notes on DynamoDB now supports cross-account access. But is that a good idea?
DynamoDB announced support for resource-based policies a few days ago. It makes… Read More
(Read this article on the blog)My notes on The Trough of Despair
I like this article because it touches a problem that I'm seeing over and over again: short-sightedness. People want to see i… Read More
(Read this article on the blog)Notes on Subdomain Takeover: Ignore This Vulnerability at Your Peril
This article describes the implications if an attacker gets access to a subdomain… Read More
(Read this article on the blog)My notes on The security concerns of a JavaScript sandbox with the Node.js VM module
Eval is bad, right? But then, what are the alternatives?
Node has a vm mod… Read More
(Read this article on the blog)My notes on Visual Studio Code extensions are much less secure than browser extensions or even npm packages
This is another serious attack vector that opens th… Read More
(Read this article on the blog)AWS adds passkeys support, warns root users must enable MFA
This is a welcome change. I've yet to find out how I plan to use passkeys but I'm happy that they ar… Read More
(Read this article on the blog)My notes on If you're using Polyfill.io code on your site – like 100,000+ are – remove it immediately
This is a hack that we're seeing more and mor… Read More
(Read this article on the blog)When I started working with AppSync in the fall of 2020 it already supported all important data sources: reading and writing data in DynamoDB tables, calling
L… Read More
(Read this article on the blog)I've just been bitten by a "supported but not supported" feature from AWS.
CloudFront started supporting access control for Lambda function URLs. They publishe… Read More
(Read this article on the blog)Back then, besides SQL injection and XSS, the big web vulnerability was CSRF (Cross-Site Request Forgery). As an illustration if a bank at bank.example.com use… Read More
(Read this article on the blog)Cognito User Pools is a user directory where the users of an application can authenticate before they can access protected resources. In practice, that means
C… Read More
(Read this article on the blog)I'm changing my offerings from one-time per-book payments to a subscription that includes all my content that I'm selling directly. This is the next
step on my… Read More
(Read this article on the blog)Hardcoded assumptions
What I found is that when a piece of software is "brittle", that is the result of hardcoded assumptions that are not guaranteed by the other pa… Read More
(Read this article on the blog)There are so many commands and options in Git, and it continues to evolve to this day. This complexity makes it challenging to know every detail and edge case… Read More
(Read this article on the blog)Integrating AppSync with RDS
Originally, the AppSync RDS data source supported specifying statements and variableMap
fields in its request mapping template… Read More
(Read this article on the blog)Thinking about encryption
When talking about a software architecture I often get this question: "Is it encrypted?". A "No" is the bad answer as everybody assum… Read More
(Read this article on the blog)Working with DynamoDB
DynamoDB is a key-value store which means that every item needs a unique key and operations are per item. Because of this, what operation… Read More
(Read this article on the blog)Migrate to Nix
The premise of Nix shell is that it makes available a fixed version of tools. This solves a common problem: how to make sure that all developers… Read More
(Read this article on the blog)Unhandled rejections
In one of my projects I'm building a cache that works across workers. With that library, I can turn any function
into a cached one where t… Read More
(Read this article on the blog)postMessage calls
Worker communication uses postMessage calls, and values passed to it will be cloned using the structured clone
algorithm. This makes it easy… Read More
(Read this article on the blog)Why workers
JavaScript has a single thread model, which means that whatever code you write will be run by only one CPU core. It is nicely encapsulated in this… Read More
(Read this article on the blog)Publishing a library
Back then, when I wanted to write and publish a JavaScript library, all I had to do was create a new GitHub project, write a package.json… Read More
(Read this article on the blog)
Signed URLs
Signed URLs are a mechanism to securely give access to protected content. It works by the backend generating a signature that the clients then can… Read More
(Read this article on the blog)
Resource creation failures
In the previous article we looked into a case where a resource was created implicitly, preventing the CDK from
creating it. In tha… Read More
(Read this article on the blog)
Logging for services
Some resources in AWS are helpfully created when needed. The prime example for this is CloudWatch Log Groups: when the service, for exam… Read More
(Read this article on the blog)
Content distribution
URL signing is a way to provide controlled access to protected content. The backend contains custom code that decides whether a user can… Read More
(Read this article on the blog)
When working with DynamoDB I found that one of the main challenges is how to maintain consistency when multiple processes are accessing the database. I wrote… Read More
(Read this article on the blog)
IAM identities
Generally, it’s a bad idea to use IAM users in cases when roles are also an option. This is because roles provide a secret-less way for… Read More
(Read this article on the blog)
Environment information
Sometimes I need to make a small static file available via a web URL. For example, to communicate pieces of information about the env… Read More
(Read this article on the blog)
CloudFront signed URLs
CloudFront signed URLs rely on a private key to calculate a signature that is added to the URL. This makes them secure: only the backe… Read More
(Read this article on the blog)
Last updated on 2023/09/22 to include changes up to JDK 21.
This article is also available in Chinese by Alex Tan.
Since the release of version 8, up to ver… Read More
(Read this article on the blog)
Last updated on 2023/09/22 to include changes up to JDK 21.
This article is also available in Chinese by Alex Tan.
When Java 8 introduced Streams and Lambda… Read More
(Read this article on the blog)
Overview
CloudFront signed URLs allow access to a path under a distribution. The backend has access to the private part of a key pair and its public counterp… Read More
(Read this article on the blog)
Origin paths
CloudFront routing is based on path patterns. There are ordered cache behaviors that define a pattern that CloudFront will try to match with the… Read More
(Read this article on the blog)
I’m happy to announce the first publicly available version of my next book! While there are a lot of topics
that are work-in-progress, I feel that it is… Read More
(Read this article on the blog)
Lambda response type
Lambda recently added support for streaming responses that lets functions send data to clients while they are still running. Originally… Read More
(Read this article on the blog)
CloudFront URL signing
CloudFront URL signing relies on a public/private key pair where the public part is added to the CloudFront distribution as a trusted… Read More
(Read this article on the blog)
Handling secrets in the cloud
The recommended way to handle secrets in AWS is to put them either into SSM Parameter Store or into Secrets Manager. Then whate… Read More
(Read this article on the blog)
Webapp hosting in AWS
A common setup is to host static files for a web application in an S3 bucket and then add CloudFront for HTTPS and custom domain suppor… Read More
(Read this article on the blog)
Environment information on the frontend
A common challenge with applications with a backend-frontend separation (which is most apps out there) is how to com… Read More
(Read this article on the blog)
Building on AWS IoT Core
In the course of this article we’ll build a stack on AWS IoT Core that implements a simple echo functionality. Whenever a devi… Read More
(Read this article on the blog)
I’m happy to announce that the book has now reached 1.0!
This means it is content complete and contains everything I wanted to include in it. It does n… Read More
(Read this article on the blog)
Device lifecycle events
Connected devices can push data to AWS IoT Core via MQTT. Then the backend can react to these messages via topic rules. This forms th… Read More
(Read this article on the blog)
PureScript is a statically typed general-purpose programming language inspired by Haskell, compiled into JavaScript. The vision of the language is to make fro… Read More
(Read this article on the blog)
Files with AppSync
AppSync, as all serverless solutions, builds on the “small and quick” response model. This means the response size and the tim… Read More
(Read this article on the blog)
Certificates in IoT Core
AWS IoT Core requires TLS mutual authentication and that relies on certificates. This means that even the simple use-case of connect… Read More
(Read this article on the blog)
File uploads to a serverless API
Uploading files directly to a serverless API only works for small sizes. This is because these APIs enforce the “small… Read More
(Read this article on the blog)
Paginating responses
Pagination is necessary almost every time when an endpoint returns a list of items. While there are exceptions to this, for example when… Read More
(Read this article on the blog)
AppSync Javascript resolver runtime
The new JavaScript runtime is an alternative to the original VTL for writing resolvers. It is a new addition to the p… Read More
(Read this article on the blog)
MQTT messages on the backend
IoT topic rules provide an event-driven mechanism for the cloud to react to incoming MQTT messages. When a device connects to th… Read More
(Read this article on the blog)
Generating IoT certificates
A certificate in IoT Core is a resource on the cloud-side that identifies the connected device. This has to be added in advance a… Read More
(Read this article on the blog)
Policies in IoT Core
In AWS IoT Core, a device connects using a certificate with a policy attached and that defines what operations the device can do. Since… Read More
(Read this article on the blog)
MQTT client application
In the previous article we discussed the backend side for the resources we need to configure on AWS IoT Core to allow a
device to con… Read More
(Read this article on the blog)
In the previous article we discussed the basic building blocks of AWS IoT Core that you need to use to connect a device
via MQTT. Now we’ll look into ho… Read More
(Read this article on the blog)
IoT Core is the service to use when you want to connect devices, usually something physical and small, to the cloud. The platform provides a lot of
functional… Read More
(Read this article on the blog)
SNS is a pub-sub service that can fan-out notifications in AWS. Many services can publish messages to it, and you can implement logic in your own
applicat… Read More
(Read this article on the blog)
TOTP (short for Time-Based One-Time-Password) is the most used MFA solution. It’s when you need to enter 6 digits generated by your phone during a login… Read More
(Read this article on the blog)
Bundled SDK
The Node.js 18 Lambda runtime comes with the usual updates to the language and the standard library. But this time, it also brings one huge improve… Read More
(Read this article on the blog)
Arguments-based subscription filtering
Originally, AppSync only supported arguments-based filtering for subscriptions. There, the arguments the clients send… Read More
(Read this article on the blog)
Sensitive inputs
While IAM Roles provide a great way to remove secrets from the architecture, there are still many cases when they are needed. For example, the a… Read More
(Read this article on the blog)
Abstract types in GraphQL
GraphQL supports abstract types where a field references a type that can be one of multiple concrete types when the resolver return… Read More
(Read this article on the blog)
VTL with JSON
AppSync resolvers use VTL, a general-purpose templating language. During the transformation it gets a template file and a context variable then… Read More
(Read this article on the blog)
Generating HTTPS certificates
Many times I need to generate an HTTPS certificate for a development server. For example, I can use the https module to start a… Read More
(Read this article on the blog)
Caller identity
AppSync supports different authorization methods and it makes the user information available for the resolvers. This is the $ctx.identity obj… Read More
(Read this article on the blog)
Calling mutations from AppSync
If you use a notify mutation to trigger a subscription you often need to call a mutation from some part of the AppSync API. Th… Read More
(Read this article on the blog)
JWT
JWTs (JSON Web Tokens) are tokens that one component can generate, sign, and optionally encrypt and pass to other components. The standard defines a broad… Read More
(Read this article on the blog)
Protecting S3 buckets
AWS recently announced the new Origin Access Control (OAC)
feature for CloudFront. This is a successor of the Origin Access Identity (… Read More
(Read this article on the blog)
IoT Core shadows
Devices connect to AWS IoT Core via MQTT and use the protocol to publish and subscribe to topics. For example, a thermometer can report the… Read More
(Read this article on the blog)
Lucene is a Java library for indexing and searching that you can embed into your Java application to build a Search Engine. Also, you can find many popular to… Read More
(Read this article on the blog)
Storing secrets in AWS
For IAM credentials, AWS provides a secret-less way to retrieve and use keys. This is how Lambda functions and EC2 instances automagic… Read More
(Read this article on the blog)
With the HTTP data source AppSync can interact directly with HTTP-based APIs. All (or all I know of) AWS services provide HTTP APIs exposing all possible
oper… Read More
(Read this article on the blog)
DynamoDB is all about access patterns. Since it is a NoSQL database, it does not support arbitrary queries that extract just the necessary data. DynamoDB&rsqu… Read More
(Read this article on the blog)
Private API endpoints
With AppSync’s HTTP data source it’s possible to call HTTP endpoints directly from a resolver without adding a Lambda funct… Read More
(Read this article on the blog)
Calling protected APIs
The AppSync HTTP data source can invoke any HTTP-based API. Since many services offer such APIs, this opens a lot of integration possi… Read More
(Read this article on the blog)
HTTP data source
The HTTP data source provides a way to send an HTTP request directly from AppSync. This is a versatile approach as most things on the Web of… Read More
(Read this article on the blog)
SQL-based resolvers in AppSync
RDS is the relational database managed by AWS, boasting a ton of features such as multi-AZ deployment, automatic failover, bac… Read More
(Read this article on the blog)
Filter expressions
DynamoDB provides support for filter expressions that you can use with operations that return a list of items. As a starting point, this q… Read More
(Read this article on the blog)
DynamoDB uses token-based pagination. This means that when a query or a scan operation potentially returns more results, the result contains a
LastEvaluatedKey… Read More
(Read this article on the blog)
Resolving fields in GraphQL
In GraphQL, resolvers can be added for any fields. These can be top-level, such as Queries and Mutations, a type defined in the s… Read More
(Read this article on the blog)
Initialize an RDS cluster
When you create an RDS database it does not contain tables and data. In a production environment this is the expected behavior: the… Read More
(Read this article on the blog)
Sensitive data in the state
The Terraform state file usually does not contain sensitive data. When you create a Lambda function, it will contain its configur… Read More
(Read this article on the blog)
AppSync follows most other AWS services in terms of how it gets permissions to use resources in an account. By default, it cannot access anything and you nee… Read More
(Read this article on the blog)
Database passwords in the state file
When you create an RDS cluster you need to define a username and a master password. This is not a problem when a trusted… Read More
(Read this article on the blog)
Syncthing monitoring
Syncthing is an awesome way to keep files synchronized between devices. It is designed to run in the background, so you configure it onc… Read More
(Read this article on the blog)
Custom domain with AppSync
By default, AppSync creates a domain at https://.appsync-api..amazonaws.com/graphql. This is good if the API endpoint is an
&ldquo… Read More
(Read this article on the blog)
Input values
I use a dotfiles folder that sets up my development environment with all the tools and config I need for my work. One thing it does is it sets u… Read More
(Read this article on the blog)
Hashing passwords
Hashing is an algorithm that takes a text (or other data) and returns a different, often long and random-looking, text. It’s usually a… Read More
(Read this article on the blog)
Scheduling tasks in Linux
I have a Linux system and I wanted a monitoring script to run periodically. Easy, right? Just use Cron. Well, after a bit of search… Read More
(Read this article on the blog)
Last updated on 2022/04/26 to include changes up to JDK 18.
This article is also available in Chinese by Alex Tan.
When Java 8 introduced Streams and Lambda… Read More
(Read this article on the blog)
Last updated on 2022/04/26 to include changes up to JDK 18.
This article is also available in Chinese by Alex Tan.
Since the release of version 8, up to ver… Read More
(Read this article on the blog)
Telegram chatbots
I started experimenting with Telegram chatbots only recently, and I’m amazed by how versatile they can be. With commands, a webhook… Read More
(Read this article on the blog)
AppSync rate limiting
Rate limiting is an effective mitigation strategy for some types of attacks. For example, when a single source does an enumeration atta… Read More
(Read this article on the blog)
Authorization in AppSync
AppSync supports several ways for authorization, such as Cognito, AWS IAM, API key, and a custom Lambda
function. The last one allow… Read More
(Read this article on the blog)
Access control for Telegram bots
In the previous article we built a Telegram bot that forwarded messages to chats sent to an SNS topic. We looked into
how to… Read More
(Read this article on the blog)
OpenID Connect with AppSync
AppSync supports multiple types of authorization providers, and one of them is OpenID Connect. It is an open standard and many us… Read More
(Read this article on the blog)
NPM dependencies in Lambda
You can define Lambda code inline in an archive_file data source, but that works only for simple functions without any dependencie… Read More
(Read this article on the blog)
AppSync subscriptions allow you to push events to clients in real-time when a change happens. This is great for applications that show data that can change
w… Read More