WTF Bites
-
—again whether it is a query parameter, option or path segment is minor compared to being in the URL
I agree. Authentication stuff does not belong in a URL.
But there's more to this. All their calls require parameters to be sent as path segments. No URL parameters or form data/JSON anywhere. This forces every endpoint to have an exact signature, and they are painting themselves into a corner in terms of API evolution.
-
@Zecc There is always the /api/v328.11/ option for API evolution. Expect to see /GetDebAccountsEx, /GetDebAccountsV2 and such in future. Yeah, named arguments are a bit more flexible, but most programming languages use positional ones only and it does not seem to be that huge of a deal.
-
@Applied-Mediocrity said in WTF Bites:
@Bulb Because of TCP, actually, which keeps the connections in TIME_WAIT state and spawns new ones for every request.
Interesting, thanks.
It does show subpar design of the class though, because it mixes settings like default headers, which should usually not be shared application-wide, with the connection pool that almost always should. Would be better to have an explicit connection pool defaulting to a global static instance (so you can override it e.g. in tests, but normally get the one shared one).
-
@Applied-Mediocrity said in WTF Bites:
@Bulb Because of TCP, actually, which keeps the connections in TIME_WAIT state and spawns new ones for every request.
… if the WebApiClient is a controller that lives on, it's OK to have its own instance of HttpClient embedded in it. The problem is creating a new HttpClient for each request, but that's not happening here.
-
@Zecc There is always the /api/v328.11/ option for API evolution. Expect to see /GetDebAccountsEx, /GetDebAccountsV2 and such in future. Yeah, named arguments are a bit more flexible, but most programming languages use positional ones only and it does not seem to be that huge of a deal.
True, and I did think of that. But I meant specifically when you want to add would-otherwise-be-optional parameters, as seen in the /GetDebAccounts///0/100 and GetDebAccounts/someAccount/someAccount/0/1.
There is zero reason, other than laziness on their behalf, for not providing an endpoint where minAccountNo and maxAccountNo default to empty strings and recordNo to 0. Even count could have a reasonable default.
What happens next if they want to add a filter by last modification date? Will they create a new separate endpoint accepting a new parameter for every criterium, forcing me to add empty strings for all the criteria I don't care about at any point in time? It's ridiculous.
-
@Zecc It looks to me like someone created ‘smart’ tool that takes an API in some programming language (like Java or C#) and exposes it over http by introspection.
Seems to save work until they need to evolve it for some time and the impedance mismatch starts to reflect their waves.
-
@Bulb Fair. It depends on the usage.
It's one of those lovely .нет gotchas that I ran into myself in the early days. Couldn't send e-mail about the failure. Have we run out of internets? Hmm, webpages don't work. But wait, UDP works fine. Firewall issue? No. Ok, let's restart and see. Works for a minute or two, then keels over again. Let's look at netstat...
-
@Applied-Mediocrity said in WTF Bites:
Hmm, webpages don't work. But wait, UDP works fine.
That's a bit weird. The ports in time_wait can't be reused for connections to the same address, but they should be available for reuse to other addresses. So I'd expect webpages to work, except any connection to that one server the application was accessing.
-
@Bulb Wouldn't want to visit any rando internets destination from the application server, would we?
-
@Zecc It looks to me like someone created ‘smart’ tool that takes an API in some programming language (like Java or C#) and exposes it over http by introspection.
Seems to save work until they need to evolve it for some time and the impedance mismatch starts to reflect their waves.
Oh, absolutely. This started off as a DLL library, where function signatures were figuratively set in stone and took pointers to ints and pre-allocated arrays.
From there they created a SOAP web service so we didn't have to install our software locally, but the methods on that service required us to pass useless empty objects (for data meant to be returned) because the method signatures required them.
And now this.
-
@Atazhaia No no no, it's a library full of DLLs! You can take some out if you bring them back within the allotted time.
-
@Zecc That explains it.
-
It does show subpar design of the class though, because it mixes settings like default headers, which should usually not be shared application-wide, with the connection pool that almost always should. Would be better to have an explicit connection pool defaulting to a global static instance (so you can override it e.g. in tests, but normally get the one shared one).
You should always have several separate connection pools, otherwise one part of the application can starve other, completely unrelated parts of the application. It's especially jarring when internal communication breaks just because some external service is under DDoS attack and the pool is full of connections waiting for timeout.
But using one global pool is definitely a way, way better default than using one-connection-per-request.
-
@Kamil-Podlesak Most importantly, global pool is the only thing that can be a default. Any component-specific limits can't be set by default but require the developer to set them according to the application's design. And I never said it shouldn't allow to define the connection pools explicitly. Quite the contrary, it definitely should. But one shared one is the only sensible default.
-
I know naming things is one of the hard problems of computer science, but the USB consortium goes out of their way to do it badly.
-
@Benjamin-Hall BSU:V will really piss you off, then, in two years.
-
I guess is, why are you telling me the last scan was 5 days ago, when you found a threat 15 minutes ago?
-
@HardwareGeek dunno man, everything's all the same, whoaoaoao.
-
@HardwareGeek the threat wasn't found during a scan?
-
@HardwareGeek 10 internetpointzz say it's something that you yourself compiled or otherwise produced.
I have this problem quite often. Yes, of course, I'm writing a virus. I've already infected MSBuild and tomorrow the entire world. Muahaha.
-
@HardwareGeek I just had it tell me that a program I compiled (and signed) was a virus. Thanks. (Only on the 32bit version. It was happy with the 64bit one)
-
@HardwareGeek I just had it tell me that a program I compiled (and signed) was a virus. Thanks.
As it turns out, AV programs are sometimes just as stupid and poorly written as everything else.
Years ago I wrote a program and my AV flagged it as a virus ..... WTF? Then I figured out what happened.
Somewhere on the interwebs I had come across the assembly language source code for a virus -- I wasn't interested in viruses but I was learning assembly language at the time and I was eager to study any working code I could find.
There was a subroutine in the virus source code that didn't do anything bad, it just cleared the screen in a clever way. So I copied it into the program that I was writing.
Apparently that bit of screen-clearing code was what my AV program was using to detect that particular virus.
-
@Gern_Blaanston said in WTF Bites:
As it turns out, AV programs are sometimes just as stupid and poorly written as everything else.
Huh. I always thought they were far worse. Good to hear that they're getting their act together.
-
@boomzilla well, they’re as badly written as anything else except for having direct access to the kernel and monitoring literally everything your machine is doing.
Several of them also helpfully MITM all your SSL connections with their own weird root certificates.
-
I've been seeing this one since I bought this computer. It's usually very intermittent, but I've gotten it at least 20 times today.
But...
-
WTF of my day: So, I built a web page using Blazor Server. Runs fine in development. Pushed it to the production server and ran dotnet build there.
Got this:
Only one compilation unit can have top-level statements.
(For those not in the know: It's basically indicating that there's the equivalent of two Main() statements somewhere and the program does not know which is the actual entry point)
The error indicated one of the Razor pages as the culprit. Only solution I could find, after banging my head against the wall: Delete the offending file from the solution, and create a new file of the same name, copy&pasting the old content into it.
Thus essentially the same content now builds fine.
-
@Rhywden TRWTF is top level statements.
-
That's a bit weird. The ports in time_wait can't be reused for connections to the same address, but they should be available for reuse to other addresses. So I'd expect webpages to work, except any connection to that one server the application was accessing.
The OS might be not reusing that port at all, which is less efficient than it could be but at least easy to program and doesn't matter if people are remembering to clean up their sockets correctly. And aren't doing very large servers. (UDP is a completely separate family of ports.)
-
@boomzilla well, they’re as badly written as anything else except for having direct access to the kernel and monitoring literally everything your machine is doing.
Several of them also helpfully MITM all your SSL connections with their own weird root certificates.
A number of AV systems MITM all file system accesses too, and fuck up the semantics of things in the process. Yay.
-
The OS might be not reusing that port at all, which is less efficient than it could be but at least easy to program and doesn't matter if people are remembering to ~~clean up~~ reuse their sockets correctly. And aren't doing very large servers. (UDP is a completely separate family of ports.)
The sockets are properly cleaned up, but that still puts them in a timed wait state. It is reusing sockets that you have to do to avoid the problem if you are doing a lot of connections quickly—with the added benefit that it saves on the TCP and TLS (for https) handshakes that each costs a round-trip.
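An added illustration of the connection-reuse point in the post above (not part of the thread, and Python rather than the .NET HttpClient being discussed): a constructed loopback server counts how many TCP connections it accepts for the same number of requests, with and without reuse. The names `CountingHandler` and `connections_used` are made up for this example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class CountingHandler(BaseHTTPRequestHandler):
    """Constructed test server: counts accepted TCP connections."""
    protocol_version = "HTTP/1.1"  # HTTP/1.1 keeps the connection open by default

    def setup(self):
        # setup() runs once per accepted connection, not once per request.
        super().setup()
        with self.server.lock:
            self.server.accepted += 1

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def connections_used(requests, reuse):
    """Send `requests` GETs to a loopback server; return connections accepted."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CountingHandler)
    server.accepted, server.lock = 0, threading.Lock()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    host, port = server.server_address
    shared = http.client.HTTPConnection(host, port, timeout=5) if reuse else None
    try:
        for _ in range(requests):
            conn = shared if reuse else http.client.HTTPConnection(host, port, timeout=5)
            conn.request("GET", "/")
            conn.getresponse().read()  # drain the body so the socket can be reused
            if not reuse:
                conn.close()  # the side that closes first holds the port in TIME_WAIT
    finally:
        if shared is not None:
            shared.close()
        server.shutdown()
        server.server_close()
    return server.accepted


if __name__ == "__main__":
    print("new connection per request:", connections_used(20, reuse=False))
    print("one reused connection:     ", connections_used(20, reuse=True))
```

While the first variant runs, `netstat` or `ss -tan state time-wait` on the client side shows one lingering entry per request; the reused connection leaves a single one.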
-
with the added benefit that it saves on the TCP and TLS (for https) handshakes that each costs a round-trip.
Can't wait for HTTP3/0!
-
@Tsaukpaetra Wait for? Isn't it already here?
-
@cvi Well, it is defined and browsers already support it, but I don't think any of the common ingress controllers (reverse proxies) do and since most web applications live behind a reverse proxy these days, I don't think it can be actually used much anywhere.
-
@Bulb that article suggests that 26% of the top 10 million websites support it - there are patches for nginx for example to support it, and other web servers definitely support it.
-
patches for nginx
Yeah, the likes of Google and Facebook probably use it. For the rest of us, we'll use it when the patches get merged, and enabled by default, in the images installed by helm install ingress-nginx ingress-nginx/ingress-nginx (ok, maybe some of us will consider switching to helm install traefik traefik/traefik if it gets there first (I am considering it because it will probably have Gateway api first—if it gets the TlsRoute (tls multiplexed by sni, with arbitrary application layer inside))).
-
@Arantor … actually looks like traefik does have it in released version already, but most load balancers (which are the layer 4 routers that go in front of the reverse proxy) don't support both tcp and udp on the same port yet.
-
@Bulb Figure now is the time one gets to enjoy HTTP/3. By the time all of the above happens, IT will also have heard of it and moved to block it, because it's new and scary.
-
@cvi Where I work at we don't have a corporate proxy, so it might even work. The client I work for gave me their notebook and that has the purple abomination of a proxy called netskope client, so it almost certainly does not work there.
-
@Tsaukpaetra said in WTF Bites:
with the added benefit that it saves on the TCP and TLS (for https) handshakes that each costs a round-trip.
Can't wait for HTTP3/0!
Me neither! By then my cheap web hosting might allow HTTP/2.
-
WTF of my day: Page counters in Word. They simply are black magic and only through ~~trial and error~~ arcane spells and sacrifice of a goat will you get what you want.
Today's example: The page after the cover page was to begin at "1". It didn't, instead opting to begin counting at "2". Telling it through formatting options to begin counting at 1 yielded a 2 still.
Telling it to begin counting at "0" yielded a "0". Almost there!
Told it to begin counting at 1 again and got .... two.
-
@Zerosquare said in WTF Bites:
I'm curious to know if he had chrome installed or not.
Also, does that menu seriously show that he has 10 internetpointzzzz?
-
two
If your cover page is not supposed to be page one, use a section break to logically separate it.
-
@Zerosquare 2 seconds? Faster when offline?
Somebody hasn't upgraded to HTTP/3 yet...
For the record. That's not an actual fix. Opening the start menu should not depend on anything network.
-
For the record. That's not an actual fix. Opening the start menu should not depend on anything on network.
I wonder how many people use the start menu as their default place to search for something on the web. Perhaps a lot do. But of course, it's the only place to search for applications on your computer. It's a convenient place to search for documents on your computer.
-
Status: The stupid!?
Let's see... (researches, because apparently some dumbasses don't know what they submitted and can't be assed to click the link to their own ticket) .... Aight, Imma respond.
Nincompoop.
-
@boomzilla said in WTF Bites:
I wonder how many people use the start menu as their default place to search for something on the web.
Still, you can do that without making network requests when opening the menu.