{"componentChunkName":"component---src-templates-blog-list-template-js","path":"/engineering/20","result":{"data":{"allMarkdownRemark":{"edges":[{"node":{"excerpt":"AWS EC2 is a virtual computing environment (known as instances) to develop and deploy applications. To create an EC2 instance in AWS, we…","fields":{"slug":"/engineering/ec2-instance-aws/"},"html":"

AWS EC2 is a virtual computing environment (known as instances) to develop and deploy applications. To create an EC2 instance in AWS, we need an active Amazon Web Services account.

\n

EC2 Dashboard

\n

First, let's login into our AWS account. Once login, we will land on the Management Console page, we can see all the AWS services.

\n

\"AWS

\n

There is a drop-down on the top left corner, which is one more option to search and browse all the services provided by AWS. You can find EC2 under the Compute category.

\n

\"AWS

\n

Once we click on EC2 you will be redirected to the EC2 Dashboard. It shows the information related to all the EC2 resources for a specific Region in our account.

\n
\n

Note: If we change the region from the top right corner of the dashboard, it will show the selected region's information. In the below snapshot, we have selected Mumbai region.

\n
\n

There is a button Launch Instance to create a new instance in the selected region on the dashboard's bottom section.

\n

\"EC2

\n

How to launch an EC2 Instance

\n

After clicking the Launch button, we need to select the Amazon Machine Image (AMI) it includes the operating system and applications required to launch an instance. Here we will select the Ubuntu Server 20.04 LTS as shown in the below snapshot.

\n

\"EC2

\n

The next step is to choose the type of instance we need. AWS provides many types of instances based on different use cases with various CPU combinations, memory, storage, and networking capacity. We will here select the t2.micro instance, which is a free tier eligible instance.

\n
\n

while writing this tutorial, Amazon provides 750 hours per month of free usage on the t2.micro instance. It makes it very affordable to run small/sample applications for an initial period.

\n
\n

\"EC2

\n

On the Instance Configuration Details Page, we have options to run more than one instance at once, and there are other configurations regarding roles and access management. We will skip all this and click on the Next: Add Storage button.

\n

\"Configure

\n

We can increase or decrease the size of instance storage while creating it; the free tier is eligible upto 30GB; if you need more storage, it will be billed according to Elastic Block Store (EBS) Pricing

\n

\"Storage\"

\n

On the next screen, we can add tags to our instance and storage; these tags are key-value pair which are very useful to add properties to our resources, especially when we have multiple instances.

\n

\"Tags\"

\n

We can define the firewall rules in a security group attached to our instance. With the help of these rules, we can control the traffic to our instance.

\n

\"Security

\n

Once we are done with firewall rules, we can review the complete detail of our new instance on a single page, and here we can click Launch button to launch the instance.

\n

\"Review\"

\n

When we click Launch, it will open a pop-up that will require you to select a pre-existing public-private key-pair or create one to connect to our instance securely. Once you select/download the key, you will be able to launch the instance.

\n

\"Security

\n

It will take approximately 5-10 min to launch the instance. Once launched, You can see the list of your running instances by clicking on the Instances button on the left menu.

\n

\"Running\"

\n

Conclusion

\n

As you can see, it is effortless to create a free tier AWS instance to deploy your application. In the upcoming article, we will show you how to deploy an application on the EC2 instance and the best practices.

\n","frontmatter":{"date":"November 18, 2020","updated_date":null,"description":"Learn how to create an EC2 (Elastic Compute Cloud) instance in an AWS account in simple and straightforward steps.","title":"How to create an EC2 Instance in AWS","tags":["AWS","DevOps","EC2"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/d8663624ccdd85c88db0a127028ee564/58556/ec2cover.webp","srcSet":"/static/d8663624ccdd85c88db0a127028ee564/61e93/ec2cover.webp 200w,\n/static/d8663624ccdd85c88db0a127028ee564/1f5c5/ec2cover.webp 400w,\n/static/d8663624ccdd85c88db0a127028ee564/58556/ec2cover.webp 800w,\n/static/d8663624ccdd85c88db0a127028ee564/99238/ec2cover.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Puneet Singh","github":"puneetsingh24","avatar":null}}}},{"node":{"excerpt":"What is Git Cherry Pick Git cherry-pick is a powerful command that allows any specific Git commits to be selected by reference and append to…","fields":{"slug":"/engineering/git-cherry-pick/"},"html":"

What is Git Cherry Pick

\n

Git cherry-pick is a powerful command that allows any specific Git commits to be selected by reference and append to the current working HEAD. The act of picking a commit from a branch and adding it to another is cherry picking. For undoing modifications, git cherry-pick can be useful. Say, for example, that a commit is made to the wrong branch unintentionally. You may turn to the right branch and select the commit to where it is supposed to belong.

\n

HOW to use

\n

To showcase this, let us assume we have a repository with the following branches:

\n
alpha - beta - gama - delta   `Master`\n     \\\n       x - neutron - Ultraviolet `Feature`
\n

git cherry-pick commitSha

\n

In this example, commitSha is a reference to commit. Using the git log, you can locate a commit referenced assum we wanted to use commit 'neutron' in master in this example. We make sure that we are working on the master branch first.

\n

git checkout master

\n

git cherry-pick neutron

\n

Once executed, our Git history will look like:

\n
alpha - beta - gama - delta - neutron  `Master`\n     \\\n       x - neutron - Ultraviolet `Feature`\n\t
\n

The neutron commit has been successfully picked into the feature branch.

\n

WHEN to use

\n

git cherry-pick is a useful tool but isn't best practice always. Cherry-picking can trigger duplicate commits, and traditional merges are preferred instead in many situations where cherry-picking would work. Git cherry-pick is a useful option for a few situations.

\n

Collaboration

\n

A team will often find individual members working in or around the same code sometimes. Perhaps there is a backend and frontend component of a new product feature. There may be some shared code between two sectors of the product. Perhaps the developer of the backend produces a data structure that will also need to be used by the frontend. In order to select the commit in which this hypothetical data structure was created, the frontend developer could use git cherry-pick. This selection would allow the developer of the front end to continue progress on their project side.

\n

Quick fixes

\n

When a bug is discovered, it is essential to fix that quickly as possible. For example, let's say a developer has started working on a new feature. During the development of a new feature, they find an existing bug. The developer creates an explicit commit to fix this bug. This new patch commit can be cherry-picked directly to the master branch to quickly fix the bug.

\n

Undo and restore commits

\n

A feature branch can often go stale and not be merged into a master. Often, without merging, a pull request might be closed. Git never sacrifices those commits, and they can be identified and cherry-picked back to life by commands such as git log and git reflog.

\n

Other options

\n

-edit\nPassing the -edit option causes git to trigger a commit message before the cherry-pick process is introduced.

\n

—no-commit\nThe —no-commit option executes the cherry-pick, but it transfers the contents of the target commit into the working directory of the current branch instead of making a new commit.

\n

—the-signoff\nThe —signoff option adds the signature line 'signoff' to the end of the cherry-pick commit message at the end.

\n

Git cherry-pick also accepts merge strategy options and conflict resolution as well. Please check the git merge strategy documentation.

\n","frontmatter":{"date":"November 17, 2020","updated_date":null,"description":"Introduction to Git Cherry-pick and its usages.","title":"How to use Git Cherry Pick","tags":["git"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/7cc5358c073674d856e8ea5cddc47710/58556/cherrypck.webp","srcSet":"/static/7cc5358c073674d856e8ea5cddc47710/61e93/cherrypck.webp 200w,\n/static/7cc5358c073674d856e8ea5cddc47710/1f5c5/cherrypck.webp 400w,\n/static/7cc5358c073674d856e8ea5cddc47710/58556/cherrypck.webp 800w,\n/static/7cc5358c073674d856e8ea5cddc47710/99238/cherrypck.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Abhimanyu Singh Rathore","github":"abhir9","avatar":null}}}},{"node":{"excerpt":"Application Security is one of the primary concerns for a software developer. People trust your application and share sensitive or personal…","fields":{"slug":"/engineering/password-security-best-practices-compliance/"},"html":"

Application Security is one of the primary concerns for a software developer. People trust your application and share sensitive or personal information. As a software developer, you need to take care of your application user information security. Authentication and authorization both play critical roles in application security. They confirm the identity of the user and grant access to your website or application.

\n

The process in which confirm the user's identity and provides access to sensitive information is called authentication. Generally, authentication is done through the email/username/password. Authentication using the password is the older and common way, so passwords are a critical component of user's identity security. Password policy is the front line of defense to protect user identity. However, weak passwords may violate compliance standards. A simple or common password could be reversed engineered back to plaintext and sold on the dark web, or result in a costly data breach if compromised.

\n

Why We needed Password Policy & Compliance

\n

Password policies and compliance are rules and methods that enforce the user for using a secure and robust password. A billion credentials were stolen last year from multiple data breaches. According to Verizon's Data Breach Report, 81% of data breaches are caused by compromised, weak, and reused passwords. According to National Cyber Security Centre (NCSC) recent analysis, millions of peoples are using easy to guess passwords like 123456. Recently a security researcher claimed he hacked President Trump's tweeter account by guessing his password maga2020! so now we can understand the need for Password Policy & Compliance. You can check the top worst passwords list here.

\n

1. Minimum Password Age policy

\n

The Minimum password age policy is to decide how many days minimum users must keep a password before changing it. This password policy.

\n

2. Enforce Password History policy

\n

The \"Enforce password history\" policy is used to make sure the number of unique passwords a user must set before reusing an old password. This is an important policy because password reuse is a common issue – the user feels more comfortable with the old passwords. Using the same password for a long duration for a particular account, it will create a strong chance for the password compromised in some way, such as in a brute force attack. Password age policy shouldn't be efficient until the password history policy. Users must change their password, but they can reuse an old password; the effectiveness of a password age policy is greatly reduced.

\n

3. Minimum Password Length policy

\n

The Minimum Password Length policy decides the minimum number of characters needed to create a password. Minimum Password Length should be at least eight characters or more. Longer passwords are generally more secure and harder to crack than short ones. For even greater security, you could set the minimum password length to 14 characters.

\n

4. Passwords Must Meet Complexity Requirements policy

\n

The Passwords Complexity Requirements policy make sure user shouldn't use basic passwords. Passwords should be a combination of uppercase, lowercase, and numbers also include some special characters. We can set the following policies in the password Complexity Requirements.

\n\n

5. Common Password Protection

\n

The users shouldn't use the common passwords, so Restrict the use of common passwords. You can refer to this document for a common password list maintained by LoginRadius and this list is dynamic, and it gets updated from time to time.

\n

6. Dictionary Password Prevention

\n

A Password dictionary is a file that contains a list of potential passwords. This feature prevents your user's from setting a password available in the dynamic password dictionary. We are using this dynamic Password Dictionary in the LoginRadius to prevent the use of dictionary passwords.

\n

7. Password Audit policy

\n

Enabling the Password Audit policy allows you to track all password changes. By monitoring the modifications that are made, it is easier to track potential security problems. This helps to ensure user accountability and provides evidence in the event of a security breach.

\n

Password Compliance

\n

Password compliance is a set of rules to enhance user's data security by encouraging users to use strong passwords and use them properly.

\n

1. FDA (U.S. Food and Drug Administration)

\n

The FDA regulates the set of rules for the food, drugs, biologics, medical devices, electronic products, cosmetics, veterinary products, and tobacco products Industries.

\n

Passwords for FDA Industry Systems accounts must meet ALL of the following requirements:

\n\n

2. HIPAA (Health Insurance Portability and Accountability Act)

\n

The Health Insurance Portability and Accountability Act (HIPAA) enforce a set of rules for sensitive patient data protection. Companies that deal with protected health information (PHI) must ensure HIPAA compliance.

\n\n

3. PCI DSS (Payment Card Industry Data Security Standard)

\n

PCI is the set of rules or guidelines for the businesses that are dealing with payment card data.

\n\n

4. NIST (National Institute for Standards and Technology)

\n

NIST creates a set of rules or guidelines for the businesses that are providing services to the federal government. These guidelines to help federal agencies meet the requirements of the FISMA; however, other organizations reference NIST for strong security standards.

\n\n

Summary

\n

I have explained why we needed a strong password policy & compliance. It doesn't matter how strong a password you are using, but bad guys are using new methods or technologies for exposing the user data.\nMost of the data breaches are happing because of Common or weak passwords. MFA, passwordless, or one-time password are providing additional security for a user account.

\n

Source

\n

https://www.fda.gov/food/online-registration-food-facilities/random-password-generator-fda-industry-systems

\n

https://uwm.edu/hipaa/security-guidelines/#password

\n

https://pcipolicyportal.com/blog/pci-compliance-password-requirements-best-practices-know/

\n

https://spycloud.com/new-nist-guidelines/

\n","frontmatter":{"date":"November 12, 2020","updated_date":null,"description":null,"title":"Password Security Best Practices & Compliance","tags":["Security","Password","Compliance","Passowrd Policy"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/4e0affaac848158a3cb23d1551a0076e/58556/password-security.webp","srcSet":"/static/4e0affaac848158a3cb23d1551a0076e/61e93/password-security.webp 200w,\n/static/4e0affaac848158a3cb23d1551a0076e/1f5c5/password-security.webp 400w,\n/static/4e0affaac848158a3cb23d1551a0076e/58556/password-security.webp 800w,\n/static/4e0affaac848158a3cb23d1551a0076e/99238/password-security.webp 1200w,\n/static/4e0affaac848158a3cb23d1551a0076e/135cd/password-security.webp 1280w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Vijay Singh Shekhawat","github":"code-vj","avatar":null}}}},{"node":{"excerpt":"What is PGP? PGP (Pretty Good Privacy) is a cryptographic process used to encrypt and decrypt information. It combines concepts from…","fields":{"slug":"/engineering/using-pgp-encryption-with-nodejs/"},"html":"

What is PGP?

\n

PGP (Pretty Good Privacy) is a cryptographic process used to encrypt and decrypt information. It combines concepts from symmetric and asymmetric key encryption, maintaining some of the best security and usability aspects of both.

\n

One way PGP can be used is to protect the confidentiality of information. Once the information is encrypted, nobody will be able to decrypt it unless they have the right key. In practice, PGP is commonly used in sending and receiving emails, sharing information on the Dark Web, and others. This is because both on and off the Internet, there are ways to intercept information being sent, making encryption using PGP or similar critical.

\n

On a high-level the process between a sender and receiver looks like this:

\n
    \n
  1. The recipient generates public and private keys.
    2. \n
  2. The recipient sends its public key to the sender.
    3. \n
  3. The sender encrypts the message using the given public key.
    4. \n
  4. The sender sends the encrypted message to the recipient.
    5. \n
  5. The recipient decrypts the message using its private key.
    6. \n
\n

PGP Examples in Node.js

\n

Now, let's go over some examples in Node.js using the openpgp library.

\n\n

We'll go over some basic examples and show how to encrypt & decrypt large files using Node.js streams.

\n

First, set up your Node.js project and install openpgp.js:

\n
mkdir pgp-tutorial && cd pgp-tutorial && npm init\nnpm i openpgp --save
\n

Note: examples use openpgp v4.10.8

\n

Generating keys

\n

When generating private and public PGP keys with OpenPGP, you can define which curve to use in Elliptic-curve cryptography. In this example, we use Ed25519 for its performance and small key size. For the full list of curves, you can choose from, refer to OpenPGP.js docs.

\n

You also need to define a passphrase used to decrypt files and the private key. In practice, this should be a strong, randomized secret generated for a single-use.

\n
// generate-keys.js\nconst openpgp = require("openpgp");\n\ngenerate();\nasync function generate() {\n  const { privateKeyArmored, publicKeyArmored } = await openpgp.generateKey({\n    userIds: [{ name: "person", email: "person@somebody.com" }],\n    curve: "ed25519",\n    passphrase: "qwerty",\n  });\n  console.log(privateKeyArmored);\n  console.log(publicKeyArmored);\n}
\n

Running the above gives us our private key:

\n
-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: OpenPGP.js v4.10.8\nComment: https://openpgpjs.org\n\nxYYEX6iKVxYJKwYBBAHaRw8BAQdANJ6JIXuMMZV3NIlwq0POS7xsF2N7+kAE\n7KQjAtfIuqj+CQMI4CUgW9jPsGPgJvQnnCWFf1s7lO/5+D5ZQ9JK25fUtmQo\nWyHX0Ja1ryOoFnvq7u+7fUC0+RAzt8S1xv3eDzazfgNuLtEmufwMyR6wMi78\nKc0ccGVyc29uIDxwZXJzb25Ac29tZWJvZHkuY29tPsKPBBAWCgAgBQJfqIpX\nBgsJBwgDAgQVCAoCBBYCAQACGQECGwMCHgEAIQkQVrbGpNEnCPUWIQQb8YRJ\nhw7DjekU68lWtsak0ScI9UM7AQDv4YRbIdU2ErPf8MobreeLiXXjYZ6fas8E\nzW0KoTZWEQD+NHDY2YYByMF1mWusPkdPDpyBzqMJrlMeihMzZ+PE8AfHiwRf\nqIpXEgorBgEEAZdVAQUBAQdARY37/Vys4Sj6DvwN6TRjxrIqiMIngxQgvOb6\nwi+tQzEDAQgH/gkDCJ2xNZ1OXxv94E8fTLQ3gYHFQuebn/PSijD8CqlvHNB/\n/Z9sIxSFt7rzorW+9v6Awfe+pQwXW5iEyJkdiGu3BM91GMwMvMmZ+rBNlBvq\niX7CeAQYFggACQUCX6iKVwIbDAAhCRBWtsak0ScI9RYhBBvxhEmHDsON6RTr\nyVa2xqTRJwj17W0BAI5MuCWHrqjSRcdjLTwxa++jYv+Yxq4tODj8oh27T86v\nAQCfb3lij9JGlIMNDQgceeougl+Lw4Gb0kQCnsNQRggTDw==\n=yzT4\n-----END PGP PRIVATE KEY BLOCK-----
\n

And the public key:

\n
-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: OpenPGP.js v4.10.8\nComment: https://openpgpjs.org\n\nxjMEX6iKVxYJKwYBBAHaRw8BAQdANJ6JIXuMMZV3NIlwq0POS7xsF2N7+kAE\n7KQjAtfIuqjNHHBlcnNvbiA8cGVyc29uQHNvbWVib2R5LmNvbT7CjwQQFgoA\nIAUCX6iKVwYLCQcIAwIEFQgKAgQWAgEAAhkBAhsDAh4BACEJEFa2xqTRJwj1\nFiEEG/GESYcOw43pFOvJVrbGpNEnCPVDOwEA7+GEWyHVNhKz3/DKG63ni4l1\n42Gen2rPBM1tCqE2VhEA/jRw2NmGAcjBdZlrrD5HTw6cgc6jCa5THooTM2fj\nxPAHzjgEX6iKVxIKKwYBBAGXVQEFAQEHQEWN+/1crOEo+g78Dek0Y8ayKojC\nJ4MUILzm+sIvrUMxAwEIB8J4BBgWCAAJBQJfqIpXAhsMACEJEFa2xqTRJwj1\nFiEEG/GESYcOw43pFOvJVrbGpNEnCPXtbQEAjky4JYeuqNJFx2MtPDFr76Ni\n/5jGri04OPyiHbtPzq8BAJ9veWKP0kaUgw0NCBx56i6CX4vDgZvSRAKew1BG\nCBMP\n=C6S6\n-----END PGP PUBLIC KEY BLOCK-----
\n

File Encryption

\n

Now we can start encrypting information.

\n

Create a text file:

\n
echo 'This file contains secret information' > secrets.txt
\n

Here, we act as the sender who received a public key from the intended recipient. We use their public key to encrypt the confidential information:

\n
// encrypt-file.js\nconst openpgp = require("openpgp");\nconst fs = require("fs");\n\nconst publicKeyArmored = <PUBLIC KEY GIVEN BY RECIPIENT>\n\nencrypt();\nasync function encrypt() {\n  const plainData = fs.readFileSync("secrets.txt");\n  const encrypted = await openpgp.encrypt({\n    message: openpgp.message.fromText(plainData),\n    publicKeys: (await openpgp.key.readArmored(publicKeyArmored)).keys,\n  });\n\n  fs.writeFileSync("encrypted-secrets.txt", encrypted.data);\n}
\n

In the newly created encrypted-secrets.txt file, we have the contents encrypted like so:

\n
-----BEGIN PGP MESSAGE-----\nVersion: OpenPGP.js v4.10.8\nComment: https://openpgpjs.org\n\nwV4DUsPKVnc3UHMSAQdAey4TJiEOrZQIrx6q2zBLgmPkbnhPMt1WR+jCWX5x\nGn8wEim8W4OhDVMwfhtgVIClBCGPhvdeZ1zvVUAJGDdl8+S+DUynKhPNcN8m\nKb9TRGYs0sAlAaXcTChBHSS5kDHV/8Hgjcn0OIs6v2mbCkz/bHs/shwf8WMI\nov711iEkgcXnXIX+ZDGyDFnAKftoygzAf0aZy82g7ejAD9SX13wNmO6TK8Gw\nwr9Xj8F6XBV0yHvdsm2uzRY9W03tTSqAf0anEs+ZWyVR/ha9ddnZJPFKtUbC\nBEF4AMavsIN0CcqpA4q69I3E6GEtkAzgBWfJOOO8mQsNQ1vJWcJocinryBE6\nKbhznoe+R69qmUaJXPpe5scF6tfCYuQtPz4uhOljT+OUP6qss5Nz4zBs4JLq\nnUlyynLLSSgdVr4Hvg==\n=5tyF\n-----END PGP MESSAGE-----
\n

Now, as the sender, we can send the encrypted file to the recipient.

\n

File Decryption

\n

Here, we act as the reciever. To decrypt the encrypted-secrets.txt file, we use our private key and passphrase:

\n
// decrypt-file.js\nconst openpgp = require("openpgp");\nconst fs = require("fs");\n\nconst privateKeyArmored = <PRIVATE KEY>\nconst passphrase = <PASS PHRASE>;\n\ndecrypt();\nasync function decrypt() {\n  const privateKey = (await openpgp.key.readArmored([privateKeyArmored])).keys[0];\n  await privateKey.decrypt(passphrase);\n\n  const encryptedData = fs.readFileSync("encrypted-secrets.txt");\n  const decrypted = await openpgp.decrypt({\n    message: await openpgp.message.readArmored(encryptedData),\n    privateKeys: [privateKey],\n  });\n\n  console.log(decrypted.data);\n}
\n

Which logs the decrypted file contents:

\n
This file contains secret information.
\n

Using Streams for Large Files

\n

If you plan on encrypting or decrypting large files, you won't be able to fit the entire file contents in memory. In this case, you can use Node.js streams.

\n

Here, we encrypt a large file called dataset-1mill.json using streams:

\n
encrypt();\nasync function encrypt() {\n  const encrypted = await openpgp.encrypt({\n    message: openpgp.message.fromText(fs.createReadStream("dataset-1mill.json")),\n    publicKeys: (await openpgp.key.readArmored(publicKeyArmored)).keys,\n  });\n\n  let readStream = encrypted.data;\n  let writeStream = fs.createWriteStream("encrypted-dataset.txt", { flags: "a" });\n  readStream.pipe(writeStream);\n  readStream.on("end", () => console.log("done!"));\n}
\n

And then, we decrypt the newly created encrypted-dataset.txt using streams:

\n\n
openpgp.config.allow_unauthenticated_stream = true;\n\ndecrypt();\nasync function decrypt() {\n  const privateKey = (await openpgp.key.readArmored([privateKeyArmored])).keys[0];\n  await privateKey.decrypt(passphrase);\n\n  const decrypted = await openpgp.decrypt({\n    message: await openpgp.message.readArmored(fs.createReadStream("encrypted-dataset.txt")),\n    privateKeys: [privateKey],\n  });\n\n  let readStream = decrypted.data;\n  let writeStream = fs.createWriteStream("decrypted-dataset.json", { flags: "a" });\n  readStream.pipe(writeStream);\n  readStream.on("end", () => console.log("done!"));\n}
\n

Now, decrypted-dataset.json will have the same contents as our original dataset-1mill.json file.

\n","frontmatter":{"date":"November 10, 2020","updated_date":null,"description":"Starter guide on Pretty Good Privacy(PGP) with Nodejs. PGP, a cryptographic process used to encrypt and decrypt information.","title":"Using PGP Encryption with Nodejs","tags":["Security","NodeJs","Encryption"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.7699115044247788,"src":"/static/17b7404342f677f5ecd47557fd49ab6f/58556/cover.webp","srcSet":"/static/17b7404342f677f5ecd47557fd49ab6f/61e93/cover.webp 200w,\n/static/17b7404342f677f5ecd47557fd49ab6f/1f5c5/cover.webp 400w,\n/static/17b7404342f677f5ecd47557fd49ab6f/58556/cover.webp 800w,\n/static/17b7404342f677f5ecd47557fd49ab6f/54d25/cover.webp 1080w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Andy Yeung","github":null,"avatar":null}}}},{"node":{"excerpt":"Python is a general-purpose programming language and has overtaken Java in popularity according to a recent Stackoverflow survey. People…","fields":{"slug":"/engineering/python-basics-in-minutes/"},"html":"

Python is a general-purpose programming language and has overtaken Java in popularity according to a recent Stackoverflow survey.

\n

People who have never programmed before are tempted to try due to the simplicity to learn and use it. Well, let's get down to business.

\n

Before we get started

\n

Before we get started, there are a few things you should know about python:

\n\n

Print function

\n

We are assuming that you have already installed python. If you do not, please click here.

\n

To write your first Python code, open your text editor and type:

\n
print("Hello world, this is my first python code")
\n

Save the file as helloworld.py and put it into the python interpreter to be executed.\nYou also can run your code on the command line:

\n
C:\\Users\\Your Name>python helloworld.py
\n

If everything went well, you should see something like this:

\n
> Hello world, this is my first python code
\n

You can also use the print function to show integers, variables, lists, etc. Try it!

\n
#show the sum of two integers\nnumber1 = 5\nnumber2 = 7\nprint(number1+number2)
\n
#dividing two decimals\nnumber1 = float(12.1)\nnumber2 = float(4)
\n
#concatenating strings\nname = "Python"\nphrase = str("I hate ")\nprint("I love ", name)\nprint(phrase+name)
\n

Data Types

\n

Python has the following data types built-in by default, in these categories:

\n\n
\n

Note: Variables in Python are interpreted as integers by default. Is a good practice to declare them as another type explicitly (if they aren't integers). You can see the kind of a variable using the function type().

\n
\n

Python Operators

\n

Operators are used to performing operations on variables and values.\nThe main groups are:

\n\n

Arithmetic operators

\n

Arithmetic operators are used with numeric values to perform common mathematical operations.

\n\n

Comparison operators

\n

Comparison operators are used to compare two values.

\n\n

Logical operators

\n

Logical operators are used to combine conditional statements.

\n\n

If statement

\n

Look to the code below:

\n
age = 18\nif (age<21):\n    print("The student is underage!")\nelif (age==21):\n    print("The student is 21!")\nelse:\n    print("The student isn't underage!")
\n

In programming, we often have to choose what to do depending on the situation. It is essential to know how to use conditional arguments like ifand else.\nThe code above print a different message according to a condition.

\n

Try to write a code that asks for two test scores. If the average is less than 7, the user should see \"I'm sorry, you didn't do well on the tests\". If the average is exactly 7, the user should see \"You did it!\". And if it is greater than 7, the user should see \"Congratulations!! You're a great student.\".

\n
\n

Note: to request a response from the user, you need to use the input() function. For example:

\n
\n
name = str(input("What's your name?"))\nage = int(input("How old are you? "))\nprint("I'm %s and I'm %d"% (name, age))
\n

Loops

\n

Python has two primitive loop commands: while and for.

\n

While loop

\n

With the while loop, we can execute a set of statements as long as a condition is true.

\n
count = 0\nwhile count < 10:\n    print(count)\n    count += 1    #this line is the same as    count = count+1
\n

The code above will print count as long as count is less than 10.

\n

For loop

\n

A for loop is used for iterating over a sequence. Using it, we can execute a set of statements, once for each item in a list, tuple, set, string, etc. For example:

\n
#loop through a string\nfor x in "banana":\n    print(x)
\n
#loop through a list of fruits\nfruits = ["apple", "banana", "melon"]\nfor x in fruits:\n    print("I like", x)
\n

Conclusion

\n

Did you understand why python became so popular? In a few minutes, you were able to learn the main concepts of this fantastic language.

\n

Please comment and share this article!

\n","frontmatter":{"date":"November 06, 2020","updated_date":null,"description":"Learn the basics of Python programming lanuage (For Beginners)","title":"Python basics in minutes","tags":["Python"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/e65362be2b3196aeea5b79ea97dab3a6/58556/python.webp","srcSet":"/static/e65362be2b3196aeea5b79ea97dab3a6/61e93/python.webp 200w,\n/static/e65362be2b3196aeea5b79ea97dab3a6/1f5c5/python.webp 400w,\n/static/e65362be2b3196aeea5b79ea97dab3a6/58556/python.webp 800w,\n/static/e65362be2b3196aeea5b79ea97dab3a6/99238/python.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Sara Lins","github":"saranicoly","avatar":null}}}},{"node":{"excerpt":"What is Rest? Representational State Transfer in short-form as REST defines a set of constraints for creating Web Services.\nRest API is the…","fields":{"slug":"/engineering/rest-api-cucumber-blog/"},"html":"

What is Rest?

\n

Representational State Transfer in short-form as REST defines a set of constraints for creating Web Services.\nRest API is the most-used web service technology nowadays, and it's an almost meaningless description. A REST API is a way to communicate for two computer systems over HTTP, which is similar to web browsers and servers.

\n

What is BDD?

\n

BDD stands for Behavior Driven Development (BDD). Nowadays, many Organizations, to get a better advantage of testing, are taking a step forward.

\n\n

What is Cucumber?

\n

A cucumber is an approach that supports BDD. It allows you to write tests that anyone can understand, irrespective of their technical knowledge. In BDD, users (business analysts, product owners, developers, etc..). We need to first write scenarios or acceptance tests that describe the system's behavior from the customer's point of view for review and sign-off by the product owners before developers start actual development.

\n

What are the Prerequisites to Test Rest API using Cucumber?

\n\n

Steps to Install Java

\n
http://www.oracle.com/technetwork/java/javase/downloads/index.html
\n

Download JDK from the above link and install it\nSet the Environment Variable on System Properties

\n
Right Click on My PC -> Properties -> Advanced System Settings -> Environment Variables -> Create New -> provide path of JDK
\n

Steps to Install Eclipse

\n\n

Steps to Install Maven

\n\n

Configuring Cucumber with Maven

\n\n

Now we need three Important files.

\n\n

Feature File: It's a entry point to the cucumber. We use Gherkins to write the feature file. This is the file where you will describe your descriptive language(Gherkin uses simple English). A feature file can contains a Scenario or List of Scenario. A sample Feature file is below

\n
Feature: Login Functionality\n@validLogin\nScenario: User Should Login With Valid Credentials \n   Given Post Login API\n   When Provide Valid Credential\n   Then Status_code equals 200    \n   And  response contains IsLogin equals "true"\n@invalidLogin    \nScenario Outline: Email and Password Validation in Login API \n   Given Post Login API\n   When Provide different combinations to "<email>""<password>"\n   Then Status_code equals <statuscode>    \n   And  response contains message equals "<message>"\n   Examples:\n   |email     \t\t|password    | statuscode |  message\n   |          \t\t|            |   401      | Required email and password\n   | abc\t  \t|            |   401      | Email format is incorrect\n   | abc@mail7.io  \t|\t     |   401      | Required password\n   | abc@mail7.io   \t| password   |   401      | Email and Password combination Incorrect
\n

Save the above code as login.feature

\n\n

StepDefinition:\nNow you have your feature file ready with test scenarios defined. However, our job is not done yet. Cucumber doesn't know when should execute which part of code. So StepDefinition acts as an intermediate to your runner and feature file. It stores the mapping between each step of the scenario in the Feature file. So when you run the scenario, it will scan the stepDefination file to check matched glue.

\n

How to write step definition:\nWe have a chrome extension(Tidy Gherkin) to convert your feature into a step definition.
\nCopy your scenario from the feature file and paste it in Tidy Gherkin and click on Java Steps; copy the Java Steps.\nCreate a new file name a StepDefinition.java and paste the Java Steps

\n
package com.loginradius.login\nimport cucumber.api.java.en.Given;\nimport cucumber.api.java.en.When;\nimport cucumber.api.java.en.Then;\nimport cucumber.api.java.en.And;\nimport cucumber.api.junit.Cucumber;\nimport org.junit.runner.RunWith;\nimport static io.restassured.RestAssured.given;\nimport static org.testng.Assert.assertTrue;\nimport io.restassured.http.ContentType;\nimport io.restassured.response.Response;\nimport io.restassured.specification.RequestSpecification;\nimport io.restassured.RestAssured;\n\npublic class StepDefinition {\n\tprivate  static  final  String  BASE_URL  =  "https://www.loginradius.com";\n\tString email = "abcxyz@mail7.io;\n\tString password = "password";\n\tRequestSpecification request;\n\tprivate  static  Response response;\n\tprivate  static  String  jsonString;\n\n    @Given("Post Login API")\n    public void post_login_api() {\n\t    RestAssured.baseURI  =  BASE_URL;\n\t\trequest  =  RestAssured.given();\n\t\trequest.header("Content-Type",  "application/json");    \n    }\n    \n   @When("Provide Valid Credential")\n    public void provide_valid_credential() {\n      response  =  request.body("{ \\"userName\\":\\""  +  email  +  "\\", \\"password\\":\\""  +  password  +  "\\"}")\n\t\t\t\t\t\t  .post("/user/login");\t\n    }\n\n   @Then("Status_code equals {int}")\n    public void statuscode_equals_(int agr) {\n\t    Assert.assertEquals(arg, response.getStatusCode());\n    }\n\t\n\t@And("response contains IsPosted equals {string}")\n    public void response_contains_IsPosted_equals_(String message) {\n\t    Assert.assertEquals(message, getJsonPath(response, "IsPosted"));\n    }\t\n\n   @And("response contains message equals {string}")\n    public void response_contains_equals_(String message) {\n\t    Assert.assertEquals(message, getJsonPath(response, "message"));\n    }\n    \n\t@When("Provide different combinations to {string}, {string}")\n    public void provide_different_combinations_to_somethingsomething(String email, String password){\n\t    response = request.body("{ \\"userName\\":\\"" + email + "\\", \\"password\\":\\"" + password + "\\"}") .post("/user/login");\n    }\n\n\tpublic String getJsonPath(Response response, String key) {\n\t\tString resp = response.asString();\n\t\tJsonPath js = new JsonPath(resp);\n\t\treturn js.get(key).toString();\n\t}\n\t\n}
\n

Now we have Our Feature file and StepDefinition Ready, we need a runner file to run our Test Scenario's

\n

Runner File:\nA runner will help us to run the feature file and acts as an interlink between the feature file and StepDefinition Class\nBelow is the code which will help you to run the tests

\n
package runner;\nimport io.cucumber.testng.CucumberOptions;\n\n@CucumberOptions(\n\t\tfeatures= {"feature_files/login.feature"},\n        glue= {"step_definations/StepDefinitation.java"},\n        tags= "@validLogin",    // based on tags scenarios will run\n        monochrome=true, dryRun=false,\n\t\t)\t\npublic  class  TestRunner  {\n\n}
\n

Now We have Feature, StepDefinition, and runner files ready, We can run the runner file to see the results.

\n

Conclusion

\n

Cucumber is very useful in understanding the overall testing process without having coding knowledge. Since it uses simple English to write the feature file and makes developer, QA and other stakeholders on same page before starting the actual development.

\n","frontmatter":{"date":"November 05, 2020","updated_date":null,"description":"This article is about basic overview of how to automate Rest API using Cucumber and JAVA.","title":"Automating Rest API's using Cucumber and Java","tags":["Automation","Cucumber","Rest API","Java"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/1775ed5790237a2d1ac5fbda108bc357/58556/cucumber_rest_assured.webp","srcSet":"/static/1775ed5790237a2d1ac5fbda108bc357/61e93/cucumber_rest_assured.webp 200w,\n/static/1775ed5790237a2d1ac5fbda108bc357/1f5c5/cucumber_rest_assured.webp 400w,\n/static/1775ed5790237a2d1ac5fbda108bc357/58556/cucumber_rest_assured.webp 800w,\n/static/1775ed5790237a2d1ac5fbda108bc357/99238/cucumber_rest_assured.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Surendranath Reddy Birudala","github":"reddysuren","avatar":null}}}}]},"markdownRemark":{"excerpt":"Introduction Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT…","fields":{"slug":"/engineering/how-to-integrate-jwt/"},"html":"

Introduction

\n

Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT, or JSON Web Tokens, a compact, stateless method for securely transmitting user identity and session data across services.

\n

With JWT token authentication, identity information is embedded in a signed token, allowing you to maintain user sessions without server-side storage. This approach is highly scalable and ideal for modern architectures like SPAs, mobile apps, and microservices.

\n

In this blog, we’ll walk you through what is JWT, why use it, and how to implement JWT authentication using LoginRadius.

\n

You’ll learn what JWT is, why it’s effective, and how it works in real-world applications. We'll cover both integration methods (IDX and Direct API), generating your signing key, managing sessions, storing the JWT token securely, and applying best practices throughout.

\n

Whether you're a developer, product manager, or IAM architect, this guide offers a complete foundation for implementing JWT token authentication into your application stack.

\n

What is JWT?

\n

JSON Web Token (JWT) is an open standard (RFC 7519) used to transmit information securely between parties as a JSON object. It’s compact, self-contained, and digitally signed, making it a reliable format for authentication and authorization across modern applications.

\n

A JWT consists of three parts:

\n
    \n
  1. Header – Contains metadata like the type of token and signing algorithm (e.g., HS256).
    2. \n
  2. Payload – Stores the actual data or “claims,” such as user ID, roles, and token expiry.
    3. \n
  3. Signature – A cryptographic hash that ensures the token hasn’t been tampered with.
    4. \n
\n

Example of a token structure:

\n

<base64Header>.<base64Payload>.<signature>

\n

Why Use JWT?

\n\n

How JWT Works?

\n

\"Flowchart

\n
    \n
  1. A user logs in with credentials.
    2. \n
  2. Your app (or identity provider like LoginRadius) issues a signed JWT.
    3. \n
  3. The client stores the token and sends it with each request (usually in the Authorization header).
    4. \n
  4. The server validates the token’s signature and claims.
    5. \n
  5. If valid, access is granted — without any session stored on the backend.
    6. \n
\n

JWT simplifies identity verification, especially when you're building apps that talk to APIs or need to scale without centralized session storage.

\n

JWT Authentication with LoginRadius: Overview

\n

LoginRadius provides robust support for JWT (JSON Web Token) authentication, which allows for flexible and secure access control across different digital platforms. Whether you're building a fully custom identity flow or using a pre-built interface, the platform supports various integration approaches depending on your architecture.

\n

If you're looking to understand how to implement JWT token authentication effectively, LoginRadius offers two primary implementation models that cater to different levels of customization and control:

\n

1. IDX Implementation – JWT through a Hosted Login Page

\n

The IDX-hosted login approach enables secure, standards-compliant, JWT-based authentication without requiring you to build a custom login interface. This is a strategic option for fast, compliant, and user-friendly deployments.

\n\n

Configuration Steps:

\n
    \n
  1. Enable JWT Login
    2. \n
  2. Go to authentication configuration settings and enable JWT Login in the Admin Console.
    3. \n
\n

\"Screenshot

\n
    \n
  1. Specify your signing algorithm and expiry policy, and define your JWT Secret Key.
    2. \n
  2. Input a secure JWT signing key.
    3. \n
  3. Specify token expiry duration (e.g., 15–60 minutes)
    4. \n
  4. Select the desired algorithm —HS256 for symmetric signing (same key signs and verifies)
    5. \n
  5. RS256 for asymmetric signing, where LoginRadius securely stores the private key used to sign the JWT.
    6. \n
  6. Your app or backend service uses the public key to validate the token signature.
    7. \n
  7. LoginRadius provides a JWKS (JSON Web Key Set) endpoint to dynamically fetch and rotate public keys, ensuring trust without key exposure.
    8. \n
  8. Update IDX Template for Callback
    9. \n
  9. Modify your IDX login page template to retrieve the JWT post-login. You can access the token via redirect URL parameters or secure JavaScript callbacks.
    10. \n
\n

Example Response:

\n

{

\n

\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR...\",

\n

\"expires_in\": 1800

\n

}

\n

This integration approach works best for all teams that want effective identity workflows without the complexity of building proprietary login screens, something that is crucial for customer portals, onboarding of mobile applications, and even managing access for business partners.

\n

2. Direct API Implementation – Self Managed Login

\n

If you’re building a custom login UI or working in a headless environment, LoginRadius lets you generate and handle JWTs directly through its Authentication APIs. Here’s how you can programmatically perform token authentication using the classic method:

\n\n

Configuration Steps:

\n

Step 1: Authenticate via API:

\n\n

Include the user’s credentials (email + password) in the request body.

\n

Step 2: Get JWT in Response

\n\n

{

\n

\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\",

\n

\"expires_in\": 3600

\n

}

\n

Step 3: JWT Decoding and Validation

\n\n

Step 4: Set Custom Claims (Optional)

\n

With LoginRadius, it is possible to customize the payload to include user roles and/or any additional metadata. You can set custom JWT claims on the Admin Console.

\n

With this method, you have complete customization over login flows while using LoginRadius to issue signed JWTs for user session management.

\n

NOTE- With either method, LoginRadius ensures that JWTs are securely signed, optionally short-lived, and compatible with standard token validation libraries, making integration seamless for everyone.

\n

To get started with JWT implementation, you can read our complete developer documentation.

\n

Hosted Login vs Direct API

\n

\"Illustration

\n

What is Session Management and How It Works with JWT

\n

Session management is how your app keeps track of a user after they log in so they don’t have to prove who they are with every request.

\n

In traditional apps, sessions are stored on the server using session IDs. Every time a request comes in, the server checks that session ID to verify the user.

\n

In modern apps, especially SPAs and APIs, JWTs are used to manage sessions without needing server-side storage; this is called stateless session management. The token itself carries the user’s identity, roles, and expiration details. As long as the token is valid, the user stays logged in.

\n

Good session management ensures:

\n\n

How LoginRadius Handles Session Management with JWT:

\n
    \n
  1. \n

    User Logs In

    \n\n
    2. \n
  2. \n

    Client Stores the Token

    \n\n
    3. \n
  3. \n

    Access Token Expiry

    \n\n
    4. \n
  4. \n

    Token Renewal

    \n\n
    5. \n
  5. Logout and Token Revocation Strategy
    6. \n
\n

When the user logs out, both the access token and refresh token should be cleared from client storage.

\n\n

Combining these strategies gives you greater control over token misuse and enables a robust, enterprise-grade logout flow.

\n

\"illustration

\n

How to Store JWT Tokens?

\n

When you implement JWT-based authentication, the client (browser or mobile app) needs a way to store the access token and, optionally, the refresh token after they are issued by the authentication server. This stored token is then attached to every subsequent request to prove the user's identity.

\n

Choosing where to store the JWT is a crucial security decision. The most common storage options are:

\n\n

Each option has trade-offs between security, accessibility, and persistence, and the right choice depends on your application's architecture and threat model.

\n

Recommended Storage Strategy

\n\n

Best Practices for Storing JWTs

\n
    \n
  1. Never store sensitive tokens (like refresh tokens) in localStorage or sessionStorage.
    2. \n
  2. Use Secure and HttpOnly flags with cookies to prevent JavaScript access and ensure transmission only over HTTPS.
    3. \n
  3. Set the SameSite=Strict or Lax attribute on cookies to protect against CSRF.
    4. \n
  4. Use short-lived access tokens and rotate refresh tokens regularly.
    5. \n
  5. Implement CSP (Content Security Policy) to reduce XSS risk.
    6. \n
  6. Avoid storing any tokens in frontend code (e.g., hardcoded in JS files).
    7. \n
\n

Conclusion

\n

JWT authentication with LoginRadius offers a modern, stateless approach to managing sessions across distributed systems. The IDX integration is ideal for rapid deployment, while the Direct API model is best for organizations needing deep customization and integration flexibility.

\n

With robust token signing, refresh capabilities, and centralized control, LoginRadius provides a future-ready foundation for secure, scalable identity architecture. Contact us to know more about JWT authentication and implementation guide.

\n

FAQs

\n

1. What is JWT authentication used for?

\n

A: JWT authentication securely verifies user identities, enabling stateless session management across web, mobile apps, and microservices without server-side session storage.

\n

2. How does LoginRadius simplify JWT integration?

\n

A: LoginRadius simplifies JWT integration by offering hosted IDX login pages and direct API-based authentication methods, enabling rapid deployment and deep customization.

\n

3. Is JWT authentication secure?

\n

A: Yes, JWT authentication is secure when implemented with best practices like short-lived tokens, secure storage methods, signature validation, and refresh token rotation.

\n

4. Can JWT tokens be revoked with LoginRadius?

\n

A: Yes, LoginRadius allows revocation of JWT refresh tokens explicitly, and supports strategies like short-lived tokens and key rotation to manage token lifecycles securely.

\n","frontmatter":{"date":"April 15, 2025","updated_date":null,"description":"Discover JWT (JSON Web Token) authentication, its advantages, and how to integrate it seamlessly using LoginRadius' hosted IDX and Direct API methods for secure, scalable identity management.","title":"JWT Authentication with LoginRadius: Quick Integration Guide","tags":["JWT","JSON Web Token","Authentication","Authorization"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":0.7782101167315175,"src":"/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp","srcSet":"/static/4cedb7829f98208cbc6d5a9aea4e983d/61e93/how-to-integrate-jwt.webp 200w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1f5c5/how-to-integrate-jwt.webp 400w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp 800w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1cc9f/how-to-integrate-jwt.webp 896w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Kundan Singh","github":null,"avatar":null}}}},"pageContext":{"limit":6,"skip":114,"currentPage":20,"type":"//engineering//","numPages":53,"pinned":"5c425581-f474-5ae9-abe7-cf5342db2aaa"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}