Categories
development programming

Things I don’t know as of 2021

Things I don’t know

Last time round, I stated the things I didn’t know. Whilst the technical list hasn’t changed much, there’s a new set of skills I want to talk about for this year, as these are the things I want to know.

How to build a diverse team

I’ve worked in plenty of diverse teams, and I’m proud that we managed to build a team from all male to 50% female in the 2 years I was at my last job, but there were a lot of unique features about that job that make it harder to replicate elsewhere. And some of the groundwork was laid before I joined.

How to be a good mentor

I started mentoring via coding coach last year, and I’ve had to tune my approach to each individual, but I’m still not sure the best questions to ask, and what’s the best structure. If I find out, I’ll share it here.

How to get a sleep routine

Sleep is important. But between the existential crisis of a global pandemic, with the subsequent upheaval of work processes, and the constant desire to get more done, I don’t always timebox what needs to be done, and things fall, including my blog, and my fitness. I have thoughts on how to prioritise and plan better, but I can’t control for external factors.

How to work remotely

Whilst I’ve been used to short periods of working from home and working with teams spread across multiple offices, this COVID lockdown is different.

I’ve learned how to work asynchronously, but there’s no good replacement for the serendipity of a chat grabbing a coffee or over lunch. Whilst I’m cautious about returning, even when we can, I definitely look forward to seeing people in the flesh again. Even if we’re wearing masks.

Is there a better way to work?

Whilst trying to find how to work “like this, but over video”, I’ve started looking at how properly remote-first companies do it, reading DHH and Reinventing Work, and thinking if there’s a better way of organising work completely. Asynchronous, pull-driven, self-organised. How do open-source and open-contribution (e.g. Wikipedia) work, and are there lessons we can learn there to make companies more effective, more value-driven and more scalable?

Categories
.net code data development

CosmosDb in The Real World : Azure Global Bootcamp 2019 (Glasgow)

Thank you to those who came to my talk today about CosmosDb. I hope you found it useful.

If you’d like to review the slides, you’ll find the presentation online here :

CosmosDb In The Real World – GitPitch

If you have any further questions please ask below and I’ll do my best to answer.

Categories
development leadership lifehacks

Be passionate about something that isn’t your job

There’s a recurring trope from the tech Ponzi schemers that you need to hustle in your youth. Work weekends. Work unpaid. Climb the ladder. It’s what they did, so it’s the only way.

It’s not.

Be passionate about your job. Be passionate about solving your customer’s problems. And be passionate about understanding and representing all your users.

But also be passionate about something else. Something that inspires you to leave the office. Something that satisfies a dream. Don’t narrow down your life to just your job.

Go surfing. Play in a band. Crochet. Spend time with your family and friends. Reset your ideas of what’s normal in working life, because the Ponzi scheme relies on you giving everything to your job, and convincing the next generation to do that too. Because the alternative is to look up and look around.

If you feel you need to work for free at the weekends, volunteer at a homeless shelter, not for a corporation.

Use your weekends for hobbies, for relaxation, for catching up with people in other industries and finding out that these opinions only exist in echo chambers.


Work your brain. Get new ideas. Reset your mind.

Watch TV.

Read books. Walk in the wilderness. Get out of the glare of the screens, and the superstars.

And don’t forget to wear sunscreen.

For more, listen to this podcast on making the most of your leisure time

Categories
development

Non-technical communication

If, like me, you love talking about tech, you may find it hard to speak to clients and managers who don’t. So I try and follow one simple rule.

Let go of the detail.

Have a summary that skips over it, because generally the people you talk to trust you on the detail. If you’ve ever had a boiler installed, they’ll never tell you what pipes they’re using, or how it’ll connect to the power supply. You agree on the boiler model and the installation date, and let them worry about the detail.

Sure, record the detail for yourself and your team, but make it available on-demand, not as a fire hose.

TL;DR; everything

Categories
lifehacks

Productivity sieve

There’s a lot of information out there. And more generated every day than you could process in your lifetime. So you need to filter out the important nuggets and discard the rest. The most important thing is what you ignore, because you’ll be ignoring most of it.

Many productivity frameworks deal with this problem the same way. Take the firehose of emails, RSS feeds, Twitter recommendations, that book at the meetup, … and collect them in one place (or, if you really must, 2 – one physical, one digital).

Only add things that look interesting, and be intentional about it. Not every email or every tweet, just the ones you’ve marked (IFTTT or Zapier are a great help here). That’s your first filter.

Then, at a scheduled time, on a regular schedule (weekly or fortnightly) decide what you’re doing with everything in the one place. That’s your second filter.

Then, for the things you’ve decided are important, review them, rewrite them, record them. Your words are the next filter.

And don’t be afraid to rewrite, to delete. I use git for my notes so I know I can keep things clean and look at the history if I need to.

Or, to put it another way:

Put everything in your Universal inbox (Trello, Evernote, Notion, …) – one place for “this looks interesting”, from web, photos, videos, etc. but only what you’ve chosen to put in. Don’t let another person or an algorithm choose for you.

Automate the copying, not the decision to copy.

Each week, for everything in your inbox, make a decision.

👉 Either “this is useful” – archive and tag
👉 Or “this is actionable” – add to task list
👉 Or “why did I bother with this” – bin it

Split tasks into “now and next” and “coming up”

👉 “now and next” is stuff planned until your next horizon (tomorrow, next week, next sprint),
👉 “coming up” is the rest of the stuff important from your latest planning session (this week, this month).
👉 Everything else is unimportant right now, and either sits in the ideas archive waiting to be promoted when the project it is attached to resurfaces, or is dated to surface at the right time (e.g. annual subscription)

Don’t carry excess weight.

Categories
code development ux

Blank spaces : how to deal with nothing in API design

Consider the following HTTP endpoint:

GET /{user}/appointments

How do we deal with nothing?

Nothingman

🚫 If the user doesn’t currently exist, return 404 – this informs the caller that nothing can be done with this resource until it is created or recreated.

🙈 If the user exists, but we want to protect against username enumeration, return 404 – this removes a route for malicious agents to identify actual users, perhaps prior to a password brute force. They may decide this endpoint is less likely to have the full protections afforded to the login endpoint. This endpoint should also avoid indirect enumeration, for example returning immediately for “user doesn’t exist” and delayed for “user exists but we’re pretending because security”.

🔒 If the user exists but the caller doesn’t have permission to see their appointments, return 403 – caller will have to login, or ask someone who has access.

Empty time

Given the selected user exists

🔐 If this user does not support appointments, return 404 – these resources can’t be found.

🗓 If this user does support appointments, but there are none, return an empty list.

note : some APIs will return 204 No Content in this scenario. 204 should only be used for POST or PUT requests to indicate server action was a success, and there’s no data to send back.

Empty space

Given the selected user exists
And they have at least 1 valid appointment (see business for what “valid” means)

📺 If the appointment has no location (because online conference links are saved elsewhere in the appointment body) then no location property should be returned

❔ If the appointment has no location (because it is unknown) then the location property should be returned with no data (the empty string)
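Putting the rules above into one handler, as an added example that is not part of the original post. The user store, the caller model, the internal appointment shape and the choice of who gets 403 rather than 404 are all constructed here for illustration.

```javascript
// Added example: a response policy for GET /{user}/appointments following the
// post's rules. The user store, the caller model and the internal appointment
// shape are all constructed here for illustration.

// Constructed store. `viewers` lists caller ids allowed to read appointments.
// Internal appointment records mark location as: a string (known), null
// (unknown), or absent with `online: true` (the link lives in the body).
const USERS = {
  alice: {
    supportsAppointments: true,
    viewers: ["alice", "frontdesk"],
    appointments: [
      { id: 1, start: "2021-03-01T09:00:00Z", online: true, body: "Join link: <redacted>" },
      { id: 2, start: "2021-03-02T10:00:00Z", location: null, body: "" },
      { id: 3, start: "2021-03-03T11:00:00Z", location: "Room 4", body: "" },
    ],
  },
  bob:   { supportsAppointments: true,  viewers: ["bob"],   appointments: [] },
  carol: { supportsAppointments: false, viewers: ["carol"], appointments: [] },
};

const NOT_FOUND = Object.freeze({ status: 404, body: { error: "not found" } });

// Design choice (assumption): unauthenticated callers never learn whether a
// username exists, so they get 404 for everything they cannot read; an
// authenticated caller without permission gets 403 and can go ask for access.
function getAppointments(callerId, username) {
  const user = USERS[username];
  const authenticated = callerId !== null && callerId !== undefined;
  const permitted = user !== undefined && user.viewers.includes(callerId);

  // A missing user and a user hidden from an anonymous caller share one path
  // and one body, so neither the response nor the work done tells them apart.
  if (user === undefined || (!permitted && !authenticated)) return NOT_FOUND;
  if (!permitted) return { status: 403, body: { error: "forbidden" } };

  // The user exists and is visible, but this account type has no appointments.
  if (!user.supportsAppointments) return NOT_FOUND;

  // An empty collection is still a 200 with [], never a 204.
  return { status: 200, body: user.appointments.map(toApiAppointment) };
}

// Serialise one appointment: omit `location` for online meetings, send "" when
// the location is simply unknown, and the string otherwise.
function toApiAppointment(a) {
  const out = { id: a.id, start: a.start, body: a.body };
  if (a.online) return out;            // no location property at all
  out.location = a.location === null ? "" : a.location;
  return out;
}
```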

Categories
development

How to onboard yourself onto a new project

In a well-managed software environment, you’ll have a mentor to help you get up to speed with a new project. But that doesn’t always happen. So here are some tips I’ve picked up about how I onboard myself onto a new project.

Always ask questions.

That’s how to understand documents and code. If it seems like something obvious, ask a rubber duck first, but on my team, I always prefer the developers who ask for help when needed to the ones who struggle along in silence.

For big documents, always expect to send a clarifying follow-up. Write notes and questions as you go through. Some things will be answered, even if not in the order you expect, but reviewing the document shows you’re taking it seriously, and you’ve taken time to process it.

Rewrite it on your own terms

I’ll tend to write notes about the business domain, possibly a glossary, as well as key concepts that will inform how it needs to be built, such as the main user flows, any special rules around security or performance, or specific highlights that meet the project goals (i.e. the high-level view of what the project must have to be successful). Sometimes it helps me to draw diagrams for the flow, or for the connections between different parts of the system.

Ask more questions

For other questions, a good rule of thumb would be if you can’t figure it out yourself or via Google (or project docs) within 30-60 minutes, ask someone else.

Categories
.net development leadership programming

If you’re not living on the edge, you take up too much room

.net is a battleship, and it’s taken a long time to change everything to core, and figure out what the Framework/Core future is. In the meantime, you may have found your project crushed in the path as new APIs change or old technology gets deprecated.

Ask Java developers about where Oracle is taking their language and you’ll hear a similar story. The future is different. Maybe better, but in some places definitely worse.

Change is inevitable. That’s why our industry has embraced agile, so we’re ready to change on weekly or monthly cycles, not yearly ones. The longer it takes to make the decision to change, the more baggage you have, and the harder that change will be. That’s why Jez Humble recommends “if it hurts, do it more often”. That change may come from the business, from the competition, from the platform, or from the environment. How did you deal with Heartbleed, or Spectre? How many of your customers are still vulnerable, and are reducing herd immunity for the rest? Are other companies carrying your baggage without knowing it? Are you the reason that IE6 VMs are still a thing?

The bleeding edge is painful. .net Core broke things, Angular 2 broke things, Python 3 broke things, Edge broke things. But not keeping up breaks more.

How do you keep your tech contemporary?

Categories
code development leadership programming

Java without semicolons

When I was a tutor at university I remember one student who I only saw towards the end of the year. I think computer science was their additional course. They came in after apparently spending the best part of a year learning Java, and sat down to complete their assignment.

It didn’t take long before I was called over to help. Their code wouldn’t compile. A fairly standard console application, with some output. And no semicolons.

I was incredulous, and as a young eejit, I’m not sure how well I hid that. I couldn’t believe someone could have completed the lectures, read the books, and completed the previous 29 assignments without using semicolons.

How could they spend a year on a Java course and not learn anything?

Regrettably, I refused to help them and pointed them towards the obvious and clear error messages that they’d obviously been looking at before they called me over.

I wasn’t going to build it for them. I couldn’t teach them 1 year’s coding in 15 minutes.

And yet, they turned up. They asked for help instead of struggling on. Exactly the things I’d wish for in my new starts when I started leading teams and onboarding staff.

They knew the shape of the solution and they knew where their talents were. If I’d been a little more patient, I could have nudged them gently on. But I don’t know if that would have been enough.

If you are mentoring or leading developers, are you stepping in early enough? Are you praising effort and being vulnerable enough to ask for help? Can you see their strengths and weaknesses? Are you giving yourself enough time with them?

Are you being the senior that you wish you’d had when you were a junior?

Categories
development

No More Secrets: Using PKCE in OAuth for your JavaScript apps

Thanks to everyone who came to Scottish Developers to see myself and Christos talking about identity. If you missed it, be sure to watch again on YouTube. Many thanks to Carole and Andrew for getting Scottish Developers back and running again.

If you want to review the slides, they’re available here – if you want to use them yourself, please let me know.

Don’t share secrets in your SPA. Use PKCE instead.

During the session, a few questions came up that I want to put here for the permanent record.

Pop-up vs redirect flow

If you were watching myself and Christos closely, you may have noticed that I was using the redirect flow in my examples, whereas Christos, and most of the Microsoft examples, use the pop-up flow.

The key difference here is that the pop-up flow leaves the app intact, does the auth in a separate window, then returns the token to the app from JavaScript. The redirect flow leaves the app, does the login, then redirects back to the app.

The popup flow is thus easier to develop and work with, but it doesn’t work on browsers with strict pop-up settings. I’ve had to change Firefox to get it working, and I’ve never seen it work reliably with an iOS or Android browser. If you need to support IE, MSAL will fall back to the redirect flow anyway.

To get the redirect flow to work reliably, you need to be able to restore state when your app gets reloaded. The best way to do this will depend on your app, but common methods would be to persist state (or just current route) in localStorage if there’s nothing sensitive, or pass the current route/state as a data parameter to the login call, and this will be returned to your callback URL, for you to handle appropriately.

Storing Access Tokens

Access Tokens are your secrets. Treat them as securely as passwords. Don’t use local storage for access tokens.

DON’T USE LOCAL STORAGE. DON’T USE LOCAL STORAGE.

Best option is to keep them in memory, and rely on the browser process sandboxing to keep the secret safe.

As Christos mentioned, if you use the MSAL library, it has its own credential cache that will handle this for you.

Passwordless login

If you can, definitely prefer passwordless login. Chances are your website, or your intranet, isn’t important enough to your users for them to create a unique, secure password. Azure AD supports passwordless as well as 2FA and Hardware auth (including biometric on supported devices).

Auth0 supports passwordless login too

More technical details

Is there a use case for server-side secrets?

Yes. For backend services that don’t have an interactive login (such as timer-based jobs), and can keep the secret secure. However, where a service supports it, please use the Managed Principal approach as shown by Christos. If the service never knows the password, it cannot lose it. Let the identity provider grant trusted access on demand.

Where there is an interactive component, the OAuth flow allows the user to verify and control access to whichever subset of their data they choose.

Categories
development leadership

Ask Your Mentor These 40 Questions : about me (Q31-40)

Lifehacker suggests 40 questions to ask your mentor. So that I don’t have to repeat myself, I’m posting the answers here in 4 chunks.

31. What’s the greatest obstacle you’ve overcome?

I was a terrible communicator. Very wordy and imprecise. I started to give presentations, I started writing a blog, forcing me to condense my thoughts into a clearer, simpler form.

32. What’s an obstacle you couldn’t overcome?

I’m terrible at understanding emotions. Working with clients, I can’t tell the cues that help adapt what I’m saying to avoid conflict. I struggle to pitch at the right level of detail. I can communicate a lot more clearly than before, but as soon as there are non-technical issues, I absolutely need an editor. Sometimes that’s a PM, sometimes it’s another technical person. Just another perspective before I put my foot in it.

33. What’s the most unexpected obstacle you’ve had to face?

I’ve done a lot of recruitment over the years, and sometimes I have to reject someone either because someone else was a better fit, or because they failed on some criteria that’s not on the list (such as the guy who, when interviewing with me and 2 female colleagues, only answered questions to me).

Whilst I’ve always been clear that the decision was the right one, explaining that decision is the hardest part about the job. Whilst I want to be direct and honest, I know that my default approach is not appropriate for people who don’t know me well, and so I struggle massively writing, re-editing and phrasing things before talking to the candidate. It’s easily the most stressful thing I have to do.

34. What’s a good thing to be afraid of?

Causing harm.

I’ve worked with a lot of people who are motivated by the knowledge that whatever they build will be used and will make people’s lives that little bit easier. But it’s easy to let oversight or acquiescence let in features or bugs that will cause frustration or actual harm, whether by discrimination or universally.

Never underestimate the power you have to make or ruin someone’s day.

35. What’s been the most exciting point in your career?

Becoming a lead. Because letting go of having to do everything freed me up to think about how to make things better outside of the code I was writing. And suddenly everything was new and there were no easy answers, no red-green-refactor and no acceptance criteria for what makes a team work.

And I’m still learning.

36. Do you find any utility in holding onto regrets?

No. Never.

Regrets imply that you don’t like where you are now. And you have the power to change that.

Are there things I wish I’d done differently? Absolutely. And some of them I can’t even blame hindsight. I knew what would happen and I did it anyway for reasons that I couldn’t even justify at the time.

Know thyself. Learn the lessons. And move on. We all have professional as well as technical debt. Acknowledge it. Work with it.

37. Where do you think you could’ve done better, had you known what you know now?

I would have spent more time exploring at the start of my career. I got lots of opportunities, but the switch I made to a product company, which was also a lot smaller, taught me a lot more about myself. If I’d known how much I didn’t know, I would have jumped sooner.

38. Which values got you to where you are today?

“Don’t be irreplaceable. If you can’t be replaced, you can’t be promoted.”

So I document, I simplify. Any call I get out of hours or on holiday is a failure on my part, a bug in the system. If anyone has trouble following me in a project, I make fixing that bug my top priority. Don’t be a gatekeeper, don’t keep it to yourself, don’t be a bottleneck. Remove yourself from the bus factor.

39. When did you know you’d “made it” and were where you wanted to be?

The first time I got paid for writing software. Everything since has been an iteration on that. Review, reflect, improve.

40. Has your definition of success changed over the years?

It’s simplified. When I’m doing consultancy work, which is what seems to suit me best, success consists of 2 things, in this order :
1. Is the customer happy?
2. Did we make money?

The first is how to keep the lights on next year. The second is how to keep the lights on until then.
Everything else is just a way to break those down into smaller chunks.

Categories
development

Career advice for graduates

I saw this tweet and I’ve been asked this question myself a couple of times so I wanted to highlight this as a reference for others, and collect my thoughts into one place.

Know what you want. E.g. Do you want a startup with scrappy hours but more influence or a big company with more structure but where you have less control?

You don’t have to have a public profile.

If you do have a public profile, make sure it reflects you well.

Doesn’t have to be a blog, but always be thinking about teaching others what you’re currently learning. It really helps you in appraisals, interviews and networking because you’re already reflecting on your skills, and you can more easily help others

Apply even if you don’t meet all the criteria. In most companies “must haves” aren’t. You’ll need to meet some, and be prepared to learn others, but don’t wait until you’re 90% ready.