Best of Authentication, February 2026

  1. Article · Node Weekly · 11w

    Node Weekly Issue 610: February 5, 2026

    This newsletter covers explicit resource management in JavaScript using the `using` keyword for deterministic cleanup, a postmortem of JSBin's 3-day outage caused by traffic spikes on an outdated Node 7 runtime, and highlights libraries for one-time password authentication (HOTP/TOTP) and simplified FFmpeg video operations. Also includes updates to the 'ora' terminal spinner library and Node bindings for FFmpeg's C APIs.

  2. Article · Cassidy's blog · 8w

    How passkeys work

    A beginner-friendly explainer on how passkeys work using public/private key cryptography, where a private key stays on your device and a public key is shared with the website. Covers the core handshake mechanism, compares passkeys to passwords and password managers, and offers a measured take on their real-world trade-offs — including device dependency and phishing resistance — without overselling them as a universal solution.

  3. Article · Ruby Flow · 8w

    Stop Building Settings Pages: A Guide to Ruthless MVP Scoping

    Solo developers waste momentum building non-essential features before validating their product. Five common MVP time-sinks to cut immediately: dark mode (doubles CSS work), edit profile pages (no users yet), complex auth flows (pick one method), custom admin dashboards (use DB console instead), and automated billing upgrade/downgrade logic (handle manually until you have revenue). The core principle is to ship only the feature that directly solves the user's primary pain point — the 'core loop' — and defer everything else.

  4. Article · ElixirStatus · 7w

    150,000 Lines of Vibe Coded Elixir: The Good, The Bad, and The Ugly

    A founder shares lessons from building 150,000 lines of production Elixir entirely with AI (Claude Code). Elixir's small, terse, immutable nature makes it well-suited for AI coding agents—fewer decisions, fewer tokens, fewer hallucinations. The Tidewave MCP tool extends agent capabilities with live logs and DB access. Key downsides: AI defaults to imperative, defensive Ruby-style code rather than idiomatic Elixir; it cannot debug OTP/async issues or understand Ecto sandbox transaction isolation, causing it to chase red herrings in tests. Architecture decisions still require human oversight. Despite the friction, productivity gains are described as massive.

  5. Article · Laravel News · 9w

    Generate Secure, Memorable Passphrases in PHP with PHP Passphrase

    PHP Passphrase is a Bitwarden-inspired package that generates secure, human-readable passphrases by combining random words from the EFF word list. It offers customizable options for word count, separators, capitalization, and number inclusion, with first-class Laravel integration through facades and dependency injection, plus standalone PHP usage. The package supports custom word lists and includes publishable configuration for Laravel projects.

  6. Article · SingleStore · 11w

    Load data from S3 without static credentials

    SingleStore now supports loading data from Amazon S3 using IAM Roles for Service Accounts (IRSA) instead of long-lived static credentials. The new Cloud Workload Identity feature uses AWS cross-account role delegation, allowing workspace groups to assume customer-provided IAM roles with up to 20 delegated entities per group. This eliminates the need to manage AWS access keys, uses short-lived tokens automatically, and can be configured through new Management API endpoints or the workspace group Security UI tab.

  7. Article · Hacker News · 8w

    What is OAuth?

    Written by one of OAuth's original creators, this post explains the core purpose and historical motivation behind OAuth in plain terms. Starting from a 2006 Twitter use case, it frames OAuth as a standardized way to send a multi-use secret to a delegate with consent, and for that delegate to make requests on behalf of the user. OpenID Connect (OIDC) is described as functionally equivalent to magic-link authentication. The post argues that OAuth's complexity obscures its simple goals, and that understanding the 'why' before the 'how' is key to working with it effectively.

  8. Article · CSO Online · 10w

    SSHStalker botnet brute-forces its way onto 7,000 Linux machines

    A newly discovered botnet called SSHStalker has compromised at least 7,000 Linux servers by brute-forcing weak SSH password authentication. The botnet uses IRC-based command and control, exploits Linux kernel vulnerabilities dating back to 2009, and maintains persistence through backdoors and rootkits. While it hasn't yet monetized access through DDoS or cryptomining, researchers warn it could activate at any time. The primary defense is disabling SSH password authentication in favor of key-based authentication, implementing rate limiting, and removing legacy Linux systems with kernel 2.6 versions. Security experts emphasize this incident highlights the continued importance of basic security fundamentals over chasing advanced threats.

  9. Article · Milan Jovanović · 8w

    How to Implement Two-Factor Authentication in ASP.NET Core

    A practical guide to implementing TOTP-based Two-Factor Authentication in ASP.NET Core. Covers how TOTP works, generating cryptographically secure secret keys with Otp.NET, creating QR codes using QRCoder, the correct two-step setup flow (pending → confirmed), issuing limited-scope tokens during login, validating codes with replay attack prevention via time-step tracking, rate limiting the validation endpoint, encrypting TOTP secrets at rest using AES with a key vault, and generating hashed one-time recovery codes.

  10. Article · Milan Jovanović · 11w

    Integrate Keycloak with ASP.NET Core Using OAuth 2.0

    Keycloak is an open-source identity and access management solution that handles authentication, authorization, and identity brokering. This guide walks through setting up Keycloak as a Docker container, creating a realm with a public OAuth 2.0 client, configuring Swagger UI to authenticate using the Authorization Code flow with PKCE, and implementing JWT validation in ASP.NET Core. The authentication flow involves redirecting users to Keycloak for login, exchanging authorization codes for tokens, and validating JWT signatures locally using cached public keys. The setup includes observing the authentication flow with Aspire Dashboard and covers production considerations like HTTPS configuration, persistent storage with PostgreSQL, and proper security settings.