One more auth system that will give you nightmares...

This JavaScript code powers a 1,500 user intranet application.

The longer you look at it the more insane it gets.

@LoganDice The icing on the cake is the todo comment on top.

Like putting it in a different file is the LEAST of your concerns here. 🤣

@logicallysound @LoganDice even more egregious is the use of an HTML comment... you could just use a JS comment inside the script tag
@jacobherrington @LoganDice Honestly I think that's less egregious. The HTML comment is more visible on a quick scan of the overall HTML file than a JS comment inside the script would be and it's easier to interpret the TODO as applying to the script tag as a whole.
@logicallysound lol I just think <!-- --> is a terrible way to write comments. 😆 Code style is 99% preference.
@jacobherrington I've never liked how HTML comments look so I can sympathize on that point 😅
@LoganDice Why are there 3 ='s for the logic tests?

(yes, there is a LOT more here....)
@kemonine @LoganDice actually, `===` is usually a good idea because you avoid accidental type conversions.
@kemonine In JavaScript, `==` performs coercions so that e.g. `2 == "2"` is true. The `===` doesn't, acting much more like `==` in other C-derived languages.
@LoganDice my favorite part is the three exclamation point todo at the top
@csalzman @LoganDice Yeah, definitely put this in a different file, and then delete that file.

@LoganDice if ("true" === "true") { return false; }

*chef kiss*

@LoganDice wtf it just iterates over every account until it hits the right one??? with 1500 users???? also what the hell is going on at line 556? shouldn't there be hashing involved?


oof.

@postmasterdoggo

Not to mention that it's a frontend code, so anyone can see all the user's info. And execute arbitrary sql, if you want to drop all tables for example.

@LoganDice if I understand what's happening here then.... Fired 😵
@LoganDice
H O L Y
F U C. K I N G
S H I T 😱
@LoganDice There's like 70+ levels of WTF in this compressed to just those few lines.
@LoganDice I am not sure why but I kind of want to frame this and hang it on my wall 😐 Can't tell what's wrong with me 🙄
@LoganDice Are... are you going to fix it? Please?
@LoganDice "PUT THIS IN A DIFFERENT FILE" ➡️ 🗑️
@LoganDice I hurt my throat laughing, thanks!
@LoganDice at least they used triple quotes
@LoganDice I was gonna mention that at least it doesn't seem that there's an injection vulnerability, then I fully caught on that this is running in the client...

@LoganDice

That is going to give me nightmares.

@LoganDice A reply from a friend of mine who read this toot:

"Don't think of it as a security vulnerability, think of it as backing up your user database on every client" 🤣

@LoganDice I think at some point in my life I have written intranet code like this. (Not in JavaScript though. JavaScript didn't exist back then.)
@LoganDice it will be way more secure when moved to another file!
@LoganDice I love everything about this. this is art

@LoganDice raw sql exposed, severe language weirdness, unhashed passwords of all users sent to anyone on every login attempt and then "logged in" is just a cookie you can set arbitrarily anyways and there's *still* more…

Truly astounding – it's like a masterpiece of horrible software engineering.

@LoganDice You. Are. Kidding. Me.

So many layers of SHIT NO!!!

@LoganDice better put that in a different file!
@LoganDice is there an actual purpose to `if ("true" === "true") {`, or is it just more bonkers shit?

@LoganDice

I'm kinda curious about that "True" === "True" at the bottom. Is that an established JavaScript idiom with a well known purpose? Or is it just there?

@mds2 @LoganDice technically it evaluates to true, but it's not remotely ideal.
@LoganDice please tell us where this code is deployed??

@LoganDice this is wrong on so many levels!
- passwords are not encrypted.
- open to sql injection (there still can be mean people on intranet)
- you are fetching the entire datatable!

My eyes are bleeding at the moment. And that’s not because of the monokai theme :)

@LoganDice Wow! 😳 That's... something.
@LoganDice Oh. Oh nooooo. This is driving me mad already.
@LoganDice
Everything about this is frustrating except lines 556-558, which are just dadaism.
@LoganDice okay I know _zero_ about javascript but... `if ("true" === "true")`?????
@LoganDice At least it's not vulnerable to sql injections.
@LoganDice my reaction on reading this code:
why
SQL is designed to do this, why
*why*
WHY
  
@LoganDice This is all client side? Oh My...😆
@LoganDice I don't even have words...