Caveats and pitfalls of cookie domains

Not too long ago, we ran into an apparent security issue at my current assignment - people could sign in with a regular account, but get the authentication and permissions of an administrator user (a privilege escalation bug). As it turned out, the impact  of the security issue was low, as the user would need to be logged in as an admin user already, but it was a very confusing issue. In this post I’ll try and explain the situation, how browsers handle wildcard subdomain cookies, and what to keep in mind when building an authentication back-end when it comes to cookies storing session information.

Read more →

Design by contract using GraphQL

When interfacing between systems it is good practice to think about the interface design prior to developing the systems. GraphQL can be a useful tool to write down these design decisions using its schema definition language. Even when you are not using GraphQL itself in production. GraphQL’s schema can be used to generate a mock server for clients and can verify whether the responses of the server are valid. This way a clear and precise agreement on the API can be made upfront to avoid costly surprises at the end of the development phase.

Read more

Tester in an agile team: a necessity or dispensable?

Let’s imagine it’s the year 2025 and we peek inside an average IT company to take a look at the software development teams working there: what are the chances that there will still be a person who is a tester in each of these teams? Some of you will say: “of course they’ll be gone, everybody will be a developer by then”, while some will hope that the role of the tester will still exist. What would that role look like, then?

If we go back to the current day and age, we can already see a trend that’s been going on in a lot of companies that will give us a peak in a not so pleasant future.Read more →

How to create your own Lint rule

When you are part of a multi-team project in Android, it becomes relatively hard to have a common understanding of how components should be used. This is where Android Lint can help you! In this blog we will show you how you can write your own Lint rules and test them. As an example, we create a sample Lint Detector, which is used to detect whether you have excluded the "secret data" in your application from the Android Authobackup introduced in Android Marshmallow.

Read more →

It’s 2017: Test automation is not optional when building mobile apps!

Note: although this post focusses on mobile app development using Xamarin it also applies to other native mobile apps built in Swift, Java or even web apps. it’s 2017! whatever you are building get started with Test Automation!

As a consultant working for Xpirit i get to see a lot of different customers which I help with my expertise in building mobile applications to improve their mobile apps. Something I noticed in the previous year is that continuous delivery is a hot topic and companies and teams focus on deploying apps automatically to their testers through hockeyapp or even to the stores in beta and / or production.

In agile scenario’s (and come on who isn’t doing that currently? Every company or project I visit is saying they are agile or doing Scrum although some only do dailies and call that scrum ) In the current world it is really important to be able to release often because you want to be able to adapt to customer needs which are almost always changing and evolving.

Read more →

Matching strings in Scala

Over December I had a lot of fun doing the Advent of Code coding challenges with some colleagues.

Many of those, such as day 21, require interpreting some kind of string input. While normally I'd probably marshall those strings into case classes before processing, in this case that seemed like overkill: a quick pattern-match should be sufficient.

It turns out there's a couple of ways to approach that, which is also a good excuse to look under the hood and see which Scala concepts they're built on.

Read more →

A Guide to Generating Boring Code with Node

Writing boring code is not fun. Especially if that code is just a derivative of some data. You should generate it instead! A great example is to generate your HTTP client code from an API definition. This is actually very easy to do with a recent node version and requires almost no extra dependencies. In this post I will show you how to take a JSON schema definition and generate some validation logic from that.

Read more

An alternative AngularJS test runner

When building an Angular application, we usually stick to the suggested or auto-generated solution of unit testing; the Karma test runner and server, the Jasmine testing framework, and PhantomJS as the environment to run it all in.

In this blog post I'll explain how this is rather silly, and will provide an alternative and lightweight approach to writing and running unit tests. It will depend on having a certain way of defining your Angular components, and may not be a full 1:1 drop-in replacement, but I can say with a certainty that it'll make your tests faster, the overhead of running them a lot smaller, and improve the quality of tests by having less to worry about.

Read more →

Cypress - Dealing with flaky tests

Test automation is all about feedback. Feedback that gives you quality updates about the features your team has built. A continuous green build is always the goal because this should give you the confidence you need to go to production. Unfortunately, I’m more used to a “traffic light build”, a build which passes and fails intermittently, mainly because of flaky tests. That is one of the worst things about end to end testing in my opinion.

Why on earth do we still put software into production when we can’t trust our test automation?! Well, that's because we retry the build a couple of times until we have a lucky hit: the build is green and we’re ready to go to production. Although this is a solution, it still feels like a pretty silly thing to do.

Another option, which has my preference, is refactoring those tests until they actually work. The annoying part about this is that you don’t know what’s going on, and most of the time it is impossible to reproduce the failures. Reproducing them takes a lot of time debugging, analysing and mostly guessing where the problem is.

What if we could actually see what’s going on?

Read more →