Transcript: Authentication - José Padilla

00:00.0

Hello, good morning. Welcome to another episode of Django Chat.

00:10.7

I'm Carlton Gibson and I have with me my friend Will Vincent. Hello, Will.

00:16.5

Hello, Carlton.

00:17.7

How are you? Today we have a very special guest, Jose Badia. Hello, Jose, how are you?

00:27.7

Hello, how are you?

00:28.4

See, muy bien, muy bien. Let's do the rest in English.

00:32.6

Jose, we're thrilled to have you on. You and I have met a couple of times, and I think I first became aware of you through your work with JWT, so Django REST Framework.

00:42.0

So what's the, do you have a quick background on, obviously Carlton and I know about your work in Django, but what's the quick take on your involvement in the Django community?

00:51.3

So I spent some time building a product called Blimp.

00:56.2

We were a small team building a project management software.

01:00.1

And I remember our first MVP was actually built in Flask and like MongoDB.

01:05.6

And after failing doing that, right, we switched back to Django.

01:12.2

It was like probably like Django 1.2.

01:14.3

And so I spent at least like around five years working with Python and Django.

01:21.3

So I had a chance to kind of help maintain Django's framework

01:26.2

and kind of pick up helping maintaining other libraries like PyJWT.

01:33.1

Yeah, and like through that, I've worked on random other bits and pieces.

01:39.8

And by far, Python keeps being my favorite community.

01:44.8

Yeah, well, we'll link in the show notes.

01:46.7

But I remember seeing you gave, was it 2014 to DjangoCon?

01:50.5

You gave a talk on JWTs, which I think was your first time at a Django conference.

01:56.0

Is that right?

01:57.3

That's right, yeah.

01:58.8

And I think that went well.

02:01.6

I didn't actually give that talk anywhere else, probably like in another Python meetup, but not in a conference.

02:08.4

What I most liked about that talk was how, at that time, visually explaining what a JSON word token is.

02:17.1

I think I did a good job at that.

02:20.5

I'm kind of tying that up to authentication with like Django Rest Framework and Django.

02:26.4

You know, I have to say, Jose, because you've been you were working on Django Rest Framework for just ages and ages and years.

02:32.6

We were there and you were an absolute machine maintaining the framework, you know, every every I mean, maybe you're doing it part of your work, you know, so you had the time, but you were there, you know, making the fixes, doing the updates, you know, absolute rock for years.

02:45.9

thank you thank you that means a lot coming from you definitely um and i don't like looking back i

02:51.8

don't i think what i um contributed the most at that time was kind of the story around third-party

03:01.0

extensions um and you know how that story fits into django's framework and django and you know

03:09.9

the whole uh python um community as a whole um but yeah it was like it was definitely not

03:17.1

part of my job um this is a free time kind of thing okay um but but i definitely was glad i

03:22.7

was able to to help out with with things like that yeah no and you you would you know absolute

03:28.0

stalwart but that's an interesting point you made about the third-party extensions because

03:31.1

it's something that in django rest framework we were really um keen on and still are keen on

03:36.8

Because we have very limited time and limited bandwidth to maintain stuff.

03:41.7

And so someone comes along with a new feature idea.

03:44.0

And it's like, well, first of all, can we put that into a third-party package that that contributor can maintain themselves?

03:50.5

Because that keeps the call maintainable, right?

03:54.5

Yep.

03:55.1

So what was Blimp?

03:56.5

What was the quick take on what that service was?

03:59.4

So, we were kind of three people working on that project, and we got together one day, and we were just thinking of, like, things we could possibly build a product around.

04:12.3

We had all worked in kind of digital agencies and marketing firms and things like that, where mostly they were using Basecamp, like, first version of Basecamp at that point.

04:26.0

So we had, like, really strong opinions about how project management should look like and should work like, especially in that creative environment, small teams.

04:37.8

So we had, we proposed a structured kind of process through product management.

04:46.5

So we had a really nice, like, niche, you know, we were targeting small teams like ours, three, four, five teams.

04:56.0

people, um, most work was around the actual tasks. Um, so we, you know, Basecamp had, um,

05:06.2

messaging and people would just do product management via messaging, which is via email.

05:10.9

Um, so we, we kind of forced you to use our proposed flow. Um, and then, you know, at some

05:19.6

point trello came up asana came up um and you know they were way bigger than us um and eventually

05:27.5

like it it made sense for us to just shut it down and focus on other things right okay what was the

05:33.9

run there because like that was you know five year period you say yeah like at least five six

05:39.4

that's a good run right for a startup that you've you know small team that you sell yeah definitely

05:43.7

running your own show we didn't take money it was completely bootstrapped um we you know got

05:48.6

together and made it happen um we learned a lot through the way you know the whole period um and

05:55.2

there were definitely like really good opportunities for other things to pop up um one of them being uh

06:00.7

this side project i still maintain called fall previews yeah i wanted to ask about or you and

06:06.2

i have spoken about it but i think it's a really interesting project so what's the quick take on

06:11.0

it and then we can dive into the tech stack because that's that's interesting so so we we

06:15.3

were building at Blimp, we had a file section and you could upload files, share them, and you could

06:22.3

upload revisions of files. And once we designed the whole thing, we noticed that we were kind of

06:28.7

missing pretty thumbnails for files. So if you upload a JPEG or a PNG, that's easy. If you upload

06:37.5

a Word document, that's a little bit harder. If you upload a Photoshop file or Illustrator file,

06:41.8

becomes harder um so we we kind of built this um pipeline where you could upload basically any kind

06:50.6

of file and we were we would just output some uh pngs um and that was harder than it sounds

06:58.6

um so we like from the first um from the get-go we kind of built that separate to blimp as a

07:06.6

separate service um and we like after we built it and we were using it we noticed that we could just

07:14.5

put a landing page on it put a pay button in it and other people might buy it

07:21.4

and surprisingly it outlived blimp as a product um it's been going on um and i kind of took over it

07:30.2

um after we decided to shut down the product that's great because that's like the original

07:35.8

microservice right it's yeah right five years before the the book five years before the the

07:41.3

meme it's like yeah it's a microservice and so what's the what's the tech stack or how much can

07:46.9

you tell us about the architecture of it um so yeah so it's it's built with django obviously um

07:52.4

it it does have a simple api so that's django's framework um you know we use celery um pretty

08:02.0

extensively um we are using redis as our broker postgres as our database um we host our workers

08:10.4

on pretty uh hefty ec2 instances um and our api is actually still in heroku um so yeah it's it's

08:21.2

it gives me an opportunity i don't work with python on my day-to-day job um for a while now

08:28.6

And it gives you an opportunity to actually be in tuned with, you know, what's going on with Python and Django.

08:38.3

But it also gives me a chance to kind of polish my scaling skills.

08:43.7

So we have, you know, this is pretty CPU intensive work and we have pretty interesting traffic patterns.

08:50.8

So, you know, I have to think about how we scale this, how we improve our availability, how, you know, we make sure we have monitoring and observability up to par.

09:03.4

Yeah, because I can imagine that you could and maybe do get a big client just comes in and crushes you with.

09:10.4

I mean, I guess so how does the traffic look?

09:12.1

Is that common that out of the blue you'll just get nailed with a lot of stuff and then otherwise it's flat or is there any consistency there?

09:18.5

So, yeah, so we, you know, FilePreviews has customers around the world and different kind of traffic patterns.

09:28.6

So we have people doing like bulk imports of just files that they have.

09:34.5

So sometimes we'll get, you know, 5,000 requests one after the other to generate previews for different kinds of files.

09:42.3

And, you know, I guess part of the challenge is, you know, you'd handle that with scaling your instances.

09:50.9

So you have more instances and you can kind of, you know, process the queue faster.

09:57.3

But things like larger files.

10:00.7

So, you know, we have customers that sometimes upload a PDF file that is like 20,000 pixels by 30,000 pixels, right?

10:12.3

and it's kind of like a pd it's like a giant pdf um so you know those are one of those could be

10:21.6

you know could hold up the queue for a longer time um so like you know we need to kind of be

10:27.6

observing our limits time limits memory limits view limits um file size limits um would this

10:34.7

be a good example of a use case for serverless like you know a lambda or a functions-based

10:39.4

approach or you know because that kind of looks like the perfect example right you've got

10:44.3

discrete jobs that can be done one by one does it would it work in that environment or

10:49.4

um so maybe so yes so i'm hoping to be able to try that um lambda like aws lambda um they have

10:59.9

some limits to the you know the size of of what you can actually install there um so you know we

11:08.2

even though our workers run

11:10.8

in a Docker container, you could

11:12.9

imagine that Docker container is just like

11:14.8

a VM. So

11:16.4

it'll be interesting to kind of split that

11:18.9

into

11:19.4

to be able to just fit into whatever

11:22.7

the constraint for Lambda is. But it

11:24.8

should definitely be possible.

11:27.5

At this point, you know,

11:29.1

this is kind of my side project and I haven't

11:30.9

had the time.

11:32.2

I tried

11:33.2

porting a specific

11:36.4

part of the

11:38.2

pipeline. And it just was so like an additional complexity, like with testing, and just kind

11:47.4

how we would compile different dependencies that would fit into that particular environment.

11:54.6

But yeah, it definitely seems like the thing that you could probably kind of model in that

11:59.5

serverless like architecture.

12:01.5

Okay, interesting.

12:03.2

But it's not, you know, this two plus one, yes, but the other no, is that hang on, you

12:08.6

know, the VM doesn't give me a lot here.

12:10.5

I've got this whole structure.

12:11.5

Yeah, we like I spent a lot of time kind of tuning, or, you know,

12:17.4

we have to a particular infrastructure model and that has solved our immediate scaling issues

12:25.2

so I am not you know touching that much of it now. Can I ask currently you're working at Auth0

12:31.5

is that right? Yes I do I started working at Auth0 as an engineer in August. Okay so in an

12:38.7

earlier episode we were talking about authentication and I sort of said you know I gave Auth0 a go

12:45.0

and it didn't really fit in with Django.

12:47.3

And so, you know, I probably wouldn't use it.

12:49.5

And I don't know, what's the use case?

12:50.8

So here, can I ask you to put your Auth0 hat on

12:53.6

and tell us the Auth0 story for Django?

12:57.6

Yeah, you're wearing the sweatshirt.

13:00.2

So if I'm going to use Auth0 in my Django project,

13:03.9

or I'm going to consider it,

13:04.6

can you just give us the sales pitch?

13:06.5

What does it give me as a Django developer?

13:08.9

Okay, so kind of going back to that episode

13:11.3

where, you know, you were talking about authentication

13:13.7

and authorization and you kind of defined those and i think you did a very good job um and i guess

13:19.3

one question i as a developer of like in the small side projects using django i i often question

13:27.1

myself like why would i use auth0 versus something like django all off right um and if we kind of

13:34.1

think about django's um batteries included philosophy you know django does a really great

13:40.3

work at not letting developers screw up authentication right we there's a configurable

13:48.1

password hatching system with really great defaults so you don't have to think about

13:51.8

using bitcrypt or do i use like md5 or you know it's really hard to even store like plain text

13:59.1

passwords um and then there's this other like whole other things that third-party third-party

14:07.8

packages kind of help with like password strength checks and throttling authenticating against like

14:13.9

third-party identity providers like facebook or google but you the developer you still need to

14:20.7

think about those security related things you need to kind of know that you're looking for

14:28.2

throttling of your login endpoints and you need to install a package after you find it you need

14:33.0

configure you need to maintain that and whatever other um kind of dependencies that that might have

14:38.9

you might need to have a redis server or something else right um so off zero provides authentication

14:47.1

and authorization as a service we give developers and companies building blocks to secure their

14:53.5

applications without having to become security experts um you know we provide unified device

15:01.1

synopsis login experience so it doesn't matter if you're working on a web app or a mobile app you

15:07.0

can still provide this unified login experience that looks like one single thing right um we

15:14.9

provide like many social identity providers um you can add custom ones to brute force protection

15:20.1

breach password detection um you know single sign-on passwordless login multi-factor auth

15:25.5

user management and you know these are all the things that you could probably find if something

15:30.6

like Django or Django all app can't provide you can go and find possibly a third-party package

15:36.9

that somebody built you then need to actually assess if they're you know well maintained if

15:44.3

they're well built if they're secure and then we go back to that you know security expert thing

15:49.7

um um off to also does something really cool um which they allow you to write custom javascript

15:58.0

code to customize any

16:00.0

part of the authentication and authorization

16:02.1

flow. So, for example, if you wanted

16:04.2

to enrich

16:06.3

user profiles from data from

16:08.2

Clearbit, if you wanted

16:10.3

to reuse information from

16:12.0

another database

16:14.0

or service, if you wanted

16:16.2

to, I don't know, notify another system

16:18.3

of real-time logins, you can do that.

16:21.5

So, yeah.

16:22.4

So, it goes back to

16:23.6

Django provides you

16:28.0

login out of the box and you you know you could figure out the whole template situation and

16:33.4

so yourself and you know going back to like one of the recent episodes we were talking about patterns

16:38.7

um and you after you're built you know one two apps that have login you'll notice the patterns

16:46.2

and you'll maybe have your own project templates and you know um but then this other

16:54.4

like little thousands of other things around authentication, authorization, and security,

17:00.5

you either need to be aware of, be proactive, or you'll have to be free active after a possible

17:06.8

incident. So either, you know, you kind of delegate all those really important security

17:16.1

and trust aspects of your application to somebody like Auth0, or, you know, you take that on,

17:22.6

and you need to be aware of you know what taking that on means okay there's so that that's a super

17:28.6

answer and so what um one thing you mentioned at the beginning of that so two thoughts that came

17:34.5

up one one was you you mentioned about the side project versus the big you know it's a side

17:39.4

project yeah totally i can see why you take it on but all zero surely pitches itself for big

17:44.7

projects too right oh yeah it's not just for a developer site so yeah so so it's it's not only

17:50.7

for you know somebody building a web app and a mobile app um we are a identity platform right so

17:58.6

if you're building a single sign-on for your whole like internal infrastructure services on a large

18:06.1

enterprise setting Auth0 would still you know work for you fine and okay and then when the second

18:12.3

thought was when I tried this a long time ago is when Auth0 first came out and I gave it a go and

18:17.0

i gave it it's been i didn't really find that it integrated with django in the way i wanted to

18:21.5

in that it would it would do the jwt client-side authentication i could see how that would give

18:25.8

me the mobile app authentication that was all super but what i really wanted was in my view

18:29.7

request.user to return a an instance so is there now a nice story about integrating with the django

18:35.9

project we'd like remote user remote user back end um so we we have like one of the

18:42.7

things that attracted me to Auth0 a long time ago

18:46.8

was their content as a marketing effort.

18:52.8

And, you know, they have really great guides.

18:57.2

So there's, I was just checking out

18:59.0

the getting started guide with Django.

19:01.8

And since Auth0 actually provides an auth,

19:05.5

sorry, an auth2 API,

19:09.3

you can use something like Django Social Auth or

19:13.0

Django All Auth, and you would use Auth0

19:17.0

as an identity, right? And then you would handle

19:20.4

in Auth0, you would handle Facebook login.

19:25.2

So I, you know, part of the

19:28.7

QuickShare guide I was looking at does use remote user backend

19:33.3

on the remote user middleware.

19:36.2

You know, it really fits into the whole

19:39.1

django lingo okay that sounds that sounds super so i think it can you um in the show notes we

19:46.5

can put a link to those getting started guys with django yeah well and i wanted to ask you too so i

19:51.6

i saw on twitter i think just yesterday there was just um the north bay python conference and uh

20:00.1

guido uh tweeted this thing about um jacob kaplan moss uh django co-creator saying stop using

20:07.1

passwords use login with google facebook um quote google security team is better than yours

20:12.4

i have some i'm honestly my jaw dropped when i saw that

20:17.8

but i'm curious what your thoughts are as much more of a expert in this realm than i am

20:22.5

i just don't even know where they're coming from with that uh you know i mean facebook was storing

20:30.0

stuff in pure text uh i mean i can see auth zero but to just hand it over to you know one of the

20:38.5

couple monopolies to me i just um i don't know there's two parts i'm i feel like i'm missing

20:46.3

something big here if this is just a side weekend project then you know absolutely the more you can

20:53.1

outsource the best but if this is if you know if your user database is a core strategic asset of

20:58.6

your business then you can't just hand it over to a third party so there's that there's that point

21:05.0

which is important and yeah our facebook that's a claw because every time i turn on the news it's

21:10.4

it's so crufty and creepy i mean google's not much better i mean that's i actually i mean so

21:16.4

with uh jingle all off which is fantastic i i think i still have the you know top google spot

21:21.9

for a tutorial on that and i actually deliberately don't i think there's one i maybe i showed gmail

21:25.8

but i don't show facebook because well here i go never working at facebook i think facebook is

21:30.9

pretty awful so i don't feel like doing their job for them um but we gotta find a little bit

21:36.7

of a rant so so make the case for auth zero as opposed to like google facebook if someone just

21:40.8

says well i'm just delegating my auth in either case why is that actually incorrect that's

21:45.5

interesting so so like i think one thing to notice is that you can use all auth i mean sorry

21:52.9

auth0 without um integrating any like social identity providers right you don't need to use

22:01.3

facebook or google or you know the other 300 providers that we might have um you can use like

22:09.0

email and password against the auth0 database right um yeah it's like trust is the name of the

22:18.8

game. It's especially when you're handling such an important path for an application as

22:28.6

authentication is and as authorization is. Yeah, I know. I mean, it's a deep topic. I mean,

22:33.6

one part of this, which I've seen with some services recently, is this login by email where

22:37.8

there is no password. Every time I log in, I just put in my email address and I get a

22:42.3

one-time link. You know, I can see how that's more secure. It's maybe a little annoying,

22:47.2

but i'm seeing that more and more that's um but as well you've got to bear in mind as well that

22:52.0

a lot of people struggle with passwords um and if you can send them a link where they get a button

22:58.1

and they can click it that's or you know tap it these days that's actually a much better user flow

23:02.9

so it's it's arguably more secure probably is and you know assuming the email's not compromised but

23:08.2

the email's the sort of golden key to all of this isn't it um yeah so so so that's like passwordless

23:15.3

login. And that's something that Auth0 allows you to do pretty easily. And, you know, since we also provide, like, MFA, so you can do, like, multi-factor authentication, you can use, like, the Google Authenticator or Authy or...

23:34.8

If you have to, or you can use SMS.

23:36.9

And I think now that we're starting to see 2FA become like something normal,

23:45.5

I wouldn't say it's like, I can't get my parents to use 2FA.

23:52.4

And so then you can't make that a hard requirement, right?

23:58.8

So I can see like passwordless login, not depending on your targets.

24:04.8

As a UX standpoint, it might actually hurt your user experience.

24:13.3

I can't imagine my mom putting in her email, if you remember, switch email to use.

24:20.1

And then, why do I have to go to my email?

24:23.4

And I found the email.

24:24.9

Now, what?

24:25.8

Oh, there's a link.

24:27.3

So again, it depends on your target.

24:31.4

i can see now that you know there's a lot of players kind of working to improve the whole

24:37.9

user story for security like if you think about security keys like hardware keys um

24:45.4

passwords a lot passwordless login um mfa and things like that um so i'm hoping that in the

24:51.3

you know coming years we'll have a better story for all of this i think django needs a better

24:56.9

story as well we don't have the two-factor auth built in yet and we don't even it's not we haven't

25:01.9

yet got the even like the hooks where you would add that really there are a couple of third-party

25:05.9

solutions but they're not you know they need to be brought into django i think it's part of the

25:10.1

batteries that now that you need to be able to plug into two-factor yeah i i recently um so i

25:16.6

love the you know django admin and i never turn it off um so for file previews i've had to kind

25:24.2

of worked around things like pagination because like you know at our rates most things don't work

25:29.5

in the django admin but like once you get through that you know hurdle it's like okay so now how do

25:35.6

i hide the admin login um because i already have like this whole other login flow that i want to

25:43.3

use and and kind of funnel all traffic if you know if it's for our regular users or for admin

25:50.5

support users users um and yeah that's it's been a little bit clunky on that side the way the way

25:57.6

i do that which i don't quite understand that i was just gonna ask are you giving admin access to

26:03.4

some users can see their their previews in there it sounds like there's three levels no it's just

26:08.2

just me at this point okay so so what i do in that in that um situation is i use nginx to lock

26:14.3

it down to localhost and then just ssh into the box so that it's and connect via a tunnel yeah

26:21.3

and then if you're using heroku that becomes like a harder oh yeah okay okay but like the

26:26.5

reason i do that is because then it's not exposed on a you know url and yep and like you know most

26:33.9

logins out there don't even have uh freight limiting or throttling so you can do like

26:39.5

credential stuffing attacks and you would probably you don't even notice yeah yeah well this whole i

26:45.3

mean i wonder just from the for auth zero from the marketing aspect you know all of this stuff

26:50.4

sounds the more you learn about the web the more you go oh my god how scary it is but it's you know

26:56.7

but a beginner just you know wants it to work and has trouble with that so i i wonder i maybe

27:04.5

at what point does someone go wow i really need to switch over to auth zero is it they already

27:11.4

get burned or they're at a big company where the login is complicated um i i just sort of

27:16.6

it feels like you almost need to get burned or be in a large enough complicated enough

27:20.2

organization before you go oh wow maybe i want some help with this yep that's that's it's i think

27:27.1

right now it's, it's kind of, you know, reactive, you've had a bad experience, you've had a leak,

27:36.1

you've had, you know, security vulnerabilities being reported to you. Um, and I think one of

27:44.6

the other like great things that Auth0 does well is again, this is probably a marketing strategy,

27:52.1

is putting out content that is relevant on security topics and best practices

28:00.9

and kind of like teaching the general audience about security

28:07.0

and hoping that we're going to start seeing people be more proactive about this

28:15.5

and, you know, not having to wait

28:19.0

to actually be on a bad position after an incident.

28:23.4

And then, you know, having to figure out

28:25.0

maybe we should have used an identity provider

28:27.9

and, you know, three years in with millions of users,

28:31.6

that might be a harder thing, but still possible.

28:35.4

Right. No, I think they have the fantastic guides on,

28:37.4

I remember just JWTs when I was learning about that.

28:40.7

And I mean, it's similar to what DigitalOcean has done,

28:42.8

I think, to differentiate themselves.

28:44.2

They have fantastic content because, you know, spinning stuff up is scary for beginners.

28:48.4

Though it does seem to me just from a business aspect that at the end of the day, you know, beginners are kind of whatever.

28:54.0

It's all about big clients.

28:55.5

I mean, this is what I have to keep reminding myself because I'm, I mean, even Heroku, like I have Heroku in my books.

29:01.2

And I mean, almost every day I get some sort of question around Heroku or SendGrid, you know, Twilio.

29:07.1

And I'm just like, why can't they be bothered to make this, you know, friendly?

29:11.3

And it's because they don't, I think it's because they don't really care.

29:14.2

Right. I mean, a couple newcomers isn't the same as having really good, you know, docs as opposed to tutorials that an experienced developer at a large company can just dive in and use.

29:24.8

Yeah, that's the thesis I have now. I don't know.

29:26.9

I can't speak to, you know, BotZero or Twilio or Genelec and stuff like that.

29:33.4

But having worked on file previews, I, you know, after some time, I decided to cater to a specific target of users.

29:48.0

mostly because i don't have the bandwidth to deal with a lot of like um incoming like

29:53.3

incoming beginner level leads right at the end of the day they'll they'll unfortunately they'll

30:01.8

require um a little bit more time um and kind of like not not hand-holding but you know explaining

30:08.3

what a webhook is and and things like that um and in my experience kind of converting that

30:16.0

you know all that invested time and resources into converting that specific user to a paying

30:23.2

customer you know the roi is way less um yeah so i'm kind of vague in some parts um i'm kind of

30:35.1

vague in like some of the pricing um vague in kind of like some of the examples that we put out

30:42.1

um and for me that has worked um so i can't definitely speak to to like i think that's a

30:50.7

standard story from sas businesses right it's the the big the few big enterprise clients that the

30:57.0

one where you're off the end of the pricing thing and it's call us for a quote that's where all the

31:01.1

profit comes from yeah yeah well i mean i'm slow coming to this realization but it sort of makes

31:07.4

sense because i've always i've always wondered um well so what so what is the stack at at zero

31:13.2

because you mentioned you're not using python there what what sort of technologies are you

31:16.3

using day to day so it's mostly it's mostly um node.js um like from the ground up main core

31:23.9

services have been built in node.js and we've you know we have tons of people that are very

31:30.4

experienced in how to make node scale um there are some services that are built with like java

31:36.1

and go there's some python i think but it's like for some like ops related things um yeah ask me

31:44.8

switch over to async just do a total rewrite no big deal yeah i'm currently um so when i joined

31:51.4

i joined the the platform domain so we are like the you know backbone of trust for you know our

31:58.7

customers, but we kind of enable other developers in Auth0

32:02.9

to be able to be as

32:06.6

productive as they can be. So I'm working

32:11.0

on our untrusted code execution platform.

32:16.4

So we basically all this code

32:19.1

that our customers can write in JavaScript to extend

32:21.9

different flows of authentication and authorization,

32:26.6

we basically execute their code

32:29.1

and inject the results in different parts of the load.

32:33.7

You know, that's a great problem, though,

32:37.4

because, hey, give me some code.

32:41.1

I'm not going to know what it is,

32:42.6

and I'm going to run it on my computer.

32:45.2

Like, that's a tricky problem, no?

32:49.2

Yeah, doing that at scale seems hard,

32:52.4

but I'm really excited.

32:54.9

it's i it's i've been here for i don't know a couple months now and i've learned so much from

33:00.3

like so many smart people um and you know coming from a small kind of consulting and small products

33:08.1

um the experience i've kind of gained you know doing things at this scale is amazing

33:15.6

and that's you know kind of why i wanted to switch after all these years you know

33:22.1

So you need to enter up in your thing.

33:23.6

Yeah, that's great.

33:25.7

Well, and this may be an ignorant question,

33:28.0

but so it's Node, so are they using,

33:31.6

you know, for the web stuff, is it Express?

33:33.2

I mean, I know the web part is just a teeny piece of it,

33:35.7

but what is, beyond Node, what is the stack?

33:40.1

I mean, I know it's hard to define in such a big organization.

33:42.3

There's some Express and there's some Happy, HappyJS.

33:46.1

And Happy is a kind of batteries-included web framework,

33:50.6

Or API framework, right?

33:52.1

It provides things like JOY for the validation

33:56.1

and the back end, the authentication back end.

33:58.8

Yeah.

33:59.7

You don't have to go looking for them in micropackages.

34:01.6

It's definitely a little more than Express,

34:07.2

way less than Django.

34:10.8

Yeah, and that's...

34:12.6

But I think that there's work on standardization

34:15.9

around, you know, which one should we use when.

34:20.6

um that's all i know well i know that um uh brave browser which actually i use which is

34:26.0

brendan ike um involved with yeah they're big on the the happy train yep and a pretty good stamp of

34:33.8

a off zero also um actually uh they sponsor a lot of open source projects um around authentication

34:43.1

identity you know um so before i even joined off zero they reached out to me one day and they

34:50.3

asked me if I wanted them to sponsor the

34:54.0

PyJWC library. And that's amazing. And I

34:58.2

learned that they do that with many other libraries.

35:03.9

So they're actually, you know, we use

35:06.5

these libraries internally. And even if we don't use them, the fact that there are other

35:10.8

developers working on this,

35:14.0

they care about that.

35:16.2

Yeah, well, I like that they're doing the positive education approach as opposed

35:21.2

to the fear approach.

35:22.2

because fears you can't fear something you don't understand because certainly you know as a parent

35:27.5

i look at all the ads they're all like your kid might die or you're a bad parent like they're

35:31.9

pretty unsubtle about it for you know a car seat or a car um so i appreciate them having that

35:39.0

approach i did want to ask uh we're coming up on time um i think you just gave a talk at pie gotham

35:44.8

right on which will is that out yet can we link to that yes i can definitely get that to the show

35:50.9

notes um so yeah can you talk about that so yeah so i it's it's it's called python government and

35:57.8

contracts um it's it's a talk i gave um i think september at py gotham and actually my partner

36:06.3

in crime he gave a version of that talk at north bay python um oh okay that recording is also out

36:14.7

Um, so, you know, after Jurgen Maria passed through Puerto Rico, um, we, you know, I was

36:23.5

not in Puerto Rico at that time.

36:24.9

Um, and, you know, I spent weeks, if not months without hearing from my parents, um, you know,

36:31.7

due to infrastructure issues, you know, that power was out, cell phone antennas were out,

36:39.6

um, water, you know, was out.

36:41.7

um and so that kind of leads to some uh kind of questionable contracts that were awarded to

36:52.2

companies to kind of you know supposedly rebuild infrastructure in particular and kind of help

36:57.3

after the destruction um the fema was involved in some of that um and that leads to um i kind

37:09.3

of learning about the so the office of the controller in Puerto Rico they put out the

37:16.3

contracts that government agencies award to other contractors and kind of sometime after that I

37:25.3

had some questions as a civilian I am you know I am not a investigative journalist or anything

37:32.2

like that but i i did have some questions about you know how money was being spent in particular

37:40.3

agencies um and i kind of wanted to see you know relations between you know different contractors

37:48.2

doing business as other you know companies um and so i basically built a project um together

37:56.0

where we kind of took the data,

38:01.6

we kind of pull and downloaded all this data

38:04.5

from the office of the controller's website.

38:06.6

We downloaded the actual PDF documents for the contracts

38:09.4

and we're kind of extracting text

38:12.2

from kind of things that I've learned doing fault reviews.

38:16.2

We're extracting that text, we're indexing that data.

38:20.2

So now it can be searched and correlated.

38:23.3

So this is kind of like a, you know, civic hacking project that I'm very passionate about.

38:28.2

I've been working on it for on and off for almost a year.

38:32.3

And finally, this year, we decided to talk about it because we thought it would be interesting story about, you know, kind of how we went about it.

38:42.6

This is open source. It's built Django, Django's framework, Postgres, our front end is like Next.js.

38:52.1

And, yeah, so I'm definitely very excited to keep talking about this.

38:55.8

We're at a point where we're, you know, talking about how we can be more transparent about, you know, how this is financially sustainable.

39:06.4

It does cost some money to run, not that much.

39:10.2

So, you know, we want to be transparent about that and see if we need help from, you know, others.

39:18.6

and it i'm finally like excited to see where this goes um you know i want to empower other people

39:25.6

like me to kind of know what questions to make and kind of be able to visualize and at the end

39:33.2

of the day just hold accountable whoever needs to be held accountable these kind of things you

39:37.7

always see this you know you know billions of dollars are being budgeted for rebuilding and

39:42.6

yet somehow on the ground you know the stuff wasn't rebuilt and well where's that money gone

39:47.5

and it all it takes is the light to be shone on where that money goes and it will be spent in the

39:53.1

right places whereas when there's darkness it goes into people's pockets so that's super i mean and

39:57.8

and this would seem this would seem like like the reason we talk about here committee and and how

40:02.8

that leads up to this and and even after you know two plus years after that happening is that you

40:08.3

know recently the fbi arrested a fema um employee and the ceo of one of the companies involved in

40:16.7

one of these contracts so this is still relevant today and there's ongoing investigations to

40:22.7

multiple you know some politician has a daughter working for you know ten thousand dollars a month

40:30.5

in some like unrelated thing in the government and now we're starting to see this things like

40:38.3

popping up and it's like yes we're fighting against like corruption super well do you do

40:43.6

you know if any of these federal agencies are using your work to help in their investigations

40:48.4

or do they have their own tools how does so so i don't think so um at the end of the day this

40:56.2

the actual contract they are available you have the office of the controller um i do know that

41:04.4

you know there is like some um i don't know journalists kind of using this tool instead

41:14.1

of the controllers tool um just because it's it sucks less um and it's you know you get some

41:21.8

insights um even at the simplest level you get some insights of spending over time um and just

41:28.4

doing you know correlation between you know i don't know um a contractor being entered into

41:36.0

the system with a typo and you can still kind of search through that and see oh you know these two

41:43.6

contractors are the same entity um and they've been awarded this amount of money and you can

41:49.8

see the actual pdf there without having to download it um so yeah so like at the end i

41:56.2

wouldn't have

41:58.6

wanted to build something like this. I would have

42:00.6

wanted the tool put out by the

42:02.6

opposite of controller to be this.

42:05.7

But I'm

42:06.5

happy to

42:07.8

have done it and

42:10.3

keep like...

42:12.5

I spent a lot of time

42:13.8

figuring out how to gather this data.

42:17.1

It's definitely not open data.

42:18.5

It's on their

42:20.5

site somehow and I managed to

42:22.5

just download it very slowly

42:24.5

and make it happen.

42:26.2

So, like, if now I can, like, empower, I don't know, some data scientists to build cool visualizations on something else that I don't know, like, I don't know, spending by a particular geographic location by fiscal year or something like that, they can now do that without having to spend all this time and effort into actually gathering the data.

42:47.3

Super.

42:47.3

No, that's fantastic. I mean, to make this about me, I spent two years of my life on a project with school data in the United States where every state has all this reporting data on these various tests that everyone has to take at third, eighth grade, high school, all these types of things.

43:04.7

And I probably just got a teeny glimpse of what you had, where it's just a nightmare getting this information. I mean, first of all, you know, some states had it online. You could just download the CSV files, you know, like Massachusetts, California. Some states, you know, it was like a PDF. I think it was, I think it was Kansas who said I had to file a Freedom of Information Act request to get a CD with the data.

43:28.2

you know and it's just i so i guess it's a combination of nobody has the ability and

43:35.0

impetus to actually pull all these things together and you realize how futile all these government

43:40.5

agencies are where they're just checking their box and it's like no it doesn't even occur to

43:44.8

anyone to use it for these broader like well what if we wanted to analyze the data what if

43:48.8

we wanted to use it for something they spend millions and tens of millions collecting it and

43:52.7

then it just goes away deeply more deeply sinister than that is that there are institutional

43:57.7

biases against making the data openly available because people in positions of power have a vested

44:03.8

interest in keeping it quiet sure so it's important that people like jose do the civil society stuff

44:08.8

to bring it out into the light and call them to account that's just that's how democracy is

44:13.5

maintained that's how i'm welling up it's yeah well and that's one thing i i love about django

44:20.3

is it's i think unusual its roots in journalism and investigative journalism uh you know from

44:25.3

the beginning right i mean jacob worked at 18f i mean simon's on a fellowship at stanford on this

44:30.9

i mean i kind of love that you know non-pure tech background of django whereas you said you you

44:36.6

wanted an easy way to display this data and the django part didn't stand in your way it was

44:41.3

the collection and all the rest yeah i mean i keep going back to you know django because i

44:47.2

hate reinventing the wheel i just want to get stuff done and so so it's it's you know i have

44:53.2

a project template that kind of has some of my preference baked into it and i feel so comfortable

44:58.1

yeah no i use that it's one of my favorites i'm always following the updates wait you don't use

45:02.3

mine carl no use yours is fine but i use those days okay sorry um competing over free tools yeah

45:11.3

yeah so so it's it you know it goes back to not having to reinvent the wheel all the time like

45:18.0

i just want to make things and do it fast and you know kind of get out the door as fast as possible

45:24.0

and you know django and python are the things to do that um as we wrap up or any plugs you want

45:30.9

to make for us you have a personal site um jpdia.com which will link to anything around

45:36.9

side projects or auth zero you want to mention as we head out the door so i mean auth zero is

45:42.2

always hiring um so i'll plug that link um in the show notes um you know i'll also link to that

45:49.6

by gotham talk um it's something i'm really passionate about um i also set up my kind of

45:55.7

sponsorship profile on github so i could maybe link to that um i i'm hoping to kind of get back

46:02.7

and track with um some of the projects that i've i'm working on um that i know i've kind of over

46:09.7

time let you know kind of sit away and and be unmaintained um and i kind of feel really bad

46:16.5

about that um because you know people actually use them um so i'm hoping to you know start

46:21.1

spending some more of my free time kind of getting them back to date especially like dropping to

46:27.5

python 2 support right but let's let's just let me just say i just have to say that you mustn't

46:34.2

feel guilty because the time that you give to open source is phenomenal and it has been phenomenal

46:38.4

over a massively

46:39.4

sustained period of time

46:41.0

you've got a life

46:41.7

you've got family

46:42.3

you've got work

46:42.8

you've got

46:43.3

other commitments

46:44.7

the guilt is

46:46.4

is not necessary

46:47.7

your work is

46:49.1

stands on its own

46:50.9

thank you

46:51.5

right

46:52.3

well again

46:53.1

I'm so pleased

46:54.0

we could have you on

46:54.9

my pleasure

46:56.2

great thrill for me

46:57.0

great thrill for me

46:58.0

to meet you in person

46:58.9

you know a year ago

46:59.9

so yeah

47:02.4

we'll link to everything

47:03.9

thanks again

47:04.6

thank you for having me

47:05.3

thank you for coming on

47:06.4

ciao

47:07.3

ciao