Daily Logs for Aug 4, 2025

Written by: Tushar Sharma

Featured image for Daily Logs for Aug 4, 2025

Dear Vishi, my logs for today

Navigating the Terminal

Quickly moving around in the terminal is essential for productivity. While Ctrl+A (start of line) and Ctrl+E (end of line) are great for editing commands, scrolling through output is different.

Most terminal emulators (like iTerm, GNOME Terminal, or Windows Terminal) allow you to scroll through the output buffer using Shift+PageUp and Shift+PageDown or your mouse's scroll wheel. To jump directly to the top or bottom, you can pipe the output of a command to a pager like less:

            # Pipe a long command's output to less
ls -lR / | less

# In less, you can:
# - Press 'G' to go to the end (bottom).
# - Press 'g' to go to the start (top).
# - Use arrow keys or j/k to scroll.
# - Press 'q' to quit.

          

Refreshing a File in Vim

When a file you're editing in Vim is changed by an external process (like a git pull), you need to reload it.

:e - Reload if no local changes were made. Vim will load the external changes.
:e! - Force reload and discard local changes. This command reloads the file from disk, overwriting any changes you've made in the buffer.

A Deep Dive into OAuth2 Grant Types

OAuth2 is an authorization framework, not an authentication protocol. It provides standardized flows for applications to gain secure, limited access to user resources without exposing their credentials. Identity Providers like Okta, Auth0, or Entra ID (Azure AD) implement these flows.

The Core Endpoints: `/authorize` and `/token`

OAuth2 separates the process of getting user consent from the process of obtaining an access token. This separation is a key security principle and is handled by two main endpoints:

/authorize: This is a user-facing endpoint. The application redirects the user's browser to it. Here, the user authenticates with the provider (if not already logged in) and grants the application permission to access their data. It then sends back a temporary authorization code.
/token: This is a server-to-server endpoint. The application's backend makes a secure, direct call to this endpoint, exchanging the authorization code (along with its own client ID and secret) for an access token and, optionally, a refresh token.

Why the separation? To keep sensitive tokens out of the browser. The access token is a powerful credential. By exchanging the code on the backend, the token is never exposed to the user's machine, preventing its theft through browser history or malicious scripts.

1. Authorization Code Grant

This is the most common and secure grant type, ideal for traditional web and mobile applications that have a backend server.

Flow:

User Consent: The application redirects the user to the /authorize endpoint.
Get Code: The user logs in and gives consent. The provider redirects back to the application with a short-lived authorization code.
Exchange Code for Token: The application's backend sends the authorization code, its client_id, and client_secret to the /token endpoint.
Receive Tokens: The provider validates everything and returns an access token and a refresh token.

Real-World Examples:

Clicking "Login with Google" on a website like Canva.
A mobile banking app authenticating you.
Connecting a third-party application like Slack to your Google Drive.

2. Client Credentials Grant

This grant is for machine-to-machine (M2M) communication where there is no user interaction.

Flow:

Request Token: A backend service makes a direct call to the /token endpoint, sending its client_id and client_secret.
Receive Token: The provider validates the credentials and returns an access token.

Key Characteristics:

No user involved.
No /authorize endpoint is used.
Typically, no refresh tokens are issued; the client just requests a new access token when the old one expires.

Real-World Examples:

A microservice calling another internal API.
A CI/CD pipeline script deploying resources to a cloud provider.
Running automated API tests with a tool like Postman.

3. PKCE: Securing Public Clients

PKCE (Proof Key for Code Exchange) is not a separate grant type but an extension that makes the Authorization Code flow more secure for clients that can't protect a secret, like Single-Page Applications (SPAs) and native mobile apps.

It mitigates an "authorization code interception" attack. In this attack, a malicious app on a user's device could intercept the authorization code and exchange it for an access token.

How PKCE Helps:

Before starting the flow, the client app generates a secret code_verifier and a transformed version of it called the code_challenge.
It sends the code_challenge to the /authorize endpoint.
When exchanging the authorization code at the /token endpoint, it also sends the original code_verifier.
The server transforms the verifier and checks if it matches the challenge sent earlier. If they match, the token is issued.

This ensures that only the application that initiated the request can complete it.

Reference: Microsoft OAuth2 Documentation

Resolving Ambiguous Mappings in Spring Boot

In Spring MVC, an IllegalStateException: Ambiguous mapping error occurs when two or more controller methods are mapped to the same URL pattern and HTTP method, and Spring cannot decide which one to invoke for an incoming request.

Consider this controller:

            @RestController
class MyController {

    // Maps to POST /123
    @PostMapping("/{id}")
    public String handlePostWithId(@PathVariable String id) {
        // ...
    }

    // Also maps to POST /123, causing ambiguity!
    @PostMapping("/{id}")
    public String handlePostWithIdAndParam(@PathVariable String id, @RequestParam("test") String bar) {
        // ...
    }
}

          

Both methods map to POST requests for paths like /some-id. To resolve this, you need to make the mappings more specific. A common technique is to differentiate based on the presence of a request parameter using the params attribute.

The Fix: Using `params`

By adding params = "test", you tell Spring that the second method should only be invoked if the request URL contains the test parameter.

            @RestController
class MyController {

    // Handles POST /123 (without a "test" param)
    @PostMapping("/{id}")
    public String handlePostWithId(@PathVariable String id) {
        // ...
    }

    // Handles POST /123?test=someValue
    @PostMapping(value = "/{id}", params = "test")
    public String handlePostWithIdAndParam(@PathVariable String id, @RequestParam("test") String bar) {
        // ...
    }
}

          

Now the mappings are unique, and Spring can correctly route requests.

Learning Spanish

I know	Jo se
I know it	Lo se
do you know?	sabes?
I want to know ?	Queiro saber
she know its	ella lo sabe