alpaca

Written in Golang

• The language of choice for containerized environments (Docker and Kubernetes are both written in Go).
• Lighter memory footprint than our Spring Boot apps (see this gist).
• More performant.
• Way faster build / startup times than Spring Boot.
• More maintainable / less boilerplate / fewer lines of code.
• DB connection retries (Spring will fail if DB isn’t up).
• Able to configure frequency of scheduled tasks, unlike Spring’s @Scheduled(fixedDelay = 500).
• Async functions feel natural. No more creating new files just to invoke an @Async-annotated method.

Lightweight

• Alpine Postgres DB uses 8MB (no data).
• Golang server (e.g., auth) takes 10MB (under no load).
• Alpine RabbitMQ uses 80MB (under no load). Not much I can do about that.
• So I could easily run 20 Golang REST APIs and still only use 440MB (well under a Raspberry Pi’s 1GB RAM).

Insanely fast build times!

$ time go build -o ./bin/alpaca-auth ./services/auth
1.52s user 0.59s system 130% cpu 1.618 total

Running feels instantaneous. Doing a ./gradlew bootRun on a Spring Boot app, on the other hand, takes nearly 15 seconds.

Fewer lines of code!

tokei reports 3293 LOC. In Java, the lines of code could easily be 4 times this.

Microservices, not monolith!

Here’s the original RFC that about decomposing the original monolith.

Microservices lead to

• independent development (easier to onboard developers, less surface area for stuff to go wrong)
• independent deployment (no need to bring everything down to update one thing)
• independent scaling (e.g., the CPU-intensive password hashing service need not be tethered to everything else)

Database Changes

• Postgres instead of MySQL.
  • There is no official Alpine MySQL Docker image as of Jan 2018.
• Snowflake PKs.
  • 8-bytes instead of 16-byte UUID PKs. (see PR #5).
  • Snowflakes are harder to guess, but not unguessable, like Tweet IDs.
  • Where we need unguessability, such as with any of our (reset, 2FA, or confirmation) codes, we use v4 UUIDs.
• Cursor pagination.
  • Offset-based pagination doesn’t scale for large offsets.
• Better varchar constraints: 50 for names (see Facebook), 25 for usernames (compromise between Github’s 39 and Twitter’s 15).

Security Updates

• Salt is stored on Password, not Account, per OWASP.
  • “Generate a unique salt upon creation of each stored credential (not just per user or system wide)”
• Dropping LUDS in favor of password complexity, with Dropbox’s zxcvbn.
• Passwords and accounts no longer expire.
• Self-calibrating iteration count. App will determine how many password hash iterations it must perform such that hashing takes roughly a second, or some other given value.

Style Updates

• UI relies on Create-React-App.
• UI uses Material UI instead of Bootstrap.
• Outbound emails use Hermes for templating.

Nomenclature Changes

• “Multi-factor” instead of “two-factor”.
• “Claims” instead of “roles”.

FUTURE

• Security – Backup codes
• Security – “New device”, based on IP address/MAC address combination
• Security – support YubiKeys
• Security – support Authy, Google Authenticator
• Database – look into CockroachDB
• Ability to merge accounts

This site is open source. Improve this page.