So far I have been learning, and understanding Elixir through building projects and small examples. I have seemed to notice a pattern. Elixir really shines when you build apps that work in real-time, snap of a finger right there and then. So a weather app in Elixir would be redundant, as it takes time to update, vs something like a stock market, or Twitter app, that is constantly updating.
I can see that are barely any tutorials using external API’s, probably not unheard of but rarely used. Unless I am wrong?
What is something a little bit more challenging than building Twitter, and blog posts apps?
Not only, but especially for those cases! The tooling is just so good to work with that it makes approach challenges almost trivial. It’s really a language that potentializes your strenghts IMHO.
I don’t know if I follow, could you be a little more specific? What kinds of external APIs are you talking about? What do you consider “more challenging” in that regard!?
It is not everyone’s choice, but I generally use Tesla to integrate projects with APIs, and it is so simple I do not bother to open source this code, I gather that is the case for most people. The Tesla README contains an example for integrating with Github
As part of the standard library? Not that I am aware of, but Erlang does have the :httpc module (and maybe others) that you can use for this purpose in an Elixir app. Maybe those really familiar with Erlang do this commonly, but for myself I just add Tesla to mix and go. Most decent API integrations take a few minutes to wire up.
My last job made very heavy use of 3rd party API calls. I wrote up a conceptual pattern I called “quest” but it’s not a beginner’s tutorial, and it never made sense to me to turn it into a library because the value is in customizing the pattern to your own needs.
I may be wrong, but under the hood every library ends-up using :httpc, directly or indirectly.
Last time I check :httpc is still insecure by default, it doesn’t check for valid TLS certificates when connecting through HTTPS, unless you configure it to do so.
So, the author of each HTTP library needs to take a great deal of care to provide safe defaults for when :httpc is being used or when is being configured, because configuration is not merged, when you update some config you need to pass the whole thing, not just the bit to be updated.
Tesla is one of that libs that is not secure by default:
Thanks for the heads up. Curious that the author has not responded to your issue. Although I would imagine removing a default once it is released poses serious breakage.
On the other hand, if it is true that "under the hood every library ends-up using :httpc", maybe the argument could be made that the bigger problem for the ecosystem as a whole is there? I assume there must be some nuances to this question because, regardless of who you think is responsible for security (languages, library authors, end users) if there was an easy answer, someone would have solved it. Instead everyone seems to prefer to pay security consultants a lot of money to clean up the mess
For better or worse, I think convenience (one of those rare virtues closely connected with developer happiness and business interests) will continue to be a driving force in software. So whatever the solution is, it probably needs to be convenient.
Finally while I agree this is an important issue, it’s arguably moving off the topic of this thread. Now I’m off to make sure I’m using hackney as my adapter in my API clients
For some context why I am so picky about security: I work as a Developer Advocate for Mobile API Security
If the default is very insecure and poses a real security risk, then for me it’s a simple decision, it needs to be fixed and a new breaking version released.
I would even go far, and do a minor path version release so that everyone gets the fix. Yes, it will break, but if devs have proper testing it should be caught before going to production. If it breaks only in production they learn the lesson that they need to properly test their releases, plus you don’t want to be calling HTTPS without the TLS certificate being check to be valid.
At the end of the day what matters for the most part of devs is that it works until it doesn’t, after all bad things only happens to others. As you say developer convenience is important for developer happiness, and that is why its is always the winner over security.
The mentality of our industry is only gonna change when developers start to go to court to face charges for the code they write, maybe it take more 10 or 20 years but will be a reality, as Uncle Bob always say, the day will come. It may come sooner if some tragedy occurs were thousands/millions get killed by code, but sincerely hope that this will not occur.
The history shows that any type of industry is not able to self regulated, only the law maker is able to regulate and enforce regulation, some with more success then others.
This course is not just on how to use Phoenix LiveView. Instead, it’s a journey where we go through the full development of a real LiveView application, which gets real-time data from many Cryptocurrency Exchanges and beautifully renders prices and charts on the browser of (potentially) thousands of users.
