Show HN: Minimal NIST/OWASP-compliant auth implementation for Cloudflare Workers

https://github.com/vhscom/private-landing
20•vhsdev•3h ago
This is an educational reference implementation showing how to build reasonably secure, standards-compliant authentication from first principles on Cloudflare Workers.

Stack: Hono, Turso (libSQL), PBKDF2-SHA384 + normalization + common-password checks, JWT access + refresh tokens with revocation support, HTTP-only SameSite cookies, device tracking.

It's deliberately minimal — no OAuth, no passkeys, no magic links, no rate limiting — because the goal is clarity and auditability.

I wrote it mainly to deeply understand edge-runtime auth constraints and to have a clean Apache-2.0 example that follows NIST SP 800-63B / SP 800-132 and OWASP guidance.

For production I'd almost always reach for Better Auth instead (https://www.better-auth.com) — this repo is not trying to compete with it.

Live demo: https://private-landing.vhsdev.workers.dev/

Repo: https://github.com/vhscom/private-landing

Happy to answer questions about the crypto choices, the refresh token revocation pattern, Turso schema, constant-time comparison, unicode pitfalls, etc.

Comments

TheTaytay•1h ago
Thank you for writing/publishing this. I especially appreciate the prominent warning at the top not to mistake it for a production library and to suggest an alternative. (It’s surprising to me how often people forget to add disclaimers like that to their code.)
vhsdev•1h ago
Appreciate it, TheTaytay!
usefulposter•1h ago
Oy.

Who specifically is this intended for? It's a wonder that the model didn't spice things up with some tangential compliance catnip like FIPS or PCI DSS.

I would be curious to see the prompts used to create this.

Recently, I don't think there could be a better example of applicability of Brandolini's law.

vhsdev•1h ago
Everything you or your agent need to see is in the commit history.
amichal•43m ago
I would love to see alternatives of educational code that implements these things in a "compliant" way.

Security does not come from Compliance (sometimes they are at odds), but as someone who is not an academically trained security professional but who has read NIST* in detail, implements such code, has passed a number of code reviews from security professionals, and has been asked to do things like STRIDE risk assessment on products I write code for, I do appreciate the references and links alongside actual code of any kind.

Now to be fair, I have not yet looked at any of the code here, its commit history or its level of AI-induced fantasy confidence in the validity of the specific solutions. That could be good or bad but the intent of this is really on point for me.

Edit: I looked at some code:

This is missing a lot from NIST SP 800-63B

Looking at https://github.com/vhscom/private-landing/blob/main/packages...

    - the db select runs before the password hash so you can detect if the account exists with timing attacks
    - there is no enforced minimum nor maximum length on the stored secret (e.g. para 5.1.1.1 and 5.1.1.2 recommend length range of 8 to 64 unicode printable chars normalized to some form I forget)
    - there is no enforced min max length on the account identifier (in this case email) and no normalization

At least not in the code I saw. So there is still a lot of basics/low hanging fruit from NIST recommendations at least you would find in any production grade auth framework missing
vhsdev•27m ago
Hi, amichal. Nice finds. I will dig into more of the particulars where sensible. Please feel free to send up a pull request! Thanks for taking a peek.
vhsdev•21m ago
Pretty sure all those are covered, upon more careful review. PRs open!

Edit: The create account I hadn't thought of for the email enum. Thanks!

chrisweekly•33m ago
Brandolini's law, aka the bullshit asymmetry principle: it takes way more effort to refute bs than to create it.

FTR I'm not commenting on whether the posted project is bs, just clarifying the meaning of your last sentence.