Posts

Showing posts with the label Redis

Secure Authentication 2025: Implementing HttpOnly Cookie Sessions vs. JWT Rotation

The Reality of Client-Side Storage

It is 2025, and we still see Senior Developers storing Access Tokens in localStorage. Let's be unequivocal: localStorage is not a secure vault. It is a global key-value store accessible by any JavaScript executing on your origin. If your application has a single XSS vulnerability—whether through a compromised npm package, a rogue third-party analytics script, or improper input sanitization—your user's entire identity is compromised. The attacker simply reads localStorage.getItem('accessToken') and sends it to their server. However, the alternative—standard HttpOnly cookies—introduces friction for mobile applications (which prefer Authorization headers) and requires strict CSRF mitigation strategies. The architectural compromise that satisfies strict security requirements while remaining platform-agnostic is Refresh Token Rotation (RTR) with Reuse Detection, backed by Redis. The Root Cause: Why Stateles...

Debugging Redis Streams: Recovering Stuck XPENDING Messages

In distributed systems, silent data loss is often more dangerous than a loud crash. A common architectural pattern involves using Redis Streams with Consumer Groups to distribute workload across microservices. However, a specific failure mode exists that often goes undetected until reconciliation reports show missing data: The Stuck Pending Entry. If a consumer pulls a message using XREADGROUP but crashes (OOM, network partition, unhandled exception) before executing XACK, that message remains in the Pending Entries List (PEL). It is not lost, but it is effectively frozen. Other consumers will not process it because Redis knows it was delivered to the now-dead consumer, and the stream cursor has moved on. This post details how to implement a rigorous recovery mechanism using the modern XAUTOCLAIM command (available in Redis 6.2+) to reclaim and process these stalled messages. The Root Cause: The PEL Lifecycle To fix this, one must understand h...