932

August 27th, 2025

Vibe Coding’s Huge Problem


Transcript

Wes Bos

Welcome to Syntax. Today, we're talking about vibe coding. It has a serious problem, specifically around I think vibe coding has a lot of problems, and I'm saying that as somebody who likes to vibe code as much as the next guy.

Wes Bos

But I'm saying vibe coding has no problems and is excellent just so that the comments are balanced on this one. There we go. Okay. So there's obviously a lot of problems, but today, I wanna specifically talk about something that has hit me and something that hit a major website, the Tea app, and that is authentication and access control on vibe coded things. And I think that we are about to see a wave of security issues pop up. And I wanna talk today about what those problems are and how you, the brain dead vibe coder, can solve these things or how I think you should be actually approaching access control in apps that you're building. So what's up? My name is Wes Bos. I am the winner of the Kitaboga code jam.

Wes Bos

If you didn't catch it yet, we all built CAPTCHAs, and we have a video on the Syntax YouTube channel about the worst CAPTCHAs you could ever build. Kitaboga is a YouTuber who baits scammers.

Wes Bos

And what he does is he has his VM, and he just has these hilarious CAPTCHAs, and we all built a couple CAPTCHAs for it. And mine was the winner because it was the best voted by him, Kitaboga, or Kitboga. Why do I say Kitaboga?

Scott Tolinski

There's no one in there. Yeah. Kitboga. That's always fun. Yeah. If you haven't seen that video, we'll link it up. That is absolutely a video you need to watch.

Wes Bos

Was the most the funniest thing ever, which is I think Wes's was the funniest thing ever.

Wes Bos

Mine was, like, funny to watch, but Scott did one where you had to sing a note in order to pass the CAPTCHA.

Wes Bos

Just laughing even thinking about it.

Scott Tolinski

You guys gotta watch it.

Scott Tolinski

This was just, like, the most fun video I think we've ever released. So if you haven't seen it by now, now's a great time to put it on. And if you want to see all of the errors in your application, sentry.io/syntax.

Scott Tolinski

You don't want a production application out there that, well, you have no visibility into in case something is blowing up, and you might not even know it. So head on over to sentry.io/syntax.

Scott Tolinski

Again, we've been using this tool for a long time, and it totally rules. Alright.

Wes Bos

Alright. Let's talk real quick. So this was an app that it's Sentry Hack Week right now, and we're building some apps. And I'm building this, like, LED grid that you can control over the web, and I needed some very basic auth, basically, where I was just gonna throw a cookie in my own browser, and I'm checking for that cookie and a specific value. Right? The very most basic auth that you can get. I added that in and whatnot, and then I just, like, typed into Cursor, like, go ahead and protect these routes with it. And it started adding the auth client side. Like, it was checking for the authentication client side, and then it was also adding an error message that says, you don't have access to this.

Wes Bos

Add a cookie with this following value in order to have access to it.

Wes Bos

That's literally telling the person how to get access to it. Hey, Wes. Have you ever considered this is the future of apps, and

Scott Tolinski

AI never makes any mistakes and is perfect. And the fact that it's suggesting this to you means that you need to upgrade your brain matter.

Wes Bos

Yeah. Yeah. Have you considered that? No. I have not considered that. But, honestly, the fact that I caught it so what it was doing is it created an auth.ts file, and it was putting the client code and the server code in the same file.

Wes Bos

And sometimes in apps, you can do that, and it gets tree shaken. But, like, literally, it was adding that into the same file, and it was only doing the check client side. So before you click a button, it would check if you had the cookie client side. It wasn't protecting the route at all. And the fact that I caught that and I said, are you checking the auth client side? It says, you're absolutely right, which drives me nuts.

Wes Bos

I shouldn't be checking the admin auth client side. That would be completely insecure, which it is. Right? And those types of things, like, luckily, I know what I'm doing, and I had caught that, and it wasn't a high stakes app. But I don't think that that's the case with a lot of them. So another example is there's this app called the Tea app, which what was it? It was like an app where people could figure out if they're dating the same person. Was that the whole idea? It was a dating app, but it

Scott Tolinski

yeah. That man.

Scott Tolinski

A part of the application that I think is kind of shocking in all of this is that they had women upload their driver's licenses.

Scott Tolinski

And, like, the fact that this would have been taken in a way that was so insecure or, you can explain how it was insecure, but when you're dealing with such secure data and information being so list. You ever heard of it? Is just shocking and mind blowing to me. And this person should I don't know what the legal consequences, but this person

Wes Bos

the people responsible for this, this is like negligence. They should face legal consequences in my mind. Exactly. So what was happening was that they're, you know, they're having women upload their driver's license or something else in order to be validated. Right? And then they were storing those photos in a Firebase bucket, right, just as, like, an asset.

Wes Bos

However, they also had an endpoint that could pull all of those assets, and then it basically, it was just a wide open endpoint. I'm showing it right now on the screen. It's still in Firebase. These attachments are no longer accessible, so I've heard.

Wes Bos

And people could just scrape this API endpoint and then download every single asset that was available. And these were private assets not to be accessed by the general public. Right? So that's a major security issue having people's sensitive documentation.

Wes Bos

Even storing something that sensitive requires, like, security officers and all of the stuff. And I do believe that this Tea app was primarily vibe coded, and you're hearing these stories. And I believe you're gonna hear a lot more of these stories of these awful security instances where either you go too fast and you don't notice it or you don't actually know what you're doing and you build an application that is insecure. And I think we're gonna see a lot of this. So we're here today just to run through a couple things of, like, what can you do if you are vibe coding this type of stuff? Or, also, just like, if you're building an app that has access control in it, it's probably one of the most important pieces to your app. Like, authentication alone, you can use a package like Better Auth or whatever. You can use a third party thing to actually put authentication into it. But when it comes to once that person is signed in and locking down access to your data, API endpoints and POST requests and whatnot, making sure that people who should not be able to access specific data don't have access to it. That's very important. So here are our tips. First, don't vibe code access control. It's really not that hard.

Wes Bos

Access control can get complex in, like, you having to manage who has access to what, but being able to say yes or no, does somebody have access to this thing? And, generally, you can break it down to, do you have access to it? Yes or no? Or you can break it down even into CRUD. Can they create these things but not read them? Can they read them but not create them? Can they delete them? Can they read their own? These are common things that are built into a lot of access control apps out there if you're using some sort of CMS back end, or you can build a very simple access control where you check off,

Scott Tolinski

boxes for each of them. Yeah. And it is, like you mentioned, usually a matter of can edit all or can edit own or, you know, can edit some very specific ones based on some other criteria. But 99% of the time, it's like can edit own or can edit all, can view own, can view all, can delete own, can, you know, can create. Those types of things, there is not that much there. No. And it's

Wes Bos

it's mostly if statements at the end of the day. And I believe Better Auth, they're gonna be putting out like, wherever we're asking, like, we did an episode on Better Auth, and we're like, I would love a UI for actually managing access control. And a lot of people said that's what their paid product is going to be. Yeah.

Scott Tolinski

I would like that too. I would pay for that. I would like Drupal's permission system because it was just this big kind of wall of checkboxes. Do that. Yeah. Yeah. I tried to build that with a PocketBase the other day, actually. It was actually kind of fun. So our next step here is let in, don't lock down. Meaning that

Wes Bos

you should not be allowing people to access data or send POST requests to endpoints, and then you have to go in and lock it down. You should be the opposite. Everything should be locked down by default, and you should only be letting through the people that are allowed. And Firebase had kind of an oopsie over, I don't know, a long time ago, and they're still paying for it is when Firebase first rolled out, everything was wide open.

Wes Bos

And it was great because you could just throw it in there, and you could just start saving stuff and build an app really quickly. Yeah. And you didn't get, like, bogged down by this annoying access control. The problem is people never actually went back and locked it down.

Scott Tolinski

Yeah. I will say the creator of Meteor said that that was one of his biggest regrets in creating it, was not having it be locked down by default. And, Deno Sync had the same issue. It was opened by default, and then they have since, because it's still in alpha, have since changed it to be the opposite. It's denied by default, and you have to open it up, which is great. That's the way it should be. Even like, I have one Firebase

Wes Bos

database from, like, a tutorial I did a long time ago, and they send me an email every single day, like, hey. Your access controls are insecure because of x, y, and z. And it's because people can if you have it wide open by default, you can just say list all of the endpoints, and then you can loop through each of the endpoints and see what is available there. So this is not a new thing. Right? This is how a lot of firewalls work. Right? Block everything by default, but let people in. Don't reactively go and lock things down.

Scott Tolinski

Yes.

Scott Tolinski

Next thing we have here is be very clear about code that runs in the server or the client. And in regards to locking things down, you cannot lock things down from the client in that way.

Scott Tolinski

You cannot if the access control is happening only on the client side, that's not access control. That's a sign that people can get around. You need the access control to happen at, like, the server level when you're querying from the database

Wes Bos

itself. Yeah. And this can get a little bit muddy with a lot of these, like, React Server Components and, like, all of these meta frameworks allow you to mix your server logic and your client logic in the same folders and, in some cases, even in the same files.

Wes Bos

That's great because the developer experience is awesome, especially if you've got utils where, like, a format money function is something I have all the time. Right? I wanna be able to use that same function on the client and on the server. But there are some things like databases where you simply do not want that to be accessible on the client side. And if you simply import the wrong thing into a file, there are lots of checks to make sure you're not doing something bad, but you can let things slip through. So be very clear

Scott Tolinski

about how you do that. And I know, like, Svelte has a .server.js file. They now have remote files. Oh, yeah. .remote file. Not oh, they did have server, though. Right? Well, the server thing is for yeah. Code that runs specifically on the server could be endpoints or whatever. But now their new RPC thing, which is very more similar to React Server Components, is these remote files, which only run on the server. Because one of their core principles in designing these things was, we want zero ambiguity as to what is running on the client and what is running on the server. Like, zero ambiguity. We don't want them to mix, although we want it to be easy. Yeah. In React land, you can pop a "use server"

Wes Bos

on there. So you have to be a little bit explicit where if you do want to do this, it's kind of hard to accidentally do it, but there are cases where it can be like, in mine, I wasn't using a framework. So, before you know it, it's slipped all that code from the server into the client, and I'm lucky that I caught it.

Wes Bos

Yeah. For sure. Visualize your access control. We kinda talked about this as well, but, simply just have some sort of GUI editor, so you can see who has access to what. One thing I don't have on this list here, but I do wanna say is that, like, AI might be the solution to AI. And, like, you can vibe code something, and then you can take maybe even just another model and ask it to, like, hey. Can you go through this and check for any security issues? Because AI is just very good at detecting possible issues that can pop up. So I don't think it's the single thing that can happen, but I do think that you can ask the AI to kinda rip through your code base, especially when you get into some of these bigger, like, Claude Code or max mode on Cursor, things like that where you can just, like, let it rip for hours on end. It will go through it and not just kinda do a half ass job at it. Yeah. You know what? Even,

Scott Tolinski

with the visualizing your thing, there's definitely, like, a conversation that we're not having in this episode. But when we say access controls, that could mean, you know, assigning individual access controls themselves, can edit, can delete, whatever, as a means of controlling access or a role based access system where this role has access to the following access parameters and only these ones. So this role can do this. Like, I'm an admin, therefore, I can do this. I'm a super admin, therefore, I can do everything. Or you can control it on a more micro level and say, this particular person is capable of doing these following things.

Wes Bos

Last thing is automate tests.

Wes Bos

It's very easy to even you can go ahead and ask AI to spin up a whole bunch of automation tests for all the different access roles. And then anytime you have a change, you can run those tests. And if one of those fails, oops, something changed Mhmm. For these types of things. So, like, I don't know that the AI is going to entirely help you here. I really think that it's one thing to vibe code a bunch of UIs and some really neat stuff and to scaffold out components, be able to update stuff. But when it comes down to the very, very important stuff, which is protecting your users and the security of your application, security of your customers, this is one thing, at least for now, you really should pay attention to and not just throw out. Word. That's all I got today. Very short episode, but it's something I wanted to talk about because I feel like we're in for a rough couple years of these vibe coded apps having major security issues. And it's not just like a funny because, like, this is No. Yeah. This like, these women that have these photos on there, like, that could end poorly.

Scott Tolinski

Yeah.

Scott Tolinski

I did see even, like, the app that somebody made to counter the Tea app also had a massive security vulnerability. Oh, boy.

Scott Tolinski

So, folks, yeah, serious business for real. Oh my word.

Wes Bos

Let's grab some sick picks.

Wes Bos

So, sick pick is the section of the episode where we pick things that are sick, can be literally anything from our lives. Couple episodes ago, I was talking about wanting to make my house smell better and how I want my office to smell like Abercrombie or something like that.

Wes Bos

So what we're doing right now is we're going through and looking for a scent that we want our house to smell like. And what I did is I ordered, like, a tester Mhmm. Of a hotel collection. And I saw that. And this is it's like what? It has the Ritz Carlton, the Westin, Marriott, Fairmont, Hilton, and the Four Seasons. And, you know, when you walk into a lobby of a fancy hotel, like, it smells nice in here. And for, like, twenty bucks, you get a little essential oils. And we're right now, we're just throwing them into, like, a regular diffuser.

Wes Bos

Yes. But the plan is to hook it up to the HVAC once we actually find something that we like.

Scott Tolinski

I did do some research there. I don't know how much you've done, but, apparently, you need a whole dang specific built in unit rather than just, like, dabbing them on the air filter, which is what I was hoping to be able to do. A lot of people told me that they just

Wes Bos

spray it on their air filter, and you're ready to go. But our furnace doesn't have, like, those, like, paper air filters. We have, like, a metal one that zaps stuff. So every now and then, you'll hear, and it's like some piece of whatever is like, a fly or a piece of dust went through it. So I don't know about it. Yeah. You gotta buy, like, this little atomizer unit, and then you gotta drill a hole through your HVAC in it and pop the thing in there. And every twenty seconds or so, it'll do a tiny little into the air. But, anyways, this hotel collection, very cool. I don't know that it's one for our entire house, but I have fallen in love with the Ritz Carlton one.

Wes Bos

You know? It's a little manly. My kids say it's almost like deodorant, which kinda kills me, but I really like it. It's kinda manly, but kinda nice. You know? It's got a little bit of sandalwood in it, and it's just been, like, a really fun way to, like, find different scents. I don't we haven't found the one yet, but I would highly recommend grabbing one of these testers if you're looking to make your house smell good too.

Scott Tolinski

That's so fun. I can't wait to hear what you find out about the HVAC stuff because that it sounds so stupid, but, man, that sounds like something that actually would be nice to have. It depends on Yeah. How expensive that ultimately ends up being. But, like, a $100 or $200

Wes Bos

for, like, an atomizer. So it's not dirt cheap, but, like, not brutal. I also don't know how much the Smaller brutal.

Wes Bos

The cost of the oils is. You know? Like, are you burning through a $100 a month in this? And if that's the case, I maybe wouldn't do that.

Scott Tolinski

You could get essential oils for cheap. Maybe not the Ritz Carlton blend, but, trust me. I was hunting black widows with essential oils because there's some essential oils they don't like. And you could get some big old things of essential oils for cheap.

Scott Tolinski

Really? Because yeah. Oh, yeah. I was dude, I was at Sanity and everything all the time, every night, get these black widows out of my house. And they weren't in my house. They were my patio furniture at my old house. That was the old house charm. It was by Whole Foods, but we had black widows. What are you gonna do there? What are you gonna pick? Yeah. No. I do love a good scent and definitely want something that's easier than just putting diffusers all around the house all the time. Yeah. Apparently, those, like, plug in ones are not good for you as well. That's why those. Yeah. No worries. ESLint if they're good for you because, apparently, it's

Wes Bos

it's awful just to breathe that in all day, but essential oils is fine.

Wes Bos

I don't know. Some people say the essential oils give you superpowers. I don't know if you remember that. There's, like, an MLM. Like, this is the oil. Makes sense. We've got the doTERRA thing. Oh, yeah.

Wes Bos

I don't know if we fell for it or not, but, yeah, we like, one of our friends came over, and, like, one of our friends is like a boss babe, like, makes Okay. Yep. Yep. Bank. Like, not like a shake your friends down and ruin all your relationships MLM, but, like, top dog driving a Mercedes, like, buying houses, like, got in early on the whole doTERRA thing and is making bank on essential oils. Well, sick. I'm gonna sick pick a book. I read a book,

Scott Tolinski

called A City on Mars.

Scott Tolinski

I found this book to be really excellent. It's kind of a very practical look at what it would take to colonize places in space, whether that is like the moon or Mars or otherwise.

Scott Tolinski

And it's very fun.

Scott Tolinski

It's done in a fun way, and it talks very practically, like, about most, if not all, of the major challenges that would exist of which are endless and many seeming insurmountable.

Scott Tolinski

So, like, for people who might have been like, oh, yeah. Let's just get a base on Mars or on the moon or something like that. This will, like, really help you understand just how insane of a challenge that would all be given our current technology today.

Scott Tolinski

And it's definitely kind of like a no-nonsense thing while being fun and a fun read. So, they talk about all things from, like, psychology to reproduction to food and farming to locations and radiation and even travel.

Scott Tolinski

It was a great little book. So, yeah, check it out. I guess it came out in 2023, 2024.

Wes Bos

I really enjoyed this one. Beautiful. Alright. Thanks, everybody, for tuning in, and we will catch you in the next one.

Wes Bos

Peace.