Projects
-
Save Time With Postman's Pre-Request Scripts

Postman is an incredibly powerful tool for prototyping and testing APIs. If you ever find yourself making any kind of API request to any service (regardless of whether it’s one you built or one you use), I really think you should be using Postman.
In this post I’m going to share how to use pre-request scripts to make Postman even more powerful.
One common pattern in many web APIs is exchanging an API key for a token. In short:
A developer generates an API key once. Then, using that key (and possibly other secret credentials), they can call a token endpoint, which reads the key and returns a short-lived bearer token. The bearer token usually expires after a short time, such as an hour, at which point the token must be refreshed.
As an example, take a look at the docs for Shopify’s API:
Step 1: Ensure you have a valid session token. Your app’s frontend must acquire a session token…
Step 2: Get an access token. If your app doesn’t have a valid access token, then it can exchange its session token for an access token using token exchange.
In this scenario, a developer makes a POST request to https://{shop}.myshopify.com/admin/oauth/access_token with her app’s API key and a few other secret parameters, and receives back this response:

    {
      "access_token": "f85632530bf277ec9ac6f649fc327f17",
      "scope": "write_orders,read_customers",
      "expires_in": 86399,
      "associated_user_scope": "write_orders",
      "associated_user": {
        "id": 902541635,
        "first_name": "John",
        "last_name": "Smith",
        "email": "[email protected]",
        "email_verified": true,
        "account_owner": true,
        "locale": "en",
        "collaborator": false
      }
    }

She now has an access token with two scopes that expires in 86399 seconds, or just under one (normal) day.
If you’re a user of whatever this Shopify app is meant to do, all this happens invisibly, under the hood. But if you’re a developer testing against the Shopify API, you probably have to do this token exchange daily, manually. First make a POST request to the token endpoint, then retrieve the result, then paste the token into the API call you actually want to make.
And many services provide tokens with much shorter expirations – an hour or even a few minutes.
You could save a separate request in Postman and remember to hit the token endpoint before you make a new request, or you could use a pre-request script to chain the two calls together. Here’s how it’s done.
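A pre-request script of the kind described above, as an added example that is not code from the original post. The environment variable names (`token_url`, `api_key`, `api_secret`, `access_token`, `token_expires_at`) and the form field names `client_id` and `client_secret` are assumptions; substitute what your provider documents.

```javascript
// Added example: refresh a bearer token only when the cached one is missing or
// about to expire. Secrets are read from the Postman environment rather than
// hard-coded in the script, so they are not part of the saved script text.
const SKEW_MS = 60 * 1000; // refresh a minute early so a token never expires mid-request

function tokenIsFresh(env, nowMs) {
  const token = env.get("access_token");
  const expiresAt = Number(env.get("token_expires_at") || 0);
  return Boolean(token) && nowMs + SKEW_MS < expiresAt;
}

function ensureToken(pm, nowMs, done) {
  if (tokenIsFresh(pm.environment, nowMs)) return done(null, "cached");
  pm.sendRequest({
    url: pm.environment.get("token_url"),
    method: "POST",
    header: { "Content-Type": "application/x-www-form-urlencoded" },
    body: {
      mode: "urlencoded",
      urlencoded: [
        // Field names are assumptions; use the ones the token endpoint expects.
        { key: "client_id", value: pm.environment.get("api_key") },
        { key: "client_secret", value: pm.environment.get("api_secret") },
      ],
    },
  }, (err, res) => {
    if (err || res.code !== 200) {
      return done(err || new Error("token endpoint returned " + res.code));
    }
    const body = res.json(); // expects access_token and expires_in (seconds)
    pm.environment.set("access_token", body.access_token);
    pm.environment.set("token_expires_at", String(nowMs + body.expires_in * 1000));
    done(null, "refreshed"); // the token itself is never logged
  });
}

// Inside Postman `pm` is a global; anywhere else this call is skipped.
if (typeof pm !== "undefined") {
  ensureToken(pm, Date.now(), (err) => { if (err) console.error(err.message); });
}
```

The request itself then sends `Authorization: Bearer {{access_token}}`, and Postman waits for the `pm.sendRequest` callback to finish before sending it.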
-
Some Tips for Working With the Google Sheets Java SDK
At work, I’ve been working on a project that involves reading and writing data to and from a Google sheet. One could argue about the wisdom of using Google Sheets to hold any data, but for the sake of this post (and my sanity) let’s assume that the business requirements to use Google Sheets are watertight.
So I have to be able to talk to Google Sheets through my Java service, and of course Google has a Sheets SDK that we can use. Their quickstart tutorial assumes a different method of access/authorization than I expect to use, but that’s okay.
For my purposes, I needed to create a project in my company’s GCP account, and a service account that had access to that project. That gives me a set of credentials in JSON that we can store anywhere (we’re using AWS paramstore, because this is a two-cloud-provider kinda project!), but in order to access a specific sheet we also have to share that sheet with the service account. I bolded that because I’ve forgotten that step multiple times throughout the lifespan of this project.
Repeat: the service account credentials, even when scoped to SPREADSHEETS:ALL, still cannot access individual spreadsheets in your organization’s workspace unless you share the spreadsheet with them. Seems kinda cray that we have to treat the service account like a person in order to access resources, but I guess Google ended up picking a person-based model years ago and now they’re probably stuck with it.
(This is not a real example.)

Once you’ve shared your sheet you can start talking to it in Java. I built credentials like this:
-
What I Learned at Work Today: Status Code Tricks
At work yesterday, I came across this snippet of code in a Java class meant to handle HTTP responses:

    boolean isSuccessful(int statusCode) {
        return statusCode / 100 == 2;
    }

My first instinct was to chuckle (and in fact I sent it to a coworker and we both chuckled). What a silly way to test if something equals 200! I figured whoever wrote this years ago was just having a clever laugh at future coders’ expense.
Then today I sent it to another coworker, who pointed out my error, which is that most (all?) typed languages handle integer division by returning an integer.
In JavaScript you can just do:

    console.log(3/2);

and you’ll see 1.5 displayed on the screen. This is how humans do division, and it’s still how I instinctively think about numbers. But in Java (and Python 2, and C, and plenty of other languages), dividing an int by an int produces another int. (This is not intuitive for a lot of people, as evidenced by the cornucopia of posts on sites like Stack Overflow.) That means in the snippet above, statusCode / 100 == 2 would return true for a 200, but also a 204, a 202, or any other 2xx code.

Pretty smart!
-
Cool Discovery: Over the Wire's Wargames
I was nerd sniped this weekend by a coworker who told me about Over The Wire’s wargames, which are self-directed cybersecurity challenges. I am just about halfway through the easiest one, Bandit, which in addition to having me scan for open ports and base64 decode strings, is also teaching me quite a few new command-line tricks. Here’s a little random selection:
- sshpass is a fun little utility that lets you enter your ssh password in visible text on the command line. This seems like a terrible idea to use with a production server that you care about, but these games have me storing 30 separate passwords and I want to make sure I’m putting in the right one, and I’m not worried about someone hacking Over the Wire.
- Have a weird binary that you don’t know what to do with? strings will print any human-readable set of characters that it finds. Useful for playing CTF challenges and probably other things.
- grep -v thingyoudontwant will display records that DON’T match the phrase. The v stands for invert, clearly.
Off I go to hack into the next level…


