
Ask HN: What do you use to handle auth in side projects? - jaredwiener
I am working on a side project and want to secure an ExpressJS API. I really do not want to roll my own auth, but would love to be able to own my own user table -- not just federate out to Facebook/Google/Twitter/etc.

I cannot imagine I am alone in this. What are you using for your auth? What are the pros and cons of your solution? Is it worth it to go with a service like Okta/Auth0?
======
davismwfl
Honestly I still use passport with express and create a local strategy which
is easy and you can keep it secure without writing much code. I dislike the
idea of handing auth off to Google/Facebook in general, but I also don't
generally work on anything where people would want them involved anyway.

What is nice about passport is that it makes it easy to support local auth
along with many third parties if you need it, all without having to write lots
of code. Not saying it is perfect, but with an expressjs app it is really
simple and lets you maintain a user table etc even if you use a third party.
Also with an API, I'd be really remiss to outsource auth, it just complicates
things and honestly doesn't really add to security. That is of course, if you
follow solid fundamentals.

~~~
jaredwiener
Interesting. How do you handle things like password resets, etc.?

~~~
davismwfl
It is relatively trivial to integrate Twilio and email for 2FA/OTP and/or
password resets etc. That's my personal method. I also use the jsonwebtoken
package and passport-jwt typically for the JWT which keeps that all pretty
clean and means I don't have to mess with doing any of the header parsing etc
(not that it is that much work).

If you exclude the database access/update code from the auth portion of the
setup and use passport with the supporting packages, you'll write probably on
the order of less than ~200 lines of JS to handle all the standard auth type
things (just did a rough count on one project I have). That included in my
case using Twilio to send 2FA and OTP codes via SMS (sends via email too but
that uses a different library I wrote).

The choice of database and specific schema of course isn't factored in to
those figures. For mongodb, it typically only adds an additional ~200 lines,
but for postgres (no ORM tooling) it'll be more like 300-600 lines. But you
will need to write this code no matter what if you want to maintain a user
table, even if you use a third party, you'd just have a federated key instead
of a username/password combo.

So in the end, I would say for < 300 lines of proper code (excluding db crud)
you have the basic structure setup and working.

BTW -- I am excluding from my LOC counts above my middleware I wrote for
things like logging, metrics, etc. But even including them wouldn't make it
change by much.

