
Your Node.js authentication tutorial is wrong - Sujan
https://medium.com/@micaksica/your-node-js-authentication-tutorial-is-wrong-f1a3bf831a46
======
hobarrera
Authentication is hard. And that's exactly why you should never have to be
writing your own auth code, but rather, use existing frameworks.

There are so many tiny details and edge cases that can have such catastrophic
results, it's too much of a risk to do it yourself. Unless writing auth
frameworks is your job, of course.

~~~
ameliaquining
So what are the current good options in Node?

~~~
micaksica
There isn't one.

I think that the Node ecosystem tends toward minimalism and
compartmentalization in modules, and in doing so monolithic authentication
solutions don't really exist like they do in other frameworks in which there's
more "magic", like Ruby/Rails.

You'd have to choose a higher-level Node.js-based framework, and there isn't
an emergent solution yet. Personally I've been directed toward Hapi and
Feathers.js as of late. Feathers I committed some PRs to and filed some issues
against this weekend, which the maintainers are taking seriously, but it could
use some more functionality and deeper testing. Hapi I haven't personally
looked at, but is backed by some of the Auth0 guys.

------
camus2
> Stack Overflow isn’t of too much help, as developer relations from a company
> called Stormpath loved plugging their IaaS startup on every imaginable post
> regarding this. Their documentation also popped up everywhere and they have
> a blogvertisement on password reset, as well. However, all of this is for
> naught as Stormpath is defunct, and it shuts down entirely August 17, 2017.

I remember these guys and I had a serious argument back then with one of the.
I pity companies who bought into their services and depend on it today. People
often push the idea that security and ID management should be "outsourced".
They shouldn't; security audits should.

------
kennydude
This is why I love Django. Django's defaults seem to be sensible and "just
work".

~~~
ralusek
Node is analogous to Python, not Django.

Django would best be compared to LoopBack, although at this point there are
many reasonable competitors.

------
davidmurdoch
Has bcrypt become the Node standard? There's no mention of pbkdf2, which I
thought was NIST's current recommendation.

~~~
cyphar
bcrypt is a hashing algorithm, pbkdf2 is a key derivation function. Am I
missing something?

~~~
tracker1
pbkdf2 can be used as a computationally expensive hash... bcrypt does a few
other things in terms of the output format beyond just the hash though, it
contains enough information to repeat the hashing settings to verify another
entry against it.

IIRC bcrypt isn't an in-the-box feature in crypto, but pbkdf2 is.

