Ask HN: What do you use to handle auth in side projects?
8 points by jaredwiener on June 13, 2019 | 3 comments
I am working on a side project and want to secure an ExpressJS API. I really do not want to roll my own auth, but would love to be able to own my own user table -- not just federate out to Facebook/Google/Twitter/etc.

I cannot imagine I am alone in this. What are you using for your auth? What are the pros and cons of your solution? Is it worth it to go with a service like Okta/Auth0?



Honestly I still use passport with express and create a local strategy which is easy and you can keep it secure without writing much code. I dislike the idea of handing auth off to Google/Facebook in general, but I also don't generally work on anything where people would want them involved anyway.

What is nice about passport is that it makes it easy to support local auth along with many third parties if you need it, all without having to write lots of code. Not saying it is perfect, but with an expressjs app it is really simple and lets you maintain a user table etc even if you use a third party. Also with an API, I'd be really remiss to outsource auth, it just complicates things and honestly doesn't really add to security. That is of course, if you follow solid fundamentals.


Interesting. How do you handle things like password resets, etc.?


It is relatively trivial to integrate Twilio and email for 2FA/OTP and/or password resets, etc. That's my personal method. I also typically use the jsonwebtoken package and passport-jwt for the JWT, which keeps that all pretty clean and means I don't have to mess with doing any of the header parsing, etc. (not that it is that much work).

If you exclude the database access/update code from the auth portion of the setup and use passport with the supporting packages, you'll probably write on the order of less than ~200 lines of JS to handle all the standard auth-type things (I just did a rough count on one project I have). That included, in my case, using Twilio to send 2FA and OTP codes via SMS (it sends via email too, but that uses a different library I wrote).

The choice of database and specific schema of course isn't factored into those figures. For mongodb, it typically only adds an additional ~200 lines, but for postgres (no ORM tooling) it'll be more like 300-600 lines. But you will need to write this code no matter what if you want to maintain a user table; even if you use a third party, you'd just have a federated key instead of a username/password combo.

So in the end, I would say for < 300 lines of proper code (excluding db CRUD) you have the basic structure set up and working.

BTW -- I am excluding from my LOC counts above my middleware I wrote for things like logging, metrics, etc. But even including them wouldn't make it change by much.



