undefined | Better HN

0 pointsfny8y ago0 comments

Auth is genuinely hard, and a hand-rolled solution's definitely not enough...

Given the massive attack surface for a web application, it's absurd to think someone could (or should*) develop an entire auth framework from scratch for all their projects. Turnkey solutions, like Ruby's Devise, are a godsend. Even in situations were a custom flow was needed, it's saved both me and my clients hundreds of hours.

In addition, I benefit from the community around a turnkey solution. Think of all the years the software has been tested by in umpteen production environments. Think of all the people that have an eye on the code and report security flaws while you sleep. Your custom session management implementation will never have that benefit.

Also, why the hell are you building auth when you could be building app? Is that really such a critical experiential part of your app that you can't possibly rely on something turnkey and then move on to the features that actually matter?

0 comments

pdimitar8y ago

All of what you say is true but I feel important details are lost.

Elixir's Phoenix framework has very good plugins -- like Guardian -- that give you 95% of the tools you might need for your own security solution and you can assemble it together in 15-60 minutes (this of course assumes your security model isn't wildly different than what the various plugins support). You have separate Plugs -- think of them as pipes of sort -- who handle cookie session management, another that handles JWT tokens, HTTP basic auth etc.

The only thing you must do is to assemble such pieces in a code module that basically serves as a pipeline with several Plugs (pipes) connected in the order you deem appropriate for the security model of your app. Any of these Plugs can modify or remove headers or tokens, can consult a 3rd party system (say, for single sign-on), can provide throttling, temporarily lock out an account that made too many invalid login attempts, can refuse a session due to non-whitelisted IP, etc. etc.

So no, you're not inventing cookie session management or anything there. You simply have control on which security mechanisms -- and when, and at which conditions -- happen on request.

jacquesm8y ago

> Even in situations were a custom flow was needed, it's saved both me and my clients hundreds of hours.

And it possibly saved you from embarrassment as well.

j / k navigate · click thread line to collapse