[PaulHoule]

  - very easy to mess up auth stuff. At some point Supabase even put out a YT    
  video [0] where their implementation caused auth to be accidentally cached. There 
  are 3 levels of checks you need to do just to be safe, but this is all very opaque.

Auth is all you need. It is a non-functional requirement in that your site is non-functional if auth is broken.

In the large it is Yahoo or Google or Facebook buying a site and hooking it up into their entire service but in the small it is "I want an email newsletter script" and instead of messing around with HMR and file-based routing and other inessentials to develop my own, I just pick a best-of-breed application and hook it up to my user database and auth system and I am in business. (Today, without a clean API, I can hack that application to query my user database and be behind my auth module if the tech stack is sufficiently similar to my own at risk of braving whatever inessentials that route entails)

[malfist]

Rolling your own auth is like the first big no no in application security. Unless you're an expert, leave it to the experts

[darby_nine]

Absolutely disagree. You shouldn't roll your own bcrypt, but you should have full knowledge of how it's used to offer authentication. Hell this is required to even move forward with sales in many enterprise software contexts. If you don't know how passwords work, for the love of god don't offer password-based login.

[PaulHoule]

Exactly. It is not the implementation of the auth module that matters to me so much as is the API through which it slots into the rest of the system. I want the expert designed modules that I can plug various systems into.

Because we haven’t seen good frameworks at the user management level, I think, the mistakes made by the creators of that YT video are common in the industry.