Hacker News new | ask | show | jobs
by dzonga 261 days ago
only in javascript where auth is such a big issue.

in rails you can use the rails 8 auth or a better alternative authentication-zero. before it was devise.

java - spring security, shiro etc. but just complex things.

alternatively - use services like fusionAuth
4 comments
presentation 261 days ago
Part of it is that most of the libraries that came before we’re tightly coupled to a particular framework that itself went out of fashion, like Passport and Express, which is a problem because frameworks themselves have been moving in and out of fashion very rapidly; or are coupled with service offerings from vendors, like Auth0.

Auth.js is actually one of the first attempts that tries to be framework and vendor agnostic while still including a good deal of the batteries you need to make a full authentication system, which they only recently did, as they were originally tied to next JS like every other library in the graveyard of authentication libraries.

If you just want to specifically do an OAuth handshake or salt and hash a password or produce a JWT, those libraries are all rock solid. But a full batteries included framework and vendor agnostic solution hasn’t really existed until recently.

link
evv 261 days ago
Why is auth "such a big issue" in JS? I've used a number of solutions but haven't had big issues with them.
link
readline_prompt 261 days ago
Same. I've personally never had issues with any auth packages, granted I've never used auth0. Personally, they all seem quite similar, especially in the react world.

Anything that can help me utilize oauth standards is fine to me.

link
jamesjulich 261 days ago
It’s not that auth is unsolved in other languages/frameworks, but it’s often way too complex or configuration-heavy. If adding passkey support to my app is going to take 2 hours, that’s two hours I’m spending away from building my core product. For smaller projects, that’s not time that I could afford.

For example, if I want to add passkeys to my .NET CORE app, this is the guide Microsoft provides:

https://learn.microsoft.com/en-us/aspnet/core/security/authe...

Contrast that to better-auth (which is 7 lines of code total in server changes, and virtually no change to client API usage):

https://www.better-auth.com/docs/plugins/passkey

For some projects, the flexibility of other solutions might be needed. But for ease-of-use and development speed, better-auth has been a clear winner for me.

link
LordN00b 261 days ago
Excuse me, incoming contrarian! learn.microsoft, is for learning about the concepts as well as the practical applications. Also for user facing security, wouldn't you want all the knowledge available to you? Much easier to find the foot guns in these kinds of situations.
link
9dev 261 days ago
It’s Microsoft. Did you expect less than 30 pages of useless techno-babble?
link
kbumsik 261 days ago
In case if you don't know, Auth.js is not a frontend-only framework. It uses a backend server to make it secure.

So it basically has no difference from the alternatives you mentioned.

link
pmdr 261 days ago
> make it secure

It's convenient, I'll give them that. Secure? https://projectdiscovery.io/blog/nextjs-middleware-authoriza...

link
kbumsik 261 days ago
Well, that has nothing to do with JS itself though.
link