Hi all,
I’m starting yet another project and running into the same issue I always run into, building the user login system.
I’ve thought about using auth0, but I don’t like their hosted pages + I don’t like the price tag associated with scaling that it presents.
I’ve thought about using Firebase, but I’m not sure I want to tie into another Google-owned service.
Are there any other solutions out there for building native authentication experiences inside of SPA style apps?
What do other people use and what do you like and not like about it?
Depending on your preferred stack, you could use something like BulletTrain or Laravel Spark.
https://bullettrain.co/
https://spark.laravel.com/
Firebase is great and I've used it extensively on a number of projects. Auth is fine, but I've read some horror stories about being charged >$10K because a query was poorly written and racked up usage over a launch week at a startup. You can also apply to their startup program where they'll give you ~$10k in free usage when you're at a place to scale.
Definitely a bit fearful that their scaling incentives are at odds with mine... nice that they have a startup program though
And here I was actually thinking of going passwordless on rate my meeting. Just send an email with an expiring verification link and that's it. Worth a consideration, or? Love to hear any thoughts.
I’ve thought about passwordless, but I’ve found too many people who get confused by having to go to their email ... I think it really depends on the type of user you have :)
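The passwordless flow suggested above (an emailed, expiring verification link), sketched as an added example that is not from any poster in this thread. The URL, the 15-minute lifetime and the in-memory `Map` standing in for a database table are assumptions.

```javascript
const crypto = require('node:crypto');

const LINK_TTL_MS = 15 * 60 * 1000; // assumed link lifetime: 15 minutes
const pending = new Map();          // sha256(token) -> { email, expiresAt }; stand-in for a DB table

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

// Create a login token for `email` and return the link to send by mail.
function issueLoginLink(email, now = Date.now()) {
  const token = crypto.randomBytes(32).toString('base64url'); // 256 random bits
  // Store only the hash, so a leaked table cannot be turned back into working links.
  pending.set(sha256(token), { email, expiresAt: now + LINK_TTL_MS });
  return `https://app.example/auth/verify?token=${token}`; // hypothetical URL
}

// Redeem the token taken from a clicked link. Returns the email, or null.
function redeemLoginToken(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const key = sha256(token);
  const entry = pending.get(key);
  if (!entry) return null;   // unknown token, or one that was already used
  pending.delete(key);       // single use: burn it on first presentation, even if expired
  if (now > entry.expiresAt) return null;
  return entry.email;        // caller now starts a normal session for this user
}

// Periodic cleanup of links that were never clicked. Returns how many were removed.
function purgeExpired(now = Date.now()) {
  let removed = 0;
  for (const [key, entry] of pending) {
    if (now > entry.expiresAt) { pending.delete(key); removed++; }
  }
  return removed;
}
```

The link only proves control of the mailbox once; what follows it is still an ordinary session or token.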
I settled with Firebase auth after considering other options (Auth0, Passport).
I wanted simple auth management with no lock-in and the ability to create custom tokens (JWT), so I went with Firebase.
Curious why you didn't want another google owned service, for privacy reasons?
I have firebase auth at https://wikicoins.com, I think also IndieHackers uses it!
Yeah, partially for privacy reasons. I worry about it for my own data and also for my users’ data... I might still go with it, but I definitely worry less about a company like Auth0’s incentives than I do Firebase’s, since Google bought them
I know it's rough tying into yet another Google service, but I do have to say that Firebase Authentication makes it dirt simple. You just call methods for registration or sign in.
It also allows for anonymous login which I use for my app, ShopLystr. The user still has their own personal data but never has to actually register. Of course, the data is only available on that one device until they do register, but it still provides a low-friction way to get people using your app.
At the minimum, you could just use firebase to validate your app idea faster and then export your users out once you've got some traction. Or, even just turn it off entirely if it fails knowing you saved some infrastructure time.
Seconding this. I'd recommend third party auths vs creating your own backend just to get started fast. I'd doubly recommend firebase as it is super simple.
If you do end up doing your own implementation I'd recommend something like passport.js
Good luck! Authentication is a beast to start with
Yeah, I’ve built auth so many times over the years. It feels like a known problem and more of an annoyance than anything, I just wonder if the short term pain is worth the long term savings
The validating your idea argument is a good one, for sure.
The anonymous login thing is interesting. I’ve built similar systems to that before, so I definitely can see the use cases there. Cool to see it is integrated in
A bit late to the party, but I am working on using Secure Remote Password, which is used by password managers like 1Password, Dashlane, etc. It's great because the user's password is never sent to the server, but it does have some major drawbacks. Like, dealing with password resets can be very complex (if you tried doing so with 1Password, you'll see what I mean).
My experience is that things can get very challenging technically, and there's less people out there that can help you with it.
Even if your front-end is a SPA, you can still implement a token-based auth on your back-end.
At its core, a major difference between the front-end and the back-end is that the front-end is shared with the user while the back-end holds secrets. Auth requires secrets, so if you want auth at all, you need a back-end—if not your own, then services cobbled together from one or more 3rd parties.
It's pretty easy to set up auth these days (especially if you've done it yourself before several times as you say), so I don't really see any significant benefits to injecting Auth0 or Firebase into the equation.
Even with them, there's still some integration work involved!
Yeah, this.
I posted mostly out of annoyance of having to build another set of login/create account/forgot password apis, wondering if there was a good alternative yet. Seems like Firebase is that right now, but at a potential cost.
I get the “just replace it later once you’ve proved the concept” argument. Part of me wants to just build YAOSS project to share, but then I’m just doing something unrelated to my app.
Rolling out your own auth system shouldn't be difficult if you have the resources to do so. For example with Node.js/Express.js, there are many good libraries that can speed things up for you.
e.g. Passport.js, express-session.
There is also the decision to consider: stateful (sessions) vs stateless (JWT) mechanisms.
All the best!
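The back-end token auth and the sessions-versus-JWT decision raised in the comments above, as an added example that is not any poster's code: the same login handled by a server-side session and by a signed token, showing what logout costs in each. The token is a minimal HMAC-signed stand-in for a JWT; the lifetime, claim names and in-memory stores are assumptions.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // back-end-only signing key, generated per run here
const TTL_MS = 10 * 60 * 1000;         // assumed session/token lifetime
const sessions = new Map();            // stateful store: session id -> { user, expiresAt }
const revoked = new Set();             // state a "stateless" design needs to support logout

// Stateful: the client holds an opaque random id, everything else lives on the server.
function sessionLogin(user, now = Date.now()) {
  const sid = crypto.randomBytes(32).toString('base64url');
  sessions.set(sid, { user, expiresAt: now + TTL_MS });
  return sid;
}
function sessionUser(sid, now = Date.now()) {
  const s = sessions.get(sid);
  return s && now <= s.expiresAt ? s.user : null;
}
function sessionLogout(sid) { sessions.delete(sid); } // effective immediately

// Stateless: the claims travel with the client, integrity comes from an HMAC.
const sign = (body) => crypto.createHmac('sha256', SECRET).update(body).digest('base64url');
function tokenLogin(user, now = Date.now()) {
  const claims = { sub: user, exp: now + TTL_MS, jti: crypto.randomUUID() };
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  return `${body}.${sign(body)}`;
}
function tokenClaims(token, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 2) return null;
  const expected = Buffer.from(sign(parts[0]));
  const given = Buffer.from(parts[1]);
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  return now <= claims.exp ? claims : null;
}
function tokenUser(token, now = Date.now(), { useDenylist = true } = {}) {
  const c = tokenClaims(token, now);
  if (!c || (useDenylist && revoked.has(c.jti))) return null;
  return c.sub;
}
function tokenLogout(token, now = Date.now()) {
  const c = tokenClaims(token, now);
  if (c) revoked.add(c.jti); // without this list the token stays valid until exp
}
```

With `useDenylist: false` a logged-out token is still accepted until it expires, which is the trade-off behind the stateful-versus-stateless choice.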
I've been using AWS Cognito, which plugs into AmplifyJS really well. They have an existing sign-up UI that's pretty nice, overall.
Thought about using Cognito, but overall find AWS services like this more complicated than writing my own ...
Just have a look at https://aws-amplify.github.io/.
This library makes some services very easy (a little bit more work compared to Firebase, but you can deal with it once you understand it, which will not take much time).