59 Comments

How do you handle authorization for your projects?

Hey all, I just spent the last week implementing authentication and authorization for everypage and it took a lot longer than expected. In my day job we have an awesome (in-house) system that allows very granular permissioning to particular APIs and resources.

I'm curious what indie hackers use to solve this problem for their projects? Bonus points if it's for a multi-user account based solution (something like what Webflow would require).

Cheers!

posted to Developers on May 15, 2020
  1. 8

    Firebase for sure. It's really simple and fast. You can build your own auth to work in parallel with Firebase and have it work as a fail-safe should you need it :)

  2. 6

    I wrote my own user authentication system. It may seem like this would take longer than just using Auth0 or Firebase, but for me, it takes longer to configure those things than just write my own. Plus, I want to have more control over how my onboarding process works.

    1. 3

      I would do the same, though reading above I hadn't heard of the 3rd parties other devs mention.

    2. 1

      Yeah, I agree. I've already written my own and it wasn't until I looked it up that I realised there are lots of offerings. I can't seem to find any that facilitate (easily) the granularity of authorisation I would need, but I'm totally sure they exist.

  3. 5

    Recently started using https://powauth.com/ with Elixir and Phoenix.

  4. 3

    If you want a GraphQL backend, I'd recommend you look into Hasura, hasura-backend-plus and NHost. It gives you a great base to start from and get up & running really quickly, with local auth & OAuth providers for Google, GitHub, Facebook, Apple, Twitter, Microsoft Live, Linkedin. You also get Hasura's very powerful permissions model.

  5. 3

    I use my own product to bootstrap side-projects and always go with Firebase auth and my custom useAuth() React hook.

  6. 3

    Interesting how many answers are for authentication, not authorization. Shows how tied they are. Django has a flexible group-based permissions system to authorize CRUD operations. Have used it at model and object level, e.g. to give users complete control over objects they own. Not sure if it supports field-level authorisation, but if not there's possibly an extension that does.

    1. 1

      Ha, yeah, definitely, and tbh I picture authentication as relatively easy and was way more interested in authorization. Probs should have made the question more specific. My problem is I have created a super granular authentication mechanism because I couldn't find good advice anywhere, including the large amount of content Auth0 has produced, i.e. how do I structure my claims to future-proof (within reason) against having to come back every week to add more for each feature? Most of the solutions mentioned are authentication only, which would imply the claims are structured pretty much on user ID, but that wouldn't work for models where you can delegate to other users.

      1. 2

        Auth0 makes things more complicated than necessary imo; partly due to the desire to be a solution to all, but not only. Does role-based authorization not help you?

      2. 1

        For monolith systems or services sharing a backend database, putting arbitrary authorization logic in models works. Adding novel features means extending logic in models as necessary.

        I don't know anything that has nailed this for distributed / micro-service architectures. Passing claims like canEditPost seems too low-level to me. Novel features may require new claims & cause problems as you say. Maybe running an authorization service would be better; ends up as a god-like (or multiple gods) service. But one size doesn't fit all and all that.
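An added example (not code from any commenter) of one way to structure the delegation problem discussed in this subthread: roles live in a role-to-actions table so a new feature adds an action there rather than a new per-user claim like canEditPost, and delegation is an object-level grant on top of workspace membership. All names and data are constructed.

```python
from dataclasses import dataclass, field

# Role -> permitted actions. Adding a feature means adding an action
# here, not minting a new per-user claim such as "canEditPost".
ROLE_ACTIONS = {
    "viewer": {"view"},
    "editor": {"view", "edit"},
    "owner":  {"view", "edit", "delete", "share"},
}
ROLE_RANK = {"viewer": 0, "editor": 1, "owner": 2}

@dataclass
class Resource:
    id: str
    workspace: str
    owner_uid: str
    # Object-level delegation: uid -> role granted on this resource only.
    grants: dict = field(default_factory=dict)

@dataclass
class Workspace:
    id: str
    members: dict  # uid -> role that applies to every resource in the workspace

def effective_role(uid, ws, res):
    """Highest role the user holds on this resource from any source."""
    candidates = []
    if res.owner_uid == uid:
        candidates.append("owner")
    if uid in ws.members:
        candidates.append(ws.members[uid])
    if uid in res.grants:
        candidates.append(res.grants[uid])
    return max(candidates, key=ROLE_RANK.__getitem__, default=None)

def can(uid, action, ws, res):
    if res.workspace != ws.id:
        return False  # never evaluate a resource against the wrong account
    role = effective_role(uid, ws, res)
    return role is not None and action in ROLE_ACTIONS[role]

def share(granter_uid, grantee_uid, role, ws, res):
    """Delegation: only a user who may 'share' can grant, never above their own role."""
    if not can(granter_uid, "share", ws, res):
        raise PermissionError("not allowed to share this resource")
    if ROLE_RANK[role] > ROLE_RANK[effective_role(granter_uid, ws, res)]:
        raise PermissionError("cannot delegate more than you hold")
    res.grants[grantee_uid] = role

def demo():
    # Constructed sample data: alice owns the workspace, bob is a viewer,
    # carol is not a member but gets an editor grant on one page.
    ws = Workspace(id="acme", members={"alice": "owner", "bob": "viewer"})
    page = Resource(id="home", workspace="acme", owner_uid="alice")
    share("alice", "carol", "editor", ws, page)
    return ws, page
```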

  7. 3

    I normally use Strapi or Laravel's authentication systems. It's ok to build your own to learn the concepts but I think there is no need to code the same thing all over again when there are solutions already in place.
    You can also use other providers like Auth0, Firebase or Amplify by AWS.

    1. 1

      Ah yeah, always nice to use a library. How much do they help in terms of permissioning though, rather than just user management? For example, allowing users access to update specific resources in the system?

      1. 3

        With Strapi, you get that out of the box; you just need to configure the permissions with a few clicks in the dashboard. If you need something very specific, you might need to add some code, but for normal scenarios like admin users with access to everything, logged-in users with limited access and non-logged-in users, everything is almost ready.

        With these solutions the idea is that you spend more time working on the features of your product rather than doing this kind of thing.

        1. 1

          Perfect, this is exactly the kind of thing I'm looking for, thanks Antonio!

  8. 3

    I'm working on the very early stages of a new product idea that would help with the authentication part with an open source and self-hosted solution, at https://prototyped.dev. I got some nice ideas from this post especially in regards to handling authorization, something I haven't considered yet.

    1. 1

      Nice, signed up, will keep an eye open. We spent so long building our system at work and its granularity is something I can't find anywhere. Would be curious how people would respond if we one day opened it up to allow all applications to use it.

  9. 3

    Deleted my long ass comment because I completely misread what your post was asking :(

    Typically I will tend to roll my own authorization system and use JWTs (access + refresh) for authentication. The authorization system will typically be very basic. I usually find that during the early stages of side projects etc. authorization isn't the biggest deal (in terms of granular permissions) and generally basic user role level permissions (usually only a single role) will suffice.

  10. 3

    We recently switched to Feathers JS to have OAuth. It's amazing to use and well built to ensure maintainability in the long run.

  11. 3

    Custom solution here.

    I used to pass JWTs around; now I'm using the Rust crate actix_identity on the back end to set a secure HTTPS cookie in the user's browser for Yomi.ai. Argon2 hashing of passwords is done via the argonautica crate. For password recovery tokens, I also store a hashed value of the token in the database with a TTL of 300 seconds.

    1. 1

      Ah, nice to see Rust has a useful crate for it. Does it handle authorization too (i.e. allowing a user to edit his posts but not someone else's) or is this something you have to build yourself on top?

      1. 1

        It certainly assists with that. I should create and share some content about it. I have been approached about writing a course about auth for Node.js, but I'd like to write one for Rust. There's already so much good stuff for Node.js out there, while guidance for Rust development is somewhat lacking.

  12. 2

    I'm not massively clear on why you wouldn't want to use your own. I know that if it's already done then use it (for some things), but really adding authentication shouldn't be a big deal. (I'm reading into the 3rd party mentioned above.)

    I would use OAuth and JWT with ASP.NET... What is wrong with that?

    1. 1

      This comment was deleted 6 years ago.

  13. 2

    For my project I use Firebase. It's easy to set up and work with. For every signed-in user I generate a Firestore entry whose data I use for more complex authentication/authorization rules. In my app I have constant access to the user object, which allows me to implement authorization in every detail.

  14. 2

    You can also use Keycloak, hosted by yourself: https://www.keycloak.org/. Good if you are expecting to have a lot of free accounts and don't want to pay a 3rd party.

    1. 1

      Ah yes, I was shown Keycloak by a colleague once. Have you tried it? Would love to hear what you think if you have.

      1. 1

        I used it and agree with @qds: takes some time to read the docs, but once done you can set it up and use it for other projects as well.

      2. 1

        I've used it in 2 startups before and it's a great product. Bit more work to set up than Auth0 or Firebase, but imo definitely worth it if you have a lot of free users, for example, as Okta or Auth0 can become quite pricey.

  15. 2

    At work I've used mostly custom solutions or Django authentication but I'm going to try 0Auth for my next project.

    I always seem to underestimate the amount of work that is needed for a good auth system with register/login/password reset UIs.

    1. 2

      Ditto.

      How do you find django/python ?

      It's supposed to save you time. But with the learning curve and complexity, it was taking me longer than core PHP to build an app.

      Haven't used it in years though. Maybe it's improved by now.

      1. 1

        Well, I've been using Django for quite some time so I'm used to working with it. And I really like some features like the ORM and admin panel and built-in support for database migrations.

        As opposed to core PHP, I'm sure there's a learning curve, but for me some of the advantages a framework brings are worth it, especially when your codebase gets bigger.

        I'm currently looking for other options though because nowadays I mostly use Django for defining database models and building APIs and I think there's easier/faster tools out there.

  16. 2

    For my product upstamps.com, I am using Auth0. This lets me implement with ease and I support GitHub login.

  17. 2

    I've always made something custom in my day job, or used Auth0 which is pretty flexible. For another side-project I'd probably look at one of the ones I've collected here: https://stackselect.tech/tags/auth but I'm curious what others say since I'm always on the lookout for good options.

    I'd imagine for a side-project lots of people don't need or want the complexity.

    1. 1

      Oh wow, hadn't come across such an extensive list. Thanks for that!

      1. 2

        Glad to hear it's of some use!

  18. 2

    To begin with I usually use something like Firebase.

    1. 3

      No please, not Firebase! ^__^

        1. 3

          It's good for quick prototyping, but for any serious long term solutions, it's a no go [1]. And it gets quickly expensive!

          [1] https://medium.com/@reactsharing.com/5-reasons-to-not-use-firebase-for-a-big-project-81b543c77e8c

          1. 2

            This article is from 3 years ago.. :)
            Firestore has brought enormous power to the table! If your data structures allow it, I'd recommend it any day, MVP or production.

          2. 2

            I don't think the author of this article understands Firebase. It may be the case that Firebase isn't the right tool for the author's use case, but most of the points in this article are either misguided or flat out wrong.

          3. 1

            Completely agree, I use it more as a tool to validate something quickly, then migrate forwards.

          4. 1

            lol Indie Hackers uses Firebase

            1. 1

              And that has broken login on my mobile browser (DDG).

          5. 2

            This comment was deleted 6 years ago.

    2. 1

      Nice, and does Firebase handle the authorization parts of this well as well (i.e. allowing a user to edit his posts but not someone else's) or is this something you have to build yourself on top?

      1. 2

        You can set some rules that define which user has what kind of permission, but these rules are not dynamic and cannot be changed via the API, which makes it mandatory to have separate user handling (say, another collection of users) where the roles are defined in accordance with your use cases. But IMHO that is quite normal, especially if you have extra data on top of those users (like a user profile).

        1. 1

          Yep, makes sense. Thanks!

  19. 1

    Hey There,

    This is a bit of an old post, but we have built one which you can connect in minutes and offer custom roles & permissions to your users in your SaaS.

    We also offer a pre-built hosted Admin Page.

    You can check out permify.co

  21. 1

    Firebase and social logins. Not about to implement my own auth system any time soon.

  22. 1

    I use Auth0 https://auth0.com
    They have an SDK for most languages and a REST API if no SDK is available.

  23. 1

    I use Firebase authentication with a custom database. To check if a user has permission, I compare the Firebase ID with the UID stored in the database document.

    1. 1

      I'm planning on using something similar. What do you use for the backend (API) and which database do you use? Also, where do you deploy these?

      1. 1

        Currently I use Node for the backend and MongoDB for the database, deploy the backend with Google Cloud Run and the DB with Atlas.

        To be honest, now I would use Firestore as it is easier and cheaper.

  24. 1

    This comment was deleted 3 years ago.

    1. 1

      I suppose it depends on what tech stack you wish to go with. PHP can be great obviously, but also has its limitations and flaws. Also, most developers I know moved away from the language many years ago.

      1. 1

        This comment was deleted 3 years ago.

        1. 1

          Oh completely, I wasn't saying every language doesn't. PHP props up over half of the internet (mainly due to WordPress); however, its use on large-scale applications is definitely declining.

  25. 2

    This comment was deleted 5 years ago.

    1. 1

      Oh yeah, I came across magic.link recently. It was super buggy the one time I used it (as a user, not a dev) though, but the premise is definitely very interesting. Thanks for reminding me of it :)

  26. 3

    This comment was deleted 4 years ago.

    1. 2

      Code is king, thanks for sharing!

      1. 2

        This comment was deleted 4 years ago.

  27. 1

    This comment was deleted 6 years ago.
