9 Comments

Rolling your own vs. SaaS: how far is too far?

Hey all!

I'm back with another missive from my Startup in a Month challenge. Here it is: https://startupinamonth.net/how-far-is-too-far/

I just got finished implementing the user authentication system I'm going to be using for Pic Story. It was a serious challenge to build everything. There is so much that goes into it all: databases, hashing algorithms, secure automated password reset emails, on and on. There is a lot of stuff you need to research and implement if you're trying to build a robust, secure auth system on your own.

Not only that, it was a very emotionally challenging journey at the same time. The whole time I was waging a series of side-battles with myself: am I doing the right thing? Is it safe or even economically responsible to implement these features on my own? Wouldn't I be better off shopping this stuff out to a SaaS provider?

Anyway, I'd be curious to hear your thoughts on my approach!

posted to Building in Public on March 15, 2021
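The post lists hashing algorithms and secure automated password-reset emails among the pieces a home-rolled auth system has to get right. As an added illustration (not code from Pic Story or from the author), here are those two pieces in their minimal correct form: a per-user salted password hash using a memory-hard KDF, a constant-time comparison, and reset tokens that are stored only as a hash, expire, and can be redeemed once. The in-memory dicts and the scrypt parameters are assumptions standing in for a real database and a tuned cost setting.

```python
"""Salted password hashing and single-use, time-limited reset tokens.

Added illustration, not code from the Pic Story project. Standard library
only; the dicts below stand in for database tables."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# scrypt work factors (assumed values; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
RESET_TOKEN_TTL = 15 * 60  # seconds a reset link stays valid

USERS = {}          # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}   # sha256(token) -> {"email": str, "expires": float}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


def register(email: str, password: str) -> None:
    """Store a fresh random salt and the derived hash, never the password."""
    salt = os.urandom(16)
    USERS[email] = {"salt": salt, "hash": _hash_password(password, salt)}


def verify_password(email: str, password: str) -> bool:
    record = USERS.get(email)
    if record is None:
        # Hash anyway so an unknown account takes as long as a wrong password.
        _hash_password(password, b"\x00" * 16)
        return False
    candidate = _hash_password(password, record["salt"])
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(candidate, record["hash"])


def issue_reset_token(email: str, now: Optional[float] = None) -> Optional[str]:
    """Return the secret to embed in the reset link, or None for unknown users.

    Only a hash of the secret is stored, so a leaked table does not hand out
    usable reset links."""
    if email not in USERS:
        return None
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = {"email": email, "expires": now + RESET_TOKEN_TTL}
    return token


def redeem_reset_token(token: str, new_password: str,
                       now: Optional[float] = None) -> bool:
    """Set a new password if the token is known, unexpired and unused."""
    if now is None:
        now = time.time()
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)  # pop: a token is usable once
    if entry is None or now > entry["expires"]:
        return False
    register(entry["email"], new_password)  # re-salts and re-hashes
    return True
```

The `now` parameter exists so the expiry logic can be exercised deterministically; in production callers leave it unset. Whatever sends the email must also avoid revealing whether the address exists (the same message either way), which is why `issue_reset_token` returning `None` should not change the response the user sees.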
  1. 2

    Hey Andy,

    I think the answer to that question depends heavily on your desired outcome. Unless your goal is to learn how an authentication system works from end to end, I would strongly consider using an out-of-the-box solution. Here are a few ways that I thought about this...

    1. The Circle of Competence

    Most of my career has been spent implementing business logic. I do that very well. < 1% of my career has been spent deeply reasoning about authentication systems. I probably do that not so well.

    2. Probability

    Given my inexperience, the probability of me writing a bug-free authentication system is probably close to 0. I would consider this a high-risk component to implement from scratch.

    3. Occam's Razor / The Agile Manifesto

    • Occam's Razor tells me that this is probably not in the minimal set of components needed for the MVP.
    • The Agile Manifesto tells me this is an opportunity to maximize the amount of work not done.

    4. Code as a Liability / Nth Order Consequences

    Given my inexperience, this code is definitely somewhat of a liability. Down the road, more research and time will be needed to patch tricky bugs and educate other developers about the nitty-gritty details of this component.

    5. The Fallacy of the Single Developer

    I depend on all of the developers who work on Clojure and any other dependency I use. They greatly multiply my productivity. Building this component puts me in a position where I alone am responsible for patching, testing, designing, documenting, and refactoring this code. In a sense, the core feature team (me) now owns the authentication system.

    6. Cost vs. Reward

    It feels like the reward of this work is more work. Would I pay a contractor to do this work for me?

    Given the chain of reasoning above, I would consider a different approach unless...

    1. Implementing this system from scratch is business-critical. It better make my product 10x better than anything out there.

    2. It is cost-prohibitive to use another solution. I just can't afford it.

    Whew... that was a lot, but I hope it was helpful in some small way. Good luck with your project!

  2. 2

    This is why I find myself coming back to Ruby on Rails. Throw in Devise and/or Omniauth and you are done setting up authentication in less than 10 minutes with all the bells and whistles that you can imagine, but it's free and it's open source and it's very well tested, including years of people trying to break in. Every time I go to another framework, I miss that (Django is a close second).

    1. 1

      I can really see the appeal of that @pupneo, especially after having spent so much time implementing auth on this first go around!

      I'm using Clojure for the frontend and backend in all of my apps, and there are a few Rails-like options available to me for the language, Luminus and Pedestal being the two big ones.

      I'm pretty deep into my home-rolled web server already for this project, but maybe I'll learn my lesson the next time around and just use a starter kit. Rolling your own has been awesome for learning the language in general (I just started in January), but at some point I'll have to achieve a more productive balance between an educational home-rolled solution and something which can ship a product out the door.

      1. 1

        Clojure is my favorite programming language, I think it's the best Lisp out there, but I wouldn't use it for a startup.

        There are two reasons. Clojure has a strong roll-your-own culture. Even Luminus and Pedestal are not as good as Rails (I contributed to Luminus for a while). The end result is that every web application I was hired to work on that was written in Clojure was susceptible to CSRF. The problem with only adding the components you want, is that you might need things that you don't want or even know about.

        The second issue is that hiring Clojure developers is hard and expensive, so even if it's a great technical decision it's a bad business one, and as CTO my decisions need to be sound both technically and business wise.

        I really wish I was using Clojure all day long.

        1. 1

          Yeah, hiring is a tricky one for sure. If you're at a place where you need to hire a bunch of people, then you're probably not gonna find many programmers who know Clojure right off the bat. Probably the best you could do is hire Java or JS devs and train them, but that takes time and depends on having a teacher around too!

          Given that I'm working on my own, I don't really need to worry about that too much yet. A knock against Clojure for me is the fact that if you run into an error or if you need to figure out how to implement obscure feature X in library Y, there aren't going to be very many blogs or stack overflow answers out there for you, which can be pretty rough depending on what it is you're trying to do.

          But the REPL alone makes it worth it for me! I feel five times more productive with it than I ever did writing JS.

          I hope you get into a place where you can write Clojure all day long some day :)

          1. 1

            Even if I'm working on my own, I hope to be hiring soon. Python, Ruby, JavaScript (and TypeScript), they all have REPLs too, and they are pretty good. I agree they are important, but they are not so rare anymore.

            What you mentioned about blogs... that's what I call staying on the beaten path and it's one of the most important lessons I learned when running my own startups: you get to deviate from the beaten path once, so don't deviate for things that are not core to your product. I should write a blog post about it.

    2. 1

      100% this. I live in Rails land for my APIs. I've switched to API only as I now like to do Flutter/Svelte as mobile/frontend, but the true backend is and will stay as Rails for a long time because it's just too easy/fast!

  3. 1

    After doing some research and working with it this year I’ve decided not to implement any custom user auth solution for the product I’m building and instead use Keycloak (or other open source alternatives) that are built on top of open standards.

    From what I’ve seen this keeps the business logic of my backend focused just on the added value it brings and I can easily integrate with other providers to offer more enterprise features later on.

    I also get a state of the art permissions system, all auth flow logic out of the box and I don’t need to pay for every user I have like in the case of a SaaS provider.

    Have you considered using something similar first instead of building it on your own?

    1. 1

      Interesting, I actually hadn't even thought to research that angle: a standalone self-hosted auth app. The best you've got in Clojure is either Friend or Buddy, which are both libraries, but the idea that you can have a separate self-contained server just for auth is really intriguing. Better still if it's so robust that you don't ever need to go into the app itself to implement a feature. Looks like all you need to do to set it up is edit some config in the GUI.

      I will bookmark this for future reference! Thanks for mentioning it. If I ever outgrow the home-rolled thing I just made I'll give this some serious consideration.
