When do you start thinking about auth when creating a membership website?

My developer experience when building some kind of membership app usually follows these simplified, high-level steps:

  1. Sketch up a prototype & UX flow.
  2. Code up the skeleton of my app (set up the basic front end, back end, middle end).
  3. Then I get the auth out of the way before adding any more user-centric functionalities, because a lot of the UX depends on which user is logged in.
  4. Complete the rest of the code.

Curious to know when other developers start thinking about auth. I'm guessing your answers might differ depending on:

  • Whether or not you're building out your own auth solution.
  • Whether you're a seasoned or beginner dev.

Looking forward to being enlightened 😌🧘🏻‍♀️

  1. 3

    Normally I'd work on Auth first, and build out the business logic from there.

    I tried it the other way around once, by building all business logic first and then adding Auth last. It was a massive pain in the butt, and I'd hesitate to do it again.

    Most of my projects use ASP.NET Core, which can build authentication into the initial boilerplate, which speeds things up further.

    1. 3

      Haha yeah, I imagine it's a massive pain in the butt because you'd need to refactor a lot of your code, right?

      And ooh, ASP.NET Core sounds awesome. I love when web frameworks have auth built into them. Whatever it takes to make the developer experience as smooth as butter!

  2. 2

    Authentication is usually one of the first things I add to an app I'm working on. I look at it like standard setup and I tend to group it with other boilerplate things like setting up my testing framework and getting CI working. However, I primarily build web apps using Rails and I usually add the Devise gem in for auth. I have a set of standard Devise/auth customizations that I use in most of my apps, so setting up auth is largely a copy and paste job from another one of my apps with some minor tweaks where necessary. This makes it fairly easy to get up and running with. However, there tends to be a lot of variance from app to app on the authorization front. The stuff that users get to see and manage can be simple or really complicated depending on the app. So I tend to put this off until I have to introduce it.

    1. 2

      Wow, really great points you shared. I should probably create a standard Devise/auth customization that I can reuse for my side projects.

      And it makes sense to get a feel for when users actually need auth. I'm working on a social media app, but I've found that building out the entire user experience is taking way too long. I was thinking of following the "ship fast, improve slowly" approach. Meaning I would launch silently without a complete membership feature at first.

      1. 2

        I think it makes sense to remove friction and focus on what makes you productive. It's easy to lose steam working on a part of your software that you're not excited about. But, I also agree with @AndyP. Auth is difficult to layer in after the fact. It touches everything. Almost every one of your routes/endpoints is going to check if the user is logged in and create some kind of current user object. Then this will get used in a slew of places throughout your system to make decisions. You can put off making some of those decisions, but your life will probably be easier if you have the basic part of auth in place as you build stuff out. I'd recommend just having a login system and the concept of a user/current user. The rest of the user workflows (registration, confirmation, forgot password, email and password update, etc.) you can easily add in later. But the basic user concept is painful to add in after the fact.

        1. 2

          AHH. Haha, okay okay. Noted. I'll make sure to get the login system and a basic concept of a logged in user done first, and then worry about the rest later.

          This: "It's easy to lose steam working on a part of your software that you're not excited about." is definitely a tweetable cause I resonate with it a lot haha.

          Thanks for the actionable tip Elliot 🙏🏼
