As a Junior Dev, Auth is hard. I couldn't find much online explaining how to have a secure authentication system for my app other than the quick-start JWT guides or Auth0. At one point I had 30+ tabs open trying to understand this shiz. Long story short: Auth0 ≠ OAuth. Heh. So after talking on Reddit, I was recommended a product (it's open source) here in the comment section. I found SuperTokens! It took me 1 day to implement and I can now peacefully delete all my tabs. And I am loving it! It uses cookies that contain an access token which expires and must be refreshed with a refresh token. It can detect intrusions and provides more protection than I could have if I'd done it myself. Didn't bother trying it until looking online for a month and giving up.

https://preview.redd.it/q1rwrmdx80p41.png?width=1682&format=png&auto=webp&s=46b2269011225a4d563f7265514def8f54a81561

Had to post here to show gratitude, as one of their team screenshared to answer some of my questions on how it works. And this is what I've understood:

How it works:

Using a stack of your choice (currently Node + MySQL/Postgres), you find in the docs that you need the CLI to start the process daemon, an Init() function in your app providing the port for the Auth service, and then you must create the necessary DB and tables. A DB called, for example, auth_db, with 3 tables: key_value, which holds the rotating signing key for the access token (this is automatically generated and rotated); the past_tokens table; and a sessions table that contains all user sessions currently logged in.

To implement it in your code, you call createSession(...args) at /login; this returns a Response with headers that contain all of the cookie/token information. Next you'll have middleware (if using Express) that checks the cookies on every API request. And if this fails you have a /refreshSession (or whatever) endpoint for creating a new session for a user that's already logged in.

So first Login (/login), then Middleware, then Refresh (/refreshSession). The docs explain how to log users out, destroying their sessions, and error handling for detecting breaches. And all of this info has useful examples.

It all works smoothly, and one thing I didn't really understand but now do and want to share just in case is that all of this is tested in Insomnia/Postman by passing the correct headers and cookies with each request. But all of the cookie management and header management is handled on the front-end automatically via the front-end SDK they've built (iOS/Android/web).

My opinion is that this is a great solution in comparison to the lock-in options like Firebase and Auth0, which have benefits in their own ways, but this takes the cake for me. Very little set-up. Smooth transition between free (community + open source) and pro (paid, but less than $300 a year). And some really nice security features: blacklisting, session revoking, refresh & rotate, anti-CSRF, anti-XSS.

I'm using this because I reason that it is a dedicated solution and probably better than what I can create myself. Easy to set up, and I've never seen something that I actually trusted a little.

So here's the Docs,

Cheers
Submitted March 26, 2020 at 12:07PM by Anasurimbor_Cale