How to Roll Your Own Auth
Summary
TLDR: In this video, the speaker outlines the process of setting up authentication for a project, particularly for an MVP. They emphasize the simplicity of using OAuth (such as 'Login with Google' or 'Login with Discord') to handle user sign-ins, bypassing the need for email verification or password recovery. They also compare session storage and JWTs for keeping users logged in, discussing the pros and cons of both methods. The speaker recommends using cookies for secure token storage and offers practical advice on avoiding common security pitfalls. The video concludes with a GitHub repository for viewers to follow along.
Takeaways
- Minimize reliance on third-party SaaS services and set up your own authentication system for better control over your project.
- OAuth (e.g., Discord login) simplifies the sign-up process by skipping email confirmation and password recovery, but has security limitations like unverified emails.
- Using OAuth for authentication (Google, Discord) is a quick way to onboard users with minimal setup, especially for MVPs.
- Choosing between JWT (JSON Web Tokens) and sessions depends on your project's needs: sessions are easier to manage but require frequent database calls, while JWTs are stateless and more scalable.
- JWTs should be short-lived (e.g., 15 minutes) with refresh tokens to maintain a longer session without requiring constant database lookups.
- With sessions, you can easily invalidate access, but every API call requires checking the session ID in the database, leading to potential performance issues.
- For token storage, cookies are preferred over local storage for better security, as they can be protected with HttpOnly and Secure flags.
- Cross-Site Scripting (XSS) attacks can compromise both cookies and local storage, so focus on securing your app to avoid this risk.
- Using JWTs allows for easy token validation without needing a database call each time, but revoking tokens early (like for logging out) can be tricky.
- If using JWTs, storing a refresh token version in the user's database record helps invalidate old tokens if needed (e.g., during a logout across all devices).
- Hosting services like Hostinger offer affordable VPS options for hosting your server, providing better value and scalability for new projects.
Q & A
Why is OAuth considered a good choice for authentication in MVPs?
- OAuth simplifies the login process by allowing users to authenticate via third-party services like Google or Discord, removing the need for email confirmation and password recovery, which accelerates onboarding.
What are the risks of relying on third-party OAuth services like Google and Discord?
- If the third-party service goes down, users won't be able to log in to your application. Additionally, if a user's Google or Discord account is banned or deleted, they lose access to your service.
What are the benefits of using a VPS for hosting authentication services?
- A VPS offers full control over the server, allows for easy scalability, and typically provides more affordable long-term hosting options compared to managed services.
What is the key difference between sessions and JWTs for handling user authentication?
- Sessions store temporary session IDs in the database to track user sessions, while JWTs store user data (like user ID and expiration date) in the token itself, eliminating the need for a database call on every request.
How do JWTs help in reducing server overhead compared to sessions?
- JWTs don't require a database lookup on each request. Instead, the token itself holds the user's information, and validation is done using the cryptographic signature, reducing server load.
Why might you choose to use a short-lived JWT and a refresh token combination?
- A short-lived JWT (e.g., 15 minutes) ensures that access tokens are regularly refreshed, while the refresh token allows the user to obtain new access tokens without needing to log in again, enhancing security and session persistence.
What is the significance of the refresh token version in the database?
- The refresh token version helps to manage token invalidation. When a user logs out from all devices, the version number is incremented, which makes all existing refresh tokens invalid, requiring re-authentication.
Why should cookies be preferred over local storage for storing authentication tokens on websites?
- Cookies, with the HttpOnly flag set, prevent access via JavaScript, thus protecting against XSS (Cross-Site Scripting) attacks, whereas tokens stored in local storage can be exposed to such attacks.
What role does Secure Storage play in mobile apps for token management?
- Secure Storage provides a safe way to store tokens on mobile devices, preventing unauthorized access and ensuring that sensitive data remains protected even if the device is compromised.
How can you check if a user is logged in on the frontend when using cookies?
- To check if a user is logged in, you can make an API call to the server, which will validate the user's cookie. If the cookie is valid, the server will return the user data; otherwise, the frontend can redirect to the login page.