Authentication is hard. And that's exactly why you should never have to be writing your own auth code, but rather, use existing frameworks.
There's so many tiny details and edge cases that can have such catastrophic results, it's too much of a risk to do it yourself. Unless writing auth frameworks is your job, for course.
I have yet to see a good clean solution. I was fairly new to auth and node when I was given a similar task. Ended up doing a ton of research and I felt I was making decisions I should not have had to make. I recall the tutorials that the article mentions. I was not impressed with the end result.
I think that the Node ecosystem tends toward minimalism and compartmentalization in modules, and in doing so monolithic authentication solutions don't really exist like they do in other frameworks in which there's more "magic", like Ruby/Rails.
You'd have to choose a higher-level Node.js-based framework, and there isn't an emergent solution yet. Personally I've been directed toward Hapi and Feathers.js as of late. Feathers I committed some PRs to and filed some issues against this weekend, which the maintainers are taking seriously, but it could use some more functionality and deeper testing. Hapi I haven't personally looked at, but is backed by some of the Auth0 guys.
If you're looking for a rails/devise like solution there is none. Passport is just an express middleware which is mostly useless, just like express in general.
Probably firebase, auth0, cognito or a similar third-party system. To me that fits in with the node ethos, which has always seemed to be to be, roughly, "mash things up".
Honestly, I don't think there is a real shortcut for in depth knowledge of how secure authentication should work. I think if your going to be writing a program with authentication, you need to know what is going on, what the framework is doing under the hood. If you don't, you are likely to misconfigure it or trust it to do something it doesn't do.
Writing a secure auth isn't exactly hard, and there is good info on the web about it. It just requires time to implement and not taking shortcuts to do it right.
In node there are not really official solutions - it's just packages. Php has a nice password_hash function which hashes and salts your password for you securely.
I disagree. Do you believe that web application developers should be able to write an efficient JavaScript interpreter, or build a working CPU in Verilog? As technology increases in complexity, roles specialize. Skillsets diverge and junior developers should have frameworks accessible to them they can rely on.
Most of us have made our careers standing upon the shoulders of relative giants until we have grown enough to become taller ourselves. I don't believe that you should have to be able to build a reliable authentication framework to be able to write a decently secure web application.
If you don't understand CPU cycles, your application might get a teeny bit slower. If you don't understand security, your application could get hacked! It's definitely nice to have a good auth framework, but I think security is important enough that it's worth taking 1 hour to learn how to do it right.
pbkdf2 can be used as a computationally expensive hash... bcrypt does a few other things in terms of the output format beyond just the hash though, it contains enough information to repeat the hashing settings to verify another entry against it.
IIRC bcrypt isn't an in-the box feature in crypto, but pbkdf2 is.
> Stack Overflow isn’t of too much help, as developer relations from a company called Stormpath loved plugging their IaaS startup on every imaginable post regarding this. Their documentation also popped up everywhere and they have a blogvertisement on password reset, as well. However, all of this is for naught as Stormpath is defunct, and it shuts down entirely August 17, 2017.
I remember these guys and I had a serious argument back them with one of the. I pity companies who bought into their services and depend on it today. People often push the idea that security and ID management should be "outsourced". They shouldn't, security audits should.
16 comments
[ 4.6 ms ] story [ 39.3 ms ] threadThere's so many tiny details and edge cases that can have such catastrophic results, it's too much of a risk to do it yourself. Unless writing auth frameworks is your job, for course.
I think that the Node ecosystem tends toward minimalism and compartmentalization in modules, and in doing so monolithic authentication solutions don't really exist like they do in other frameworks in which there's more "magic", like Ruby/Rails.
You'd have to choose a higher-level Node.js-based framework, and there isn't an emergent solution yet. Personally I've been directed toward Hapi and Feathers.js as of late. Feathers I committed some PRs to and filed some issues against this weekend, which the maintainers are taking seriously, but it could use some more functionality and deeper testing. Hapi I haven't personally looked at, but is backed by some of the Auth0 guys.
Writing a secure auth isn't exactly hard, and there is good info on the web about it. It just requires time to implement and not taking shortcuts to do it right.
In node there are not really official solutions - it's just packages. Php has a nice password_hash function which hashes and salts your password for you securely.
Most of us have made our careers standing upon the shoulders of relative giants until we have grown enough to become taller ourselves. I don't believe that you should have to be able to build a reliable authentication framework to be able to write a decently secure web application.
IIRC bcrypt isn't an in-the box feature in crypto, but pbkdf2 is.
I remember these guys and I had a serious argument back them with one of the. I pity companies who bought into their services and depend on it today. People often push the idea that security and ID management should be "outsourced". They shouldn't, security audits should.
Django would best be compared to LoopBack, although at this point there are many reasonable competitors.