Ask HN: Why do almost no web frameworks have User auth as first class features?
And although many frameworks have plugin or module extension capabilities, they still seem to lack "just works" user auth modules.
It is probably fair to say that a significant percentage of web applications are public facing and need user logins, accounts, and even profiles. This is not unlike how many web applications need persistent storage.
On the storage side, there are often clear and easy paths to databases and even cloud storage systems via plugins, and ORMs and such to simplify persistence.
But on the user auth side, the user of the framework is left with the task of integrating whatever external auth module. This is especially challenging when framework and external module versions shift, documentation and guides become out of date, and StackOverflow questions and answers become stale.
Why are we still reinventing this wheel so often?
12 comments
[ 2.9 ms ] story [ 28.9 ms ] threadIn any case, Django has provided this for years, and it probably is one of the reasons why a lot of apps get built on Django. I am really not a fan of Django, so I only use theirs if I'm paid to work on it. But if they can do it, why aren't the other popular frameworks giving that common need more attention?
I would argue that it is actually a value proposition and that it is one reason why Django has some of the marketshare it has.
It is probably much easier, from a maintenance standpoint, to simply allow other libraries take the mantle and just structure your project to play nice with middleware.
Much easier to just say “use package x for auth support.”
https://hexdocs.pm/phoenix/mix_phx_gen_auth.html
The permissions framework is also so complicated that most projects don't use it.
At this point it's worth asking whether frameworks should even have built-in authentication when it's a simple matter of storing a session id in a cookie.
Now User Profiles as a first-class thing would be nice (I really do not want to reimplement managing profiles), but there's a lot more variation there. Though some out-of-the-box basics would be nice: name, nickname, time zone, preferred contact info, etc.