I was one of those that really felt like Runes was going to ruin svelte. But after working with it on a small team for a month now, I can see the benefits. We previously had a lot of devs confused with `$:` and other…
The post presents this like it's a novel and noble idea. Yet, nowhere does it mention the term severance(or redundancy pay). I guess I should applaud them for voluntarily following what would just be standard labor laws…
One of the biggest issues we have with Rails these days is finding Rails devs (at least where I work). Our next project's backend may very well have to be Node or Python specifically for this reason.
Yeah, you know that thing Vue did with the composition API that a bunch of their users didn't like and then subsequently turned to Svelte over? Well, it turns out they were right and we're going to do the same thing.
Thanks for the re-assurance. We've been migrating a huge app to svelte over the last 6 months and it's nice to hear it won't be become legacy on arrival ;) Looking forward to the easy & incremental paradigm shift…
As someone who worked for over a decade in post-production, I can tell you this was most likely edited on FCP 7 because it was considered the better tool and not because of cost considerations (FCP 7 was actually much…
What I am not overlooking is that they as a company and in this comment have an implicit bias against Dev's rolling their own auth since their business model is based on them not doing that. The most critical point that…
Mitigating an attack is really, really, really hard. How hard is it? What are the challenges? Could you be more specific? Cause I keep seeing the blog and article headlines telling me how hard Auth is but a lot of them…
captcha integration is super easy and doesn't require a full auth integration service. Detecting a brute-force maybe less so maybe, though I get a lot of DDOS pretection for free with AWS & cloudfront. But I was more…
There's a lot of food for thought there and I can actually get on board with a lot of what you said. I enjoyed your perspective at the very least. I too have been a part of some tough audits, fedRAMP, etc. I've worked…
What I mean by tightly coupled, is if you can have your Frontend and Backend on the same domain, then yes by all means an httpOnly cookie is ideal. Now days there are a lot of SPA's that don't do that, or that have…
Auth is actually a combination of two things: authentication and authorization. Whatever you do, please do not build either by yourself. It's blanket statements like this that really make me rant on this subject. Lets…
Existing crypto libs like bcrypt, which I mentioned? Or are you talking about something more? The credential stuffing mention you make makes me think you must mean something more. Does Auth0 by default advise users that…
I mean, yeah, sure. Or for a number of other use-cases. I'd argue the best way is for the client to keep the token in memory over local storage. Of course if you have a tightly coupled app, session-based secure cookie…
I mean, it's stored in a DB somewhere, even if it's not your own. I would argue your own DB probably has less of an attack vector than major providers.
I don't quite follow the moral here. Was the Dev who rolled their own auth back when MD5 was the norm supposed to time travel forward to a time when cloud services like Auth and Cognito existed? Or does the fault lie…
Oh yeah, for sure, there are a really good libs. Someone mentioned passport. I've personally used Devise/warden in Rails. Though we had to monkey patch/extend it so much that 6 years later it was almost a different…
Too true and worthy of a rant of all it's own...
I've never head that adage. I did hear one from Miles Davis that says, "If you have to ask, you'll never know." I ask a lot of questions though so I never paid much attention to old adages I guess. If auth isn't your…
Yeah, that's why I prefaced with "the basics of auth are actually pretty easy". Rather than trying to opt-in to those other auth flows before you need them, I'd suggest starting with the basics and extend as needed.…
Two factor is actually pretty easily solved too though?
There's nothing wrong with JWT as a token spec. I prefer stateful sessions as well but but a stateless token also serves specific use-cases. It has also become a standard practice for decouple front-ends that live on…
I agree, stateful sessions can handle a number of problems and use-cases more gracefully. I work with a lot of api's the service multiple clients though and I do see a use-case for stateless as well.
Yes, that's why I said "the basics are really easy"? This was not meant to imply 10 lines of code handle the complete user experience workflow around auth. In saying that I have implemented oauth for multiple providers…
I didn't advocate for storing your session in local storage. I posed it as a question.
I was one of those that really felt like Runes was going to ruin svelte. But after working with it on a small team for a month now, I can see the benefits. We previously had a lot of devs confused with `$:` and other…
The post presents this like it's a novel and noble idea. Yet, nowhere does it mention the term severance(or redundancy pay). I guess I should applaud them for voluntarily following what would just be standard labor laws…
One of the biggest issues we have with Rails these days is finding Rails devs (at least where I work). Our next project's backend may very well have to be Node or Python specifically for this reason.
Yeah, you know that thing Vue did with the composition API that a bunch of their users didn't like and then subsequently turned to Svelte over? Well, it turns out they were right and we're going to do the same thing.
Thanks for the re-assurance. We've been migrating a huge app to svelte over the last 6 months and it's nice to hear it won't be become legacy on arrival ;) Looking forward to the easy & incremental paradigm shift…
As someone who worked for over a decade in post-production, I can tell you this was most likely edited on FCP 7 because it was considered the better tool and not because of cost considerations (FCP 7 was actually much…
What I am not overlooking is that they as a company and in this comment have an implicit bias against Dev's rolling their own auth since their business model is based on them not doing that. The most critical point that…
Mitigating an attack is really, really, really hard. How hard is it? What are the challenges? Could you be more specific? Cause I keep seeing the blog and article headlines telling me how hard Auth is but a lot of them…
captcha integration is super easy and doesn't require a full auth integration service. Detecting a brute-force maybe less so maybe, though I get a lot of DDOS pretection for free with AWS & cloudfront. But I was more…
There's a lot of food for thought there and I can actually get on board with a lot of what you said. I enjoyed your perspective at the very least. I too have been a part of some tough audits, fedRAMP, etc. I've worked…
What I mean by tightly coupled, is if you can have your Frontend and Backend on the same domain, then yes by all means an httpOnly cookie is ideal. Now days there are a lot of SPA's that don't do that, or that have…
Auth is actually a combination of two things: authentication and authorization. Whatever you do, please do not build either by yourself. It's blanket statements like this that really make me rant on this subject. Lets…
Existing crypto libs like bcrypt, which I mentioned? Or are you talking about something more? The credential stuffing mention you make makes me think you must mean something more. Does Auth0 by default advise users that…
I mean, yeah, sure. Or for a number of other use-cases. I'd argue the best way is for the client to keep the token in memory over local storage. Of course if you have a tightly coupled app, session-based secure cookie…
I mean, it's stored in a DB somewhere, even if it's not your own. I would argue your own DB probably has less of an attack vector than major providers.
I don't quite follow the moral here. Was the Dev who rolled their own auth back when MD5 was the norm supposed to time travel forward to a time when cloud services like Auth and Cognito existed? Or does the fault lie…
Oh yeah, for sure, there are a really good libs. Someone mentioned passport. I've personally used Devise/warden in Rails. Though we had to monkey patch/extend it so much that 6 years later it was almost a different…
Too true and worthy of a rant of all it's own...
I've never head that adage. I did hear one from Miles Davis that says, "If you have to ask, you'll never know." I ask a lot of questions though so I never paid much attention to old adages I guess. If auth isn't your…
Yeah, that's why I prefaced with "the basics of auth are actually pretty easy". Rather than trying to opt-in to those other auth flows before you need them, I'd suggest starting with the basics and extend as needed.…
Two factor is actually pretty easily solved too though?
There's nothing wrong with JWT as a token spec. I prefer stateful sessions as well but but a stateless token also serves specific use-cases. It has also become a standard practice for decouple front-ends that live on…
I agree, stateful sessions can handle a number of problems and use-cases more gracefully. I work with a lot of api's the service multiple clients though and I do see a use-case for stateless as well.
Yes, that's why I said "the basics are really easy"? This was not meant to imply 10 lines of code handle the complete user experience workflow around auth. In saying that I have implemented oauth for multiple providers…
I didn't advocate for storing your session in local storage. I posed it as a question.