this. Everyone made auth sound so hard until i decide to roll my own.

​@@Bu7MaiD075don't to this. try implementing hashing, salting, 2fa, mfa, oauth, sso, session management, webauthn, password reset, and magic links all without a single vulnerability.

@@Bu7MaiD075 and then your db gets leaked and users' passwords are all over the internet

Fully agree, they will write articles how implementing your own auth is difficult and even if you do it yourself it won’t be tested as good as their so don’t even bother doing it and buy their product right away. Basic backend knowledge, JWT, bcrypt and that’s it

there is very narrow bridge between that imho, the moment you want dashboard the complexity explodes and its nice to have option to just let completely different team handle that part. I m currently part of very small startup and having entire block of issues off-loaded to other guys (that do it for free until they charge amount that is laughable compared to other costs you have - team salaries) it makes a difference between surviving and not and we do these decisions daily ...and when needed you can always make your own service to replace it

I moved from clerk to better auth too. It’s much better. It’s what Lucia almost was…

oh so true authjs bring a lot of pain while working with and to top it off no proper docs

It requires a database to store the user, what if i have my own separate backend?

​@@ahmedhassan_saverthen it is a no go and you have to stick with auth.js

Agreed! I’m not sure why @theo is promoting Clerk so strongly without discussing the drawbacks of third-party auth providers.

If your product has 100,000 signed in MAU and you’re not making significantly more than $2k/mo you’re doing something wrong

"They throw a ton of ads at people just starting their careers to convince them that auth is some complex thing that only “experts” can handle." I would never use Clerk for a project I was serious about, but...wow. Anyone who says that authentication is easy in these convos is confused about the point: AUTHENTICATION is easy, AUTHORIZATION is hard. Different compliance layers, fine-grained permissions, identity reconciliation, security, these are all things that come into play. And if your project gets to the point that you have 100k users, having to pay $20k for a security audit and failing because you made a small mistake is much, much more expensive than paying $2k monthly for a likely-profitable business. I'm genuinely trying to not sound like a jerk but it just grinds my gears when people try to create villains in this type of thing...complex problems = people will make money from solving it.

​@@RhysSullivanI've had an app that reached 100 000+ unique users and I wasn't making any money with it. there wasn't a way to make money with it too

Oh, don’t worry-Theo’s followers won’t throw you away. They’ll even defend you! Unless, of course, you dare not use Clerk-then they’ll tear you apart. But hey, my comment got deleted, so will your. 😂😂😂😂😂😂

It requires a database to store the user, what if i have my own separate backend ?

Then use a httponly cookie

He said himself, he's gotta pay the bills

robiiii

Ethiopia mentioned

≠BetterHelp

@@SeanCassiere Thanks I will check it out. Simplewebauthn was a great library for passkeys. He said he regrets an auth Lucia touching databases as it's too complicated to please everyone. You call a library while a framework calls you. Big different

hopefully once they release the payment side of things it'll get a bit more attention. that said I'd love them to bring out a bunch of components (like clerk) for user management.

You have every project implementing auth their way. Such a bad idea. And when you have any substantial app and get audited and they hear you doing your own auth…lol. You have 2Fa? Multi tenant support? Library is best bet. Standardization and delegating concern to lib

I find this over generalization unhelpful. Auth is easy to start, but hard to master. Ask library maintainers, and SaaS companies alike. All the edge cases, security concerns, and surface areas to cover can make a simple thing complex very quickly.

@@natedunn3933 this, if you aren’t building a toy app, rolling your own auth is a massive mistake

Have not asked yourself why even massive companies out source with??? “Not that hard” to get your company hacked

Just the business logic and corresponding UX alone that comes with dealing with oauth is a huge time sink. What happens when a user signs in with an oauth identity with an unverified email address that matches an existing accounts email address? I’ve rolled my own before, never again.

Keyclock is very popular in java community

Same here! Using one of these newer solutions in banking sound risky considering Keycloak is 10 years old, has a lot of funding, and it still has many security vulnerabilities being discovered every single month.

why shouldn't you store sensitive data in LocalStorage?

Jwt doesn’t need to be signed. Can be signed AND can be encrypted. And if you’d use oauth, you can get the JWKS (json web key sets) through GET /.well-known/openid-configuration. Which gives you access to public keys which you can use yo verify the signed jwt.

@@_tr11 Because localStorage can be accessed from within JS, meaning it's vulnerable to XSS attacks. You should use http-only cookies for session data.

@@_tr11 Local storage should not be used to store sensitive information like user IDs, session tokens, personal information, credit card details, or API keys. Its lack of encryption, vulnerability to XSS attacks, and lack of access control make it a risky place for sensitive data

Any JavaScript code running on your app would have access to it.

betterauth supremacy

And you have no knowledge of auth. What I have noticed is that any full app framework with lots of magic are poverty devs cause everything is done from them.

@mr.random8447 Because I have some knowledge of authentication, I didn’t want to pay for authentication with SaaS, so I just used Laravel to get the job done quickly

​@mr.random8447 what do you suggest?

It's a bit pricey

Feel you bro, tbh it's much easier to skip spring security and implement you own using AOP, you can create @Authenticated annotation for method or class

Keycloak is oauth provider and openauth is library for implementing auth patterns for you. You can use it to store users in your db and in the same time configure login with keycloak.

we use it at work and I found the login screen of keycloak sooo ugly😢

@@guillaumeclimentygarcia8143 you can easily customize. They have custom themes and all this stuff.

@@guillaumeclimentygarcia8143 it isn't a beauty, but you can style it a bit

@@guillaumeclimentygarcia8143 you can customize it, they have custom themes

http-only, secure-only cookies 👍🏻

It depends if you use oauth or not. If you have your own backend with auth then just store tokens in secure, http only cookies. If you use oauth then use implicit flow with pkce enabled.

I didn't want to state it because I was waiting to do this video

@@t3dotgg Yeah that makes sense, your approach on authentication is great though. Keep up the good work man!

Basically just ads

I solved it by implementing a request interceptor and having a mutex lock acquired before token refresh. This allows only one request to actually refresh the token.

@@abhishekmehandiratta4241 I tried that and I wasn't successful which most likely a skill issue. Do you have a repo I can review?

If it's client-side JS then yes, but I believe what he demonstrated was server-side

Most people/programmers won't know he really means nodejs server backend (and not your device's browser (front-end)).

​@@phendanwhy?

@@_tr11 You'll have to be a bit more specific. Why what?

@@phendan why is js with access to cookies a security issue? it's *your* js on *your* webpage after all

it's even possible to version control it in a git repo and have a file per entity type

This is exactly what I’m doing right now in production. Never had any problems. It’s hilarious how these JS devs add a new framework every week to solve a problem that’s already been solved by GitHub and text files

how much data are you gonna store in that file 😭 how do you handle locking too? just use SQLite at this point

bro just banned himself from employment

What he probably meant is that he always will have a bit of bias towards Clerk because they sponsored him in the past

Bro use better auth

I found you in yt too 😅

Im trying to figure out why this is overlooked

people probably think you gotta roll the whole supabase stack, you don’t, and the docs are great. Open source too

real

Laravel itself is an added problem

javascript hater 😂😂😂 doesn't even understand how js works 😂

no. you were second

@@_tr11 yes ur right