How are people able to just spin up Google login using these libs? When I tried it doing it directly my site had to be reviewed multiple times by some Google rep and I had to change the privacy policy, not have any beta features etc etc. What am I missing? I find it really strange that I must fully launch my product before I can enable the most common login mechanic. It feels like a catch 22.
Looks interesting. I like that you can plug your own identity provider quiet easily. One nit: They should really rename their Node integration to Express integration because that’s what it is looking from examples (and that’s what people might commonly look for).
I've been hoping on some library to better simplify passkey auth, especially in "serverless" situations with KV DB like Deno Deploy/Netlify/et al. I'm sick of passwords and passkey should be all I need, but the high level libraries just don't seem to exist in good enough forms yet and everyone keeps instead relying on overkill vendors like Auth0/Okta.
Does anyone have experience with https://lucia-auth.com ? OP says that it's deprecated, but it seems like it just changed from a library to a short guide on how to implement auth yourself.
I'm planning to migrate our authentication and session management from auth0 to this to save costs and make things simpler.
I am currently self hosting former gotrue, now supabase auth and am having a hard time implementing oath and will probably try to switch to better auth. The docs look super comprehensive.
As someone developing with both Nuxt and Next, I find these "full-stack" JavaScript libraries and frameworks really confusing and difficult to grok. I understand the benefit of only having one ecosystem to worry about (JS/TS in Node and browser) but I'm not convinced that having backend and frontend in the same codebase is actually a good idea. It might be due to being a more "old school" full stack developer, but this new wave of of SSR-led full-stack frameworks is tricky.
I've worked on a wide range of projects that use a number of different approaches to this. At the end of the day, you usually want at least some parts of it to some extent. If you don't want every page the user sees to be full of loading spinners at first, whatever is serving the initial HTML needs to know at least something about what the UI components are like and how to lay them out. In fact, the closer the initial load to the final result, the better. On the other hand, you also want interactivity, especially in this day and age. Very few web applications are just static data you look at and don't interact with. So you also need some frontend stuff that adds all of that magic. So all these frameworks are essentially trying to solve this problem, how do you get both of those things without just duplicating and syncing all of that code between the frontend and the backend. I do agree that many of the solutions we see today are immature, but when it's done right, it's wonderful.
100% agree with how confusing it all feels. Smudging data and code back together feels like a massive step backwards. I can't but be reminded of the disaster that was ASP.NET Webforms.
It took me a while to grok that in SSR frameworks, you shouldn't treat the SSR backend as a data backend. The best mental model is that the "SPA" just now has a client-server boundary in the middle of it. You should have a normal data API servicing the SSR backend.
With this approach, this does mean that client-server auth can now either live in the SSR backend or as normal on the data api. Arguably doing it on the SSR backend makes the most sense since that is now your server boundary. In this context the resurgence of auth in the SSR space make sense.
In my, arguably limited experience compared to some other folks, completely agree. It feels lite the correct solution here is to treat it as another kind of backend. I always keep the truth-keeper backend separate and with much higher quality requirements.
I am a big fan of Gleam language's Lustre[0], and due to its functional nature, the full stack experience is much better.
Instead of becoming this mishmash of backend and frontend, there's a clear delineation between the two. They share common functionality via functions (like model and views), which is much easier to do when they're pure.
You basically get the advantages of those magic frameworks without all the magic.
I started a side-project in SvelteKit a while ago, and so far I still like it a lot. When I saw what projects using it look like, it somehow just intuitively 'made sense' to me. For me it's also just the right amount of 'magic' so that it's still quite flexible, but takes care of the parts that would be tedious otherwise.
(I've never worked with Nuxt or Next though, so I can't directly compare them.)
I don’t think the issue lies in using the same language to write the client & server. IME projects become brittle & hard to refactor when you use a full stack framework because you wind up writing a ton of controller code or a sprawling service layer to support different features for each page. This isn’t exclusive to using a framework, I’ve done the same thing with API endpoints in the past.
Making a general purpose API as if it were its own product seems to lead to better, more sustainable outcomes.
In my opinion the only real point of those frameworks is so that developers can focus on coding while the experts figure out how to do code splitting, search engine optimization and what to render where (browser, server) and when.
Since http protocols and browsers change and especially google never ceases to push new optimizations, it is extremely difficult to keep up and do the right thing.
Auth.js is not made by Vercel. Quote: “ The Auth.js/NextAuth.js project is not provided by, nor otherwise affiliated with Vercel Inc. or its subsidiaries. Any contributions to this project by individuals affiliated with Vercel are made in their personal capacity.”
You're not wrong but it's a very understandable mistake when the footer has a big old "powered by Vercel" logo and the creator works for them.
The logo is probably just supposed to another opportunity for them to grab mind share by hosting the site for free and sticking that there, but it creates a confusing impression.
Hey, author of Better Auth here. I created Better Auth because I couldn’t find any other auth library that goes beyond simple login with OAuth. Even then, the only properly maintained ones were NextAuth (Auth.js) and Lucia (which is now deprecated). I’m not sure where the idea of "too many auth libraries" is coming from.
They're probably including libraries tied to hosted offerings, and there are a lot of them (Cognito, Firebase, Auth0, Clerk, FusionAuth, Kinde, Descope, WorkOS, and many many more)
Auth.js isn't really by Vercel even if they scooped up the creator and stuck one of their "powered by" stickers on it... it does have a fun tie-in with Rauch's cartel though
Clerk sponsors it extremely heavily so that when you get fed up with dealing with it, every single page has a CTA funneling you to them.
Honestly the whole situation has a terrible terrible smell, but that's post-Rauch JS for you.
Recent and related:
Show HN: Comprehensive authentication library for TypeScript - https://news.ycombinator.com/item?id=41678652 - Sept 2024 (44 comments)
How are people able to just spin up Google login using these libs? When I tried it doing it directly my site had to be reviewed multiple times by some Google rep and I had to change the privacy policy, not have any beta features etc etc. What am I missing? I find it really strange that I must fully launch my product before I can enable the most common login mechanic. It feels like a catch 22.
Looks interesting. I like that you can plug your own identity provider quiet easily. One nit: They should really rename their Node integration to Express integration because that’s what it is looking from examples (and that’s what people might commonly look for).
I've been hoping on some library to better simplify passkey auth, especially in "serverless" situations with KV DB like Deno Deploy/Netlify/et al. I'm sick of passwords and passkey should be all I need, but the high level libraries just don't seem to exist in good enough forms yet and everyone keeps instead relying on overkill vendors like Auth0/Okta.
Does anyone have experience with https://lucia-auth.com ? OP says that it's deprecated, but it seems like it just changed from a library to a short guide on how to implement auth yourself.
I'm planning to migrate our authentication and session management from auth0 to this to save costs and make things simpler.
This is actually very nice, thanks for posting.
Not sure this will save you time and money, but it is very comprehensive.
There are so many auth libraries on the roll nowadays. I am using firebase js and it is very simple and straightforward to use.
I'm not a security expert, so please advise any pitfalls that the new libraries address which cannot be done with firebase
Why do you give them you your data? Why would you pay for that ?
I am currently self hosting former gotrue, now supabase auth and am having a hard time implementing oath and will probably try to switch to better auth. The docs look super comprehensive.
Yeah I really love the doc!
It says it's better auth, but it's actually the best auth library.
As someone developing with both Nuxt and Next, I find these "full-stack" JavaScript libraries and frameworks really confusing and difficult to grok. I understand the benefit of only having one ecosystem to worry about (JS/TS in Node and browser) but I'm not convinced that having backend and frontend in the same codebase is actually a good idea. It might be due to being a more "old school" full stack developer, but this new wave of of SSR-led full-stack frameworks is tricky.
I've worked on a wide range of projects that use a number of different approaches to this. At the end of the day, you usually want at least some parts of it to some extent. If you don't want every page the user sees to be full of loading spinners at first, whatever is serving the initial HTML needs to know at least something about what the UI components are like and how to lay them out. In fact, the closer the initial load to the final result, the better. On the other hand, you also want interactivity, especially in this day and age. Very few web applications are just static data you look at and don't interact with. So you also need some frontend stuff that adds all of that magic. So all these frameworks are essentially trying to solve this problem, how do you get both of those things without just duplicating and syncing all of that code between the frontend and the backend. I do agree that many of the solutions we see today are immature, but when it's done right, it's wonderful.
100% agree with how confusing it all feels. Smudging data and code back together feels like a massive step backwards. I can't but be reminded of the disaster that was ASP.NET Webforms.
It took me a while to grok that in SSR frameworks, you shouldn't treat the SSR backend as a data backend. The best mental model is that the "SPA" just now has a client-server boundary in the middle of it. You should have a normal data API servicing the SSR backend.
With this approach, this does mean that client-server auth can now either live in the SSR backend or as normal on the data api. Arguably doing it on the SSR backend makes the most sense since that is now your server boundary. In this context the resurgence of auth in the SSR space make sense.
In my, arguably limited experience compared to some other folks, completely agree. It feels lite the correct solution here is to treat it as another kind of backend. I always keep the truth-keeper backend separate and with much higher quality requirements.
I am a big fan of Gleam language's Lustre[0], and due to its functional nature, the full stack experience is much better.
Instead of becoming this mishmash of backend and frontend, there's a clear delineation between the two. They share common functionality via functions (like model and views), which is much easier to do when they're pure.
You basically get the advantages of those magic frameworks without all the magic.
[0]: https://blog.nestful.app/p/gleams-lustre-is-frontend-develop...
so your solution is a niche language nobody uses ?
Isn't that what every technology was at some point?
I started a side-project in SvelteKit a while ago, and so far I still like it a lot. When I saw what projects using it look like, it somehow just intuitively 'made sense' to me. For me it's also just the right amount of 'magic' so that it's still quite flexible, but takes care of the parts that would be tedious otherwise.
(I've never worked with Nuxt or Next though, so I can't directly compare them.)
I don’t think the issue lies in using the same language to write the client & server. IME projects become brittle & hard to refactor when you use a full stack framework because you wind up writing a ton of controller code or a sprawling service layer to support different features for each page. This isn’t exclusive to using a framework, I’ve done the same thing with API endpoints in the past.
Making a general purpose API as if it were its own product seems to lead to better, more sustainable outcomes.
In my opinion the only real point of those frameworks is so that developers can focus on coding while the experts figure out how to do code splitting, search engine optimization and what to render where (browser, server) and when.
Since http protocols and browsers change and especially google never ceases to push new optimizations, it is extremely difficult to keep up and do the right thing.
Ok, but how is that related to this auth library?
It’s a full-stack auth solution for full-stack JS frameworks
[flagged]
Auth.js is not made by Vercel. Quote: “ The Auth.js/NextAuth.js project is not provided by, nor otherwise affiliated with Vercel Inc. or its subsidiaries. Any contributions to this project by individuals affiliated with Vercel are made in their personal capacity.”
You're not wrong but it's a very understandable mistake when the footer has a big old "powered by Vercel" logo and the creator works for them.
The logo is probably just supposed to another opportunity for them to grab mind share by hosting the site for free and sticking that there, but it creates a confusing impression.
Hey, author of Better Auth here. I created Better Auth because I couldn’t find any other auth library that goes beyond simple login with OAuth. Even then, the only properly maintained ones were NextAuth (Auth.js) and Lucia (which is now deprecated). I’m not sure where the idea of "too many auth libraries" is coming from.
They're probably including libraries tied to hosted offerings, and there are a lot of them (Cognito, Firebase, Auth0, Clerk, FusionAuth, Kinde, Descope, WorkOS, and many many more)
Out of curiosity, how is Better Auth funded?
Auth.js isn't really by Vercel even if they scooped up the creator and stuck one of their "powered by" stickers on it... it does have a fun tie-in with Rauch's cartel though
Clerk sponsors it extremely heavily so that when you get fed up with dealing with it, every single page has a CTA funneling you to them.
Honestly the whole situation has a terrible terrible smell, but that's post-Rauch JS for you.
[flagged]
"Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something."
https://news.ycombinator.com/newsguidelines.html
You should give it 1 minute before you assume it's lacking.
It's the real deal.
bst i can do 40 seconds take it or leave it