Should you write your own user authentication code? As I prepare to build some new applications this question is first in my mind. I generally feel very uncomfortable with the idea of handing the most critical part of an app over to a 3rd party. What if that 3rd party is a Google or a Facebook and they decide that they need to censor you since they seem to think that they are moral authorities nowadays? Besides that risk, here a few other pros and cons I think apply to implementing custom authentication:
Pros
- Full control
- No vendor lock-in
- Lower cost
Cons
- More code to maintain
- User records in different database
- High risk of unknown vulnerabilities
I recently heard about Supertokens from a YouTube video. Because it is open source, runs on postgres, and can be self hosted I wanted to see if it could eliminate some problems associated with using 3rd party authentication.
The fastest way for me to do try it out was to refactor my Hasura Starters code to use Supertokens for auth instead of custom JWTs.
My existing codebase uses several custom actions to provide common authentication workflows:
- register
- login
- whoami
- changePassword
- destroyUser
- resetPassword
Instead of using the UI components provided Supertokens I wanted to re-write each action to interact with Supertokens instead of my custom code. Everything turned out nicely! For example, all of my hand-made user registration code turned into this one line:
const signup = await EmailPassword.signUp(email, password)
All of my other custom actions were also easy to convert. The only code that is slightly ugly is the process of getting the jwt to return from the login action (based on this code):
await Session.createNewSession(res, user.id)
let sessionHandles = await Session.getAllSessionHandlesForUser(user.id)
let token = ''
for (const handle of sessionHandles) {
const sessionInfo = await Session.getSessionInformation(handle)
const jwt = sessionInfo.accessTokenPayload["jwt"]
if (jwt) {
token = jwt
}
}
I'm not sure what could happen here if the user has a ton of sessions. The response object supplied to createNewSession also comes from Hasura's call to node and not the request from the user's browser. It would be nice if there was a version of createNewSession that didn't need a response object.
Some other nice things I found about Supertokens are:
- Provides ways to customize emails (or just generate email validation and password reset tokens yourself).
- Was able to store data in same postgres instance as my app.
- Docker image was easy to use and customize.
- Project is active on GitHub.
However, I'm not 100% sure yet if I will use Supertokens in my upcoming projects. There were a few things that I'm worried might become long-term liabilities:
- Database schema is fragmented and would be hard to use.
- Documentation can be difficult to navigate.
- It would be difficult to expire existing JWT's on password change (would have to implement a token blacklist).
- What would the switchover path be if Supertokens stops being maintained?
- How could multi-tenant roles be implemented within Hasura when users are in a separate schema (or even database).
Top comments (4)
We appreciate that you tried SuperTokens. Please find below the reply to your questions.
1- It would be difficult to expire existing JWT’s on password change (would have to implement a token blacklist).
Answer - Yea. That’s one of the downsides of using JWTs. We could implement a blacklisting feature for them, but that would require users to integrate with caching solutions as well.. we can do this eventually.
2- What would the switchover path be if Supertokens stops being maintained?
Answer- Same as what it would be to move to supertokens from another auth provider. Example of moving from auth0 to supertokens - supertokens.com/docs/thirdpartyema...
3- How could multi-tenant roles be implemented within Hasura when users are in a separate schema (or even database).
Answer- We are not sure how you mean by implemented within Hasura. Could you please elaborate?
4- Database schema is fragmented and would be hard to use.
Answer- why do you think so could you please elaborate on this as well.
And we encourage you to join our discord server to discuss your use case or send us an email at team@supertokens.com
Thanks for the feedback! For items number 3 and 4 I was hoping to find a simple "users" table in the schema so that I could easily track it in hasura : hasura.io/docs/latest/graphql/core.... Instead, supertokens provided a more complicated schema that would have taken a significant time investment to understand and manage. This is likely due to the nature of building an auth service so not a bad thing.
The nHost team does provide an open source auth solution that has a nice clean schema that works out of the box with Hasura :
github.com/nhost/hasura-auth
Hi @aaronblondeau Thank you for trying SuperTokens. I am DevRel at SuperTokens. If you would like to discuss your use case we can connect or you can join our discord and connect with our founders. we are happy to help you.
Here is the link supertokens.com/discord
Best,
Ankur
please add a post on how to test supertokens with jest