Emmanuel Aiyenigba
Recent Security Vulnerability Detected in Clerk - Should You Roll Your Own Auth?

On January 12th, 2024, Clerk, an authentication and user management solution for web and mobile applications, notified the public about a critical security vulnerability discovered in the @clerk/nextjs SDK. The vulnerability allowed malicious actors to act on behalf of other users.

After this information was made public on X (formerly known as Twitter), developers reacted to the news from different angles.

“Roll your own auth” is the most common reaction.

[Embedded tweets: developer reactions, including "roll your own auth"]

The incident with Clerk is one of several security incidents reported in the tech space in the last few weeks. On January 7th, Resend reported a security incident in which attackers gained access to customer data (emails sent, contacts, domains, etc.) due to a leaked environment variable containing Resend’s database API key. Sometime in December last year, MongoDB also reported that an unauthorized actor had gained access to systems holding customer information (names, phone numbers, email addresses, and one customer’s logs).

With the recent Clerk incident, some developers are worried about the frequent occurrence of these security breaches.

[Embedded tweets: developers worried about the frequency of these breaches]

Details of Clerk’s security vulnerability

Clerk discovered the security vulnerability in their Next.js SDK during an internal audit. The vulnerability impacted only applications that use the Next.js backend with @clerk/nextjs versions 4.7.0 - 4.29.2, specifically applications that call auth() in the App Router and getAuth() in the Pages Router.
</gml_replace>
<gr_replace lines="33" cat="clarify" orig="Clerk’s post-mortem">
Clerk’s post-mortem is not very transparent about the details of the vulnerability. They state that they are unaware of any exploitation, pending a review of their server logs. They also said, “Detailed instructions for inspecting logs for an attack will be made available to impacted customers who request them, but will not be published publicly.”

Clerk’s post-mortem is not very transparent about the details of the vulnerability. They claim they are unaware of any exploit until they access their server logs. They also said, “Detailed instructions for inspecting logs for an attack will be made available to impacted customers who request them, but will not be published publicly.”

Customers are advised to upgrade @clerk/nextjs to version 4.29.3 immediately. The company also announced that cloud providers such as Vercel, Netlify, and Cloudflare have deployed mitigations at the network layer to keep customers safe.
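Since the only stated remediation is an upgrade, the practical check is whether a deployed project still resolves @clerk/nextjs to a version in the affected 4.7.0 - 4.29.2 range. The following script is an added example (not code from the post or from Clerk) that scans a parsed package-lock.json (lockfile v2/v3 "packages" map) for that condition; the sample lockfile is constructed.

```javascript
// Added example: flag @clerk/nextjs versions in the affected range 4.7.0 - 4.29.2
// (first fixed release: 4.29.3), as stated in Clerk's advisory.
const AFFECTED_PACKAGE = "@clerk/nextjs";
const FIRST_AFFECTED = [4, 7, 0];
const FIRST_FIXED = [4, 29, 3];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); pre-release tags are ignored,
// so "4.29.3-beta.1" is treated as 4.29.3. Returns null for ranges like "^4.29.0".
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when FIRST_AFFECTED <= version < FIRST_FIXED.
function isAffectedVersion(version) {
  const v = parseSemver(version);
  if (!v) return false; // unresolved range: check the lockfile's resolved version instead
  return compareSemver(v, FIRST_AFFECTED) >= 0 && compareSemver(v, FIRST_FIXED) < 0;
}

// Walk every resolved install path (root and nested) and report affected copies.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/" + AFFECTED_PACKAGE) && isAffectedVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample: a project pinned to a vulnerable release plus a patched nested copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@clerk/nextjs": "^4.29.1" } },
    "node_modules/@clerk/nextjs": { version: "4.29.1" },
    "node_modules/some-plugin/node_modules/@clerk/nextjs": { version: "4.29.3" },
  },
};
```

Run it against a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))`; an empty result from findAffectedInLock means no resolved copy is in the affected range.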

Should you roll your own auth?

“Roll your own auth” is a popular saying among developers whenever an auth provider underperforms or a security vulnerability is discovered in it.

Auth companies with millions of dollars in funding still face security incidents. Chances are that a small team will face an even bigger problem securing their auth pipeline if they decide to roll their own. Building and maintaining authentication systems is a tough job requiring a lot of time and effort. Small companies do not have that much time to spare, as they are more focused on implementing the details of their actual product - as it should be! Rolling your own auth means that development time is diverted away from building the actual product to building and maintaining an auth system.

Auth companies do regular internal audits and even pay security experts to try to exploit their systems. This is not something that small teams (and some large teams) can afford, because they do not have the resources for it. Plus, doing so is a diversion from their core product and therefore a waste of dev time.

The following are reasons why you should not roll your own auth:

  • Development and maintenance: Building and maintaining your own auth system requires significant developer resources. Small teams do not have the resources to spare to maintain a system that is not a part of their core product offerings.
  • In-house expertise: Having your own auth system requires in-house expertise to secure the system. It is costly to hire security experts.
  • Building what already exists: Re-inventing the wheel is a redundant process. There are auth services with proven features and functionalities that you can use.
  • Scalability concerns: As your user base grows, you will worry about scaling your auth system instead of prioritizing serving your users.
  • Diversion from your core application: If an auth service is not part of your product offering, building one diverts effort from your application’s core and wastes development time and resources.

If you lack confidence in a particular auth provider, you can try out others to find the one that meets your needs. Singlebase, Supabase, Okta, and Auth0 are powerful auth providers you can pick from.

More than just an auth provider, Singlebase also offers unlimited usage for Vector Datastore, Document Datastore, Search, and Storage, making it a complete solution for backend needs.

Conclusion

Maintaining an auth system requires dedicated effort and is not something you do on the side if security is a priority for your product. For this reason, you shouldn’t roll your own auth if you cannot afford a dedicated in-house team to serve that purpose.

Rolling your own auth without in-house experts will more often than not end in disaster. Building and maintaining a secure auth system is a tedious job requiring the expertise of a dedicated team. Do not roll your own auth unless you absolutely need to and have the resources to build, maintain, and secure it.

Singlebase is an auth provider that offers great features and industry-standard security for a small fee.
