Some time ago, we were struck by a real-world case: a Kick (Twitch alternative) user got hacked, and the attacker started streaming from their account.
The issue? Kick was using JWTs stored on the client side to manage sessions, and they couldnโt invalidate a single compromised session without rotating the secret โ which would log out everyone. All of this was done to avoid database queries.
That situation taught us a powerful lesson:
๐ Optimizing for fewer DB calls should never come at the cost of security.
We decided to build our own authentication system inspired by NextAuth โ but entirely based on database-backed sessions.
As far as we know, thereโs no public implementation with this level of control yet.
Since then, weโve continued to improve our security stack even further.
๐ฌ Would you be interested in a deep dive into how we built it?
Top comments (0)