How to Roll Your Own Auth

Поділитися
Вставка
  • Опубліковано 24 гру 2024

КОМЕНТАРІ • 349

  • @con-f-use
    @con-f-use 5 місяців тому +664

    I was fully prepared for sarcasm and snark. Instead I got the most useful short intro on web-authentication there is.

    • @snowballeffect7812
      @snowballeffect7812 5 місяців тому +6

      We were taught how to roll our own auth at my boot camp just so we could have a deeper understanding on how it works and what can go wrong. Super valuable skill to have!
      to clarify, we did this from scratch, including hashing and salting passwords and using session tokens.

    • @vaishnavejp9247
      @vaishnavejp9247 5 місяців тому +1

      that all of ben's videos

    • @petleveler8366
      @petleveler8366 5 місяців тому +3

      @@snowballeffect7812 that is the basics everyone should know that

    • @snowballeffect7812
      @snowballeffect7812 5 місяців тому

      @@petleveler8366 you'd be surprised, apparently. maybe they do know that, but it seemed rare for anyone to implement working auth from scratch.

    • @snowballeffect7812
      @snowballeffect7812 5 місяців тому

      @@petleveler8366 not sure why my response was deleted lol. but I'll try again and say that I don't think most devs have implemented auth from scratch on their own.

  • @msilence2009
    @msilence2009 5 місяців тому +434

    I PERSIST MY TOKENS ON MY ARMS USING TATTOOS.

  • @goober9105
    @goober9105 5 місяців тому +316

    No way hes back

  • @emptytank604
    @emptytank604 5 місяців тому +36

    This was quite possibly the best and most concise explanation of how to implement auth I have seen. Thank you!

  • @AndrewScofield
    @AndrewScofield 5 місяців тому +18

    Great high level tutorial for a very confusing topic! There are so many tutorials out there that make it seem like you have to start out at enterprise level complication, when in reality a setup like this is going to work great for most people.

  • @zb2747
    @zb2747 5 місяців тому +16

    Very concise explanation of JWT vs Sessions. Interesting to see how your take on the two has developed over the years. I find your videos super helpful when it comes to doing auth without 3rd party
    Lastly, it’s great seeing you Ben. Much peace and success brother

  • @vinceerkadoo45
    @vinceerkadoo45 5 місяців тому +62

    Literally popped on my suggestion seconds before i was going to search for this!

    • @ghdshds1899
      @ghdshds1899 5 місяців тому +1

      damn google really has your personal data dead to rights

  • @mtnrabi
    @mtnrabi 2 дні тому

    A note regarding your cookie configuration - same-site lax can still lead to csrf attacks… (it allows for cross site requests via links but not via images, and only GET - but still it’s possible)
    Only same-site strict would totally prevent csrf attacks (setting CORS to the origin site only would also work)
    Love your content btw and hope you keep creating !

  • @cryptophil85
    @cryptophil85 3 місяці тому

    I've just watched several videos on this topic whilst deciding on how to proceed and this is by far the best one. I love fireship vids but this extra depth into pros and cons gives Jeff a run for his money. Keep it up! I'd love to see a collab between you two.

  • @nigelyong9060
    @nigelyong9060 4 місяці тому

    ⏱ CHAPTERS ⏱(By TimeSkip AI)
    00:00:00 - Introduction to Authentication Setup
    00:01:30 - Setting Up Your VPS with Hostinger
    00:02:51 - User Account Verification and Security
    00:04:30 - Session Storage vs JWTs Explained
    00:05:36 - Implementing JWTs for Authentication
    00:06:52 - Managing User Sessions and Tokens
    00:09:40 - Best Practices for Token Storage
    00:11:35 - Front-End User Authentication Checks
    00:12:41 - Conclusion and Resources

  • @mikealejandro3938
    @mikealejandro3938 5 місяців тому +2

    Ben, you're mi inspiration for becoming a web dev, it's been like 3 years since I started this journey seriously (at 17), now I have a decent job, thanks for existing brother, love your vids, we miss you homie !

  • @schism15
    @schism15 5 місяців тому +2

    Perfect timing for this. I had just decided to try rolling my own auth on my latest side project since its not critical, will be low traffic and I'm tired of auth feeling like such a black box.

  • @MaxPicAxe
    @MaxPicAxe 5 місяців тому +9

    I can't believe you just explained so much about auth I had no idea about in this short video, so well. Thank you.

  • @rohithk6466
    @rohithk6466 5 місяців тому +3

    Hi Ben this video was pretty useful, kindly keep coming back with these

  • @bojidaryovchev9995
    @bojidaryovchev9995 3 місяці тому

    that's why we love you Ben, what an amazing video, mad props yo, tight, tight tight tight!

  • @devxsadik
    @devxsadik 4 місяці тому +1

    i missed this type of content bro
    pls keep doin it

  • @kevinroleke2769
    @kevinroleke2769 5 місяців тому +2

    You don’t need to buy a service for email. It’s a bit annoying but you can setup postfix on a VPS and point MX, SPF, DMARC records.

  • @Andres-Estrella
    @Andres-Estrella 5 місяців тому +1

    Thanks!
    Auth is one of those things you have to implement 2 or 3 times to fully understand.

  • @ayushgupta0010
    @ayushgupta0010 5 місяців тому +1

    My go-to method is to use JWT with a refresh token and token version, make the access token short-lived, like 15 min, and store it in the memory on the frontend.

  • @rutvikpatel7640
    @rutvikpatel7640 5 місяців тому +2

    You uploaded this video right when I needed it! You answered so many questions of mine in just 15 mins than I found answers online for last 2 days. Thank you so much. And please make a next video on how you setup username and password auth.

  • @PedroPedruzzi
    @PedroPedruzzi 5 місяців тому +4

    Very nice. I've used this design with two JWT, but never seen it explained anywhere. Cool!

  • @ygvanz
    @ygvanz 5 місяців тому +1

    From all of the authentication videos I have seen, you explained everything very well.

  • @pt_trainer9244
    @pt_trainer9244 4 місяці тому

    Summarized months of learning all of this in a short video, good stuff

  • @buzz1ebee
    @buzz1ebee 5 місяців тому +1

    He's back! Great overview. I've rolled my own auth quite a few times and this is a great guide.
    Recently I've been using a self hosted zitadel instance for the user management and I have a reusable nestjs module for handling all the zitadel oauth stuff and session management etc. Super easy to add additional auth providers or implement 2fa via settings on zitadel without changing anything at all on my backend which is just basic session cookies storing access and refresh tokens for zitadel.

  • @user-zo2ky4mz7d
    @user-zo2ky4mz7d 5 місяців тому +3

    I was just researching this for a side project. Thanks Ben for reading my mind.

  • @pingxtratech
    @pingxtratech 2 місяці тому

    This is so good. Nice one.
    With regards to Cookies vs LocalStorage, I always have my reservations and would usually choose LocalStorage as it'll only keep the user logged in on the Frontend. If it is tempered with, the user is kicked of out the system.
    I realized one thing that even with cookies, when I copied the cookies with their values on a certain browser and put it on a different browser, all I had to do was reload the page and I was logged in.
    Great insight though.

  • @KevinNaughtonJr
    @KevinNaughtonJr 5 місяців тому +1

    great vid super informative benjamin

  • @Smurfis
    @Smurfis 2 місяці тому

    I absolutely love this, was asking for it and he provided thanks Ben

  • @alessiotucci0
    @alessiotucci0 5 місяців тому +2

    Great intro to authentication, Thanks a lot Ben

  • @Yaxqb
    @Yaxqb 5 місяців тому

    here I have walked literal years wondering why we have refresh tokens. Your explanation is so clear

  • @TechTube-22
    @TechTube-22 4 місяці тому +1

    Auth with cookies makes you're API only callable via browser, so if you want to use them in a mobile app, you have to change maaaany things

  • @Kayzewolf
    @Kayzewolf 11 днів тому

    It’s appealing and tempting to do the JWT flow but just feels like a session lookup is the best match since you probably want data that you wouldnt want to expose in a JWT payload, or perhaps would want to revoke faster. Say, if you ban a user, they still got access for as long as the JWT is valid. Even with a small expiration via refresh token flow, it’s still a window of opportunity you gotta then trade off to where you’ll probably start refreshing every other request anyways.
    I mainly use JWT for expiring temp tokens like email verification or even password resets (hash value to check db, inside an expiring token). If I’m doing a microservices approach, JWT benefits where you have the auth service do the lookup and then send a potentially sensitive JWT via internal network to that microservice, decoupling auth from services.
    JWTs are fine for auth but I just prefer more control and safety of sessions (via redis) for access changes (banning, access permissions, etc).

    • @Kayzewolf
      @Kayzewolf 11 днів тому

      For a point in JWT auth’s favor, I suppose checking permissions via query might reduce these concerns, though the potential performance/coding complexity might still be a reason not to? I dunno

  • @theo_ludwig
    @theo_ludwig 2 місяці тому

    Well explained, straight to the point with pros and cons of each method.
    Thank you!

  • @SalimOfShadow
    @SalimOfShadow 5 місяців тому +2

    I always really really liked how you explained everything!!!
    Really enjoyed this quick rundown

  • @Sindoku
    @Sindoku 5 місяців тому

    Oooohhh crap, our boy Ben Awad is finally back. Welcome back baby, we missed you.

  • @erickshaffer6615
    @erickshaffer6615 5 місяців тому

    PLEASE KEEP THIS GOING, VERY EDUCATIONAL

  • @V0LAT1LE_
    @V0LAT1LE_ 5 місяців тому +1

    The 2 doors in the back are hitting some weird parts in my brain. Its like they are saying red pill or blue pill

  • @KazSadeghi
    @KazSadeghi 4 місяці тому

    This is insane, best auth video / resource I've seen

  • @_solstice
    @_solstice 5 місяців тому

    very good video, everything was super clear, maybe this is a bit niche or too specific to be useful but a video about how you'd go about rolling your own oauth provider would be very interesting imo

  • @danielsharp2402
    @danielsharp2402 4 місяці тому

    For me refresh token is usually not a JWT since accessing the database is happening there anyway. And that gives you the best of both worlds with revoking as well. Usually stored in redis with EX.
    Also for early MVP services I like to do a Frankenstein approach of letting an access token close to expiry refresh itself (works quite well, but obviously isn't as good as refresh tokens).

  • @Alphfirm
    @Alphfirm 4 місяці тому

    Sweet, thanks! For my situation, a tutorial on expo react native app with using secure storage as you mentioned and session storage would be great!

  • @yasharma2301
    @yasharma2301 5 місяців тому

    One benefit of cookie I think is SSR? JWTs stored in local storage cant be read on SSR since you won't be able to send it in the first document call, while if you use cookies you can fetch user data on the frontend server. Correct me if I am wrong

  • @i-am-artur
    @i-am-artur 4 місяці тому

    Thanks for the video a lot! I am currently working on a project with JWT, and was about to read on xss

  • @petaflop3606
    @petaflop3606 5 місяців тому

    the first auth I self-rolled was an OIDC IdP server to connect a third party to our existing session-based auth (not SaaS it was just for one particular partner). It was fiddly at first but once you get it, like most things, it doesn't feel so bad and I'd be much more confident doing it again if I had to

  • @maneeshparihar
    @maneeshparihar 4 місяці тому +3

    Thanks a ton ... nobody explained it better and all in one video.. I will need to dig a bit more in CSRF and XSS bits.. but still crisp and yet adequately detailed. Kudos

  • @SeanCassiere
    @SeanCassiere 5 місяців тому +12

    A wild Ben has appeared!

  • @CardinalHijack
    @CardinalHijack 5 місяців тому +1

    step by step tutorial on doing this, like the old style videos this channel did, would be super cool

  • @regularyt-pz4ki
    @regularyt-pz4ki 5 місяців тому +1

    bro just back like he never left

  • @gbbelloponce
    @gbbelloponce 5 місяців тому +1

    Amazing video man!!! It's literally what I've been looking for lately. I would personally love a video talking about the username/password login approach. Greetings!

  • @toTheMuh
    @toTheMuh 3 місяці тому

    5:30 - in a microservice environment you are most likely going to have a token AND a session cache, especially if you are working on a complex business SaaS (software like Salesforce, AWS, SAP, etc.) with RBAC/ACL/etc. The API Gateway will validate the token and then look up the users permissions in the cache.
    You could store the permissions within the token, yes. BUT that is very complicated. Imagine you have a user and that user has a role with a bunch of permissions. What if the permissions of the role change or the role of the user changes while the user is logged in?

  • @ryank9719
    @ryank9719 5 місяців тому

    A simpler way to invalidate tokens would be to create a table/collection for all your tokens. Then, when a user logouts, you search the table/collection for all tokens associated with that user and delete them.

    • @Sylvoo01
      @Sylvoo01 4 місяці тому

      Congrats you have just reinvented regular sessions

  • @jonacempelule9876
    @jonacempelule9876 4 місяці тому

    For the logic to invalidate the JWTs for ‘Signing out all devices’ why not have a Redis Cache/DB to keep track of blacklisted tokens, and set the expiration of that cached token to 15mins(or however your access token take long to expire).
    Now in your middleware, to validate the JWT you first check if the access token is blacklisted.
    Now when a user signs out of all devices, just have the other tokens in the blacklist cache.
    Your thought?

    • @prabaleshp1359
      @prabaleshp1359 3 місяці тому

      You can use it but in the end it'll become the same as sessions

  • @WillDelish
    @WillDelish 5 місяців тому

    Yep, oath + jwt + cookies be my fav flow right now. I have to use this at work.

  • @blancartembl
    @blancartembl 5 місяців тому

    One way to do it without relying on a sass product its to use Lucia Auth... full fine grained control of the flow without magic like others

  • @eleah2665
    @eleah2665 5 місяців тому +1

    He back! But the room, mic and cuts make it look like he's been kidnapped.

  • @eedoan
    @eedoan 5 місяців тому +1

    The true token is the friends we made along the way

  • @gabrielbiacchi6169
    @gabrielbiacchi6169 5 місяців тому +4

    Hell yeah you're back homie

  • @krishnabirla16
    @krishnabirla16 5 місяців тому

    Best web-dev video I saw this week.

  • @DanTheMan-rr3yg
    @DanTheMan-rr3yg 5 місяців тому +2

    great video, you should do a video on the username + password, but do the whole shebang too! Reset password, forgot username, two factor authentication, magic link too, etc.

  • @h45e32u4f
    @h45e32u4f 5 місяців тому

    This section looks great. And going deep into passwords, how to get credentials, why is not ok to send the token in cookies and get it in headers... Can be good.
    And in the future, I see you doing a video like this but " Exploring Coolify", host your own "vercel". It would be awesome to see that.
    Thank you for the information!

  • @akashdeb9823
    @akashdeb9823 5 місяців тому

    babe wake up ben's new video just dropped

  • @timkunze603
    @timkunze603 5 місяців тому +2

    Fun fact: saying "JWT" takes longer than just saying "JSON Web Token"

    • @SimonPaul-u7x
      @SimonPaul-u7x 4 місяці тому

      Fun Fact: everyone pronounced these two words now

  • @ashrafuzzamankhalid3465
    @ashrafuzzamankhalid3465 5 місяців тому

    Hey Ben, will you please make a video about career choices and their difficulties and how to make sure to learn it...

  • @TestFirstTestLast-m7u
    @TestFirstTestLast-m7u 3 місяці тому

    You can literally send the tokens through server cookies and if they sign out just remove the cookies and token itself from the db

  • @amagicpotato5511
    @amagicpotato5511 5 місяців тому +6

    Had to figure all this out myself a year ago. This video will serve well for anyone else that finds themselves in the same position. Thanks Benji!

  • @SoreBrain
    @SoreBrain 5 місяців тому

    I would have paid for this video more than I paid my auth provider 3 years ago.

  • @alexjmohr
    @alexjmohr 5 місяців тому +13

    Personally I still don't buy into using JWTs for auth in the front-end. I think they're more applicable to server to server contexts. The argument that you don't have to make a database call to validate the user's session isn't that strong, since in most requests you're going to hit the database anyway in order to do anything useful. The extra database call isn't that big of a deal. Refresh tokens add unneeded complexity for most projects. It's a LOT simpler to just store a cryptographically unique session ID (like a UUIDv4) in a cookie and use that to look up the session in the DB/Redis.
    Not hating on the video, I just think people jump to JWTs, refresh tokens, etc because they're fancy and trendy, but they're often misused.

    • @0xA
      @0xA 5 місяців тому +3

      You are absolutely correct. JWTs irrevocability make them a great target in security assessments. If there is restricted data being hosted by the application (PII), I would never allow JWTs to be used for authentication from a security architecture perspective. Learn it, use it on non-sensitive apps, but don't rely on them to be a truly secure means of authentication. Not to mention the common misconfigurations that often allow them to be altered or bypassed altogether.

    • @adithyagowda4642
      @adithyagowda4642 5 місяців тому +3

      It would be easier to use sessions to authorize a user if you already use sessions for other things, like tracking user behaviour, storing useful information like user's wishlist (in e-commerce websites) etc.,. You just need to add one more parameter of userId in the database and you have a working authorization mechanism.
      But creating a whole new database server (assuming sessions are mostly stored in a separate Redis DB), just for authorizing would seem to be a overkill as compared to using something like JWTs which are much easire to integrate with no added work of managing another database. But again, it largely depends on the use-case of your application.

    • @adamfarmer7665
      @adamfarmer7665 3 місяці тому

      If you are not using jwts on high concurrent users you are going to get pegged by lots of db requests on each request because you needed database for validation, and your application will suck. Of course If you are developing an in-house app that will be used by less than 10000 users, you can get by using beefier servers, since you are not paying for the servers anyways.

  • @comproprasad6438
    @comproprasad6438 5 місяців тому

    you can sign the session token as well and store in a cookie

  • @tanglesites
    @tanglesites 5 місяців тому

    Ben where you been? Good to see you back.

  • @hoangtrinh3448
    @hoangtrinh3448 5 місяців тому +4

    As a senior software engineer, I found this video is useful

  • @Zayetzo
    @Zayetzo 4 місяці тому

    This was a very good explanation thank you!

  • @amzabdrahim3350
    @amzabdrahim3350 5 місяців тому

    amazing video, please do more. this popped on my suggestions, clicked on it immediately. had to do jwt for a client, i didn't know how to set up the refresh token.

  • @alimahdi1012
    @alimahdi1012 4 місяці тому

    Throwback to a very similar video you made 4 years ago.

  • @marcgentner1322
    @marcgentner1322 5 місяців тому

    Love it. Practical and simple. I have build the db setup in php but I like your methods on the jwt way

  • @AlexCrocker
    @AlexCrocker 4 місяці тому

    Thanks! 🐊🐊🐊

  • @armaan-ci3nv
    @armaan-ci3nv 4 місяці тому

    can you make a more in depth version really focusing on best security practices that owasp has laid out?

  • @Niksorus
    @Niksorus 5 місяців тому

    Fantastic, I'm down for a longer video 😄

  • @MrMudbill
    @MrMudbill 5 місяців тому

    I really want to use secure cookies more, but it's next to impossible when you deal with an SPA that is hosted on a different domain as the API (for example using an "app" and "api" subdomain on the same primary domain). Cookies are extremely picky (hence their security), so getting cross-site cookies is a massive pain.
    Cookies are trivial in stuff like NextJS because you have the API on the same domain.

    • @0xA
      @0xA 5 місяців тому

      Should just have to set the domain attribute in the cookie no? Unless you're trying to access it with JS..

  • @dumbfailurekms
    @dumbfailurekms 5 місяців тому +2

    Is lucia analogous to passport.js or is it a higher level of abstraction

  • @vrinfotechies
    @vrinfotechies 4 місяці тому

    Yoo thanks for the explanation of creating a fully working auth model for my website thanks

  • @schoolofbillt2656
    @schoolofbillt2656 4 місяці тому

    This is so helpful. Thank you for this video!

  • @FatahChan
    @FatahChan 5 місяців тому

    Ben Awad making a video? what a surprise

  • @avi12
    @avi12 5 місяців тому +12

    Dev: How do I deal with auth?
    Ben: Yes

  • @N7Tonik
    @N7Tonik 5 місяців тому

    I can recommend firebase auth its dirt cheap, very fast (although its session based auth), and simple to setup (no need to manage auth via ur database or redis urself)

  • @jakeave
    @jakeave 4 місяці тому

    Good job! I like the explanation of the log out of all devices. Next let's do authorization 😂

  • @lynxcat4life
    @lynxcat4life 5 місяців тому +1

    the ThioJoe effect has hit Ben

  • @JOJO_THE_PROGRAMMER
    @JOJO_THE_PROGRAMMER 5 місяців тому

    he is back with tutorials!!!

  • @radunicolaeeduard9194
    @radunicolaeeduard9194 5 місяців тому +1

    I always use keycloak !

  • @trimpta
    @trimpta 4 місяці тому

    Where was this video when i had to go and do all this research myself

  • @knwanze
    @knwanze 5 місяців тому

    Good stuff Ben. Looking at your database queries in your screenshots, is that some ORM you're using or your own custom functions wrapped around SQL queries?

  • @jeremyshorter2641
    @jeremyshorter2641 5 місяців тому

    Please do an email password auth video, I need it. Most useful video you've dropped in a few years tysm

  • @joshuasingh854
    @joshuasingh854 5 місяців тому

    Bro thanks so much for this!! This was very useful and cleared a bunch of stuff for me!! Yes please do the next video if how you set up username/email and password

  • @richayy
    @richayy 5 місяців тому

    Hey Ben this was super helpful! I was wondering what's your strategy for refreshing tokens? Do you have a /refresh endpoint to handle this?
    But then how do you know when to call it?
    For example, say the expiry on your access token was 15 minutes. How does the client know "oh my 15 minutes is up, better go call the /refresh endpoint"? Do you use a timeout or do you poll in the background?

  • @jimshtepa5423
    @jimshtepa5423 4 місяці тому

    where have you been Ben?

  • @houssemchr1539
    @houssemchr1539 4 місяці тому

    Thank you for explication Ben, but how about using OAuth 2.0 ?
    I think it's the most secure one

  • @parlor3115
    @parlor3115 4 місяці тому

    Hope you can also cover how to do Auth with SSR apps like ones created with NextJS. Refresh / Access no longer works or, at least, not in the same way as with SPA's. I think both tokens will be stored in cookies except for mutation requests.

    • @rod6722
      @rod6722 4 місяці тому

      Look into Lucia Auth. It's very straightforward and it has guides for NextJS and a few other frameworks.
      NextAuth should also be good, but I haven't tried it.

  • @w.e.b_b
    @w.e.b_b 5 місяців тому +8

    I am stoked for this. You’re such an incredible engineer and I owe much of my success as a programmer to your teachings!
    Thank you my friend

    • @monsieurLDN
      @monsieurLDN 4 місяці тому

      What did you learn from him? I see mostly reaction videos

    • @w.e.b_b
      @w.e.b_b 4 місяці тому

      @@monsieurLDN you’ll have to go back to his content from 2018-2019ish when he was making more long form content

  • @PhilippBlum
    @PhilippBlum 5 місяців тому

    You also could have used Supabase and get this whole Auth with multiple service login out of the box.
    Yes, self-hosted.

  • @gavilansalcedo2422
    @gavilansalcedo2422 4 місяці тому

    THE KING IS BACK

  • @RyanLynch1
    @RyanLynch1 4 місяці тому

    welcome back king