Comments
-
What if I told you you can put a thing called a database behind your own app and do your own user auth?
-
@JustThat I'm using a 3rd party service for user auth. They tout "trust" in much the same way.
After talks with their devs it's revealed they're just using AWS cognito for the actual auth.
BUT, their API collects the clipboard when the app connects to it.
Thusly, we have involved an entire third party, 2 seconds of API calls and callbacks just for auth, the need to revalidate a token every 15 minutes, and we HAVE to do so against an API I'm about 80% sure I personally could inject SQL into, and I'm not even a "hacker".
Meanwhile, some RDS with bcrypt and SSL does ACTUAL security that doesn't have 100 fuckin endpoints to secure and sanitize.
TL;DR ~ Security went retarded about 4 years ago and nobody, literally NOBODY, has a fucking clue how any of it works. Even the experts just abstract cognito and then bill you monthly for being a middleman that just slows down your app.
-
Marl3x @HiFiWiFiSciFi Security is a topic that really cuts my motivation on projects. I don't want to depend on something or even pay for passion projects, but always when I look into implementing my own I'm told: "Don't." On the other hand there are people who write their own authentication system for every project.
What's your opinion?
-
@HiFiWiFiSciFi I wouldn't trust this particular database to save my life. I also prefer to outsource auth to companies like Auth0 because they can also leverage global threat data against all of their customers. We get protection because another company saw brute-force attacks. Sure, I can write better auth in my database, but personally I hated Okta's implementation, and I loved Auth0. When I see this, I'm already looking for alternatives. Cognito has quirks that make it just perfectly "non-standard" anymore.
-
@Marl3x I have a prebuilt lamp and node (my own) user auth, management, and session tracking.
I usually offer that up for about 8 hours.
Often I do need to do auth through AWS cognito tho for a lot of IOT stuff already, so it’s kind of ok.
But having to go against a third party REST API who in turn is just abstracting Cognito to make it “easy” is just a step too far for me.
I mean if the client is paying I’ll code it, but I don’t like it and I think it’s just so Users can be made into a monthly billable SaaS like every other damn thing.
Auth0 and Okta merge.... Is Cognito the only other major player here? This merge now makes an Auth monopoly!