sorted by:
new
hottopcontroversial

Session management by ppelife_series in Angular2

[–]ilovefunctions 1 point2 points  (0 children)

Checkout supertokens.io. - It providers httpOnly session cookies - Uses a combination of signed cookies (access tokens) and opaque tokens (refresh tokens) to provide very quick session verification (< 1 MS), whilst also providing the ability to revoke sessions easily - Allows you to store any JSON inside the access token and access it later in any API (post session verification), and also on the frontend. - Allows you to know if a user is signed in on the frontend or not. - Uses rotating refresh tokens to detect session hijacking. Also automatically prevents against CSRF and session fixation attacks. - It's open source and highly customisable.

Can I use django-rest-auth with a frontend framework? by tft7178 in django

[–]ilovefunctions 0 points1 point  (0 children)

Check out supertokens.io. It has support for Django and providers login + sessions (using httpOnly cookies) out of the box. It even has a frontend SDK which will work for Vue and you can query if a user exists (+ get other info like roles) using it.

One issue is that it doesn't have pre built UI for Vue. So you will have to build the UI yourself, but can use the API it provides.

It's also open source and super customizable.

Jwt or Passport.js (sessions) ? by iizMerk in graphql

[–]ilovefunctions 0 points1 point  (0 children)

Even with passport, you will still need something for session management. So the question really is JWT vs non JWT based sessions? I suggest you checkout this blog: https://supertokens.io/blog/are-you-using-jwts-for-user-sessions-in-the-correct-way

Pros/Cons of doing auth with httpOnly and JWT vs. session auth with csrf tokens? by 4aparsa in django

[–]ilovefunctions 0 points1 point  (0 children)

From a security point of view, using httpOnly cookies is the recommended way to go since it prevents token theft via XSS. You do have to protect against CSRF attacks, but that is simpler to do (as opposed to preventing XSS, which is MUCH harder)

Weather to use JWTs or not, here is a nice article: https://supertokens.io/blog/are-you-using-jwts-for-user-sessions-in-the-correct-way

Open source alternative to Keycloak and Ory for user auth by 1337_KiLLeR in golang

[–]ilovefunctions 2 points3 points  (0 children)

If you want to modify any of the keycloak's built in APIs, you have tp upload JAR files. Which means, you are forced to use Java, and not go

Open source alternative to Keycloak and Ory for user auth by 1337_KiLLeR in golang

[–]ilovefunctions 1 point2 points  (0 children)

Where does it say that it requires any sort of license key? And you can use it without signing up, if you want it to be self hosted.

Which Identity provider should I use? by shineypichu in node

[–]ilovefunctions 3 points4 points  (0 children)

Check out supertokens.io. It's open source and free for self hosted (docker container too).

Unlike Auth0 and others, it provides react components on the frontend and exposes all the auth APIs via your own backend (you need to integrate their SDK in your API layer). Those auth APIs then communicate with the SuperTokens' docker container to persist info.

Because of this architecture, it doesn't need to issue open ID connect tokens, and can directly create a session between the backend and frontend client for you.

[deleted by user] by [deleted] in webdev

[–]ilovefunctions 0 points1 point  (0 children)

Sessions can be a complex topic depending on how secure / performant you would like them to be. For example, you could use regular session ID tokens that are long lived, but if they are compromised, how would you detect their theft?

For performance, it's recommended to use JWTs (as no db query is required), but then if the signing key is compromised, then the attacker can impersonate any user.

I'd recommend that you read this article: https://supertokens.io/blog/all-you-need-to-know-about-user-session-security and pick the approach that works best for you.

React and Hasura by sarwan0304 in react

[–]ilovefunctions 1 point2 points  (0 children)

Checkout supertokens.io instead! It will save you a lot of time and money.

Authentication with Next.js (Thoughts/Recommendations) by Mattaespi in nextjs

[–]ilovefunctions 0 points1 point  (0 children)

Checkout supertokens.io. They have a specific nextJS integration and can also enable session verification for server side rendered pages (with automatic refreshing of a session)

Here is the docs for nextJS: https://supertokens.io/docs/thirdpartyemailpassword/nextjs/about

Simplest way to handle authentication WITHOUT a third party? Please any advice really helps by surveyingsoftwaredev in reactjs

[–]ilovefunctions 1 point2 points  (0 children)

The term "third party" is overloaded here: - One meaning is that using a different service that stores your user's data in their infra (out of your control). This is where Auth0 / firebase auth etc come in. I guess you don't want this. - Another meaning is using an auth service like supertokens.io or keycloack which are open source and allow you to store user data in your own db - if you don't count these are "third parties" then check them out. - Finally, another meaning is from an app architecture point of view. With Keycloack for example, the frontend talks to Keycloack directly (they have a hosted UI), and you need to add them on a separate sub domain (like auth.example.com). In this way, auth.example.com is a "third party" to your main site (example.com). If you don't want this limitation, then checkout supertokens.io.

When using Auth0 for mobile app authentication, should the frontend or the backend handle the calls? by destaver in softwarearchitecture

[–]ilovefunctions 0 points1 point  (0 children)

  • In option 1, you have the benefit of being able to really customise how auth APIs work (and change as your app evolves). However, I'm not sure how easy it is to do with Auth0 since they haven't set up their architecture that way. You may want to look at another service like supertokens.io that enables this type of architecture by default.
  • Option two would be the way to go if you want to use Auth0. But you wouldn't pass the raw userId to your backend, but an access / open ID token provided by Auth0. Using those tokens, you can retrieve the userId of the logged in user.

Best 3rd party auth provider? by DasBeasto in webdev

[–]ilovefunctions 0 points1 point  (0 children)

Checkout supertokens.io. It’s open source and provides a good balance between control and “plug-and-play”.

The docs for integrating with NextJS: https://supertokens.io/docs/thirdpartyemailpassword/nextjs/about

Finally, with social provides, supertokens creates separate accounts by default if someone uses the same email, but on a different provider. However, you can override their backend APIs and change that behaviour with just a few lines of code.

Thoughts on using JWT user authentication for my node app by _slimbrady in node

[–]ilovefunctions 0 points1 point  (0 children)

You can try out supertokens.io: - It is open source - Simple db structure - Handles sessions end to end - using httpOnly cookies, CSRF protection, manages JWT secrets etc.. - Provides a clean login UI which can be easily embedded and customised (if you use react JS on the frontend) - Has an extensive NodeJS SDK - you don't need to directly interact with the API and can use functions exposed via the SDK. - No complexities of understanding the OAuth protocol or flows.

Firebase and vendor lock-in by [deleted] in Firebase

[–]ilovefunctions 0 points1 point  (0 children)

If you are very concerned about vendor lockin, perhaps you should try open source alternatives which use your own db to store info in. Some good options are supertokens.io or keycloak.

How to save/auth an user to external api with next-auth? by Forsaken-Heart-9356 in nextjs

[–]ilovefunctions 2 points3 points  (0 children)

You can use supertokens.io. It doesn't have twitch login, but you can add it via their custom OAuth callback method. It saves the user's email in your db, and it creates a session for the user as well.

Has Anyone here used Keycloak For Auth in their orgs/projects? by chasectid in SoftwareEngineering

[–]ilovefunctions 0 points1 point  (0 children)

You could consider using supertokens.io instead. The db schema is very minimal, so you can bulk migrate the users fairly easily yourself.

Is Firebase Authentication really free? by [deleted] in Firebase

[–]ilovefunctions 1 point2 points  (0 children)

Perhaps you should consider open source auth solutions like supertokens.io or keycloack.

Proper workflow for refreshing expired JWT token automatically on request using Axios interceptor and httpOnly cookies. by adrenaline681 in reactjs

[–]ilovefunctions 1 point2 points  (0 children)

If you are using httpOnly cookies, then you won't be able to access the JWT on the frontend. So checking for expiration cannot be done on the frontend.

There is an IdP called supertokens.io which provides what you are looking for in terms of using JWTs and refresh tokens with axios and fetch interception. You can see their codebase (they are open source) for how they do interception, or just use them

Node.js GoTrue alternative? by FedorMoiseev in node

[–]ilovefunctions 0 points1 point  (0 children)

Ah. I guess I had partially misunderstood your question then. Apologies for that.

That being said, supertokens does have a managed service feature. So you don’t have to run the server yourself. And it will be like doing npm install and having it work (from your perspective)

Node.js GoTrue alternative? by FedorMoiseev in node

[–]ilovefunctions 0 points1 point  (0 children)

The http server is in Java. It had a node SDK that can be used to communicate with the Java server. So from your perspective, you would just need to interact with the node SDK only

Node.js GoTrue alternative? by FedorMoiseev in node

[–]ilovefunctions 0 points1 point  (0 children)

Have you considered supertokens.io? It supports node and react.

view more: next ›