Ask HN: What type of Auth are you using on your side projects?
I was looking at the Supabase docs and it was nice to see a long list of Auth workflows supported/documented. So my question is, here in October 2024, what are y'all using for Auth on your side projects? Password based, social, email, something else? If you are using social, which social do you support? Is there any public data on which types of Auth have the best conversion/bounce rates? And for you, which Auth is just easy to support long term and which just ends up being a drag? TY
38 comments
grepfru_it 8 months ago
Keycloak or auth0. The app should support oauth2, if it does not it gets traefik-forward-auth (or whatever it’s called) to enforce mfa then you are in.
There are tons of open source projects to complete the self service experience, from sign up systems to self service password resets.
diggan 8 months ago
This is the absolutely simplest of authentication (not authorization) schemes I've used that is both easy for people to use and prevents the simplest of spam/robots:
- Be able to store two types of tokens, one that is temporary, and one that is "permanent"
- Users can use their email address to get sent a temporary token (which expires if unused after X minutes)
- Users can click that link to change the temporary token for a "permanent" token they (the frontend) can use for authentication
- Clicking "Logout" invalidates the currently used "permanent" token
Biggest issue is making sure that whatever email provider you use for the "Login Emails" consistently sends emails quickly, as there is nothing worse than sitting for 2-3 minutes waiting for a login email because the provider batches sends or something.
This would specifically be for side projects. If it grows beyond that, you really should implement something with proper rotation and more, but there are tons of resources about that out there.
codingclaws 8 months ago
I develop an internet forum [0] that uses express-session with a Redis datastore for standard username and password website login. Separately, it also has a JSON API that uses OAuth 2 auth code flow with PKCE [1].
[0] https://github.com/ferg1e/comment-castles
[1] https://www.commentcastles.org/api#api-user-authentication
notamy 8 months ago
I’ve been using https://clerk.com. Not needing to build authentication / the UI / … as well as not worrying about hosting it myself has been nice.
masto 8 months ago
I've been in big tech and out of touch with the real world for a while, and I started a project only a couple of weeks ago to get a feel for what the cool kids are doing in web dev in 2024. So I can't claim any deep authority or experience with a lot of different approaches. But I picked Clerk because it was in a tutorial, and so far so good. It couldn't have been much easier, and the free tier seems more than generous enough to get through the prototype stage.
My main concern is that I don't want to weld too much of my design to any one service provider, so I've got to be careful about taking too much advantage of their feature set and API so that it won't be a pain if they go away or it becomes necessary to migrate to something else.
xena 8 months ago
A lot of my side projects are only visible over a VPN. I have no auth for them as it is not needed.
fragmede 8 months ago
Amazon Cognito. If I ever scale past a handful of users and it starts costing money I'll revisit but for a side project? Auth is the least interesting part and I just want it to work securely with no fuss.
koliber 8 months ago
In my latest side project I am allowing people to start using the tool without signing up. You can see it working on sandbox.wasitsent.com.
I am using Django’s user system. When a user comes and wants to use the app, I create a Django user and mark it as auto-created. Later, when they decide to sign up, I fill the details and I mark it as auto-created.
Using password auth for now. Will migrate to auth0 if enterprise customers knock on the door and want SAML.
dizhn 8 months ago
I first installed and configured Authentik with totp then found a million things I can integrate it into because it basically supports everything.
tommiegannert 8 months ago
I use Traefik with OpenID Connect for everything, and Google as IdP. It's few enough people that I simply add them manually to traefik-forward-auth's settings in Docker Compose.
https://github.com/thomseddon/traefik-forward-auth
j45 8 months ago
Appwrite, all in one, and it shockingly just works from install to go focus on building the side projects.
Cheap/free to self host. I have tried a bunch of the other ones and they all had things I liked but Appwrite gave me nothing to complain about other than getting on with building :)
WhatsName 8 months ago
Django allauth, 10 years later still a no-brainer.
For self-hosting Authentik + Traefik forward auth is an unbeatable combo.
ukuina 8 months ago
I delegate to Puter for https://hackyournews.com
HN post: https://news.ycombinator.com/item?id=41738273
ldenoue 8 months ago
I use firebase auth with Google, Facebook and email (magic link).
This is live at https://screenrun.app/
naveen99 8 months ago
No login required.
Just some ip based rate limits.
Ban misbehaved bot ip addresses.
https://hn.garglet.com (advanced search for hacker news)
infogulch 8 months ago
I was thinking Kanidm [1] for authentication and SpiceDB [2] for authorization would be a good combo, but I haven't gotten around to trying it yet.
[1]: https://kanidm.com/
[2]: https://authzed.com/docs/spicedb/getting-started/discovering-spicedb
sandreas 8 months ago
Social auth almost always means oauth (2.0). It's good to have this, because you could technically deploy your own oauth provider.
However, for my smaller personal side projects I rely on a simple JWT auth based on JWT, QR-codes and https-only as secure as possible cookies.
I plan to try openid but I did not have the time yet.
If you have a userbase, a local username/password login should be at least an option...
SLKerrigan 8 months ago
Selfhosted https://goauthentik.io/
JanisErdmanis 8 months ago
For admin panels, I use SSH port forwarding, as no additional configuration is needed for that. For users, I use email invite codes that contain the hash of the server’s public key and are pasted into a stand-alone client. That way, I don't need to maintain TLS certificates.
random_savv 8 months ago
We use Keycloak
skeptrune 8 months ago
Keycloak OIDC. Cannot go wrong doing this. Enterprise tested, easy to custom style, well documented hosting story, and no lock-in.
bearjaws 8 months ago
Supabase has very easy to set up auth while scaling beyond auth. You can use it standalone without issue.
djaouen 8 months ago
Phoenix Auth
antonpirker 8 months ago
None or username/pwd
shortrounddev2 8 months ago
I used to use Facebook because it's really easy to work with
vdelitz 8 months ago
clearly biased: https://corbado.com
chgs 8 months ago
X509 certs. They work nicely in an offline situation.
dylanzhangdev 8 months ago
I use lucia in svelte.
https://lucia-auth.com/
impure 8 months ago
Google, Apple, and Email using PocketBase.
John23832 8 months ago
Supabase
marginalia_nu 8 months ago
I make it a point not to have public user accounts for my stuff because it's such a liability.
For admin, I use HTTP basic auth like the boomer I strive to be.
thot_experiment 8 months ago
None. Users should handle their own data.
purple-leafy 8 months ago
Firebase
mjomaa 8 months ago
Auth.js!
Supported providers: https://authjs.dev/getting-started/providers/github
It's been really great so far and I can recommend it if you have a JS/TS codebase.
----------------------------
You can test Auth.js (v5 beta.22) in my Next.js 15 boilerplate:
https://achromatic.dev
• Credentials auth
• Google and Microsoft login
• Connected accounts
• Multi-factor authentication (via authenticator app)
• Session management