
Web Development Pitfalls: The Dangers of DIY Auth

September 5, 2023
September 13, 2023

Authentication is a critical part of modern websites and web apps. Everything from ecommerce stores to membership sites will almost always have some form of authentication for its users. As a web developer, creating an authentication system can seem daunting because of the security involved in storing people's passwords and sensitive account data. It's difficult to keep up with all the security threats out there when you're juggling a DIY authentication system, maintenance, and developing new features. Luckily, there is tooling available for web developers that can help them authenticate their users with minimal effort. Products such as Firebase, Lucia, and NextAuth.js all provide ways to offload authentication from your developer to-do list. In this episode, Matt and Mike discuss why you would (or would not) roll your own auth, and your available options if you don't want to make your own.




Show Notes

What you'll learn in this episode

  • The dangers of rolling your own auth (DIY)
  • Why some situations call for a DIY auth
  • DIY authentication alternatives:
    - Authentication libraries such as NextAuth.js and Lucia
    - Backend-as-a-Service via Firebase and Clerk

How to support the show


Prices subject to change and are listed in USD

  • Support the show from as little as ~$1/month
  • Get a shoutout at the end of the episode (while supplies last) for just ~$3/month
  • Help support the HTML All The Things Podcast: Click Here

Scrimba Discount!

We receive a monetary kickback when you use our link

  • Learn to code using Scrimba with their interactive follow along code editor
  • Join their exclusive discord communities and network to find your first job!
  • Use this URL to get 10% off on all their paid plans:


What does Authentication do in your web app?

  • From a basic high level, what do we need auth for in our apps?
    - Sign up and sign in
    - Control access to sensitive information
    - Allow users to create, read, update and delete (CRUD) their own data, and only their own
  • That doesn't mean that it's a simple system
  • You need to account for different sign-in methods
    - OAuth (Google, Apple, GitHub, etc.)
    - Magic links
    - Web3 (wallet-based sign-in)
    - Password
    - SSO (enterprise)
  • Enhanced security
    - 2FA
    - Encryption of sensitive data in transit and at rest
    - Password hashing with a slow, salted algorithm (never store plaintext passwords)
  • Client/server session auth
    - How do you make sure, on every request after login, that your users are actually who they say they are (session cookies or tokens, expiry, logout)
  • Storing and accessing user account information
    - Email
    - Social links
    - Any custom fields you need for your users

Why you shouldn’t Roll your own Auth (DIY)

  • Don't reinvent the wheel
  • What could go wrong
    - Account takeover
    - Data leaks (for example, plaintext or weakly hashed passwords in a breached database)
    - Users seeing each other's account data (a valid login is not a permission check; every request still has to verify the user owns what they asked for)
    - Brute-force attacks (no rate limiting or lockout on login attempts)
    - XSS
      - An attacker gets JavaScript into a link or page that runs when the application loads and steals session tokens, letting them log in as you

What you should use Instead

  • Auth frameworks (authentication libraries that run inside your own app)
    - NextAuth.js
    - Lucia
  • Auth as a service (often bundled into a Backend-as-a-Service, BaaS)
    - Firebase/Supabase
    - Clerk

When does it make sense to roll your own Auth?

  • Learning how auth works
  • Major confidential work that requires extremely specific security protocols
    - Even then, build on pieces that have been thoroughly tested (a vetted cryptography library, for example) rather than writing your own