DEV Community

Learn and Build Web Authentication System (Universal Principles)

Deepak Ahuja 👨‍💻 on September 02, 2019

What's an Authentication? Servers are basically stupid computer programs who cannot remember who and what made a request after serving i...

A Lost Boy

I had to build an authentication system just like you described this weekend, and there are a lot of things that I have done in the same way.

One thing that is worth noting is that bcrypt is not the most recommended way for salting and hashing passwords anymore. I will not try to get into details because I'm not a security expert, but there are several blogs and questions about this, and the consensus today is to use Argon2. I suggest people do their own research and reach their own conclusions.

PS: There is a typo on "remember" in the GenerateRemeberToken function.


Deepak Ahuja 👨‍💻

Thanks a ton for reading the article thoroughly! I get it, there are many other better and worse alternatives, but for most cases (like a person starting out on their web dev journey) with a decent computer, the compression algorithm to generate the hash would be just fine. There are alternatives like scrypt, PBKDF2 and argon2 which are said to be better, but I'd say not every platform I have seen supports scrypt, and argon2 needs a GPU to churn out better results. The idea is to learn what hashing is and how it is different from encryption; then these can be looked into. Thanks for pointing out the typo. I am truly grateful for guiding readers towards more curiosity-driven solutions.
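An added example of the hashing-versus-encryption point discussed in the two comments above; it is not code from the article or from anyone in this thread. It uses PBKDF2-HMAC-SHA256 from Python's standard library only because that is available everywhere (scrypt and Argon2 are the better choices where a library for them is available). The stored-string format, the iteration count, and the function names are assumptions of this example. The practical detail it shows is that the salt and work factor are stored next to the digest, so old records still verify and can be upgraded after a successful login, and that there is no key anywhere that could turn the stored value back into the password.

```python
import base64
import hashlib
import hmac
import os

# Work factor for newly created hashes. Assumed policy value for this example;
# raise it over time and let needs_rehash() pick up the old records.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per password means two users with the same password
    get different records, and a precomputed table is useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN
    )
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def _parse(stored: str):
    """Split a stored record into (iterations, salt, digest); raises on bad input."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    return int(iterations), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        iterations, salt, expected = _parse(stored)
    except (ValueError, TypeError):
        return False  # malformed record: treat as no match, never as a match
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record used a weaker work factor than current policy.

    Call this right after a successful verify_password(), while the plaintext
    is still in hand, and store hash_password(password) in place of the old record.
    """
    try:
        iterations, _, _ = _parse(stored)
    except (ValueError, TypeError):
        return True
    return iterations < PBKDF2_ITERATIONS
```

Note that `verify_password` never compares the plaintext to anything stored; it can only re-derive and compare digests, which is the difference from encryption the reply above points at.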


Carlos Magno

Nice post. It helped me to understand a few concepts I was in doubt. Thank you.


Deepak Ahuja 👨‍💻

Thanks a ton for reading it through! Please implement it on your own in a side project before using ready-made authentication services. It gets really easy to understand and explain. One cool thing you could do is add some sort of caching so that you don't have to query the database using rememberTokenHash for each page visit.
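An added example of the caching idea in the reply above; it is not code from the article or from anyone in this thread. The server hands the raw token to the browser cookie, stores only its SHA-256 in the database, resolves each page visit through a short-lived cache before touching the database, and clears both on revocation. `RememberTokenStore`, the dict-backed `db` and `cache` (standing in for a users table and something like Redis), the two TTL values and the injectable clock are all assumptions of this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed 30-day "remember me" lifetime
CACHE_TTL_SECONDS = 300             # assumed 5-minute cache entry lifetime


class RememberTokenStore:
    """Hypothetical store. `db` stands in for the persistent table and
    `cache` for an in-memory cache; both are plain dicts so this runs offline."""

    def __init__(self, clock=time.time):
        self.db = {}        # token_hash -> (user_id, expires_at)
        self.cache = {}     # token_hash -> (user_id, cached_until)
        self.db_queries = 0  # counter so the cache effect is observable
        self.clock = clock

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is persisted: a dump of `db` yields no usable cookies.
        # Hashing a 256-bit random token needs no salt or slow KDF, since
        # it cannot be guessed the way a human password can.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id: int) -> str:
        """Create the cookie value for a user; persist only its hash."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.db[self._hash(token)] = (user_id, self.clock() + TOKEN_TTL_SECONDS)
        return token

    def lookup(self, token: str):
        """Resolve a cookie token to a user id, or None. A cache hit skips the DB."""
        now = self.clock()
        h = self._hash(token)
        hit = self.cache.get(h)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.db_queries += 1
        row = self.db.get(h)
        if row is None or row[1] <= now:
            self.cache.pop(h, None)  # drop a stale cache entry, if any
            return None
        user_id, _ = row
        self.cache[h] = (user_id, now + CACHE_TTL_SECONDS)
        return user_id

    def revoke(self, token: str) -> None:
        """Logout or password change: remove the DB row AND the cache entry.
        Forgetting the cache keeps a revoked token alive until its entry expires."""
        h = self._hash(token)
        self.db.pop(h, None)
        self.cache.pop(h, None)
```

The cache TTL is the upper bound on how long a token stays usable after some other code path revokes it without evicting the cache (for example a password change that deletes all of a user's rows by user id); keep that TTL short, or also index cache entries by user id so they can be evicted together.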


Carlos Magno

On my last project, I encrypted the user ID and stored it in the cache. So when the user accesses an authenticated page, the server takes the cached ID, decrypts it (only the server knows the key) and stores it as a session variable, so the user will always be logged in. But I don't know if it was a good idea.


Deepak Ahuja 👨‍💻

Let me think about it for a while; I will get back to you with some cons of this approach, which I had chosen earlier. :)


Pacharapol Withayasakpunt

A web server can be made stateful by adding session storage. I don't know when it is required, though.


Rishi Dadheech (edited)

It is a very informative and valuable blog for me in order to understand "Web Authentication System By Universal Principles". But I would suggest one blog on "clean code core concepts".


Deepak Ahuja 👨‍💻

Thanks a lot for reading it through! Yes, Clean Code practices are a thing I have wanted to do for a while now. I think a pocket guide is a good idea, with examples. Cheat sheets come in handy and people use them more often, so it is retained in memory.


ayaanraj

What do you think of JWT tokens?


Deepak Ahuja 👨‍💻

Once you get the hang of these basic principles you can choose any ready-made stuff you want. The idea is to learn why a certain service exists and how to create our own. The ready-made services are not very alterable :)