
Discussion on: Node.js Express Login example with PostgreSQL

Justin Gross (justintime4tea)

We need to stop teaching people it's OK to roll their own identity. I've seen so many of these tutorials/articles lately. These kinds of posts should be hedged with a disclaimer like "not in production" or "for learning only", because this is exactly the kind of thing that will result in the building of wildly insecure applications and websites. Getting auth wrong hurts users. Teaching people to roll their own auth hurts developers and users. It's very closely related to people following Stack Overflow posts (by follow I mean copy pasta) where those posts are a "make it do a thing" answer and not a "do it right, how you would do it in production" answer.

Casey Juanxi Li (sometimescasey)

"we need to stop teaching people it's ok to roll their own xxx"

I think this sentiment is pretty anathema to the purpose of The author of that article works for Azure. It's in Azure's interest to make all developers feel like auth is out of their wheelhouse and something they should be paying someone else to do. All the solutions he listed - Auth0, Azure, Google, Okta - are paid services which profit from the above mindset.

A company might very well come to the cost-benefit analysis that it makes more sense to pay Okta's fees than to write their own auth solution. Nobody disagrees with that. But that doesn't mean tutorials shouldn't exist, or that people shouldn't try to learn more about how auth works when they have the time, or when the stakes aren't all that high. I personally appreciate OP taking the time to create content on something that I want to understand better. Shaming them for their work seems unnecessary.