DEV Community

Discussion on: JSON web tokens are NOT meant for authenticating the same user repeatedly: Use session tokens instead

Justin Gross • Edited

The problem with most articles that most people are reading is that they aren't articles about security, what it means, or what it should look like. Part of the problem is that people go looking for these exact articles (i.e. "how do I do security?"). Not only that, most resources for the why, how it works, examples in the form of real production "grade" solutions, and the like are dismissed because "I'm just making a POC", or "I don't expect any users", or "I know enough, it's just auth! How hard can it be? It's like user input and hashing, right?", or "I'm just learning", or "I'm just looking for something simple or easy", etc., etc., etc. That's all great. If you want to learn how databases work you can totally write your own, but you should probably, for the sake of your users, simply use an existing database for a "real" product. Unless of course your product in fact is a database. This is very similar to the countless individuals who cowboy code their way to success rebuilding wheels and reinventing concepts (generally very poorly) because the resources they were searching for were how to do something (how do I use JWTs, how do I access Redis in Node, etc.) instead of why you would want to do something, what it means, how it works, what things have evolved over time by a collective of incredibly smart people that I can learn from by their example, etc. Emphasis should be on learning and understanding, not just on doing. Too many people skip straight to "how do I do?" Those "how I do" articles rarely, if ever, go over how you should do it, essentially teaching you the bare minimum, at a very low bar of quality, the absolute minimum to do XYZ, and rarely talk about what it means and why you shouldn't put these tutorials and those Stack Overflow copypastas in a real product.

All of that being said, there are numerous resources for understanding what security is, what it can be, and why it's important to standardize it, and there are several organizations which have been thinking about, studying, and evolving security concepts and standards for years and years. These are the resources one should look to when trying to understand what security means, which standards and expectations to follow, and how they may fit for a given product or company. If you're interested in understanding what security is, what it means, and how it may fit into your product, in the context of identity and authorization, I implore you to check out the following couple of resources and start looking for resources which aren't just tutorials and "how I do" articles.

identityblog.com/wp-content/images...

openid.net/2021/04/10/the-7-laws-o...

idsalliance.org/