Show HN: The most comprehensive authentication library for TypeScript

35 points, posted 12 hours ago
by khanmitdoit

22 Comments

9dev

an hour ago

With direct dependencies on Node.js modules, you outright prevent using other runtimes like Cloudflare workers, Deno, etc.

Node has decent support for WebCrypto, for example, which renders all usages of node:crypto obsolete.

At this point, I’d also argue that anything not promoting PassKeys as the default method is on the wrong track.

bekacru

21 minutes ago

The only place where "node" is necessary is for password hashing, as there’s no cryptographically secure way to hash passwords on CF Workers or other edge runtimes. So, there really isn't any other option. At this stage of the project, supporting Deno isn't a priority, but for those not using email and password auth, CF Workers and other edge/serverless runtimes should work just fine.

bilater

an hour ago

The API looks basically the same as any auth library, and I have no idea how you approach this differently than other solutions?

I checked out the docs and it looks great, and you seem to have all the bases covered, but I think having a "Why" in the intro is helpful, as well as comparisons to other solutions like next-auth, Supabase Auth, etc.

jakubmazanec

3 hours ago

I cannot comment on the quality of the library, but please change the name to something other than "Better auth" - such generic names are difficult to search for. You do want your users to find stuff relating to the library without false positives, right?

bekacru

3 hours ago

Thanks for the suggestion. Surprisingly, it’s actually quite easy to search for. There aren't many false positives. It’s already the first result that comes up on Google.

mnahkies

3 hours ago

Looks pretty interesting. I see it supports social logins, but it doesn't look like generic OAuth/OIDC/SAML is supported yet - I think that'd be the killer feature, as rolling your own user/pass login isn't all that hard, but generic SSO is where things get tricky.

If you add that, I've started working on a SCIM client implementation in TypeScript that could be a nice complement (or just a jumpstart) in future (https://github.com/mnahkies/node-scim).

bekacru

2 hours ago

Thanks. Yeah, that should be supported down the road.

melenaos

an hour ago

It might be better auth, but it really needs better docs!

Is this for node.js projects? I thought it would be something for a client side project.

pdyc

an hour ago

I dislike auth libraries directly messing with the DB and forcing a particular table schema on apps, but I keep seeing it in most auth libraries in the TypeScript/JS ecosystem.

bbor

3 hours ago

Can you share your reasoning behind the tagline? It seems like a hard sell, which doesn't necessarily help the otherwise gorgeous-looking website and solid-seeming API choices. Like:

  JWT-Based Authentication: We won’t support JWT-based auth unless provided by a third-party plugin.

Right there you've missed something that, say, next-auth covers natively + extensively. What kind of "comprehensiveness" are you targeting?

EDIT: Wow, just want to double down on the "gorgeous website" comment after clicking through your docs. Well done, inspiring work! Clear, concise, and eminently navigable.

bekacru

3 hours ago

Thanks for the kind words! I don’t think a single library should support two fundamentally different session methods—it adds unnecessary complexity, especially with the plugin ecosystem. That said, I could see it being added as a plugin if there’s a real need.

splatterxl

4 hours ago

I'm not a big fan. I think the advantages of rolling your own fully custom auth outweigh the simplicity of a plug-and-play framework like this.

Sure, there might be some use-cases and I can see why people might opt for it, but not me...

neilv

3 hours ago

I've rolled my own before (including implementing several distinct F500 SSO variants atop it). I'm sympathetic to the benefits of that, but I think most Web developers would get the nuances of it wrong, to the point of increasing both system downtime and security vulnerabilities.

That said, I recently went to add off-the-shelf JS/TS authn to a new SvelteKit app, looking at a few different packages, and was surprised how rough it was to do any method other than sell out your users to adtech companies just a little bit more. (The last off-the-shelf auth framework I used, for Python Flask, was more straightforward to add, and for a rich feature set.) So there seems to be an opportunity to do better.

mckirk

3 hours ago

Did you take a look at Lucia? If so, what were your thoughts on it?

neilv

3 hours ago

I think I'll probably use Lucia for my second attempt, though initially Auth.js looked like it would work more rapidly out of the box.

(I threw out the first attempt, and decided that my most urgent needs, for standing up the beta site and then showing previews for prospective partners, only needed a mix of Nginx HTTP Basic Auth and then simply non-public URLs. Which I could do in minutes, and would also have lower friction for partners to look at. Once authn for normal users percolates back up the project management urgency-sorted backlog, I'll take another quick look at off-the-shelf options, in case there's changes, and then expect I'll probably go with Lucia. Or maybe this Better Auth will be looking like what I want.)

bschmidt3

3 hours ago

> most web developers would get it wrong

> need a technical co-founder?

Insufferable. What's the most impressive thing you've ever done? Just curious

neilv

2 hours ago

">" is a convention for verbatim quotes. Please don't use it for paraphrasing.

Also, please try to avoid uncharitable interpretations, as well as ad hominem attacks. HN guidelines: https://news.ycombinator.com/newsguidelines.html

madeofpalk

2 hours ago

FWIW, it is a verbatim quote from their bio. Using one’s bio to dunk on them is an age-old tradition.

Comment is still insufferable. Perfect caricature of SF HN tech bro.

neilv

43 minutes ago

> FWIW, it is a verbatim quote from their bio. Using one’s bio to dunk on them is an age-old tradition.

That's not what was paraphrased.

> Comment is still insufferable. Perfect caricature of SF HN tech bro.

I believe that a related idea, "Don't roll your own crypto[graphy]", is widely accepted good advice.

Authentication in Web systems overlaps with that, and has a bit of the same nature.

Though the nuances in Web systems aren't as hard as the nuances can get in cryptography math and protocols, and in computer implementation of same. Still, it's much harder than it looks, to get sufficiently right. Most people don't have time for that.

Personally, I take both seriously. I don't touch cryptography implementation myself directly. And lately (as I said in the original comment), I'm trying to use off-the-shelf Web authentication. Because, as I implied, it's hard to get all the nuances right.

Aside: "Dunking on" other commenters sounds to me like contemporary social media personal attack sport, which I'm trying to avoid on HN. When I stopped by HN on Saturday morning, to get a little startup business mindset/enthusiasm, before spending the day working on an indie Web project, I wasn't looking to have a reasonable assessment called "insufferable" by some random new account. (A new account of someone who seems to be having a bad day, and getting off on the wrong foot with HN, with every single one of their 6 comments attacking other commenters.) And then, after I tried to respond reasonably constructively to them, some other person, who might've misread the situation, jumps in to double down for the new account. Maybe all 3 of us would like to start the day over, and not spread bad-day contagion further?

davedx

3 hours ago

Yup, I've come to the same conclusion. I browsed the source of this project, in particular the password hashing and encryption; it seems overcomplicated compared to a KISS bcrypt implementation. I’ve also spent way too much time integrating Auth0 on previous projects, and I now think the cost/benefit of using third-party auth is very debatable.