Login system

Hi guys, I'm trying to make a production-grade app and have never done a login system before. I feel like I have the general gist: make a form, get username and password, check against a database table, and if valid, send a 200 and a JWT for subsequent requests for the client to authenticate. Problem is, I don't know a secure way to do this. I don't want to take any chances as this will be a production-grade app, so does anyone have any resources I can follow to make a foolproof, secure login system? I am using MERN.
8 Replies
13eck (2y ago)
If your login service is yours and not an external service, I would highly suggest not using JWTs. Sure, they're all the rage and the new hawtness, but they solve a very specific problem that's not usually a problem that's faced: truly stateless auth. It's great if you're using Login With Microsoft/Google/Discord/etc. b/c the actual auth server is not under your control. But if it's your own system then a session cookie (HTTPS only, secure) is going to be better for you. Especially if you have any info that needs to be safeguarded.

You can't "log out" a JWT…it's stateless. The JWT is valid until the expiry date, so a hijacked token can't be de-authorized. Well, not without having a list of de-auth'd tokens…but then you'd need to check your DB each time and that completely defeats the purpose of JWTs being stateless :p

In addition to that, you need to have a pretty solid grasp on cryptography because you should never ever ever store non-hashed passwords. And you must salt the password before hashing to protect against rainbow table attacks. And you need to know what hashing algorithm to use (Argon2 or scrypt) with your salt to make it as secure as possible.

Login systems are not easy to do well, and super easy to do very badly. It's probably one of the most complex bits of any service because of all the security considerations (timing attacks, rainbow table attacks, error messages that give too much info, etc.).

Here's some good info on storing passwords: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Info on sessions: https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html
And some great info on JWT (while it specifies Java, the advice is solid for any JWT implementation): https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html#token-explicit-revocation-by-the-user
vince (2y ago)
Thank you a lot for the info! I really don't want to do it myself as I know I can't possibly think/code for everything. Are there some APIs/services I can use, like you were saying before?
ErickO (2y ago)
To add to your question and to Beck's ominous message, it would indeed be better for you to use an Auth service instead of making your own. When it comes to backend services, there are a few things even large teams like to avoid implementing themselves, and Auth is one of them. Payment processing is another, btw. There are a few services you can use depending on what your use case is; I see you're using MERN, so Auth0 might be the best option.
vince (2y ago)
Yea, I was actually just looking at Auth0 haha. I just need a simple login/register system.
ErickO (2y ago)
Services (meaning you pay unless the free tier is enough for you):
https://auth0.com/
https://firebase.google.com/docs/auth
https://aws.amazon.com/cognito/
https://clerk.dev/

Open-source (meaning you can self-host):
https://www.keycloak.org/

Also keep one thing in mind: there's a difference between Authentication and Authorization. If you're using Next, there's also Next-Auth.
vince (2y ago)
Thank you again for all the information 😁 I'll have to carefully look through all this stuff in a bit.
ErickO (2y ago)
Yeh, don't get overwhelmed. If Auth0 does what you want and the free tier is enough for you (or, if you expect the app to grow, check if the pricing seems fair to you), then just go with that.
vince (2y ago)
Yea, that's definitely what I'll do, just trying to keep it simple haha.