Building a full stack web application can be a daunting challenge. One made much easier when you break it down into smaller pieces, tackling them one at a time. You need your server for an api and your front end GUI for user interaction. More than likely a database will be needed to persist data.
Security is also a huge concern and one I don’t take lightly. I’ve worked a long time in the IT industry and have seen the damage that security breaches can cause to people and companies. Making sure user data is safe and contained is very important too.
This was the most intimidating part of the planning process for my project.
Sure, I learned how to hash passwords with bcrypt and how to use Node email libraries to send out recovery emails. Understanding sessions and JWT was something else I delved into as well. I built a few prototype APIs for practice, did my best to test them–only to feel a measure of uncertainty that I was building a truly secure application.
I’m still relatively new to software development. I’ve never built an enterprise or serious authentication system myself. Reaching out to some of my mentors, a lot of them suggested that I practice (as I have been), but never roll a system I made myself into production.
At least their reassurance made me feel better as far as my lack of confidence. That meant I needed to use someone else’s service. My first instinct was to go with Firebase, which I had used before with previous projects. But, decided to do some research.
I had seen other tutorials and postings from Auth0, a service specializing in helping people delegate the process of authentication.
Note: I have no relation to Auth0, I was just a curious customer. Funny story though--I discovered them months ago because of a job ad they posted. I sent my resume and never heard anything at all back. I bet my resume fell into the ATS abyss, or they found an engineer way better than me.
Documentation & Ease
For my experiment, I decided to roll a Node and Express server with Vue.js as my front end library. Immediately upon creating my account with Auth0, and I was presented succinct examples using said technologies.
Doesn’t get much easier than that.
I followed the walkthrough and was able to get the front end setup within a few minutes in a new Vue.js instance and integrate the auth with protected routes. Everything I needed to secure my little client side application was done.
I couldn’t believe it.
Documentation is a huge thing for me as a developer. I tend to shy away from libraries or products that aren’t well documented. For example, I also looked towards Okta, another similar service–and their documentation didn’t seem as straight forward or well presented. So, kudos to Auth0 there.
Not to knock on Okta. Because, both services are way better than Firebase, which in my previous experience left me bewildered, confused, and Googling for hours. (In fact, it’s kinda a weird universe where I need to Google to find out how to use a Google product, but I digress.)
The attempt wasn’t without issues. I had a few things pop up, but mostly due to my own errors and not configuring things correctly inside of my Auth0 dashboard. Once I fixed those, it was smooth sailing.
Securing API on the Node/Express side of things was even easier than the Vue setup. Keep in mind–if Node isn’t your flavor of serve-side code, they have similar tutorials for just about all the major frameworks in all the major programming languages.
Auth0 really cares about making the developer experience simple, fast, and intuitive.
They win at that goal, in my mind. Their documentation is probably second to only Gatsby’s, which I’ve raved about before in other impression articles I’ve written.
There’s more to Auth0 than just a simple authentication service. You can link up social logins from all your favorite OAuth providers, as well as having your users register with email and password.
I tried out using Google OAuth and also the default email and password authentication provided by Auth0.
Data is imported to build a profile for you in the client side of your app. Also, you can add metadata fields for the other data need about your user. For example, if you want a field for a user’s light/dark theme preference–it’s easily added to the profile.
Also, they give you the ability to implement roles–which falls into the authorization side of things. I didn’t toy with that much (I’m still in the planning stages of my app), but I can already see that being a huge boon.
I remember having to come up with my own way of doing that with Firebase authentication.
Auth0 has a smorgasboard of other features–for example SSO integration, logging, hooks (which let you write logic that happens, much like a database trigger), and multi-factor authentication.
All in all, if it’s an important or well known authentication or authorization feature, they’ve implemented it.
The elephant in the room. All the features in the world are amazing, but if something is too pricey–no one is going to use it. As with most cloud providers these days, Auth0 offers a very generous free tier. It lets you play around with their product and learn–without requiring an up front investment.
The price is going to vary depending on how big your app is. I am thinking I may never need to pay them a dime. However, if my app does grow, the next tier is only $23 a month for 1,000 active users. It should more than pay for itself at that point.
If you’re looking to use it in enterprise, the price is somewhere around $1k a month or more. I have no idea if that’s reasonable or not, as I’ve never built an enterprise scale application. I guess at that level it depends on how much development time you want to spend rolling your own authentication and authorization. You probably could save a lot of time and money simply handing that responsibility off to the experts, who do it well.
This example app is nothing crazy but it will give you an idea of how it works and what the code looks like. Most of it can be found in the documentation, but here’s what I put together in a few hours of messing around.
Live Version: https://vue-express-auth0.herokuapp.com/
I plan to use this example as a boilerplate for future applications.
I’m a huge fan of Auth0 now. What do you guys think? Has anyone else played around with their service or have any insight?