Login and Register Authentication

[Darealtube]

Login and Register Authentication and Authorization

We already have a Login page found in `pages/index.tsx` and also a Register page in pages/register.tsx`.
All we need now is a kind or method of Authentication and Authorization of users, we will worry about **Sessions** for later.

We will have to choose a way of Authentication

Auth0, JWT tokens, and many more that might do the trick.

Copyright © Canvas, 2020

[Darealtube]

This is now completed with the use of Auth0. Auth0 will handle both the Authentication and the Authorization process in our website. Although it will get pricy the more users we have, the profit will pay off. If anyone of you have found something that's cheaper, add another Issue.

[Darealtube]

I have switched from Auth0, which is a paid authentication service that we used to implement, to NextAuth.js, an Open Source authentication system. I will list the Pros and Cons of each one, so hopefully we'll be able to finalize our decision.

[Darealtube]

AUTH0 VS NEXT-AUTH

AUTH0 and NEXT-AUTH are both Authentication Services that provide secure and safe Authentication on Browsers. This is going to compare the two so we can decide on what Authentication Service we should use.

AUTH0

Pros

• Provides Very Secure Authentication and Authorization
• Universal Login for Safe Authentication
• Protect API Routes with requireAuthentication function
• Free plan is good for startups
• Paid plan offers many good features such as Passwordless Login, MFA, and many more.

Cons

• Paswordless Login (More secure than Email/Password Login) is not available to the Free plan.

• 7k Active Users Limit from the Free plan.

• Authentication is expensive the more users there are using the website (can be maintained properly IF company can accumulate more money than what is needed).

• You don't own the data on the Free plan, as Custom Database usage is only for paid plans.

• Limited Social Providers with Free plan. (Logging in with Google is a way of logging in from a Social Provider)

• If we think we could maintain the paid plan for Auth0 (which is 565,218.94 PHP/year for Developer Pro, or we can 'Talk to Sales' about the pricing), then that means we could (almost) guarantee the safety and security of our website and our users' data.

NEXT-AUTH

Pros

• Free
• Provides Very(?) Secure Authentication and Authorization
• Provides Passwordless Login
• Customizable Callback Sign in Page
• Unlimited Social Providers
• You own your data, own Database

Cons

• Open Source (That means that the source code is open to everyone, which means there may be a possible attack on the actual source code which will badly affect every website that uses NextAuth.js)

• Probably does not provide MFA (Multi Factor Authentication)

• Documentation is lacking

• Not known by many people

• As long as the Source Code for NextAuth remains unharmed, then NextAuth would provide us (almost) the same level of safety and security that Auth0 has, and we'll have advantage such as Passwordless Authentication and Own Database Storing.

Right now, I've implemented NextAuth into our website, because of its advantages over the Auth0 Free plan, and because it made some things so much easier, I even got to delete alot of files that I needed for Auth0. It is not an easy choice, because we must think of our Auth in the long term. Auth0 in the long term depends on how well the website is doing, how much money is getting generated, how many users are getting active every month, etc. NextAuth in the long term depends on how well will the Source Code get maintained and be safe from possible attacks, although we can actually add features on our NextAuth if we wanted to since Auth0 is only open source, we can add more features to our NextAuth. It is not an easy decision to make, but it's good if we establish a solid one.

For more info on each Authentication Service, check out these sites:

Auth0 Pricing

https://auth0.com/pricing/

Auth0 Features

https://auth0.com/security https://auth0.com/authentication

NextAuth Features

https://next-auth.js.org/ https://next-auth.js.org/faq#security

Comments:

I actually really like both Auth0 and NextAuth, but the only thing I'm worried about is if we use Auth0, the price for the paid plan may not be maintained, so it all depends on the performance and how well our website would do in the long run. If we use NextAuth on the other hand, we can cover things that Auth0 does not provide on the Free plan, such as Passwordless and having our own Database, but I have a sense of uncertainty because aside from those, there isn't really much documentation on NextAuth, and we need all kinds of protection that Auth0 offers, but I don't know for sure if NextAuth implements those as well.