dwyl / hapi-auth-jwt2

:lock: Secure Hapi.js authentication plugin using JSON Web Tokens (JWT) in Headers, URL or Cookies
ISC License

Difference from official https://github.com/hapijs/jwt ? #351

Closed mariusa closed 4 years ago

mariusa commented 4 years ago

Hi, I'm just getting started with hapi. Trying to see what to use for JWT auth.

The official jwt module doesn't have any docs: https://github.com/hapijs/jwt

Would you please list the differences between this & official module? Would you consider asking the hapi team to make hapi-auth-jwt2 the official module, to reduce confusion for new users?

Thanks

nelsonic commented 4 years ago

Hi @mariusa thanks for opening this issue to seek clarity on this question. 🥇

As you have noted, the documentation for hapi-auth-jwt2 is comprehensive whereas the "official" module, as you have called it, has none. hapi-auth-jwt2 is never going to be the "official" module because the creators of Hapi cannot "own" it. The Hapi team could easily have avoided the "confusion for new users" by not creating the undocumented copy module.

https://www.npmjs.com/package/hapi-auth-jwt2 hapi-auth-jwt2 has more useful/tested+documented features contributed by people in the community who use the plugin in thousands of Apps.

https://www.npmjs.com/package/@hapi/jwt is a copy without any documentation attempting to power-grab from the well-established community-maintained module because they have a chronic case of "Not invented here" syndrome.

"I can't stand anyone else's code, so I don't use anyone else's code"
~ Eran Hammer

Instead of using a popular well-maintained, tested and documented JWT library like jws from Auth0, they have re-implemented everything from scratch without clear reason why. 🤷‍♂️ If they at least had performance benchmarks to illustrate why they needed to re-implement it, I would understand the decision. But even then, why not just open an issue on this repository so that the already popular module could be improved for all the existing users? This obviously creates confusion in the community, but they don't care.

If you are "just getting started" with Hapi I would advise you to immediately consider an alternative. I would suggest you and anyone else reading this to stop using Hapi and switch to something faster, more stable and a better Dev & User experience: https://www.phoenixframework.org

I don't say this lightly as I have invested thousands of hours in building Apps, modules and examples for the Hapi ecosystem. But I regret using and promoting Hapi. There have been so many breaking changes over the years that it's been painful and expensive to maintain the Apps we have built with it. I wish I could go back in time to 2014 and switch to Elixir sooner. 😢

I will continue to patch this module so that the people who rely on it can continue using it. But the writing is very much on the wall. By creating https://www.npmjs.com/package/@hapi/jwt, the maintainers of Hapi are saying: "this is ours now", they haven't made anything better or more performant, just something they can own and charge money for a Commercial License.

I won't be adding anything to the README.md of this repo as I don't want to say anything "negative". But I definitely would not use Hapi for any new Apps, there are much better alternatives with less drama.

Sorry if this is not the answer you were looking for. I really wish I didn't have to write this. 😞 I just want to save you time. ⏳ == 💰

mariusa commented 4 years ago

Wow, I really appreciate your in-depth answer! Thanks so much @nelsonic, I'll stay away from hapi. Will stick to express and will look into phoenix too.

As a separate thanks, this project has one of the most impressive & useful sets of docs I've seen. For example, you point to JWT libs that can be used with node, but without hapi. Thanks Nelson!

mariusa commented 4 years ago

PS: Would be useful to have this https://github.com/dwyl/hapi-login-example-postgres done with another framework that you recommend (express or phoenix), as a good example on how JWT auth should be handled in node.

nelsonic commented 4 years ago

@mariusa we already have a "turnkey" authentication solution for Phoenix: https://github.com/dwyl/auth We applied everything we learned from building auth systems at various companies and studying the implementation of Auth0, AWS Cognito, etc. Our code is always well-documented, tested and beginner-friendly. We know exactly how frustrating it is to be learning a new language/technology/framework/etc. That's why we write comprehensive step-by-step tutorials for everything, e.g.: https://github.com/dwyl/phoenix-todo-list-tutorial and https://github.com/dwyl/phoenix-chat-example

Express is good for lightweight Apps where you don't have too much application logic. The issue with Node.js in general is that being a single-threaded event loop, one error crashes the single process, i.e. a single (uncaught) error can bring down your site. So you end up having a lot of error-catching/handling boilerplate code ... Elixir has none of that. The VM assigns an ultra-lightweight process per request/user, so if one request has an error nobody else is affected. It's a far more robust and scalable way of building things.

Everything Hapi can do, Phoenix does much better. Even if you don't end up using Phoenix, you should add it to your "learn list" to expand your horizons. Once you see the power of Phoenix LiveView to create scalable realtime apps with minimal code you will see how archaic Hapi is ... https://github.com/dwyl/phoenix-liveview-counter-tutorial
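The "one uncaught error brings down the single process" point in the comment above, shown as an added example in plain Node.js (this is not code from hapi-auth-jwt2, the Hapi project, or the commenter). It models a request handler that throws on a malformed Authorization header: called naively, the throw becomes a rejected promise that, if nothing awaits it, is an unhandledRejection and terminates the whole process for every connected client; wrapped in the error-handling boilerplate, the same bad request becomes a 4xx/5xx response. The names `parseBearer`, `naiveHandler`, `safeHandler` and `demo` are hypothetical, the requests are constructed, and no HTTP server is started so it runs offline.

```javascript
'use strict';

// Hypothetical helper: pull the bearer token out of an Authorization header and
// throw on malformed input, the way a hastily written handler might.
function parseBearer(req) {
  const auth = req.headers.authorization;
  if (typeof auth !== 'string' || !auth.startsWith('Bearer ')) {
    throw new TypeError('missing or malformed Authorization header');
  }
  return auth.slice('Bearer '.length);
}

// Naive async handler: any throw becomes a rejected promise. In a real server
// a rejection nobody catches is an unhandledRejection, which Node (15+) treats
// as fatal, so one malformed request from one client takes down the process.
async function naiveHandler(req) {
  const token = parseBearer(req);
  return { status: 200, body: { tokenLength: token.length } };
}

// The boilerplate the comment refers to: a wrapper that turns any error from an
// async handler into a response so a single bad request cannot crash the process.
function safeHandler(handler) {
  return async function wrapped(req) {
    try {
      return await handler(req);
    } catch (err) {
      // Client-caused errors become 400; anything else is a 500 with no internals leaked.
      const status = err instanceof TypeError ? 400 : 500;
      const message = status === 400 ? err.message : 'internal error';
      return { status, body: { error: message } };
    }
  };
}

// Last-resort process-level hook, also part of the boilerplate: log and exit
// rather than keep serving in an unknown state. It never fires in this demo.
process.on('unhandledRejection', (reason) => {
  console.error('unhandled rejection, shutting down:', reason);
  process.exit(1);
});

// Constructed sample requests (not real traffic); the token value is a placeholder.
const goodRequest = { headers: { authorization: 'Bearer abc.def.ghi' } };
const badRequest = { headers: {} };

// Runs both paths and returns the observable results as an object.
async function demo() {
  let naiveRejects = false;
  try {
    await naiveHandler(badRequest);
  } catch (e) {
    naiveRejects = true; // caught only because demo() awaits it explicitly
  }
  const safe = safeHandler(naiveHandler);
  const ok = await safe(goodRequest);
  const bad = await safe(badRequest);
  return {
    naiveRejects,
    okStatus: ok.status,
    tokenLength: ok.body.tokenLength,
    badStatus: bad.status,
    badError: bad.body.error,
  };
}

demo().then((result) => console.log(result));
```

From a defender's point of view the wrapper is an availability control: without it, any client able to send a malformed header can crash the service, so a reviewer should check that every async route is either wrapped like this or runs under a framework that does the equivalent (Hapi does catch errors thrown inside its handlers and converts them to 500 responses; the risk is code that escapes that path, e.g. callbacks or timers started from a handler).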