How to Roll Your Own Auth

  • Published 19 Nov 2024

Comments • 344

  • @con-f-use
    @con-f-use 3 months ago +655

    I was fully prepared for sarcasm and snark. Instead I got the most useful short intro on web-authentication there is.

    • @snowballeffect7812
      @snowballeffect7812 3 months ago +6

      We were taught how to roll our own auth at my boot camp just so we could have a deeper understanding on how it works and what can go wrong. Super valuable skill to have!
      to clarify, we did this from scratch, including hashing and salting passwords and using session tokens.

    • @vaishnavejp9247
      @vaishnavejp9247 3 months ago +1

      that all of ben's videos

    • @petleveler8366
      @petleveler8366 3 months ago +2

      @@snowballeffect7812 that is the basics everyone should know that

    • @snowballeffect7812
      @snowballeffect7812 3 months ago

      @@petleveler8366 you'd be surprised, apparently. maybe they do know that, but it seemed rare for anyone to implement working auth from scratch.

    • @snowballeffect7812
      @snowballeffect7812 3 months ago

      @@petleveler8366 not sure why my response was deleted lol. but I'll try again and say that I don't think most devs have implemented auth from scratch on their own.

  • @msilence2009
    @msilence2009 3 months ago +420

    I PERSIST MY TOKENS ON MY ARMS USING TATTOOS.

  • @goober9105
    @goober9105 3 months ago +314

    No way he's back

    • @2breezy866
      @2breezy866 3 months ago +2

      We are so back

    • @yaaaayeet745
      @yaaaayeet745 3 months ago +3

      hostinger bro :)

    • @zweitekonto9654
      @zweitekonto9654 3 months ago

      guess what, he is

  • @emptytank604
    @emptytank604 3 months ago +35

    This was quite possibly the best and most concise explanation of how to implement auth I have seen. Thank you!

  • @vinceerkadoo45
    @vinceerkadoo45 3 months ago +62

    Literally popped on my suggestion seconds before i was going to search for this!

    • @ghdshds1899
      @ghdshds1899 3 months ago +1

      damn google really has your personal data dead to rights

  • @AndrewScofield
    @AndrewScofield 3 months ago +18

    Great high level tutorial for a very confusing topic! There are so many tutorials out there that make it seem like you have to start out at enterprise level complication, when in reality a setup like this is going to work great for most people.

  • @zb2747
    @zb2747 3 months ago +16

    Very concise explanation of JWT vs Sessions. Interesting to see how your take on the two has developed over the years. I find your videos super helpful when it comes to doing auth without 3rd party
    Lastly, it’s great seeing you Ben. Much peace and success brother

  • @MaxPicAxe
    @MaxPicAxe 3 months ago +9

    I can't believe you just explained so much about auth I had no idea about in this short video, so well. Thank you.

  • @mikealejandro3938
    @mikealejandro3938 3 months ago +2

    Ben, you're my inspiration for becoming a web dev. It's been like 3 years since I started this journey seriously (at 17); now I have a decent job. Thanks for existing brother, love your vids, we miss you homie!

  • @schism15
    @schism15 3 months ago +2

    Perfect timing for this. I had just decided to try rolling my own auth on my latest side project since it's not critical, will be low traffic, and I'm tired of auth feeling like such a black box.

  • @philhumphreys
    @philhumphreys 2 months ago

    I've just watched several videos on this topic whilst deciding on how to proceed and this is by far the best one. I love fireship vids but this extra depth into pros and cons gives Jeff a run for his money. Keep it up! I'd love to see a collab between you two.

  • @rohithk6466
    @rohithk6466 3 months ago +3

    Hi Ben this video was pretty useful, kindly keep coming back with these

  • @user-zo2ky4mz7d
    @user-zo2ky4mz7d 3 months ago +3

    I was just researching this for a side project. Thanks Ben for reading my mind.

  • @PedroPedruzzi
    @PedroPedruzzi 3 months ago +4

    Very nice. I've used this design with two JWT, but never seen it explained anywhere. Cool!

  • @rutvikpatel7640
    @rutvikpatel7640 3 months ago +2

    You uploaded this video right when I needed it! You answered more of my questions in just 15 mins than I found answers to online in the last 2 days. Thank you so much. And please make a next video on how you set up username and password auth.

  • @Andres-Estrella
    @Andres-Estrella 3 months ago +1

    Thanks!
    Auth is one of those things you have to implement 2 or 3 times to fully understand.

  • @ygvanz
    @ygvanz 3 months ago +1

    From all of the authentication videos I have seen, you explained everything very well.

  • @maneeshparihar
    @maneeshparihar 3 months ago +3

    Thanks a ton ... nobody explained it better and all in one video.. I will need to dig a bit more in CSRF and XSS bits.. but still crisp and yet adequately detailed. Kudos

  • @bojidaryovchev9995
    @bojidaryovchev9995 2 months ago

    that's why we love you Ben, what an amazing video, mad props yo, tight, tight tight tight!

  • @devxsadik
    @devxsadik 3 months ago +1

    i missed this type of content bro
    pls keep doin it

  • @kevinroleke2769
    @kevinroleke2769 3 months ago +2

    You don’t need to buy a service for email. It’s a bit annoying, but you can set up Postfix on a VPS and point MX, SPF, DMARC records.

  • @buzz1ebee
    @buzz1ebee 3 months ago +1

    He's back! Great overview. I've rolled my own auth quite a few times and this is a great guide.
    Recently I've been using a self hosted zitadel instance for the user management and I have a reusable nestjs module for handling all the zitadel oauth stuff and session management etc. Super easy to add additional auth providers or implement 2fa via settings on zitadel without changing anything at all on my backend which is just basic session cookies storing access and refresh tokens for zitadel.

  • @w.e.b_b
    @w.e.b_b 3 months ago +8

    I am stoked for this. You’re such an incredible engineer and I owe much of my success as a programmer to your teachings!
    Thank you my friend

    • @monsieurLDN
      @monsieurLDN 3 months ago

      What did you learn from him? I see mostly reaction videos

    • @w.e.b_b
      @w.e.b_b 3 months ago

      @@monsieurLDN you’ll have to go back to his content from 2018-2019ish when he was making more long form content

  • @pt_trainer9244
    @pt_trainer9244 3 months ago

    Summarized months of learning all of this in a short video, good stuff

  • @theo_ludwig
    @theo_ludwig months ago

    Well explained, straight to the point with pros and cons of each method.
    Thank you!

  • @pingxtratech
    @pingxtratech months ago

    This is so good. Nice one.
    With regards to Cookies vs LocalStorage, I always have my reservations and would usually choose LocalStorage as it'll only keep the user logged in on the Frontend. If it is tampered with, the user is kicked out of the system.
    I realized one thing: even with cookies, when I copied the cookies with their values from a certain browser and put them in a different browser, all I had to do was reload the page and I was logged in.
    Great insight though.

  • @Smurfis
    @Smurfis months ago

    I absolutely love this, was asking for it and he provided thanks Ben

  • @Yaxqb
    @Yaxqb 3 months ago

    here I have walked literal years wondering why we have refresh tokens. Your explanation is so clear

  • @SeanCassiere
    @SeanCassiere 3 months ago +12

    A wild Ben has appeared!

  • @amagicpotato5511
    @amagicpotato5511 3 months ago +6

    Had to figure all this out myself a year ago. This video will serve well for anyone else that finds themselves in the same position. Thanks Benji!

  • @Sindoku
    @Sindoku 3 months ago

    Oooohhh crap, our boy Ben Awad is finally back. Welcome back baby, we missed you.

  • @ayushgupta0010
    @ayushgupta0010 3 months ago +1

    My go-to method is to use JWT with a refresh token and token version, make the access token short-lived, like 15 min, and store it in the memory on the frontend.

  • @erickshaffer6615
    @erickshaffer6615 3 months ago

    PLEASE KEEP THIS GOING, VERY EDUCATIONAL

  • @SalimOfShadow
    @SalimOfShadow 3 months ago +2

    I always really really liked how you explained everything!!!
    Really enjoyed this quick rundown

  • @alessiotucci0
    @alessiotucci0 3 months ago +2

    Great intro to authentication, Thanks a lot Ben

  • @gabrielbiacchi6169
    @gabrielbiacchi6169 3 months ago +4

    Hell yeah you're back homie

  • @regularyt-pz4ki
    @regularyt-pz4ki 3 months ago +1

    bro just back like he never left

  • @KazSadeghi
    @KazSadeghi 3 months ago

    This is insane, best auth video / resource I've seen

  • @_solstice
    @_solstice 3 months ago

    very good video, everything was super clear, maybe this is a bit niche or too specific to be useful but a video about how you'd go about rolling your own oauth provider would be very interesting imo

  • @CardinalHijack
    @CardinalHijack 3 months ago +1

    step by step tutorial on doing this, like the old style videos this channel did, would be super cool

  • @gbbelloponce
    @gbbelloponce 3 months ago +1

    Amazing video man!!! It's literally what I've been looking for lately. I would personally love a video talking about the username/password login approach. Greetings!

  • @krishnabirla16
    @krishnabirla16 3 months ago

    Best web-dev video I saw this week.

  • @DanTheMan-rr3yg
    @DanTheMan-rr3yg 3 months ago +2

    great video, you should do a video on the username + password, but do the whole shebang too! Reset password, forgot username, two factor authentication, magic link too, etc.

  • @i-am-artur
    @i-am-artur 3 months ago

    Thanks for the video a lot! I am currently working on a project with JWT, and was about to read on xss

  • @WillDelish
    @WillDelish 3 months ago

    Yep, oauth + jwt + cookies be my fav flow right now. I have to use this at work.

  • @KevinNaughtonJr
    @KevinNaughtonJr 3 months ago +1

    great vid super informative benjamin

  • @marcgentner1322
    @marcgentner1322 3 months ago

    Love it. Practical and simple. I have built the db setup in php but I like your methods on the jwt way

  • @TechTube-22
    @TechTube-22 3 months ago +1

    Auth with cookies makes your API only callable via browser, so if you want to use it in a mobile app, you have to change maaaany things

  • @Alphfirm
    @Alphfirm 3 months ago

    Sweet, thanks! For my situation, a tutorial on an expo react native app using secure storage as you mentioned and session storage would be great!

  • @amzabdrahim3350
    @amzabdrahim3350 3 months ago

    amazing video, please do more. this popped on my suggestions, clicked on it immediately. had to do jwt for a client, i didn't know how to set up the refresh token.

  • @JOJO_THE_PROGRAMMER
    @JOJO_THE_PROGRAMMER 3 months ago

    he is back with tutorials!!!

  • @akashdeb9823
    @akashdeb9823 3 months ago

    babe wake up ben's new video just dropped

  • @gavilansalcedo2422
    @gavilansalcedo2422 3 months ago

    THE KING IS BACK

  • @h45e32u4f
    @h45e32u4f 3 months ago

    This section looks great. And going deep into passwords, how to get credentials, why it's not ok to send the token in cookies and get it in headers... Can be good.
    And in the future, I see you doing a video like this but " Exploring Coolify", host your own "vercel". It would be awesome to see that.
    Thank you for the information!

  • @lynxcat4life
    @lynxcat4life 3 months ago +1

    the ThioJoe effect has hit Ben

  • @V0LAT1LE_
    @V0LAT1LE_ 3 months ago +1

    The 2 doors in the back are hitting some weird parts in my brain. It's like they are saying red pill or blue pill

  • @joshuasingh854
    @joshuasingh854 3 months ago

    Bro thanks so much for this!! This was very useful and cleared a bunch of stuff for me!! Yes please do the next video on how you set up username/email and password

  • @SoreBrain
    @SoreBrain 3 months ago

    I would have paid for this video more than I paid my auth provider 3 years ago.

  • @eleah2665
    @eleah2665 3 months ago +1

    He back! But the room, mic and cuts make it look like he's been kidnapped.

  • @Niksorus
    @Niksorus 3 months ago

    Fantastic, I'm down for a longer video 😄

  • @codingwithjamal
    @codingwithjamal 3 months ago

    Ben coding tutorials back lets goo🔥

  • @eedoan
    @eedoan 3 months ago +1

    The true token is the friends we made along the way

  • @RyanLynch1
    @RyanLynch1 3 months ago

    welcome back king

  • @FatahChan
    @FatahChan 3 months ago

    Ben Awad making a video? what a surprise

  • @zeroliuxiyuan
    @zeroliuxiyuan 3 months ago

    The good old Ben is back

  • @vrinfotechies
    @vrinfotechies 3 months ago

    Yoo thanks for the explanation of creating a fully working auth model for my website thanks

  • @jakeave
    @jakeave 3 months ago

    Good job! I like the explanation of the log out of all devices. Next let's do authorization 😂

  • @Zayetzo
    @Zayetzo 3 months ago

    This was a very good explanation thank you!

  • @MedKani
    @MedKani 3 months ago

    Welcome back I guess, thanks for the video

  • @nigelyong9060
    @nigelyong9060 3 months ago

    ⏱ CHAPTERS ⏱(By TimeSkip AI)
    00:00:00 - Introduction to Authentication Setup
    00:01:30 - Setting Up Your VPS with Hostinger
    00:02:51 - User Account Verification and Security
    00:04:30 - Session Storage vs JWTs Explained
    00:05:36 - Implementing JWTs for Authentication
    00:06:52 - Managing User Sessions and Tokens
    00:09:40 - Best Practices for Token Storage
    00:11:35 - Front-End User Authentication Checks
    00:12:41 - Conclusion and Resources

  • @ashrafuzzamankhalid3465
    @ashrafuzzamankhalid3465 3 months ago

    Hey Ben, will you please make a video about career choices and their difficulties and how to make sure to learn it...

  • @tanglesites
    @tanglesites 3 months ago

    Ben where you been? Good to see you back.

  • @danielsharp2402
    @danielsharp2402 3 months ago

    For me refresh token is usually not a JWT since accessing the database is happening there anyway. And that gives you the best of both worlds with revoking as well. Usually stored in redis with EX.
    Also for early MVP services I like to do a Frankenstein approach of letting an access token close to expiry refresh itself (works quite well, but obviously isn't as good as refresh tokens).

  • @jeremyshorter2641
    @jeremyshorter2641 3 months ago

    Please do an email password auth video, I need it. Most useful video you've dropped in a few years tysm

  • @schoolofbillt2656
    @schoolofbillt2656 3 months ago

    This is so helpful. Thank you for this video!

  • @metro_0x
    @metro_0x 3 months ago

    Good tech content is back ❤❤

  • @codewgem
    @codewgem 3 months ago

    You actually have YT. I just saw you on tiktok 😂 now I'm gonna be your subscriber

  • @radunicolaeeduard9194
    @radunicolaeeduard9194 3 months ago +1

    I always use keycloak !

  • @timkunze603
    @timkunze603 3 months ago +2

    Fun fact: saying "JWT" takes longer than just saying "JSON Web Token"

    • @SimonPaul-u7x
      @SimonPaul-u7x 3 months ago

      Fun Fact: everyone pronounced these two words now

  • @trimpta
    @trimpta 3 months ago

    Where was this video when i had to go and do all this research myself

  • @ryank9719
    @ryank9719 3 months ago

    A simpler way to invalidate tokens would be to create a table/collection for all your tokens. Then, when a user logs out, you search the table/collection for all tokens associated with that user and delete them.

    • @Sylvoo01
      @Sylvoo01 3 months ago

      Congrats you have just reinvented regular sessions

  • @ThatOneCEO
    @ThatOneCEO 3 months ago

    I wish this video came out 24 hours earlier

  • @dumbfailurekms
    @dumbfailurekms 3 months ago +2

    Is lucia analogous to passport.js or is it a higher level of abstraction

  • @saramshshrestha7641
    @saramshshrestha7641 3 months ago

    Welcome Back

  • @blancartembl
    @blancartembl 3 months ago

    One way to do it without relying on a SaaS product is to use Lucia Auth... full fine-grained control of the flow without magic like others

  • @petaflop3606
    @petaflop3606 3 months ago

    the first auth I self-rolled was an OIDC IdP server to connect a third party to our existing session-based auth (not SaaS it was just for one particular partner). It was fiddly at first but once you get it, like most things, it doesn't feel so bad and I'd be much more confident doing it again if I had to

  • @yasharma2301
    @yasharma2301 3 months ago

    One benefit of cookies I think is SSR? JWTs stored in local storage can't be read on SSR since you won't be able to send it in the first document call, while if you use cookies you can fetch user data on the frontend server. Correct me if I am wrong

  • @alimahdi1012
    @alimahdi1012 3 months ago

    Throwback to a very similar video you made 4 years ago.

  • @juanfelipemonsalvevargas602
    @juanfelipemonsalvevargas602 2 months ago

    Amazing video bro!

  • @toTheMuh
    @toTheMuh 2 months ago

    5:30 - in a microservice environment you are most likely going to have a token AND a session cache, especially if you are working on a complex business SaaS (software like Salesforce, AWS, SAP, etc.) with RBAC/ACL/etc. The API Gateway will validate the token and then look up the user's permissions in the cache.
    You could store the permissions within the token, yes. BUT that is very complicated. Imagine you have a user and that user has a role with a bunch of permissions. What if the permissions of the role change or the role of the user changes while the user is logged in?

  • @hrithiksingh73
    @hrithiksingh73 3 months ago +1

    ben is back 🎉🎉

  • @roycebracket8816
    @roycebracket8816 3 months ago

    thanks for the video i was just looking up this last night lol

  • @avi12
    @avi12 3 months ago +12

    Dev: How do I deal with auth?
    Ben: Yes

  • @alexleung842
    @alexleung842 3 months ago +2

    Wrong answer. You would use passkeys. Those should become the standard

  • @N7Tonik
    @N7Tonik 3 months ago

    I can recommend firebase auth; it's dirt cheap, very fast (although it's session based auth), and simple to set up (no need to manage auth via your database or redis yourself)

  • @MagicMan123ification
    @MagicMan123ification 2 months ago

    He's alive great

  • @comproprasad6438
    @comproprasad6438 3 months ago

    you can sign the session token as well and store in a cookie

  • @pranjalagnihotri6072
    @pranjalagnihotri6072 3 months ago

    Bro is back 🚀🚀🚀🚀🚀

  • @TestFirstTestLast-m7u
    @TestFirstTestLast-m7u 2 months ago

    You can literally send the tokens through server cookies and if they sign out just remove the cookies and token itself from the db

  • @StarCourtesan
    @StarCourtesan 3 months ago

    Easy to understand and covers everything :)