Should new apps have authentication already set up and working?

[flybayer]

Now that the built in session management has landed in canary, we need to decide on the best way to provide the higher level authentication code like hashing passwords.

The auth preview docs currently shows all the code you need to add to have user signup, login, and logout. Missing pieces right now are password reset and email confirmation.

I am following the same approach as José Valim is for Elixir. (he's the creator of Devise for Rails and the creator of Elixir)

That means that we need to generate the basic auth code into apps.

My proposal is to go ahead and include all the basic auth code in new apps, like a User and Session db models and all the code for signup/login/logout etc. If someone doesn't want it, they can easily delete it.

Later once we have installer recipes fully implemented, we can move the auth code into a recipe. Then during blitz new we can show a prompt that allows you to add auth or not.

What do y'all think?

[marquelzikri]

Yes, I think that would mean a lot of time being saved😬

[merelinguist]

Yep I agree with all that completely!

[wKovacs64]

Yep! 👍

[nyn0x]

For me sure. In my cases I will always need user management.

[parweb]

yes

[gabrilator]

Great idea!!!

[aem]

A natural evolution of recipes is to be able to uninstall them, so I bet we can add an easy way to remove the auth setup if you don't want it.

[flybayer]

Ok, the crowd has spoken! We'll add auth to the new app template 😎

[leonardofaria]

Thanks for blitzjs. I had blitzjs in my todo list for play projects for a long time and I loved your docs and the general concept 💯

I am looking at your docs but I am not sure how to uninstall the authentication system (I don't think it got implemented)

Use case: I am working in a small app with a single model (and using a shared database for unrelated reason) and I don't need authentication.

What would be the best option to remove it? Thanks in advance

[flybayer]

@leonardofaria delete the app/auth/ folder, remove sessionMiddleware from blitz.config.js and then remove any ctx.session usage from your queries/mutations

[SharadKumar]

@flybayer it would be good to have Email (passwordless) and one Social (Google with OneTap) working out of the box. Both backed by our datastore. Email with password credentials is not a best practice no more and perhaps not a good representation for new users adopting our shiny new framework.

NextAuth.js has a good simple implementation of Email passwordless, for example. One-Tap adoption is picking up for its ease and Google auth is virtually everywhere.
https://google-one-tap.now.sh/

[flybayer]

We can add installer recipes for passwordless and social, so it'll be easy to add those. But for the default app, I feel pretty strongly that email/password is the best for most people. As long as you are doing proper password hashing and require a minimum password length, it's highly secure.

[SharadKumar]

Okay @flybayer, recipes will get the similar outcome.

Yes of course, hashing is secure.
It is the human side of things that makes passwords vulnerable and hence losing marketshare.