How To Build Auth From First Principles

For the past 2 iterations, we have used the Phoenix Web Application framework to build our Auth system. The reasons for this choice are outlined in dwyl/technology-stack#phoenix, so we won't repeat them here. Phoenix is a "batteries included" framework that includes many features out-of-the-box.

Our Auth system is a standalone Phoenix instance that has its own separate database. This is a very deliberate choice. We want to enforce a complete separation of concerns between Auth and the App that uses Auth.

@TODO: insert diagram illustrating relationship between Auth and App.

Beyond the security benefits of separating Auth, the practical rationale is simple: the code for building an Auth system is ~3kloc (see: wikipedia.org/Source_lines_of_code). If we include all the Auth code in our main App it adds to the complexity of the App and thus increases the time it takes someone to grok it. The longer it takes people to understand the App code, the less likely they are to contribute to the App.

Note: we are not suggesting that people should not also try to understand what Auth is doing. On the contrary, we want as many people as possible to understand all aspects of our stack. However, we acknowledge that Auth and "People Management" are not the most interesting part of the stack. It's akin to the "plumbing" in your home: absolutely necessary and needs to function flawlessly, but not something you actively think about unless there's something that isn't working as expected ...