How To Build Auth
From First Principles
For the past 2 iterations, we have used the Phoenix Web Application framework to build our Auth system. The reasons for this choice are outlined in: dwyl/technology-stack#phoenix so we won't repeat them here.
Phoenix is a "batteries included" framework that includes many features out-of-the-box.
Our Auth system is a standalone Phoenix instance that has its own separate database. This is a very deliberate choice. We want to enforce a complete separation of concerns between Auth and the App that uses Auth: the App's database never has to hold credentials or other personal data, and a bug in the App cannot read or modify Auth's tables directly.
@TODO: insert diagram illustrating the relationship between Auth and App.
Beyond the security benefits of separating Auth, the practical rationale is simple: the code for an Auth system is roughly 3 kLOC (thousand lines of source code, see: wikipedia.org/Source_lines_of_code).
If we include all the Auth code in our main App it adds to the complexity of the App and thus increases the time it takes someone to grok it. The longer it takes people to understand the App code, the less likely they are to contribute to the App.
Note: we are not suggesting that people should not also try to understand what Auth is doing. On the contrary, we want as many people as possible to understand all aspects of our stack. However, we acknowledge that Auth and "People Management" is not the most interesting part of the stack. It's akin to the "plumbing" in your home: absolutely necessary and it needs to function flawlessly, but not something you actively think about unless something isn't working as expected ...