DEV Community

Userfront Devs for Userfront

Posted on

When has rolling your own auth gone wrong?

This week we're thinking about what happens when rolling your own auth snowballs into a giant headache. Tell us your own story in the comments!

For a lot of us, this probably feels familiar: everything starts out simple. Add a little home-grown password-based authentication into your app and it seems great - everything just works! But then your app grows, your userbase grows, and your needs get more complicated: suddenly that simple DIY auth solution doesn't do everything you need. Where do you go from there? Do you keep building on top on your existing auth, or do you have to start from scratch with a third-party solution? Are the sunk costs too high to change course, or is the trade-off worth it? And what do you do with all those existing users?

As devs we've been there ourselves. Check out this cautionary tale from Steve Cattaneo, Userfront's Head of Engineering:


Once upon a time, Steve worked at a company that was a Rails shop. Their first product leveraged out-of-the-box Rails password authentication. When they built their second product, for speed to market reasons, much of the boilerplate from the first product was copied into the second product—including the authentication. There was a lot to do and not much time to do it.

Fast forward a few years and Steve’s team built their third product. That, too, included the boilerplate password auth. It was, after all, a simple, straightforward solution that worked.

...then a customer asked for Google authentication, and that's when things started to get complicated.

Steve's team assigned the work to one of the engineers: create an OAuth 2 module. Then migrate users: transition the username-password user to the username backed by a Google identity. He figured it out. He wired it up. And they rolled it out.

Two or three weeks later, that engineer went on a much-deserved vacation. On that Friday — of course — the customer reported issues. Users were unable to log in. Without the engineer who had built the system, they spent the day looking at the code, looking at the database... but couldn't figure it out. The core data pipeline product was fine, but users couldn’t access their dashboard for three days—not counting the weekend.

Eventually they gave their customer a status update: “We’ll have to get back to you.”

(read the rest of the story & find out what happened to Steve's team here!)

Top comments (1)