Who even needs authentication?
More like: I'm not the kind of developer who likes this stuff, so I gotta find a way to make this easy for myself...
A lot of building Just Read Comics has been directionless. I have a whole symphony of ideas playing in my head around about what needs to be done and my tendency to work on various pieces has been to simply go wherever my mind is focusing at the time.
Fortunately, I spent a good chunk of time thinking about getting some decent roots for everything down which has allowed me to follow this winding path towards eventual launch[1]. And while I’ve talked a bit about the foundation already, one of the things I knew I’d need to get to eventually was a split between an administration of data and the public facing site.
As it turns out, I couldn’t let that idea go.
I’ve spent, maybe, half of my time working on this project getting the admin interface working. Most of that time was without authentication, and, let me tell you, my 15-year-old-coder-in-a-basement-lizard-brain really struggled with that. Even when my build process was only for me locally on my computer, there was something wrong about being able to slip easily between the front-facing site and the administration site without any kind of hiccup of authentication blocking me from accessing the latter.
And that’s probably why I couldn’t let this part go.
How do login?
Given the simple means in which this project originated, I was looking for something that didn’t have me reinventing the wheel for “logging you in.” I was hoping for a solution that could be done one-off and, much later, expanded to be usable for future users[2].
Initially, I was thinking of going with a third-party solution. A year or two ago, I would have gone with Twitter because it was pretty straightforward and I always liked using Twitter. But seeing now that Twitter is basically a hellfire waiting to collapse in on itself, I took a step back and looked to some other regulars on the internet: Facebook (Meta) and Google.
Facebook is dicey. And not because Meta is kind of gross to be attached to but because, in my experience, for the niche corner of comic book peoples who would be using this site, they may have a strange relationship with Facebook already--a disabled account, an abandoned account, or they don’t even know how to login to that account any more. So the idea of forcing folks to use Facebook just so they could log in to Just Read Comics was a strange reason to go with that.
This, overall, led me down a thought path of: Social site login might make sense from a “I don’t have to worry about security” angle, but to make sure I could open this up for enough people, I would probably have to support a few social site logins aka more work just to login.
My next logical step was to look to Google. Who doesn’t have a Google account? It can’t be that hard to setup, right?
Dudes, the setup for Google Authentication seems massively complicated to me. When I was hackin’ fast at the start of this project, that page was like a puzzle I couldn’t wrap my head around. Even looking at it now, I shake my head at it. For this little site, implementing Google’s authentication functions feels like a major investment for a pretty small payoff--especially given how unsure I am about what “accounts” for this site may even entail.
But let’s back up. If I’m being honest: If Google is too complicated for me, I should just bite the bullet and go back to Twitter or Facebook, right? I mean, the setup for Facebook and Twitter aren’t too wild to implement... but, in the end, it felt like a hassle[3]. And maybe I was getting ahead of myself--I wouldn’t need to authenticate OTHER people for a while, but I kept going.
I still needed a solution for me, at least!
After doing maybe an hour’s worth of thinking on these solutions, I ended up doing a lot of other searching for some best practices around “simple” authentication. In some exquisite combination of Google search terms, I wound up back at StackOverflow on a post (lost to the histories now) where a top-voted solution asked: “If it’s just for YOU to log in, why not just use JWT and environment variables?”
It was like this post was written for me.
Blocking out the haters
You may be asking: What even is JWT?
From the JWT website:
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
JWT.IO allows you to decode, verify and generate JWT.
And in more detail from their Intro page:
JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
This is a pretty smart, trusted, and, fortunately, simple way to do authentication that is very battle tested. So I went with it. Not only did the explainer I found on StackOverflow (and then other more in-depth sites) convince me, but I had also used this before at a previous job, though I never got into the weeds about it.
So I dug in.
For my case, I pass a username and password along via a login form and compare them against plain-text[4] environment variables. If the values match, then I use a JWT library for Node (in my case, jsonwebtoken) to create a signed token that is sent back to the login form and can then be used to access things like APIs and other locked-away places.
What’s cool about this approach is that it’s fast to implement and, in my opinion, a great start to a more robust authentication system in the future. Ideally, I wouldn’t be storing a friggin’ username and password in plaintext on a server (even if it is deployed and rotated using AWS Secrets Manager), but it unblocked me from doing authentication.

The thing I find really cool about this setup is the way you can configure JWT to suit your needs in a really simple way. Doing something like generating a signed token with an 8-hour expiration is as simple as a few parameters using jsonwebtoken in Node and I love that. If I was going to go crazy with this down the line, I could generate one-off tokens using a series of rotated keys for AWS Lambda runs to do some of the regular data manipulation tasks I talked about before[5].
Once I have a token on my local browser, I can use it to access all of the backend features and APIs I need to. In turn, this does a great job of locking out all the pesky haters who would want to get into the Admin side of things.
JWT is a pretty powerful tool that can be used to do a lot more than what I’m doing. In a previous job, we used JWT to pass extraneous metadata as part of authentication to determine granular permissions and send some moderately sensitive data over the wire without having to pass it in plaintext. From what I’ve read, this is a pretty common use case and I know that with a little more work, I can make this a pretty robust way to authenticate for myself and potentially other people in the future.
Long term planning?
I’ve sort of mentioned some of this, but long term, I’ll likely invest in doing something a bit more secure to ensure that any authentication I do go with beyond just myself is less exploitable. I mean, no one can say they’re making a perfect security solution. Many, Many, Many companies who employ smarter folks than me have had their fair share of data breaches and security issues. I’m just one guy who’s building a site for comic stuff, but I’ll eventually be working on those pesky things every SRE has to deal with, at a much smaller scale.
For now, I like how what I’ve built is shaping up. I’ll likely need to get smart about implementing AWS Secrets Manager more diligently with regular key rotation[6], and then I’ll need to form a plan around storing login credentials (likely as a series of hashes to anonymize things as much as possible).
All of that is way down the line but it’s on my radar because as much as I want Just Read Comics to be a simple resource, I know every comic reader’s journey from “want to read” to “found it” is different. Rather than trying to dictate things, I’d like folks to be able to customize their experience and that starts with getting authentication right.
Next Time
Baby’s first attempt at AWS Lambda or Mike sends you a few comic reviews instead of code speak because the last few weeks have been busy. Shout your preference in the comments!
WAIT. COMICS TIME.
Yeah yeah yeah, I know I gave you the option for a future post and you’re definitely listening to IRCB, but I gotta talk about a few books before I go.
Where The Body Was
Maybe you’ve read some books by Ed Brubaker and Sean Phillips (and Jacob Phillips) but their latest work, Where The Body Was, is a very solid twist on their usual take of crime and murder. In all honesty, I’m surprised this wasn’t dropped early next year because it’s got more romance, lust, and love in it than other books by this team. Either way, it’s a fantastic change of pace in storytelling. Sean’s art has never felt more impassioned and Jacob on colors is, as many comic fans already know, unbelievably well done. It’s a perfect mid-80s story that doesn’t answer the “question” posed on the cover until the bitter end. The narrative is done so incredibly well, you won’t be able to stop reading until you hit the back cover.
This book is pretty new, so go pick it up at your Local Comic Shop or book store.
Oh, and Ed Brubaker was just on IRCB chatting with me and my pal Paul about this very book. Maybe I’m biased, ¯\_(ツ)_/¯
Akane-banashi Vol. 1
I’ll be honest, this book might not be for everyone, but I found it really fun to read. Following a young Rakugo artist named Akane, we learn about the art of Rakugo as Akane follows in her father’s footsteps to become a master of this unique style of performance and storytelling. This book is a really entertaining learning experience (similar to Hikaru no Go) into something I doubt I would have ever known about, let alone looked into. The credits include a Rakugo consultant, which lends itself to that “learning” element. The art on this book by Takamasa Moue is really fun and works incredibly well for telling a story about an active performance art in a medium that is tragically static on the page.
[1] And hey, if you throw me a subscription, you’ll be the first to check this bad boy out.
[2] Lest I overpromise anything, I’ll say that ideas for “accounts” and personalization are something I want to do, but I need to ruminate on those ideas more before I even start to build them, let alone write about them.
[3] Let’s be real: I’m lazy.
[4] I know this isn’t great, but I promise I’ll get to why I’m doing this.
[5] Now that I’ve written that out… that’s not a bad idea.
[6] As of right now, I’m 3/4 of the way there. I just need to get the rotation part squared away.