Introducing the New Auth Flow for PPResume

Introduction

We are very pleased to announce that PPResume (opens in a new tab) has introduced a new auth flow. This is the result of two months of hard work with many important features for an optimized onboarding experience:

• sign in with the password
• sign in with the verification code
• reset your password
• update your username in /settings (opens in a new tab) page

Long story short, let's take a look at the new auth flow:

Auth is Difficult and Complicated

The first step to build any SaaS product is to consider how users can be authenticated. When I started with PPResume about a year ago, I didn't think too much about it, which proved to be a mistake and I wasted a lot of time.

Auth is often overlooked or underestimated in the early stages of building a SaaS product. However, it plays a crucial role in ensuring the security and integrity of user data. Building an effective auth flow requires expertise in cryptography, security best practices, UI/UX design and more. Moreover, keeping up with evolving security threats and regulations can be a daunting task for developers focused on their core product.

Auth is difficult, and complicated.

When I first tried to create my own auth flow, I quickly realized the immense challenge of building a secure, reliable, and fully functional auth flow.

You many wonder is it really that difficult to build a functional auth flow? Isn't it as simple as matching a username and password? The answer is both yes and no.

Two decades ago, as the web evolved from static websites to web applications, users gained the ability to post content online for the first time. This era saw the birth of blog, social networks (facebook/twitter), media sharing platforms (youtube/instagram), etc., transforming the web into a ecosystem for consuming, creating and sharing thoughts and ideas.

In the good old days, the most common approach of authenticating a user was to use a username and password. Usually the username is stored in plain text and the password is encrypted with a hash function (some also store the password in plain text, which is pretty bad practice and leads to many security incidents). When a user signs in, the password is hashed and compared with the stored hash value. If the two values match, the user is authenticated.

Contemporary web applications encounter greater challenges than ever before and necessitate more secure, resilient, and adaptable auth solutions. The simple combination of a username and password is insufficient to meet the demands of modern web applications

The conventional username and password approach has several inherent drawbacks:

1. Memorability: Passwords are notoriously difficult to remember, leading to frequent forgetfulness.
2. Simplicity and Guessability: Simple passwords are susceptible to easy guessing and compromise.
3. Complexity and Usability: Complex passwords, while more secure, pose challenges in memorization, hindering user onboarding.
4. Reuse and Security Breach: Enforcing strong passwords during user sign up doesn't prevent users from reusing them across multiple websites. A compromise of one website can compromise all others using the same credentials.
5. Identity Verification: The system cannot verify the actual person behind the credentials, making it vulnerable to unauthorized access, even by non-human entities like cats typing in the correct password.

To address the shortcomings of basic username and password authentication, the industry has developed several advanced techniques like:

1. One-time password (OTP): A password that is only valid for a single login session or transaction.
2. Multi-factor authentication (MFA): An authentication method that requires users to provide multiple forms of identification, such as a password, a physical token, or a biometric measurement, to gain access.
3. Passwordless authentication: An authentication method that does not require users to remember a password, but instead relies on verified third-party authentication providers, such as social media accounts or fingerprint scanners.

Imagine the countless hours and complexities involved in building your own auth flow from scratch. This process would require you to develop features such as:

• User sign up with email/username and password.
• Email verification for confirming user identity.
• A mechanism for password reset.
• Choose appropriate hash algorithm for password encryption.
• Email connector setup for sending emails related to user sign up and sign in events.
• Support for Single Sign-On (SSO) with providers like Google, LinkedIn, and others.
• Linking social sign-in identifiers with local accounts when email addresses match.
• Designing a robust session management mechanism to control access to protected resources and pages.

In summary, building a comprehensive auth solution involves meticulous planning, technical expertise, and adherence to security best practices. It's highly recommended to consult with security experts and leverage existing frameworks and libraries to ensure the utmost security and reliability of your auth solution.

Home Made Auth Flow of PPResume

When I started with PPResume, I had gained some experience of building auth flow during my previous projects. I've read the book of Getting Started with OAuth 2.0 (opens in a new tab), understanding the basic concepts of OAuth 2.0 and I know that there're different grant types (opens in a new tab) in OAuth 2.0. I had successfully implemented Google Single Sign-On (SSO) in a previous project, allowing my colleagues to conveniently sign in using their work Google accounts.

Despite my existing knowledge and experience, I still underestimated the intricacies involved in developing a fully functional and production-ready auth flow. As a result, I ended up wasting a significant amount of time on this task.

OK long story short, let's take a look at my home made auth flow. During the sign up process, users are required to provide their email address, select a username, and create a strong password.

Usernames are enforced with the following rules:

• at least 3 characters
• at most 39 characters
• may only contain alphanumeric characters or single hyphens, and cannot begin or end with a hyphen.
• must not be in the reserved list (like admin, administrator, root, etc.)

Password has even more strict requirements for security best practices:

• At least 1 number
• At least 1 lowercase letter
• At least 1 uppercase letter
• At least 1 special symbol
• At least 12 characters
• No whitespaces

Despite dedicating approximately a month to implementing this auth flow, I received feedback indicating that the password rules were excessively complex, hindering user sign up on PPResume.

While users acknowledge the importance of strong password requirements for enhanced security, they find it challenging and painful to create and recall such complex passwords.

In addition to the complexity of creating strong passwords, I have yet to implement a password reset feature and lack the means to verify user identities through verification emails. This exposes PPResume to the risk of spam attacks by bots.

Some users encounter difficulty in remembering their passwords over time, and I have not yet provided a self-service password reset feature. Implementing this feature is likely to require an additional one to two weeks of development effort.

After some struggle and suffering, I realized that creating a functional auth flow is not as straightforward as I had initially anticipated. I am not an expert in auth and do not wish to invest a significant amount of time (a year or more) in building a fully functional auth flow.

Time to make a change.

Introducing Logto

Yes we need a third party auth solution to help us out.

Auth0 (opens in a new tab) is definitely a top player in this area, but it's a bit costly, and you don't have complete control over your user data, which means you might get locked in with the vendor.

On the other hand, logto (opens in a new tab) is an open source (opens in a new tab) auth solution that provides a seamless identity infrastructure for developers. In addition to offering logto cloud (opens in a new tab), you can also host it on your own server, giving you complete control over your user data.

After dedicating two months to integrating logto into PPResume, I'm pleased to share that the outcome has been highly satisfactory. As a token of appreciation, I've contributed several PRs back to the logto community to further enhance the platform.

• logto-io/logto (opens in a new tab)
• logto-io/docs (opens in a new tab)
• logto-io/js (opens in a new tab)

Besides basic auth features like sign up, sign in, reset password, user profiles, etc., logto also offers a very powerful dashboard for user management, which is extremely beneficial for product growth.

Data Migration

The auth flow is extremely important for any SaaS product. It took me one or two days to migrate all the user data from our home made auth system to logto. Almost all user data remained unchanged, except for the passwords. The passwords are not stored in plain text and never will be; instead, they are encrypted using a hash algorithm (opens in a new tab). The original auth system used the bcrypt (opens in a new tab) hash algorithm, while logto uses the argon2 (opens in a new tab) hash algorithm, which are not compatible with each other. From a technical standpoint, it is impossible (opens in a new tab) to decrypt the passwords and encrypt them with a different hash algorithm, so the original passwords are all lost.

Look Ahead

Adopting logto has significantly improved the security and user experience of PPResume. As an independent developer, I can now focus on developing core features and delivering value to PPResume users, confident that their auth experience is seamless and smooth, and they are not rejected and leave away because I asked them to create a strong password, LOL.

By leveraging the capabilities of logto (opens in a new tab), we're going to introduce a range of new auth features that will make it easier for users to get onboard. One such feature is the integration of Google SSO, allowing users to seamlessly sign in using their existing Google accounts. Additionally, we'll be introducing Linkedin SSO, enabling users to connect their Linkedin profiles and instantly generate visually appealing resumes. Stay tuned for these exciting updates that will further enhance your experience with PPResume!

In conclusion, auth is essentically difficult and complicated, it is generally not advisable to build your own auth systems. But it doesn't have to be a burden for independent developers. By leveraging dedicated auth solutions like logto, developers can streamline their development process, enhance security, and deliver a superior user experience at the same time.

Thanks again, logto and the team (opens in a new tab) behind it, for providing such a great auth solution.