
> If you want to implement a non-FB anon login, you basically have to implement a full account management solution yourself, assuming you want the anon account data to be persistent (that is, it's not truly anonymous in the sense that you sign in, do things, sign out, and it's as if you were never there)

That's just not true. Modern web frameworks come with modules that let one have fairly good account management systems without much work.



What you say is not always true either.

I do Python mostly. Django? Fine. It has an excellent auth system out of the box. But that kind of auth system isn't very flexible either. I barely do Django development today, so please excuse me if I'm behind on any insane changes.

Flask and Pyramid world? Custom auth to me. They both have community modules for auth stuff, but do I really like them? I am not the kind of guy who just pip installs random "useful" packages these days. Let's give another example. A year or two ago I tried to do social auth in some of my Django and Flask apps. Maybe I was dumb, but using that social-auth library took me a while to get some of the login working. Plus, the code was messy and buggy. In the end, I said screw that and implemented all of the custom login myself, just reading the official docs from Twitter and Facebook. That also took me a while, but I knew the whole implementation inside-out. If I don't trust my own implementation because it is insecure, then I must spend the same amount of time inspecting other people's custom modules.

The truth is, a generic auth system is hard and is not flexible. In fact, too much flexibility can be a bad thing: http://plope.com/pyramid_auth_design_api_postmortem

I like a customized auth system based on the API provided by the framework - that's what makes Pyramid powerful to me. Sometimes your community auth module can have limitations that you probably have to hack around.


What kind of customization were you trying to do in Django that you couldn't? I know you can have one-to-one models that extend the backend, you can customize the backend, choose custom templates for the login forms, create your own forms, etc. And the docs seem to indicate this was possible since 1.5: https://docs.djangoproject.com/en/1.5/topics/auth/customizin...


Django did update their auth app; it's very flexible now.


Until you want Ajax login. Then you write boilerplate for two hours. If there was a really good ajax reg/login module for Django, I'd gladly pay $10 for it the way I do bootstrap themes.


Hmm. Hadn't thought about that. Good point.


off topic: What is a good way for someone who is unfamiliar with account management to evaluate modules and select one?

I'd like to set up an account management system and I was planning on doing it manually, but figured there had to be a better way.


Googling around and picking the most popular one usually works, at least if you're using a more "trendy" framework.

For Rails, Devise seems to be the way to go, as it's the most popular by far[0]. It's what I'm using for my project.

[0]https://www.ruby-toolbox.com/categories/rails_authentication


This is simply untrue.

Most modern web frameworks do NOT come with fairly good account management systems.


I’m sure what you are saying is right — but I’m not in any way smarter reading it than reading the one before. You can’t just say ‘No, not true’ on Hacker News. What makes the existing options not “fairly good”?


Well, the burden of proof is on selmnoo, as he made the claim that they are good enough. The default state should always be negative.


To make it easier for him (and others who agree with him), here's a simple question. Name the modules (packages, whatever) that implement password-reset functionality in:

1. Python + Django
2. Node.js + whatever
3. PHP + CakePHP/CodeIgniter/Yii

I'm not aware of any.

By "password-reset" I mean the user clicks "Forgot password" and goes through some process like asking a secret question, doing a captcha test, sending a password reset link via e-mail, handling the click on the link, asking for a new password and resetting it.

P.S. Pick different frameworks if you wish.
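The e-mail-link part of the flow described above (issue a token, handle the click, take a new password), as an added, framework-independent Python example that is not from this thread or from any of the modules named in it; the in-memory store, the 15-minute TTL and the injectable clock are assumptions for illustration:

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed: reset links should expire quickly

class PasswordResetStore:
    """Models the flow: request -> e-mailed link -> click -> new password.
    Only a SHA-256 digest of each token is stored, so a copied database
    yields no usable reset links; tokens are single-use and expire."""

    def __init__(self, now=time.time):
        self.now = now     # injectable clock so expiry can be exercised
        self.users = {}    # email -> salt + PBKDF2 digest (bytes)
        self.pending = {}  # sha256(token) -> (email, expiry timestamp)

    def register(self, email, password):
        self.users[email] = _hash_password(password, secrets.token_bytes(16))

    def request_reset(self, email):
        """Return the raw token for the e-mailed link, or None if unknown.
        Respond identically either way so the endpoint cannot be used to
        enumerate registered addresses."""
        if email not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (email, self.now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token, new_password):
        """Handle the link click: validate, invalidate, then reset."""
        entry = self.pending.pop(_digest(token), None)  # pop => single use
        if entry is None or self.now() > entry[1]:
            return False
        self.users[entry[0]] = _hash_password(new_password, secrets.token_bytes(16))
        return True

    def check_password(self, email, password):
        stored = self.users.get(email)
        if stored is None:
            return False
        return hmac.compare_digest(_hash_password(password, stored[:16]), stored)

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def _hash_password(password, salt):
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
```

Rate limiting the request endpoint and binding the token to the account's current password hash (so it dies if the password changes by another route) are the next things a real module would add.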


In Django? django.contrib.auth.views.password_reset seems like it would do the job, no? If you have specific logic you need to implement, rather than using the framework's default logic, there's likely not much it can do for you.

Alternatively, there appears to be a CBV version of password resets over here that looks fairly easy to extend: https://github.com/brutasse/django-password-reset

I can't talk for node.js (although I have found that its authn/authz frameworks are lacking in general) or various PHP frameworks, but Django at least is fairly professional.



