Lockin might be too strong of a word, but my point is that it is difficult to spin up other parts of your api outside of netlify’s function and still being able to verify user’s requests.
I’m trying to help improve the serverless deployment, and as part of that I want to migrate my own project over to severless to have skin in the game as I work on it, though I’v hit a roadblock with netlify identity, because normally when using netlify functions with their identity service they have a magic layer that adds the users info to the event context (if it’s valid based on the authorization header/token).
When sending requests to infrastructure outside of the netlify functions than you would need to verify the token yourself, however there’s no way to do that because netlify does not expose the secret they are using for your identity instance.
Chris Biscardi has a solution, but it’s an async one based on making a call to the identity service for each request. Seems like a last resort solution to me.
Puts me in a bit of a pickle since I’m already using the identity service.
Anyway just wanted to document what I’ve found recently.
I believe lock-in is exactly the correct term. It’s great for tutorial simplicity, but I don’t recommend using it for much beyond hobby app for this reason.
I’m impressed with Clerk in terms of set up simplicity. It might be a good tutorial replacement to that end.
And of course dbAuth if you’re comfortable with self hosting.
Otherwise, top three options by my count are Superbase, Firebase, and Auth0. (Note: @chenkie worked at Auth0 and @giannelli.tech is there now)
Lastly, don’t be intimidated about porting. Relatively little logic will need to be swapped. And you can get your users migrated. Just have them create a new password at next login (and/or email notice, etc).
Besides making me a little nervous, I’m really tempted to make the switch to dbAuth!
I really like the idea that having a staging db means I’ll get staging auth for free.
I read through some of the docs this morning and one question I have is: because I’m interested in allowing third party identity providers (github login etc) would it be possible to extend dbAuth to allow this, if so do you have much of an idea of what might be involved?