Is there a resource for rolling your own auth?
Unanswered
Thrianta posted this in #help-forum
ThriantaOP
Getting really tired of using libraries like authjs and providers like clerk and auth0, would like to learn to implement my own auth that has credentials and OAuth (google) that can handle registration, logins, and logouts. but it seems like the more i search, the more i get confused. where should i learn to roll my own auth?
13 Replies
@Thrianta Getting really tired of using libraries like authjs and providers like clerk and auth0, would like to learn to implement my own auth that has credentials and OAuth (google) that can handle registration, logins, and logouts. but it seems like the more i search, the more i get confused. where should i learn to roll my own auth?
you should only make your own auth, when you know what you are doing. And as you can see here (you ask for help), you don't know what you are doing. That can lead to security issues, unexpected bugs and more errors.
If you still want to do it on your own, you should take a look at JWT auth and Session based auth. Understand it and implement it yourself.
If you want to have something on your own, but don't want to have the issues that I mentioned, you might want to take a look at next-auth (NOT the beta and not authjs. Those are pretty buggy). Though authjs you should already know the basics for this lib
ThriantaOP
what should i do if i want to use credentials instead of oauth?
next-auth isn't really good at credentials
@Thrianta next-auth isn't really good at credentials
you are right, next-auth added a credentials provider. With that you can check the credentials yourself. There you can't do that much wrong: fetch your user with the provided data from your database and compare the hashed password
@B33fb0n3 you should only make your *own* auth, when you know what you are doing. And as you can see here (you ask for help), you don't know what you are doing. That can lead to security issues, unexpected bugs and more errors.
If you still want to do it on your own, you should take a look at JWT auth and Session based auth. Understand it and implement it yourself.
If you want to have something on your own, but don't want to have the issues that I mentioned, you might want to take a look at next-auth (NOT the beta and not authjs. Those are pretty buggy). Thought authjs you should already know the basics for this lib
Don't discourage the dude from trying out to roll out their own auth.. it's a good thing to know how it works :/
A security issue won't hurt.. since none of our projects have users anyways :)
@Thrianta what should i do if i want to use credentials instead of oauth?
It's quite simple actually, go on YouTube and start looking at jwt auth. That's when someone logs in, you send them an encrypted jwt with a token, and a user id (if needed) and any public info you would like to send like emails and usernames :)
On further requests just check the token if it matches in db.
Wrt to passwords, you don't just save passwords as is... You hash them and then salt them, check out some tutorials on what salting and hashing means. This is something you don't want to reinvent since it's just pure maths and using just the bcrypt package on npm
So 2 npm packages to use are bcrypt and jose, bcrypt for hashing passwords, jose for encrypting and decrypting jwt tokens.
After that it's just up to you, magic link auth is when you send them an email with a url which does all the logging in for you,
Oauth is also easy to do wherein you just read the docs for the api routes for each step of auth. Google is a good starting point :)
@Arinji Don't discourage the dude from trying out to roll out their own auth.. it's a good thing to know how it works :/
A security issue won't hurt.. since none of our projects have users anyways :)
In the end, I don't know what he will use his Auth for. Possibly for a production app that has a lot of users. Then he tests the Auth in a project without users and due to a lack of knowledge he doesn't discover the existing security gaps. As a result, he then puts the Auth into a large project and ends up with security gaps and unexpected bugs. I definitely want to prevent this, because “A security issue won't hurt” can really hurt.
@B33fb0n3 In the end, I don't know what he will use his Auth for. Possibly for a production app that has a lot of users. Then he tests the Auth in a project without users and due to a lack of knowledge he doesn't discover the existing security gaps. As a result, he then puts the Auth into a large project and ends up with security gaps and unexpected bugs. I definitely want to prevent this, because “A security issue won't hurt” can really hurt.
Its fine, op mainly wants to learn. Can't learn without failing...
Op just make sure to not use your own auth for large apps with actual users, since that's their data you are risking. As long as it's just a hobby project with barely any users, feel free to make stuff
ThriantaOP
thanks for the info, I'm doing it for a small project of my own for my school at 11th grade, just took web dev srsly this year so just wanna learn as much as possible abt auth
@Thrianta thanks for the info, I'm doing it for a small project of my own for my school at 11th grade, just took web dev srsly this year so just wanna learn as much as possible abt auth
Ah yea then go for it lol, practice around and see how it all works, so in the future when you make actual real world apps, and you face bugs with some actual auth service, you know your way around it :)