What’s the Best Stack for Building a Web App with Efficient Authentication?

Asked By CreativeSparrow91 On

I'm in the process of planning a web app that I want to build in my free time, combining it with my experience as a Cloud/DevOps engineer. I'm considering using a stack that includes Nuxt for the frontend, FastAPI for the backend, and PostgreSQL for the database. However, I'm unsure about how to handle authentication effectively. I found a solution called Better Auth, but it primarily works with TypeScript/JavaScript. I'm weighing a few options: 1) Integrate authentication within Nuxt using its Nitro server routes, 2) Use Hono with Better Auth and skip FastAPI altogether, or 3) Keep FastAPI for the backend logic while using Hono and Better Auth exclusively for authentication. What are your thoughts on these approaches, and which would you recommend as best practices in a production environment? I want something that will be easy to maintain and allow for future flexibility without heavy refactoring.

2 Answers

Answered By CodeNinja2023 On

I'd suggest considering a SaaS solution for authentication, like Auth0 or Firebase Auth, especially if you're looking for something manageable. These services handle a lot of the security headaches for you, and they typically offer free tiers until your user base grows. The pros include established OAuth flows, easy management of signing keys, and security patches for vulnerabilities. Self-hosting might be valuable for learning, but it could complicate your focus on app functionality.

LearningByDoing12 -

Are you suggesting something like Supabase Auth or Clerk with those? Just curious about what's available.

Answered By DevGuru83 On

If you're sticking with FastAPI, you might want to explore Django as well. It handles user management and authentication quite effortlessly, complete with admin dashboards. Ideally, keeping everything within one backend that manages users, data, and business logic is often simpler. If you choose to go with the frontend, consider using httponly cookies to track login states. Sessions are typically easier unless you explicitly need JWTs for stateless operations. These days, many projects default to JWT, but it might not always be necessary for a simple application.

CuriousDev16 -

That's a good point! I've been leaning towards just going with Hono and calling it a day.

BackendWhiz47 -

Definitely stick to one backend that handles everything, like data and authentication, and use server-side sessions with HttpOnly cookies unless cross-domain features are crucial.
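
The server-side session with an HttpOnly cookie that the answers above recommend, as an added example that is not part of any post in this thread. It uses only the Python standard library; the `SessionStore` class, the `sid` cookie name and the in-memory table are assumptions for illustration (a FastAPI app would keep the table in PostgreSQL or Redis).

```python
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"  # hypothetical cookie name


class SessionStore:
    """In-memory server-side session table (stand-in for a database table)."""

    def __init__(self, ttl=3600, clock=time.time):
        self._sessions = {}   # session id -> {"user_id", "expires"}
        self._ttl = ttl       # session lifetime in seconds (assumed value)
        self._clock = clock   # injectable so expiry can be tested

    def create(self, user_id):
        """Call after a successful login; returns the Set-Cookie header value."""
        sid = secrets.token_urlsafe(32)  # opaque random id, carries no user data
        self._sessions[sid] = {"user_id": user_id, "expires": self._clock() + self._ttl}
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = sid
        morsel = cookie[COOKIE_NAME]
        morsel["httponly"] = True    # not readable from page JavaScript
        morsel["secure"] = True      # only sent over HTTPS
        morsel["samesite"] = "Lax"   # not attached to cross-site POSTs
        morsel["path"] = "/"
        morsel["max-age"] = self._ttl
        return morsel.OutputString()

    @staticmethod
    def _sid(cookie_header):
        """Extract the session id from a request's Cookie header, if present."""
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        return cookie[COOKIE_NAME].value if COOKIE_NAME in cookie else None

    def lookup(self, cookie_header):
        """Return the logged-in user_id for this request, or None."""
        sid = self._sid(cookie_header)
        session = self._sessions.get(sid)
        if session is None:
            return None
        if session["expires"] <= self._clock():
            self._sessions.pop(sid, None)  # expired: drop the server-side record
            return None
        return session["user_id"]

    def revoke(self, cookie_header):
        """Logout: delete the record so the cookie stops working immediately."""
        self._sessions.pop(self._sid(cookie_header), None)
```

Because the cookie holds only a random identifier, logout and expiry are enforced by deleting the server-side record, which a stateless JWT cannot do without an additional revocation list.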
