HACKER Q&A
📣 hot_gril

Simple Auth for Website


I'm making a fairly simple website and browser extension where users will have accounts*. All I need to do is auto-create an account the first time someone uses it, then have that account auto reused every time the user visits later on the same device. A second factor like a password isn't needed. Ideally users should be able to transfer their accounts to other devices, but I'm even willing to forego that in version 1. It's supposed to be an open-source project, and to encourage adoption, I don't want it to depend on any external auth services, just a database.

Does anyone have a favorite drop-in way of doing something like this? Webauthn looks appealing, but I've never used it. Can also imagine just randomly generating some code server-side, storing it in cookies, and asking users to save it for recovery, but that feels like poorly reinventing a wheel.

Thanks

* For anyone curious, it's supposed to be a federated lightweight social network based partially on RSS.

  👤 Leftium Accepted Answer ✓
You can just store a simple cookie or data in localStorage that points to the anonymous guest user data in your DB.

The tricky part is later upgrading anonymous/guest accounts to real accounts linked to an actual auth user.

Here are some auth providers that support anonymous login/guest accounts:

- https://supabase.com/blog/anonymous-sign-ins

- https://firebase.google.com/docs/auth/web/anonymous-auth

- https://backendless.com/docs/js/users_guest_login.html

👤 noashavit
I get what you are trying to do, but it feels a bit insecure. Why not use an OSS passwordless project like https://github.com/supertokens/supertokens-core/ or https://github.com/teamhanko/hanko