frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Hot weather and low sunshine linked to mental health-related healthcare use

https://www.uea.ac.uk/about/news/article/everyday-weather-can-increase-demand-for-mental-health-s...
1•giuliomagnifico•3m ago•0 comments

Is a 'Frictionless' Society a Trap?

https://www.nytimes.com/2026/07/02/magazine/frictionless-productivity-marketing-tech.html
1•1vuio0pswjnm7•3m ago•0 comments

Free SaaS Landing Page Template – React, Vue, HTML for Claude Code and Cursor

https://github.com/hannah-wright/saas-landing-page-template
1•DreyGreatness•4m ago•0 comments

Microsoft Disclosure Provides Rare Glimpse of Tax Haven Tactics

https://www.nytimes.com/2026/07/03/technology/microsoft-europe-disclosure-tax-havens.html
1•1vuio0pswjnm7•6m ago•0 comments

Show HN: ProxyBoy. A Windows HTTP/HTTPS debugging proxy with an AI assistant

https://github.com/pjperez/proxyboy
1•InfraScaler•7m ago•0 comments

Show HN: FluxDown – Free, open-source IDM alternative in Rust and Flutter

https://github.com/zerx-lab/FluxDown
1•zero-lab•9m ago•0 comments

Running Engineering Teams Series

https://yusufaytas.com/series/running-engineering-teams
1•yusufaytas•9m ago•1 comments

Feynman's Garden

https://www.marginalia.nu/log/a_108_feynman_revisited/
1•jimsojim•9m ago•0 comments

Sharded Inference of a 229B-Parameter Moe over the Internet at Interactive Speed

https://twitter.com/c0mputeAI/status/2073150789640421537
1•MrBuddyCasino•20m ago•0 comments

Satoyama

https://en.wikipedia.org/wiki/Satoyama
1•ETH_start•22m ago•0 comments

Teaching AI to Run with the Turbines

https://www.technologyreview.com/2026/07/02/1138433/teaching-ai-to-run-with-the-turbines/
1•joozio•23m ago•0 comments

Will betting on wildfires lead to arson?

https://www.hcn.org/articles/people-are-betting-on-wildfires-should-they/
1•1vuio0pswjnm7•24m ago•0 comments

Show HN: Visual Knowledge Canvas for Learners

https://www.solus.so/
3•allybahaei•25m ago•0 comments

Claude's Criminally Bad Electron Mac App Is an Inside Job

https://daringfireball.net/2026/07/claudes_criminally_bad_mac_app_is_an_inside_job
1•tosh•25m ago•0 comments

Show HN: An AI that brutally rates your cat, and 18 games where your cat plays

https://catz.io
1•muzwalks•29m ago•0 comments

DocHero: PDF Editor and Sign PDF

https://apps.apple.com/us/app/dochero-pdf-editor-sign-pdf/id6781691509
1•suryanshJ•40m ago•0 comments

Fin: A Jellyfin Client for the Terminal

https://tangled.org/tsiry-sandratraina.com/fin
2•nerdypepper•42m ago•0 comments

Scientists decry conference's use of hidden prompts to snare AI peer reviews

https://www.thetransmitter.org/publishing/scientists-decry-conferences-use-of-hidden-prompts-to-s...
1•jruohonen•46m ago•0 comments

Could the next great novel be written by AI?

https://www.theguardian.com/books/ng-interactive/2026/jul/04/future-of-fiction-next-great-novel-a...
1•scandox•50m ago•3 comments

HackathonHub – the control room for hackathons, game jams, and team competitions

https://hackathonhub.xyz/
1•igorthenomad•50m ago•0 comments

Provenance: Proving That Your Code Is Really Yours

https://medium.com/@vektormemory/provenance-proving-that-your-code-is-really-yours-603c09407a97
1•vektormemory•51m ago•1 comments

AI models' values are different from most people's

https://www.economist.com/briefing/2026/06/25/ai-models-values-are-very-different-from-most-peoples
2•Anon84•51m ago•0 comments

We Are Running Companies on Chat Windows and Calling It a Revolution

https://irishtechnews.ie/running-companies-on-chat-windows-calling-it-rev/
3•belkin1•54m ago•0 comments

Jersey Mike's IPO illustrates how bad the AI hype is

https://finance.yahoo.com/technology/ai/articles/jersey-mike-ipo-illustrates-bad-201159743.html
4•cybermango•54m ago•1 comments

Arbitrary code execution breaking sandboxes in KDE Plasma

https://blog.kimiblock.top/2026/07/01/arbitrary-code-execution-in-kde-plasma/index.html
2•birdculture•58m ago•0 comments

BiOptimizers Magnesium Breakthrough Reviews – Truth Check

https://gamma.app/embed/Magnesium-Breakthrough-By-BiOptimizers-Honest-Review-tbe77aupzt7tnrd?mode...
1•prepostseo•1h ago•0 comments

Show HN: AI Coloring Page Generator for printable classroom worksheets

https://aicoloringpagegenerator.org/
1•robot1996•1h ago•0 comments

Show HN: AI Video Detector – check whether a video may be AI-generated

https://aivideodetector.video
1•robot1996•1h ago•0 comments

Dangerously-skip-permissions is the only safe mode

https://www.granola.ai/blog/dangerously-skip-permissions-is-the-only-safe-mode
3•jamesfisher•1h ago•0 comments

Syscall: Ring ZERO assembly puzzle game for those who are tired of agentic AI

https://store.steampowered.com/app/4849330/SYSCALL_RING_ZERO/
1•thisisneat•1h ago•0 comments
Open in hackernews

Ask HN: Why is web auth not a solved issue?

2•zwnow•1y ago
Personally, every project I start, I quit due to not being comfortable with the auth implementation.

I've been into web development for 4 years now. During my research regarding auth in this timeframe, I have found a million reasons on why I should not roll it myself. The reason is always it being to difficult to implement, too much responsibility and basically no matter how I'd do it, it would be unsafe.

The general consensus among web developers seems to be to just let a third party do it. And I understand the reasoning, they are experts and have decades of experience on that specific thing. It makes sense as long as you're fine with third party service dependencies for your application. However, I don't want that. I do not feel comfortable submitting my users data to tech giants for obvious reasons.

I am wondering why it's so difficult to implement secure auth? Why can frameworks like Laravel or Phoenix just generate auth solutions? Why should I trust them, if everyone is saying I shouldn't roll it myself?

After all, if Laravels or Phoenix generated auth isn't safe, I am the one taking responsibility anyway, no?

To my understanding web auth has been an issue for decades now, why aren't there protocols in place to solve it? Or if they are, why aren't they talked about a lot?

Considering how often I read about auth breaches with the big players in the game (Firebase as an example) I am not comfortable trusting third parties with that task either.

So how is one supposed to do it? There are so many JWT tutorials on youtube, but apparently JWTs aren't safe either. Then there are session cookies, which also aren't safe? Why is that?

I am also not talking about authorization. I specifically mean authentication. If I wanted a micro blog platform where users can log into their accounts and write about stuff, how would I make sure it's secure without having to trust third parties, especially big tech companies who repeatedly prove they cant be trusted over and over again?

Comments

arrowsmith•1y ago
> if Laravels or Phoenix generated auth isn't safe

What makes you think they're not safe? Zillions of successful apps have been built using Laravel and Phoenix and (afaik) no-one has hacked their auth code yet. The code is open-source for anyone to inspect for vulnerabilities. I wouldn't feel unsafe using them.

You seem to misunderstand what it means to "roll your own auth".

"Don't roll your own auth" doesn't mean "use a third-party auth provider". It means "use an existing, expert-made auth solution and don't try to write it yourself."

That can be a third-party provider like Firebase, it can be a code dependency like Rails's Devise, it can be generated by `phx.gen.auth` in Phoenix, it doesn't matter - the point is that you're using a tried-and-tested auth solution written by someone who knows what they're doing.

Writing your own auth code is generally a bad idea because it's complicated, time-consuming and easy to get wrong. But there are zillions of off-the-shelf solutions you can use that have been created by security experts and battle-tested in thousands of production apps. As far as I'm concerned, web auth is a solved problem.

zwnow•1y ago
Interesting. When I generate auth for Phoenix the API endpoints are not piped through any security pipes. Only the browser endpoints. Why wouldn't I secure my API endpoints? The same kind of requests that are made for browser requests are sent to the API routes, so this is really confusing.
arrowsmith•1y ago
Ah yes. `phx.gen.auth` generates a cookie-based auth system, which is fine for the :browser pipeline but it's not generally what you want for a JSON API.

The Phoenix docs include a suggestion for how you can extend `phx.gen.auth` to add token-based authentication to your API: https://hexdocs.pm/phoenix/api_authentication.html

(No, this isn't "rolling your own auth" either, it's using someone else's pre-written auth code.)

johncoltrane•1y ago
> The general consensus among web developers seems to be to just let a third party do it.

Outside of personal projects, third-party auth providers must be audited (think GDPR or PIPL), budget must be allowed, contracts signed, etc. so web developers rarely, if ever, have their say on the matter. The decision is taken long before anyone wrote a single line of code. From a project management perspective, it's an easy trade-off to make: one sprint for integrating Okta versus who knows how many for badly implementing something that requires a level of expertise that no one on the team has reached.

For personal projects, the trade-off is a bit different. Resources are scarce so, even if implementing auth is actually not very complicated(1) and can even be quite fun, there are probably more immediately interesting things to do. So you integrate a third-party solution in a wednesday night and you move on.

[1] https://thecopenhagenbook.com/