Auth Overview

Sessions vs JWT vs Hosted — Pick the Right Model


A 4-minute tour of authentication patterns for Express. Pick the one that matches your app.

4 min read · Level 2/5 · #express #auth #sessions
What you'll learn
  • Compare session-based vs token-based auth
  • Know when to outsource to a provider
  • Pick an auth model for your app

Authentication and session handling are where a large share of web vulnerabilities live (broken authentication has a standing entry in the OWASP Top 10). The model you pick decides what has to be stored, what has to be verified on every request, and how a compromised credential gets revoked, so settle it before writing code.

Three Models

Model      Where state lives                 Best for
Sessions   Server (DB / Redis)               Server-rendered apps, traditional websites
JWT        The token itself                  Stateless APIs, microservices, SPAs
Hosted     A provider (Clerk, Auth0, etc.)   "I don't want to roll auth"

Sessions

The classic web pattern:

  1. User logs in
  2. Server creates a session row in Redis/DB
  3. Server sends back a cookie containing the session ID
  4. Each request, server looks up the session by ID

Pros: revocation is trivial (delete the row), session data can be rich, simple to reason about.

Cons: needs a session store, and sticky-session concerns if you don't use a shared store.

Caveats: the session ID is the whole credential, so it must come from a CSPRNG with at least 128 bits of entropy, the cookie needs HttpOnly, Secure and a SameSite setting, and the ID should be rotated at login so a value planted before authentication (session fixation) never becomes an authenticated session.

JWT

A signed token that contains the user info:

  1. User logs in
  2. Server signs a JWT with { sub: userId, exp: ... }
  3. Server sends it to the client
  4. Each request, client sends the JWT; server verifies the signature

Pros: stateless, scales horizontally, works across domains.

Cons: revoking is hard (a leaked token stays valid until `exp`, so keep access tokens short-lived and pair them with a refresh mechanism), tokens are bigger than session IDs, and verification is easy to misconfigure. The classic mistakes are letting the token's header choose the algorithm (accepting `alg: none`, or verifying an RS256 token as HS256 with the public key as the HMAC secret), using a short or guessable HMAC secret, and skipping the `exp` check. Pin the accepted algorithm in the verifier and treat a token stored in `localStorage` as readable by any XSS on the page.

Hosted

A provider handles login, signup, sessions, MFA, OAuth:

  • Clerk — modern UI components, hosted
  • Auth0 — enterprise standard
  • Supabase Auth — bundled with Supabase
  • Auth.js (NextAuth) — open-source, multi-framework

Your Express app verifies a token the provider issued, usually an RS256 JWT checked against the provider's published public key, with the issuer and audience claims pinned to your tenant and your API. That is roughly 50 lines of integration code in total.

Pros: you skip credential handling (password storage, MFA, password resets, OAuth sign-in all come with the provider), and SOC 2 / compliance conversations get simpler. You still own authorization: the provider tells you who the caller is, not what they may do.

Cons: another vendor relationship, sometimes pricing, migration cost if you later leave, and a provider outage locks your users out.

Picking

  • Server-rendered app: Sessions. Cookie-based, simple, works with browsers natively.
  • SPA + Node API: Sessions with cookies if the SPA and API are on the same site (the browser handles the credential and a SameSite cookie limits CSRF); JWT when callers are mobile apps or live on another origin and you want the API fully stateless.
  • B2B / fast-moving startup: Hosted. Skip the credential-handling problem and keep authorization in your code.
  • Microservices: JWT + an auth service. The token is the shared currency, and each service verifies it with a pinned algorithm and the auth service's public key.

The rest of this chapter implements each pattern.

Sessions →