node-argon2 VS next-auth

❓ Why is hashing and salting passwords mandatory? A salt is simply a random data used as an additional input to the hashing function to safeguard your password. The random string from the salt makes the hash unpredictable. A password hash involves converting the password into an alphanumeric string using specialized algorithms. Hashing and salting are irreversible and ensure that even if someone gains access to the hashed passwords, they will not be able to decrypt them to recover the original passwords. Hystorically bcrypt is recognized as the best hashing algorithm. However, in terms of robustness against all the new cryptographic attacks targeting hashing algorithms, the current clear winner is argon2. However, since the “youth" (2015) of this algorithm, I chose to use bcrypt

Argon2: this is the newest highly recommended algorithm, and recommended by OWASP. (Edit: originally linked to a low-download library.)

Though I am using bcrypt to hash passwords, recommended approach currently is argon2

As per security.stackexchange.com the recommended number of rounds for Bcrypt is a number such that it takes atleast 250 ms to hash your password. Argon2 on the other hand takes multiple parameters it seems. What is the equivalent configuration you need for Argon2? I am talking about an express webserver here with passportjs if that helps

If you already have Bcrypt & want to start converting to Argon2, check out this guide → https://github.com/ranisalt/node-argon2/wiki/Migrating-from-another-hash-function

You can look at the argon2 npm (https://www.npmjs.com/package/argon2).

NextAuth.js is not perfect. One of the shortcomings is that it currently does not implement federated logout. This means that even if a user signs out of the Next.js app, he does NOT get signed out of the Cognito user pool client. As a consequence, the user is not really being logged out (i.e he is able to login again without providing the credentials). You can read more about this problem in this Github thread.

NextAuth for adding auth

Let's learn a bit about Descope and how to use it with Auth.js (next-auth) to protect our Next.js app with role-based access control (RBAC).

https://github.com/nextauthjs/next-auth/issues/5647#issuecom...

Next Auth CognitoProvider Internal Library: https://github.com/nextauthjs/next-auth/blob/v4/packages/next-auth/src/providers/cognito.ts

I mentioned this in an age-old discussion on NextAuth GitHub repo.

Authentication is a fundamental part of most web applications. Integrating authentication into your Next.js app can be simplified with NextAuth, a powerful authentication library that supports various authentication methods. However, the documentation around setting up NextAuth with the "Credentials" auth provider might not be as clear as you'd hope. My implementation is greatly enriched and partially based on Next-Auth docs and the following github thread.

For Auth: https://authjs.dev/ - works like a charm with Svelte https://authjs.dev/reference/sveltekit

NextAuth.js

I'm surprised nobody mentioned https://authjs.dev/