pilcrow

@pilcrowonpaper

Followers: 7K, Following: 4K, Media: 387, Statuses: 3K

Open-source developer interested in auth and security. Working on @lucia_auth and @oslo_project

Tokyo, Japan
Joined November 2017
@pilcrowonpaper
pilcrow
11 months
Hi everyone. I now accept donations via GitHub Sponsors. Please consider supporting my open source work and help me make auth more accessible. I’m starting university next month so even a small amount would go a long way :D.
7
24
270
@pilcrowonpaper
pilcrow
10 months
lmao they just replaceAll()-ed twitter(.)com with x(.)com.
@Ryoga_exe
🌱
10 months
← So when you view it on iOS it reads as netflix/.com?
42
463
5K
@pilcrowonpaper
pilcrow
11 months
Announcing the Copenhagen Book - an open source guide on implementing auth for the web! It covers everything, including sessions, CSRF protection, passkeys, OAuth, 2FA, email verification, and password reset.
28
237
1K
@pilcrowonpaper
pilcrow
1 year
Can we stop naming APIs `$`?
@bunjavascript
Bun
1 year
Introducing the Bun Shell. Cross-platform shell language & interpreter for shell scripting with JavaScript
94
30
1K
@pilcrowonpaper
pilcrow
10 months
I'm still confused why Hetzner is so cheap. Like 2vCPU/4GB (shared) is $5 while it's $20 everywhere else???
80
27
941
@pilcrowonpaper
pilcrow
5 months
okay hear me out
@pilcrowonpaper
pilcrow
5 months
Do I need to rename the Twitter OAuth provider to X?
13
33
862
@pilcrowonpaper
pilcrow
1 year
I still can't believe this but @astrodotbuild has awarded me a $10,000 grant for my work on Lucia!!!!!! Thank you!!
@astrodotbuild
Astro
1 year
Introducing: The $100,000 Astro Ecosystem Fund. Astro usage is exploding! To support our growing ecosystem, we are donating our own open-source funding to award ten $10,000 grants to essential maintainers across our community. Learn more:
69
38
814
@pilcrowonpaper
pilcrow
10 months
What makes this even funnier is that it's done on the client and not the server.
5
4
781
@pilcrowonpaper
pilcrow
1 year
My frustration with Next.js.
48
88
774
@pilcrowonpaper
pilcrow
1 year
???
82
23
704
@pilcrowonpaper
pilcrow
3 months
Please share your personal website or blog! I quite enjoy looking and comparing them.
439
25
706
@pilcrowonpaper
pilcrow
1 year
Already wrote 5 pages. Hopefully I can release it by March
23
37
689
@pilcrowonpaper
pilcrow
1 year
Is this cursed?
45
27
621
@pilcrowonpaper
pilcrow
3 months
Announcing Faroe - an open source, self-hosted, and modular backend specifically for email and password authentication! I crammed everything you hate about credential auth into a single binary :D
18
46
627
@pilcrowonpaper
pilcrow
1 year
mongodb was a mistake
56
19
600
@pilcrowonpaper
pilcrow
3 months
Got it working! It's like 5x more complex than a regular OAuth flow
16
15
610
@pilcrowonpaper
pilcrow
4 months
I am planning to deprecate Lucia early next year and make it a general learning resource on auth instead. It pains me but I am confident that this is the best way forward. The early preview is available below.
46
48
593
@pilcrowonpaper
pilcrow
11 months
Ahhhhhhhhhhh I finally got it! Big shoutout to @astrodotbuild!!!
36
6
537
@pilcrowonpaper
pilcrow
3 months
Do all JS formatters do this?

const result =
	superLongFunctionName();

I'd much prefer this:

const result = superLongFunctionName();
38
5
541
@pilcrowonpaper
pilcrow
1 year
Option 3: Use URLSearchParams.
@jamesqquick
James Q Quick
1 year
Just found out some people prefer string concatenation over string interpolation. WAHHHH?! What do you prefer?
15
10
520
@pilcrowonpaper
pilcrow
1 year
Realtime chat application with just fetch() and HTTP!
14
23
514
@pilcrowonpaper
pilcrow
9 months
Announcing Oslo - a new open source project to provide high-quality auth packages across the ecosystem! Runtime-agnostic, fully-typed, and zero third-party dependencies.
10
40
498
@pilcrowonpaper
pilcrow
9 months
If you're doing this

function create() {
	return {
		a: () => {}
	}
}

just use classes.
42
23
482
@pilcrowonpaper
pilcrow
5 months
Oslo packages are now stable! Simple, fully-typed, runtime-agnostic, and zero third-party dependencies.
- oslojs/encoding
- oslojs/crypto
- oslojs/webauthn
- oslojs/otp
- oslojs/asn1
- oslojs/cbor
- oslojs/binary
15
42
438
@pilcrowonpaper
pilcrow
1 year
Announcing Lucia 3.0!
19
53
437
@pilcrowonpaper
pilcrow
2 years
Please please please learn about the basics of HTTP, XSS, injection, database querying, cookies, CSRF, and CORS before doing any auth stuff in the server. This also applies if you're using ready made solutions like Auth0, Clerk, and NextAuth.
6
54
422
@pilcrowonpaper
pilcrow
7 months
New blog post on how I would implement auth!
18
34
377
@pilcrowonpaper
pilcrow
10 months
New blog post: Please stop using middleware to protect your routes.
31
43
369
@pilcrowonpaper
pilcrow
7 months
Email verification + password reset + TOTP in 6 hours :D. Haven't implemented rate limiting and login throttling yet, but that should only take another day at most. I might build a full tutorial on it in the near future
21
6
354
@pilcrowonpaper
pilcrow
9 months
please just stop with the transitions
32
8
336
@pilcrowonpaper
pilcrow
1 year
nah JS isn't for the server.
40
22
333
@pilcrowonpaper
pilcrow
10 months
Just learned about URL.parse(). It allows you to check the validity of URLs without using try/catch. Looks like it's getting added to runtimes and browsers this year.
12
30
336
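The behaviour described in the tweet above, as an added example (editor's illustration, not the tweet's own code): `URL.parse()` returns `null` where `new URL()` would throw, so validity can be checked without `try/catch`. It assumes Node.js 22.1+ or a browser that ships `URL.parse`; older runtimes get a small fallback with the same null-on-failure contract. The second helper goes a step beyond the tweet and applies the same parser to a post-login redirect target; the `https://app.example` origin is an assumed placeholder.

```javascript
// Added example (editor's illustration, not the tweet's code): URL.parse() returns
// null for an invalid URL where `new URL()` would throw. Assumes Node.js 22.1+ or a
// browser that ships URL.parse; older runtimes get a small fallback with the same
// null-on-failure contract.
const parseUrl =
  typeof URL.parse === "function"
    ? (input, base) => URL.parse(input, base)
    : (input, base) => {
        try {
          return new URL(input, base);
        } catch {
          return null; // `new URL` throws TypeError("Invalid URL") here
        }
      };

// Validity check with no try/catch at the call site.
function isValidUrl(input, base) {
  return parseUrl(input, base) !== null;
}

// Going one step further than the tweet: the same parser applied to a post-login
// redirect target. Relative paths resolve against `base`, so "/account" is accepted,
// while protocol-relative "//evil.example/x" or a "javascript:" URL resolve to a
// different origin and are rejected. `base` is an assumed example origin.
function isSafeRedirect(target, base = "https://app.example") {
  const url = parseUrl(target, base);
  return url !== null && url.origin === new URL(base).origin;
}

// Constructed sample inputs.
const samples = [
  "https://example.com/path?x=1",
  "not a url",
  "/account",
  "//evil.example/x",
  "javascript:alert(1)",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "valid:", isValidUrl(s), "safeRedirect:", isSafeRedirect(s));
}
```

Note the caveat that the redirect helper exposes: once a base is supplied, almost any string becomes a valid relative URL ("not a url" resolves to `https://app.example/not%20a%20url` and passes the same-origin check), so "is this a URL?" and "is this a URL I am willing to send the user to?" are different questions and need different checks.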
@pilcrowonpaper
pilcrow
9 months
Here's Lucia in < 100 lines of code
9
13
326
@pilcrowonpaper
pilcrow
1 year
I never truly appreciated Vite until I used Next.js.
21
17
322
@pilcrowonpaper
pilcrow
5 months
New library :D. Finally figured out how to abstract JWTs into a library.
5
11
320
@pilcrowonpaper
pilcrow
1 year
Not sure how to share this but I'm 19 lol. Same age group as @nexxeln and @aidenybai I guess.
38
5
310
@pilcrowonpaper
pilcrow
1 year
Finished all 10 pages now. Gonna make some improvements over the next few days, and I'll probably have some people review it. Let me know if you're open to proofreading it, especially if you work on auth/security :D
@pilcrowonpaper
pilcrow
1 year
Already wrote 5 pages. Hopefully I can release it by March
20
8
313
@pilcrowonpaper
pilcrow
11 months
I moved all my static sites from Vercel to Cloudflare. I don't use the preview deployments anyway. Thinking about playing around with a VPS and moving stuff away from serverless too.
23
3
302
@pilcrowonpaper
pilcrow
7 months
It's my 20th birthday today!!!🎉🎉🎉
39
0
278
@pilcrowonpaper
pilcrow
1 year
lmaoooo, my blog is in a @fireship_dev video
9
2
269
@pilcrowonpaper
pilcrow
2 months
This is super embarrassing but my AT Protocol OAuth example had a major security vulnerability where one could authenticate as any user. If your app used my code, you should fix it immediately. This was a major oversight on my part and I'm sorry.
10
12
256
@pilcrowonpaper
pilcrow
7 months
I'm fully sold on Go.
24
10
248
@pilcrowonpaper
pilcrow
4 months
Share all the Auth0 and Keycloak alternatives you know, preferably open source.
- SuperTokens
- Supabase
- Logto
- Clerk
- Authentik
- Stack Auth
- PocketBase
- FusionAuth
- Zitadel
25
15
250
@pilcrowonpaper
pilcrow
4 months
The new site is now live! Lucia v3 will be deprecated by March 2025. Big thanks to everyone who contributed to the library.
1
15
246
@pilcrowonpaper
pilcrow
2 years
I'm going to test the latency/performance of popular DB providers. Any other providers I should test?
- Supabase
- Neon
- PlanetScale
- Vercel
- Turso
- Railway (maybe?)
I'm going to test different drivers/ORMs to see if there are any other performance implications as well.
72
10
241
@pilcrowonpaper
pilcrow
11 months
Why are people so adamant on protecting resources with middleware? It’s like a single if statement. Just do it in a per-route basis. It’s not hard. It’s even less bug-prone and easier to debug since all the logic is in a single location. Just stop.
54
3
239
@pilcrowonpaper
pilcrow
8 months
All my packages have zero third-party dependencies ;D
13
1
232
@pilcrowonpaper
pilcrow
2 months
Dear OAuth providers.
13
27
237
@pilcrowonpaper
pilcrow
1 year
Fuck it. Lucia v3 stable will be released this weekend alongside Oslo v1 and Arctic v1.
21
12
229
@pilcrowonpaper
pilcrow
1 year
Anything missing?
- Tokens (in general)
- Session lifetime, storage
- Password validation, hashing, credential stuffing
- Email verification codes/links, input validation
- Password reset links
- MFA (TOTP)
- OAuth, PKCE, OIDC, account linking
- Passkeys
- CSRF
27
7
229
@pilcrowonpaper
pilcrow
11 months
Looks like it uses Drizzle ORM - so I guess Lucia supports Astro DB from day 0!
@astrodotbuild
Astro
11 months
Introducing: Astro DB. Add a hosted database to any Astro project in seconds. Includes a TypeScript ORM, schema manager, and automatic migrations out-of-the-box. Try it today! Every database comes with a generous free tier for you to get started.
6
9
223
@pilcrowonpaper
pilcrow
1 year
Why are people installing it???? I SAID IT WAS VERY EXPERIMENTAL
23
1
216
@pilcrowonpaper
pilcrow
1 year
Why I hate working with Next.js:
15
9
214
@pilcrowonpaper
pilcrow
7 months
Full email and password auth example in Astro with email verification, 2FA via TOTP, password reset, and rate limiting.
6
8
220
@pilcrowonpaper
pilcrow
2 years
I'm excited to announce that Lucia now supports @nuxt_js, complete with docs, with version 1.7!! Get started here:
10
32
206
@pilcrowonpaper
pilcrow
8 months
Honoooooo
6
1
209
@pilcrowonpaper
pilcrow
9 months
I actually made the logo! Pretty happy with it, tho a professional touch up would be nice
16
2
201
@pilcrowonpaper
pilcrow
6 months
Full auth example in Astro with password, email verification, rate limiting, TOTP, passkeys, and security keys.
@pilcrowonpaper
pilcrow
6 months
Working on a passkeys variant of the auth example
6
14
201
@pilcrowonpaper
pilcrow
9 months
The hardest part about implementing Google OAuth is navigating through Google's docs and dashboard.
16
7
203
@pilcrowonpaper
pilcrow
1 year
New blog post, something positive this time!
11
13
193
@pilcrowonpaper
pilcrow
11 months
Astro DB adapter (unofficial): npm i lucia-adapter-astrodb
10
19
197
@pilcrowonpaper
pilcrow
1 year
People who say it's fine would use emojis as function names if they could.
12
1
196
@pilcrowonpaper
pilcrow
10 months
I know some people are confused as to why I went to university instead of getting a job. I wanted to learn CS concepts and theories, and I thought it’d be a good opportunity to find like-minded friends. I might be wasting time but who cares.
18
2
188
@pilcrowonpaper
pilcrow
10 months
If React doesn't want people to use it, they should just rename the variable on every release.
@sebastienlorber
Seb ⚛️ ThisWeekInReact.com
10 months
No One Ever Got Fired for Choosing React 19
4
5
186
@pilcrowonpaper
pilcrow
11 months
Auth built with Lucia :D
@astrodotbuild
Astro
11 months
The Astro Theme Portal just launched! Submit, update, and publish your themes in the official Astro theme catalog. ✨Built with Astro DB! Forms, user authentication, and image uploads all powered by Astro's new hosted database platform.
4
3
192
@pilcrowonpaper
pilcrow
1 year
I wrote a short blog on cookies vs local storage.
6
21
185
@pilcrowonpaper
pilcrow
11 months
I'll be releasing the authentication guidebook this Saturday. It has not been thoroughly proofread tho (underestimated the time required) so keep in mind there may be numerous mistakes.
5
3
188
@pilcrowonpaper
pilcrow
11 months
Big thank you to Prisma for supporting my work!
@prisma
Prisma
11 months
💜 Proud to support @lucia_auth through our FOSS fund. Lucia is a TS-first library-oriented approach to auth in JS. We love how it provides an easy-to-use alternative to large libraries or SaaS approaches. Kudos to @pilcrowonpaper! Check it out ⭐️
1
3
176
@pilcrowonpaper
pilcrow
1 year
Soft announcing Oslo! This is a much barer, yet feature-rich, alternative to Lucia. It provides utilities for:
- session management
- cookies
- OAuth
- generating random strings
- CSRF protection
- hashing passwords
- managing verification tokens
6
16
181
@pilcrowonpaper
pilcrow
2 years
I'm super excited to announce Lucia 2.0!
4
28
175
@pilcrowonpaper
pilcrow
8 months
Announcing oslojs/webauthn, a new @oslo_project package for the Web Authentication API! Needs a lot more testing but it's finally here!!! Learned so much about passkeys, CBOR, COSE, ASN.1, X.509, and ECDSA!
3
9
172
@pilcrowonpaper
pilcrow
1 year
Lucia hit 10k weekly downloads! 2023 has been an amazing year:
- +10K weekly downloads
- +4k GitHub stars
- +2.5k Twitter followers
- +1k Discord members
9
4
169
@pilcrowonpaper
pilcrow
2 months
I’m sorry but TanStack Start and Solid Start are horrible names.
7
0
172
@pilcrowonpaper
pilcrow
1 year
So. Many. Webpack. Issues. In. Next.js.
14
2
162
@pilcrowonpaper
pilcrow
4 months
I’m trying out Zed again and the biggest thing missing for me is a Git integration and a spell checker.
17
2
169
@pilcrowonpaper
pilcrow
11 months
Hoooly shit - thank you to all my sponsors! That's more than enough to cover my expenses and then some, and this doesn't include all the one time donations.
3
0
159
@pilcrowonpaper
pilcrow
8 months
Added @honojs examples to the Lucia repository! #honoconf
4
12
154
@pilcrowonpaper
pilcrow
1 year
Also, all the code examples are written in Go since I found it to be the most sane and readable :D
@pilcrowonpaper
pilcrow
1 year
Already wrote 5 pages. Hopefully I can release it by March
7
3
153
@pilcrowonpaper
pilcrow
6 months
Ughh, can we please stop spreading conspiracy theories, and like pretty much anything from Libs of TikTok?
@mjackson
MJ
6 months
Two weeks after the event, Google autocomplete results for “assassination attempt on” do not include any mention of Trump
14
2
145
@pilcrowonpaper
pilcrow
10 months
I don’t think people fully understand how much time is spent on API design and reviewing/testing PRs in open-source projects. It’s not just writing code, and in fact that’s usually the easy part.
4
2
149
@pilcrowonpaper
pilcrow
11 months
Can we please stop trying to condense everything into a single function? Just create sha1(), sha256(), sha384(), etc.
8
2
151
@pilcrowonpaper
pilcrow
2 years
What's the fastest serverless database? I compared the latency of tons of popular and upcoming database providers, including Neon, PlanetScale, Supabase, and Turso - see the results for yourself!
13
32
151
@pilcrowonpaper
pilcrow
2 years
I tried Nuxt again.
- Docs lacking for H3 (had to read source)
- $fetch() can't send url encoded forms
- API routes *must* return an object (where was that mentioned?)
- navigateTo() returns a promise => can't use if statements to narrow types
- Vue is still confusing
15
5
143
@pilcrowonpaper
pilcrow
1 year
So. I built my own http framework lol. Not sure how portable this pattern is but it's based on Node.js, Express, and Go
9
0
140
@pilcrowonpaper
pilcrow
10 months
my general approach to learning new stuff has been brute force - play around, look at examples, read stack overflow answers, and repeat that until something clicks.
6
8
139
@pilcrowonpaper
pilcrow
1 year
What do you get from using JWTs instead of regular db sessions? I could see why some auth providers use them since there's no guarantee their customers' servers are close to theirs, but that really isn't an issue if you self host.
34
8
143
@pilcrowonpaper
pilcrow
1 year
I feel like 80% of modern websites can just be written with vanilla JS/TS and still be reasonably maintainable. Another 10% would just need to embed client rendered JS framework components on top of it.
14
7
139
@pilcrowonpaper
pilcrow
4 months
@webdevcody I was afraid you’d bring this up lol. Technically I’m not fully abandoning the project but I’ll just take the L here.
5
0
137
@pilcrowonpaper
pilcrow
4 months
tbh Lucia was probably a good introduction on auth for beginners. Maybe a video tutorial will cover the same itch? Videos feel more beginner friendly than text.
6
0
139
@pilcrowonpaper
pilcrow
2 years
I'm super excited to announce Lucia 1.0!
5
23
136
@pilcrowonpaper
pilcrow
4 months
Really excited about this one!
6
0
135
@pilcrowonpaper
pilcrow
6 months
Working on a passkeys variant of the auth example
4
5
130
@pilcrowonpaper
pilcrow
1 year
I treat Lucia, and all my other projects, as community *informed* projects instead of community *driven*. I'm open to feedback but I still have a certain vision and goals. That might make my stuff feel less open to contributions.
13
4
133
@pilcrowonpaper
pilcrow
4 months
Announcing Arctic v2! Not a very big update but cleaner APIs and even more providers.
3
6
132
@pilcrowonpaper
pilcrow
1 year
Go's concurrency model is pretty cool
10
6
130
@pilcrowonpaper
pilcrow
4 months
Early preview but over the past month, I've worked on fully fledged examples with password auth, 2FA, email verification, passkeys, rate limiting, and password resets for Next.js, SvelteKit, and Astro.
3
7
132
@pilcrowonpaper
pilcrow
7 months
I would probably quit university if I get a job offer that would help me get a US visa (or even Canada).
9
4
129
@pilcrowonpaper
pilcrow
9 months
Fun fact: The @oslo_project homepage is a single HTML file. No JS, no frameworks, no tailwind.
4
5
127
@pilcrowonpaper
pilcrow
1 year
Lucia does not and will not support JWTs. Even if JWT based sessions didn’t suck, it doesn’t make sense for a single library to handle 2 widely different things.
9
2
121
@pilcrowonpaper
pilcrow
4 months
I find third party login to be a solved issue. OAuth isn't particularly hard and sessions aren't either. I really don't see a reason to bring in a framework or paid service for it. But email+password ;D
7
3
122