Similar Articles
How to Effectively Integrate Playwright with Prisma Using Seeding? 🎭🌱
6/2/2025
How to Automatically Highlight Code Blocks in Your Next.js App (app router) ? 🌈📚
6/2/2025
How to oxide your shell / use Rust in your shell ?
6/2/2025
How to Monitor Your Server Disk Usage with Discord? 🚀🌟
6/2/2025
They Said It Would Burn: Tales from the Trenches of PC Enthusiasm
7/15/2025
Auth is a Dumpster Fire. Can 'Better Auth' Put It Out?
Let's be honest. If you've ever built a web app, you've stared into the abyss that is user authentication. It's the rite of passage for every developer, a seemingly "solved" problem that somehow remains a consistent, soul-crushing source of pain. You start with a simple goal: "I just need a login page." You end up three weeks later, drowning in OAuth redirect loops, insecure session tokens, and documentation that appears to have been written in a forgotten dialect.
We've all been there. You try to do the right thing. "Don't roll your own auth," the ancient scrolls command. So you pick a library. You pick a service. And the pain begins.
This isn't a theoretical problem. This is the shared trauma of our profession. A developer I follow, Zsolt Ero, documented his quest to find a sane auth solution for his new project. His needs were simple: social logins and sessions that don't randomly expire. His journey took him through a dozen options, from the siren song of Supabase to the confusing maze of NextAuth.js. His story isn't unique; it's universal.
So, let's dissect this dumpster fire. Why is auth so broken, and can the new kid on the block, Better Auth, finally be the fire extinguisher we've all been waiting for?
The Fall of the Old Guard: What Happened to Auth.js?
For years, if you were in the Next.js ecosystem, NextAuth.js (now Auth.js) was the default choice. It promised simplicity. It promised to handle everything. The reality? A nightmare of complexity and frustration.
The sentiment online is deafening:
"If this were my first experience with web auth, I would have just thought auth ought to be this hard."
That quote says it all. The documentation was notoriously opaque, leaving developers to piece together tutorials and GitHub issues like detectives. Common problems, like incorrect redirects to localhost in production, became infuriating time sinks. Worse, there were concerns about its maintenance. The original developer left, and while it's now in new hands, that kind of transition can shake confidence. When your app's entire security model relies on an open-source library, stability isn't just a feature; it's everything.
The Hidden Traps of "Easy" Hosted Solutions
"Fine," you say, "I'll just use a managed service. A SaaS for Auth!" This is a tempting path, paved with promises of a 5-minute setup. But here be dragons.
The Supabase "Gateway Drug"
Supabase Auth is often the first stop. The value seems insane: a full backend with auth for 100k users at a bargain price. But as Zsolt and others discovered, the devil is in the details. Users were experiencing random logouts, a cardinal sin for any application. Digging deeper revealed insecure practices like storing tokens in localStorage, making them vulnerable to XSS attacks.
But here’s the truly weird, crunchy bit of information that should make you pause:
As of 2023, Supabase, a company funded with over $110 million and trusted with user security, did not use 2FA on its own platform login.
Let that sink in. They offer 2FA as a feature for your users but seemingly didn't trust it for their own internal security. That's not just a red flag; it's a fireworks display.
The Real Cost of Hosted Auth
Beyond one provider's quirks lies a fundamental, often-overlooked problem with all hosted auth solutions: data synchronization.
Your auth provider (Clerk, Auth0, Firebase) has its own database with the user list. Your application has its own database with user profiles, posts, settings, and business logic. Now, you have to keep these two databases in sync. What happens when a user changes their email? You need a webhook. What if the webhook fails? Now your data is out of sync. What if you need to delete a user and all their associated data for GDPR compliance? You have to orchestrate a distributed transaction across two systems you don't fully control.
This "simple" problem can lead to years of bugs and edge cases. A self-hosted solution where your user table is the same table your app uses suddenly looks a lot more robust.
The Challenger: Is 'Better Auth' Really Better?
Out of this landscape of frustration, Better Auth emerged. The praise has been almost universal. Developers rave about its "dead simple API," its "full type safety," and the sheer joy of its Developer Experience (DX).
One developer famously tweeted that Better Auth was so good, it "literally delayed @zerotoshipped for a week" because he felt compelled to rip out his old solution and switch. That’s a powerful endorsement. It seems to have hit the sweet spot of being a complete, self-contained solution that "just works."
But Here's the Dose of Reality...
No tool is perfect. And before you bet your next project on Better Auth, you need to be aware of its unspoken limitations. The biggest one?
The Bus Factor.
As of my writing this, the project is overwhelmingly maintained by one person. This is not a criticism of the maintainer's skill or dedication—quite the opposite. But it is a business risk. What happens if they get sick, burned out, or hit by a bus? We've seen this movie before with other open-source projects. It can lead to stagnation or abandonment. While the project recently got funding, which is a great sign, it's a risk you must acknowledge.
Furthermore, some users have noted that while it's simple for new projects, integrating it with an existing, custom database schema isn't as seamless as advertised. It's not a magic wand.
The Counter-Narrative: An Anecdote on "Boring" Tech
Amidst the churn of the JavaScript world, I'm reminded of a powerful story. A developer's 7-year-old app, built on "boring" technologies (Python and PostgreSQL), was featured on a major news site. It handled a sudden spike of 19,000 concurrent visitors with average response times of 7-12ms. No drama. No frantic scaling. It just worked.
This is the ultimate lesson. The goal isn't to use the trendiest auth library. The goal is to build a reliable, secure application.
My Verdict: So, What Should You Do?
There is no silver bullet. Every choice is a trade-off.
- For a new project (especially in the Next.js world): Better Auth looks like a phenomenal choice. The DX is a massive productivity boost. Go into it with your eyes open about the bus factor, but it might be a risk worth taking.
- If you have a complex, existing database: Tread carefully with any new library. The migration cost might be higher than you think. Sticking with what you have, or a more established solution like
lucia-auth, might be wiser. - If you're considering a hosted service (Clerk, Auth0): Do it only if you can afford the steep price and, more importantly, if you have a rock-solid plan for handling data synchronization from day one. Do not underestimate this problem.
- Don't dismiss "boring": If you're using a monolithic framework like Rails or Django, their built-in, battle-tested auth systems are often more than good enough. They are secure, stable, and perfectly integrated with your database by default.
Authentication will probably always be a bit of a dumpster fire. But by understanding the trade-offs, learning from the mistakes of others, and looking past the marketing hype, you can at least make sure you don't get burned.