←back to thread

Better Auth, by a self-taught Ethiopian dev, raises $5M from Peak XV, YC

(techcrunch.com)
282 points bundie | 5 comments | 25 Jun 25 18:07 UTC | HN request time: 1.925s | source
Show context
yodon ◴[25 Jun 25 22:32 UTC] No.44382371[source]
Pretty sure auth is not something I want a self-taught dev (or even most CS-graduate devs) writing.

Oauth2, JWT's, hashes, timestamps, validations, and such, are all totally simple until they're not. The black hats have way more experience and way more time invested in this space than most any normal dev.

replies(8): >>44382542 #>>44382600 #>>44382664 #>>44383532 #>>44383603 #>>44385107 #>>44385540 #>>44459701 #
vmg12 ◴[25 Jun 25 22:53 UTC] No.44382542[source]
Auth is really not difficult to write. It's don't roll your own crypto, not don't roll your own auth. People need to stop spreading this fud.
replies(5): >>44382590 #>>44382617 #>>44383537 #>>44383587 #>>44383602 #
1. risyachka ◴[25 Jun 25 23:00 UTC] No.44382590[source]
Yeah it’s not difficult if you know all the specs.

The issue is 99% don’t know them and are not very good at following them. And the cost of error is very high.

I’ve seen a lot of startups that failed to implement even google oauth securely.

So yeah it’s a far cry from fud and you really should not do it unless you are actually good.

replies(3): >>44382621 #>>44383147 #>>44384218 #
2. threatofrain ◴[25 Jun 25 23:04 UTC] No.44382621[source]
But given that BetterAuth is an open source project with a large following, and also given that they just got funding so they can hire more help, now we can evaluate BetterAuth's competency in terms of their ability to coordinate help.
replies(1): >>44383117 #
3. kylecazar ◴[26 Jun 25 00:31 UTC] No.44383117[source]
Also, as far as I know, they aren't reimplementing the core auth libraries/specs mentioned
4. fmbb ◴[26 Jun 25 00:38 UTC] No.44383147[source]
OAuth is very complicated and fuzzy though.

I am not surprised anyone makes mistakes trying to integrate it anywhere.

5. motorest ◴[26 Jun 25 04:37 UTC] No.44384218[source]
> Yeah it’s not difficult if you know all the specs.

I don't think this is a valid point. Specs only cover a single responsibility: interoperability. This is not a critical requirement of auth services, unless you have a hard requirement on federated auth.