Recently I started watching this series to fill in gaps in my knowledge regarding back-end.

Authentication

Stateful

The server needs a lookup in its data store to check whether the user's session is still valid.

Example: an HTTP-only cookie carrying the session ID. To verify it, the server checks in the database whether this session/token exists, is still active, and which user it belongs to.

Disadvantages:

  • Expensive when it comes to scalable/distributed systems, where you have to do this lookup very often.

Stateless

No lookup table is needed and no tokens have to be stored; validity is checked with cryptography.

Example: a JWT, which stores the expiration date, user ID and some other metadata; the server simply checks whether the signature is valid (since it holds the key needed to verify it).

Disadvantages:

  • Anyone who obtains your JWT can use it to impersonate you, and since the server keeps no record of it, the token cannot be revoked before it expires.

Hybrid

Instead of letting stateless tokens live for the whole session, they can be given a short expiration and refreshed periodically.

TIP

The author of the video suggests using authentication providers to handle authentication in your day-to-day job.

I liked using better-auth, and at my job I also used Clerk. Clerk uses the hybrid approach. better-auth uses session IDs, but they also have a plugin for JWT support.