Alice and Bob in Wonderland - Identity and authority without servers (2024)

“It would be so nice if something made sense for a change.” — Lewis Carroll, Alice in Wonderland

When I first started thinking about authentication and authorization in a local-first context I found it super weird and confusing, like I’d stepped through the looking-glass. I found myself wrestling with big philosophical questions like “where does authority ultimately come from?” and “what does it mean to know someone?”

I’m going to walk you through my journey, from that initial disorientation to what I believe are solid, principled approaches, in the course of developing the @localfirst/auth library.

Why this is weird and confusing

It might not be obvious why this is disorienting, so I’ll explain.

Without a server, it’s not clear where authority or identity come from.

Traditional authentication and authorization ultimately bottom out in a physical piece of hardware, owned and controlled by a company that you’ve decided to trust. The hardware is a server that holds your account record (your username and, if it’s done right, only a hash of your password) along with the rules about what you’re allowed to do. It might be controlled by your employer, or a SaaS provider, or a big tech company.

The server is like a guard at the castle gates. If the server doesn’t recognize you, it doesn’t let you in. If the server doesn’t think you should be allowed to have something, it doesn’t give it to you.

Of course, the whole point of local-first software is that we don’t love that arrangement.

But when you take away that central server, you’re losing the thing that all our notions of security are anchored to.

If all you have is clients, who are peers — which means they relate to each other as equals — then how do we know who is who? How do we know who to trust? What do permissions even mean — who exactly is “giving permission”?

“Bootstrapping” has become a word that we associate with something as easy and routine as turning your computer on. But the whole point of bootstrapping as a metaphor is that it’s supposed to be impossible: You can’t lift yourself up by pulling on your bootstraps.

It’s like living in a monarchy and realizing that the king is just another person, and not someone appointed by the gods. Just like countries making that transition from monarchy to democracy, we’re suddenly adrift, and have to come up with completely new arrangements to solve problems that were already solved — even if in a suboptimal way.

Without a server, it feels like we’re having to pull ourselves up by our bootstraps on some fundamental questions:
