A comment on doing what's necessary when necessary.
Imagine this: you start out on a new project. You don't entirely know what you want to build, but you have a rough idea. The energy is fierce and it is all about getting started. You think to yourself: "I might as well just get a couple of things in that I know I will need". You figure that a user probably needs to be able to create an account. And so the work begins!
Something similar happened when I worked with a previous client.
We were implementing a minimum viable product (MVP) based on their previous work. While scoping out the initial layout we added in the sign-up flow for users. Upon deliberation with the client, we found that it was not strictly needed, so we removed it from the scope.
To this day I am quite sure it still has not been implemented and is not needed. Money saved, more time with the family!
Anyway, in the contrary case, complexities arise: we spend time tweaking the passwordless sign-up flow. We implement JWT because, hey, we want to support microservices, and so on.
As usual, we lose interest in the problem, or we have to attend to something else for a while, and the idea leaves us and flies to another person or, even worse, never gets built. Now managers are stuck with their inefficient ways of doing roadmaps, and the scientists will need to figure out another way to organize their knowledge.
An alternative is, at least in the beginning, to remove authorization from the idea and focus on what is essential. This requires us to come to some realizations, to change the vision, to build something different. This is hard: we need to get rid of our darling. But how is this possible?
Say you want to make a shared word editor, something like Google Docs. Would this be possible without an authorization system? Indeed it would. Actually, the predecessor to Google Docs was made without authorization. One would merely go to a website, start a new document, and share the link with their friends. The security would be in the random name of the document. Good enough for enterprise and national secrets? Hardly, but good enough to showcase collaborative editing, which has since been refined, with fully featured authorization, into successful products.
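The "security in the random name" idea above, sketched as an added example (not code from this post or from any real product): the document name comes from the OS CSPRNG and is the only thing checked on access. The class name, the 128-bit size and the `/d/<token>` URL shape are assumptions made for illustration.

```python
import hashlib
import secrets

TOKEN_BYTES = 16  # 128 bits from the OS CSPRNG; assumed size, not from the post


class LinkSharedDocs:
    """Toy in-memory store where knowing the link is the only access check."""

    def __init__(self):
        self._docs = {}  # sha256(token) -> document text

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash so a leaked copy of the store does not leak links.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, text: str = "") -> str:
        token = secrets.token_urlsafe(TOKEN_BYTES)  # never a counter or random.random()
        self._docs[self._key(token)] = text
        return token  # goes into the share URL, e.g. /d/<token>

    def read(self, token: str):
        # Unknown and malformed names look identical: no hint about what exists.
        return self._docs.get(self._key(token))

    def write(self, token: str, text: str) -> bool:
        key = self._key(token)
        if key not in self._docs:
            return False
        self._docs[key] = text
        return True


def guess_success_bound(live_docs: int, guesses: int, bits: int = TOKEN_BYTES * 8) -> float:
    """Union bound on the chance that any of `guesses` random names hits a live document."""
    return min(1.0, live_docs * guesses / 2 ** bits)


if __name__ == "__main__":
    store = LinkSharedDocs()
    link = store.create("draft")
    print("share:", f"/d/{link}")
    print("bound for 1e6 docs, 1e12 guesses:", guess_success_bound(10**6, 10**12))
```

Guessing is not the weak point at this size; the link itself still ends up in browser history, server logs and Referer headers, and it cannot be revoked for one person without changing it for everyone.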