Neither, really. I'm a developer and nothing in front of me is completely new, but taking a product from idea to completion has a fair amount of Coastline Paradox involved. Not looking for a "how do I do this" solution, more along the lines of, if I want to tackle this, here's a list of tasks I'll need to make sure to cover.
For example, creating a user account creation flow is easy enough, right? You just need a form for a username and password. And password complexity checking (client-side for UX, and server-side for security). And something like bcrypt server-side for hashing (and make sure to follow best-practices in hashing and storing). And you'll want to verify emails to cut down on spam, so you'll need some sort of way to send emails, probably a service because rolling your own email server is....a lot. Oh and where are you going to actually store the user data? MySQL/PostgreSQL or something like NoSQL? Managed database, or are you going to handle the setup, backups, hardening, etc yourself?
Congratulations, we've finished creating a user account! Except for password reset, session authentication tokens, rate-limiting login attempts, CAPTCHAs, and everything around the admin side of handling bad actors (account suspension, IP and/or email blocklists, etc etc etc). ;)
For example, creating a user account creation flow is easy enough, right? You just need a form for a username and password. And password complexity checking (client-side for UX, and server-side for security). And something like bcrypt server-side for hashing (and make sure to follow best-practices in hashing and storing). And you'll want to verify emails to cut down on spam, so you'll need some sort of way to send emails, probably a service because rolling your own email server is....a lot. Oh and where are you going to actually store the user data? MySQL/PostgreSQL or something like NoSQL? Managed database, or are you going to handle the setup, backups, hardening, etc yourself?
Congratulations, we've finished creating a user account! Except for password reset, session authentication tokens, rate-limiting login attempts, CAPTCHAs, and everything around the admin side of handling bad actors (account suspension, IP and/or email blocklists, etc etc etc). ;)