
Alternatives to Devise


DAZ

Aug 18, 2024, 10:00:34 AM
to North West Ruby User Group (NWRUG)
Devise seems to be the go to gem for auth, but has anyone found any others that are worth trying?

Rob mentioned Clearance at the talk on Thursday, but I thought he also said it might be being sunsetted as well.

Are there any others that people have used?

Tekin Süleyman

Aug 18, 2024, 1:13:31 PM
to nwrug-...@googlegroups.com
One option worth considering today is to roll your own. Rails has much of the basic building blocks for authentication built directly into the framework now, and Rails 8 will ship with a set of generators that does a decent job of giving you the scaffolding code right there in your app where you can easily reason about it and modify it to suit your needs. You can get access to those generators today from Rails main. https://www.bigbinary.com/blog/rails-8-introduces-a-basic-authentication-generator

I personally prefer the directness and flexibility of having my authentication code alongside the rest of my code over the indirection of it being loaded from a gem where it’s harder to reason about and more difficult to override/modify behaviour. The downside of course is you are now more directly responsible for ensuring your code is safe and secure.

The generated code approach is actually what José Valim, the original creator of Devise, now recommends over the auth-in-a-box approach of libraries like Devise (https://dashbit.co/blog/a-new-authentication-solution-for-phoenix) and I believe they now have generators as part of the Phoenix framework.

Tekin


Lee Hambley

Aug 19, 2024, 4:53:50 AM
to nwrug-...@googlegroups.com
It also depends on how far you want to go.

In the wider world Google's Zanzibar has become quite popular, which is a general authorization framework. There's also AWS's verified permissions where you can centralize rules about who can "verb" which "noun". Zanzibar has open source implementations, and all the good docs come from Auth0, but it's certainly worth a look.

With regards to authentication I find myself implementing OAuth2 and OIDC on every new project. I just assume that users are coming in with a UUID identifier, and a signed token. I don't care where that token comes from as long as my app has the relevant public/private key to authenticate it.

That means when I'm starting out a new project I can just make broad assumptions that a user will have a JWT/cookie and a UUID, and _how_ the user gets that token down the line is easy for me to handle later. Then you practically get SSO for free. It also makes testing easier, as your app can just assume that any valid token with a "sub" claim (subscriber ID) is a valid user (who likely has no email/profile/given name, etc) so you avoid a lot of bootstrapping and factories in tests.

It also means that when I set up a new project I make a `/login` page which just has a list of 3/4 example users and with a click it sets a cookie/JWT and that lets me hop between demo users nice and easily.

I know that's pretty left of field for Rails apps where there's often a "batteries included" way of doing things, but in my experience it all pays off quite quickly.

(this idea was honed over a few years coaching startups in Google's accelerator, we needed to get product demos up and running ASAP and people would always spend a day working on login and lose 20% of the on-site tutoring time during the on-site weeks. This approach gave the folks more time to work on differentiating features, and also created an easy "demo" mode they could show to prospective customers when we sent them out doing user interviews)
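
An added example, not part of the message above and not code from any poster's project: one way an app could validate the signed token described there using only Ruby's standard library, pinning the algorithm and checking expiry before trusting the "sub" claim. The key pair, the `issue_demo_token` helper and the claim values are constructed for the demo.

```ruby
require "openssl"
require "json"

# Constructed demo key pair; a real app holds only the issuer's public key.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

def b64url_encode(data)
  [data].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  # Restore padding, then strict-decode (raises ArgumentError on bad input).
  (str + "=" * (-str.length % 4)).tr("-_", "+/").unpack1("m0")
end

# Hypothetical demo issuer standing in for the identity provider.
def issue_demo_token(claims, key: DEMO_KEY, alg: "RS256")
  input = [{ alg: alg, typ: "JWT" }, claims].map { |part| b64url_encode(JSON.generate(part)) }.join(".")
  signature = alg == "none" ? "" : key.sign(OpenSSL::Digest.new("SHA256"), input)
  "#{input}.#{b64url_encode(signature)}"
end

# Returns the "sub" claim of a valid, unexpired RS256 token, otherwise nil.
def authenticated_subject(token, public_key, now: Time.now.to_i)
  parts = token.to_s.split(".", -1)
  return nil unless parts.length == 3
  header_b64, payload_b64, signature_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm in the app; a token must not choose "none" or HS256.
  return nil unless header.is_a?(Hash) && header["alg"] == "RS256"

  digest = OpenSSL::Digest.new("SHA256")
  signed_input = "#{header_b64}.#{payload_b64}"
  return nil unless public_key.verify(digest, b64url_decode(signature_b64), signed_input)

  claims = JSON.parse(b64url_decode(payload_b64))
  return nil unless claims.is_a?(Hash)
  # A valid signature is not enough: require an unexpired "exp" and a usable "sub".
  return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  sub = claims["sub"]
  sub.is_a?(String) && !sub.empty? ? sub : nil
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end
```

A click-to-login demo page should be wired to a key that only exists in development, so demo-issued tokens never verify against the production public key.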



Darren Jones

Aug 20, 2024, 3:09:44 AM
to nwrug-...@googlegroups.com
Thanks for those replies. Think I’ll give those generators from Rails 8 a try. 

Some nice ideas there Lee. I’m thinking of setting up a template with some auth in place to make firing up a demo site easier. 



Francis Fish

Aug 22, 2024, 5:35:03 PM
to North West Ruby User Group (NWRUG)
I used this as a basis cos current gig said no Devise 



It's actually pretty easy. I can't quite work out what the omniauth gem does (injects something into Rack, I think): GET methods get transformed into POSTs that go out to the provider. That I did not like, cos rails routes doesn't tell you anything useful and magic spells bad.

If I hadn't been pressed for time I'd have done Omniauth myself. 

Darren Jones

Aug 23, 2024, 5:41:31 AM
to nwrug-...@googlegroups.com
Thanks Francis. That’s really useful as well.

@Tekin - when you say those generators are available now … what’s the best way to get them into a rails 7 app?

Ian Moss

Aug 23, 2024, 10:04:51 AM
to 'Christine Wong' via North West Ruby User Group (NWRUG)
I'd not heard of Zanzibar, but just found this gem. Looks worthy of a play:

--
Ian Moss
alter.is | ruby & product consultancy services.

Tekin Süleyman

Aug 24, 2024, 5:14:01 AM
to NWRUG Group

On 23 Aug 2024, at 11:41, Darren Jones <daz...@gmail.com> wrote:

Thanks Francis. That’s really useful as well.

@Tekin - when you say those generators are available now … what’s the best way to get them into a rails 7 app?


Probably the easiest way is to generate a new rails app off main and then run the generators there. You can get rails to generate you a rails app off main like so:

$ rails new app_name --main

You should then be able to generate the authentication code from that rails app:

$ rails generate sessions

Hope that helps,

Tekin
