Last Updated: December 24, 2021 · imothee

Authenticating Rails Apps - Don't go it alone

If you're writing an App using Ruby on Rails, why roll your own authentication?

Devise (https://github.com/plataformatec/devise) is an incredibly simple, secure and well written gem that will have you going from guest to user in under 10 minutes.

It's been tried and tested and has survived code reviews, penetration tests and real-world usage on huge websites. Has your own code been through the same? With all the recent publicity about leaked passwords, can you afford to have your name on the list?

13 Responses

Bad tip. Doesn't work for all cases. Rails has SecurePassword module.

over 1 year ago ·

I agree with NARKOZ. Think twice before choosing devise. It's easy to set up and brings lots of features. But beware of the beast. This is some heavy shit you are loading into your project. Lots of code and nasty when you really wanna do some serious customizations. So please think twice before adding this burden.

over 1 year ago ·

Devise can be incredibly powerful, but also very heavy-handed. I for one prefer a slimmer approach to authentication, especially since implementing secure_password is pretty straightforward. Just my 2 pennies.

over 1 year ago ·

+1 has_secure_password is a much lighter way to go that's just as secure as devise

over 1 year ago ·

I've used Devise quite a bit with great results but have recently started using has_secure_password.

Gems You Might Not Need - Authentication and Authorization

http://vimeo.com/39498553

over 1 year ago ·
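Several commenters above point at has_secure_password as the lighter alternative to Devise. The following is an added example, not code from the tip, from Rails or from any commenter: a plain-Ruby model of the contract has_secure_password gives you (cleartext never stored, per-user random salt, a slow key derivation, constant-time verification, and an authenticate method that returns the record or false). Rails itself uses bcrypt; to keep this runnable without the rails and bcrypt gems it substitutes PBKDF2-HMAC-SHA256 from Ruby's standard library, and the module name SecurePasswordLite, the iteration count and the sample user are all made up for illustration. It assumes Ruby 3.0 or newer for OpenSSL.secure_compare.

```ruby
# Added example: what has_secure_password does, modelled in plain Ruby.
# Rails uses bcrypt; PBKDF2 from the stdlib stands in here so it runs offline.
require 'openssl'
require 'securerandom'

module SecurePasswordLite
  ITERATIONS = 100_000 # work factor (assumed value); bcrypt's cost plays the same role
  KEY_LEN    = 32      # bytes of derived key
  SALT_LEN   = 16      # bytes of random per-user salt

  # Setter: derive a key from the password and keep only salt + key, never the cleartext.
  def password=(plain)
    raise ArgumentError, 'password must not be blank' if plain.nil? || plain.empty?

    salt = SecureRandom.random_bytes(SALT_LEN)
    key  = derive(plain, salt, ITERATIONS)
    # Stored form: iterations$salt_hex$key_hex, so the work factor can be raised later.
    @password_digest = [ITERATIONS, salt.unpack1('H*'), key.unpack1('H*')].join('$')
  end

  attr_reader :password_digest

  # Mirrors ActiveModel's authenticate: the record on success, false otherwise.
  def authenticate(plain)
    return false if @password_digest.nil? || plain.nil?

    iters, salt_hex, key_hex = @password_digest.split('$')
    candidate = derive(plain, [salt_hex].pack('H*'), iters.to_i)
    # Constant-time compare so response timing does not leak how many bytes matched.
    OpenSSL.secure_compare(candidate, [key_hex].pack('H*')) ? self : false
  end

  private

  def derive(plain, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: iterations,
                                    length: KEY_LEN, hash: 'sha256')
  end
end

# Hypothetical model standing in for an ActiveRecord User.
class User
  include SecurePasswordLite
  attr_reader :email

  def initialize(email, password)
    @email = email
    self.password = password
  end
end

if __FILE__ == $PROGRAM_NAME
  user = User.new('alice@example.com', 'correct horse battery staple')
  puts user.password_digest                 # salt and derived key only, no cleartext
  p user.authenticate('wrong')              # false
  p user.authenticate('correct horse battery staple').email
end
```

The point the thread is making is visible in the size of this block: the hard parts (a random salt, a deliberately slow hash, a constant-time check) are a few lines that Rails already ships and maintains, so neither Devise nor a home-grown scheme is needed just to store a password safely. Two users with the same password get different digests because of the per-user salt.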

Devise is one of the largest pain points in my application. I routinely find myself writing inane work-arounds.

If I could do it all over, it would be omniauth + omniauth-identity + rails secure password.

over 1 year ago ·

Anyone have feedback on Sorcery? Seems to work well at least for simple cases

over 1 year ago ·

For Authorization we use CanCan (https://github.com/ryanb/cancan)
That gem is easy to assemble and also works with mountable engines.

over 1 year ago ·

Whenever I used Devise in a project I had to rip it out at some point because I could not implement customer wishes with Devise (two factor login, special brute force protection, ...). Devise was just not as configurable as required and messing with its internals was just too complicated.

over 1 year ago ·

Oh, forgot to add: Comparing secure_password with Devise and then saying secure_password is easier is not really fair. Devise tries to solve a bunch of other problems as well.

over 1 year ago ·

Funny to receive this as a pro-tip by mail :-) See my comment above.

over 1 year ago ·

I use this gem instead: https://github.com/ricn/authpro

over 1 year ago ·

Looks like a 5 second installation. I'll give it a go

over 1 year ago ·