Two months ago we were celebrating Devise’s birthday. We were not talking about its age, Devise had just 4 months of life, but we were happy to reach the 1.0 release.
Today we are celebrating again! We are very proud and glad to have Devise in its first Railscast! Ryan Bates has done a great job explaining how to get Devise up and running in a Rails 3 application, showing how to install Devise and choose the basic modules you want to use in your application.
We also made a promise to you: get Devise up and running for Rails 3. We keep walking this road, each Rails beta version released we are releasing a new compatible Devise version. For the time being, we have Devise 1.1.rc0, a release candidate version, compatible with Rails 3 beta 2.
Give Devise a try. You can post your questions to the mailing list and, if you find any issue, please use the Github Issue Tracker. Don’t forget to post information about your environment (like Devise, Warden and Rails versions) including the stack trace if you are facing an error, to help us help you =). Enjoy!
Today we are celebrating Devise‘s birthday. But wait, if you have started watching Devise since the beginning you may be asking: has Devise already completed one year of life? Nope. Today we are completing exactly 4 months since Devise was released at Rails Summit Latin America 2009. And we are very proud and glad to say that we have just reached version 1.0! Yeah! Let’s celebrate and talk a bit about history.
We decided to build Devise based on some requirements we had in a project last year. The majority of our projects usually require an admin interface to configure the application with some CRUD information. And in this specific project, we were needing two different roles in the same application, the admin itself with all its powers to manage the application, and the end users that should be signed in to do some stuff inside the application. Usually only one model would be required in this situation, with some “type” column or flag to determine if the user is an admin or not, right? Okay, but we didn’t like this approach that much. So we started looking at some of the possibilities:
- Authlogic: a really great piece of code and functionality, but a bit messy by handling the session in a model. It also only handles the model part.
- Clearance: full stack, Rails Engine, extra modules, everything we needed. However, packaged with a User model and without the ability to customize it.
Okay, we could pick one of these and with a bit of extra work we would achieve our requirements. But would we need to do it every time this situation happens? We said no. It’s not DRY enough. And we like DRY. So Devise was born.
The main objective of the first Devise version was to get up and running the entire sign in process, including password recovery and confirmation stuff. And everything should work with different roles, which mean you could easily plug and play an Admin, User, Account, or whichever role you needed, in your application, without much effort. And we had a deadline: Rails Summit. It took almost 1 month of work before Rails Summit. I still remember the days before the event, we putting a lot of effort to have Devise up and running, and the README being written during the event. So, we were ready there and presenting Devise to the world.
How it works
Devise was born with the intuit of handling different roles without effort, automatically, and it is achieved with Rails Engines. In addition, Devise is build in top of Warden, a great rack authentication framework. It allowed us to be flexible enough and add different strategies, hooks, and modules easily. In short, Devise:
- Is Rack based;
- Is a complete MVC solution based on Rails Engines;
- Allows you to have multiple roles (or models/scopes) signed in at the same time;
- Is based on a modularity concept: use just what you really need.
The road so far
Devise has started with the basic modules needed for that specific application:
- Authenticatable: responsible for signing users in through a basic login form, handling password validation and authentication.
- Confirmable: manages confirming users account.
- Recoverable: handles password recovery.
- Validatable: basic email and password validation.
Okay, everything we needed were there. Everything else was in a wish list, nicely called TODO. And we decided from the beginning to not add features to Devise until us or somebody else really needed them. But people asked, people needed new features. And they were always there to help, to fork and fix a bug, to comment. We started soon to add new features, the first was:
- Rememberable: handles signing users in automatically from cookies.
After people were asking for easier ways to create their migrations, so we introduced a new module with Devise 0.2:
- Migratable: hooks into ActiveRecord migrations to add helper methods for creating Devise colums. So you can do stuff like
t.confirmableand so on.
To help people getting up and running faster, we created some generators. Now they are:
script/generate devise_install: create devise initializer file to enable some configs and copy default locale file.
script/generate devise MyModel: create a model with setup for Devise, routes and migration.
script/generate devise_views: copy all Devise views to your app/views folder, so you can change it as needed.
Devise 0.3 and 0.4 came soon after, with a lot of bug fixes in generators, I18n, initialization, some deprecations and a bunch of code refactored.
Contributions from community were coming more and more. The first big contribution came with the addition of encryptors. Nowadays Devise supports encrypting passwords with SHA1, SHA512, and BCrypt. It has also support for using the same encryptors as Authlogic, Clearance and Restful Authentication, to help you migrating from these solutions.
We were receiving a lot of issues with functional tests, so we introduced some test helpers to help people with the sign in/out process in this kind of tests called Devise::TestHelper.
As applications grow, more roles may be needed. So we created the possibility to scope your views for each role/scope in your application. This way your user can have a different sign in view than the admin, for example. Reaching Devise 0.6, a lot of improvements on routes and DataMapper support were added.
We were full of nice ideas to add new features, and our TODO was bigger than we like. So we came up with:
- Timeoutable: verify each request to timeout the user session after a certain period of inactivity, asking for credentials again.
- Trackable: records how many times each user has signed in, last timestamps and ips.
Also the loading process and ORM support received a lot of work before launching Devise 0.7.
For Devise 0.8 we looked at tests for MongoMapper and the code got a great review. Also some work was done to get Devise up and running with latest version of Warden and its new features, such as serializers. We also extracted a new base module from Confirmable:
- Activatable: allow setting up extra activation methods for your models.
We were receiving a lot of feedback from the community, and then we merged a cool new feature:
- Lockable: lock accounts based on a number of invalid sign in attempts.
What is new
- Token Authenticatable: validates authenticity of a user while signing in using an authentication token (also known as “single access token”).
In addition, we created the two most requested features for Devise:
- Registerable: handles sign up users through a registration process, and also editing/updating user info and deleting user account.
- HTTP Authenticatable: http basic authentication.
We also added the possibility to use Migratable while editing a table using
change_table, among other fixes.
What comes next
We are preparing a new release of Devise fully compatible with Rails 3. It means Devise has now closed its development for new features in Rails 2.x. We are still going to maintain a 1.0 branch in github for bug fixes to keep everything up and running.
In the end
We would like to say thank you to everyone who has helped us achieve 1.0 version and who is using Devise, testing, creating issues, and giving all this feedback.
Also, for those who were at Rails Summit last year, we proposed something: get the biggest number of watchers on github as fast as possible! When we presented Devise, there were 7 watchers, and if I am right we were 4 of them. At the time of this writing we have 762 watchers. Yeah! I think I can take the risk and say we accomplished it. Thanks!
Happy birthday Devise!
UPDATE: This post was an introduction to Devise and a couple of things changed since then. There is a more recent post which describes the same steps as below using generators and, for a more complete and always updated explanation, please check the README.
In Rails Summit Latin America 2009, we showed Devise in a lightning talk and today we are officially releasing it! Before we show you some code, we are going to explain what we want to achieve with Devise, starting with the most used authentication solution nowadays: Clearance and Authlogic.
Clearance is a full stack authentication solution, implementing all Model, View and Controller layers using Rails Engines. It deals with account confirmation and password recovery. You just need to plug and play! However, you are required to use the model User and it does not allow you have add and/or customize different roles.
When comes to the Model, Authlogic is definitely the most complete solution out there. It handles several cryptography providers and many other goodies which are completely configurable. However, it’s not a full stack solution (it does not say how users should confirm their account or recover their password) and it has a little bit of controversy since it handles the session in a model. So here is the question, where the session could be handled then?
Here comes Warden!
Warden is a general rack authentication framework, developed by Daniel Neighman, which handles the session in a rack middleware. The main benefit from it is that you can share your authentication strategies with several apps, so if you are using Sinatra, Rails and some others middlewares at the same time, they all rely on the same rules!
Devise: strategies for authentication
After we fell in love with Warden and used it in some projects, we decided to create a full stack solution as Clearance, but flexible as Authlogic, on top of Warden. The solution is Devise, a Rails Engine which handles multiple roles, each one of them with different strategies. Devise currently comes with 5 strategies:
- Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in;
- Confirmable: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions;
- Recoverable: takes care of reseting the user password and send reset instructions;
- Rememberable: generates and clears a token to remember the user from a saved cookie;
- Validatable: creates all needed validations for email and password. It’s totally optional, so you’re able to to customize validations by yourself.
The nice thing is: imagine that you are building an app which needs to handle invitations. You just need to create a Invitable strategy on Devise and never implement it again!
Show me the code!
In the README, you will find all the information you need to start using Devise in your projects, so here we are going to cover the main aspects of it. Let’s suppose you are creating an user model, which needs to be authenticated and recover his password. The first step is to create the columns using Devise migration helpers:
create_table :users do |t| # creates email, encrypted_password and password_salt t.authenticatable # creates reset_password_token t.recoverable end
Then you need to declare inside your model which strategies you want to use:
class User < ActiveRecord::User # Authenticatable is always included devise :recoverable, :validatable end
And create the routes:
ActionController::Routing::Routes.draw do |map| # Check for configuration params on README map.devise_for :users end
The route will access your model and create only the routes for the strategies declared. That ensures that your user won’t access the confirmations controller inside Devise. Devise also adds a couple of helpers and filters to be used inside your controllers:
# Inside your protected controller before_filter :authenticate_user! # Inside your controllers and views user_signed_in? current_user user_session
user_session is a hash scoped only to the user. So if you have two roles, they will have different session hashes and their data won’t conflict! This awesome feature come straights from Warden!
Devise also has I18n support and since it’s an engine, you can customize your views just by placing a copy of it in your application. A small application build as example is also available on Github!
What’s more to come?
We are planning to add several other strategies to Devise, including brute force protection, session timeouts and also other features, as generators. You can spy our TODO list whenever you want.