{"id":365,"date":"2009-10-21T00:46:58","date_gmt":"2009-10-21T02:46:58","guid":{"rendered":"http:\/\/blog.plataformatec.com.br\/?p=365"},"modified":"2009-11-05T20:48:32","modified_gmt":"2009-11-05T22:48:32","slug":"devise-flexible-authentication-solution-for-rails","status":"publish","type":"post","link":"https:\/\/blog.plataformatec.com.br\/2009\/10\/devise-flexible-authentication-solution-for-rails\/","title":{"rendered":"Devise: flexible authentication solution for Rails"},"content":{"rendered":"<p><strong>UPDATE:<\/strong> This post was an introduction to Devise and a couple of things changed since then. There is a <a href=\"http:\/\/blog.plataformatec.com.br\/2009\/11\/devise-authentication-for-lazy-programmers\/\">more recent post which describes the same steps as below using generators<\/a> and, for a more complete and always updated explanation, please check the <a href=\"http:\/\/github.com\/plataformatec\/devise\">README<\/a>.<\/p>\n<p>In <a href=\"http:\/\/railssummit.locaweb.com.br\/en\/pages\/home\" target=\"_blank\">Rails Summit Latin America 2009<\/a>, we showed <a href=\"http:\/\/github.com\/plataformatec\/devise\" target=\"_blank\">Devise<\/a> in a lightning talk and today we are officially releasing it! Before we show you some code, we are going to explain what we want to achieve with <a href=\"http:\/\/github.com\/plataformatec\/devise\" target=\"_blank\">Devise<\/a>, starting with the most used authentication solution nowadays: <a href=\"http:\/\/github.com\/thoughtbot\/clearance\" target=\"_blank\">Clearance<\/a> and <a href=\"http:\/\/github.com\/binarylogic\/authlogic\" target=\"_blank\">Authlogic<\/a>.<\/p>\n<h3>Clearance<\/h3>\n<p><a href=\"http:\/\/github.com\/thoughtbot\/clearance\" target=\"_blank\">Clearance<\/a> is a full stack authentication solution, implementing all Model, View and Controller layers using Rails Engines. It deals with account confirmation and password recovery. You just need to plug and play! However, you are required to use the model User and it does not allow you have add and\/or customize different roles.<\/p>\n<h3>Authlogic<\/h3>\n<p>When comes to the Model, <a href=\"http:\/\/github.com\/binarylogic\/authlogic\" target=\"_blank\">Authlogic<\/a> is definitely the most complete solution out there. It handles several cryptography providers and many other goodies which are completely configurable. However, it&#8217;s not a full stack solution (it does not say how users should confirm their account or recover their password) and it has a little bit of controversy since it handles the session in a model. So here is the question, where the session could be handled then?<\/p>\n<h3>Here comes Warden!<\/h3>\n<p><a href=\"http:\/\/github.com\/hassox\/warden\" target=\"_blank\">Warden<\/a> is a general rack authentication framework, developed by <a href=\"http:\/\/github.com\/hassox\" target=\"_blank\">Daniel Neighman<\/a>, which handles the session in a rack middleware. The main benefit from it is that you can share your authentication strategies with several apps, so if you are using Sinatra, Rails and some others middlewares at the same time, they all rely on the same rules!<\/p>\n<h3>Devise: strategies for authentication<\/h3>\n<p>After we fell in love with <a href=\"http:\/\/github.com\/hassox\/warden\" target=\"_blank\">Warden<\/a> and used it in some projects, we decided to create a full stack solution as Clearance, but flexible as Authlogic, on top of <a href=\"http:\/\/github.com\/hassox\/warden\" target=\"_blank\">Warden<\/a>. The solution is <a href=\"http:\/\/github.com\/plataformatec\/devise\" target=\"_blank\">Devise<\/a>, a Rails Engine which handles multiple roles, each one of them with different strategies. Devise currently comes with 5 strategies:<\/p>\n<ul>\n<li><b>Authenticatable<\/b>: responsible for encrypting password and validating authenticity of a user while signing in;<\/li>\n<li><b>Confirmable<\/b>: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions;<\/li>\n<li><b>Recoverable<\/b>: takes care of reseting the user password and send reset instructions;<\/li>\n<li><b>Rememberable<\/b>: generates and clears a token to remember the user from a saved cookie;\n<li><b>Validatable<\/b>: creates all needed validations for email and password. It\u2019s totally optional, so you\u2019re able to to customize validations by yourself.<\/li>\n<\/ul>\n<p>The nice thing is: imagine that you are building an app which needs to handle invitations. You just need to create a Invitable strategy on Devise and never implement it again!<\/p>\n<h3>Show me the code!<\/h3>\n<p>In the <a href=\"http:\/\/github.com\/plataformatec\/devise\" target=\"_blank\">README<\/a>, you will find all the information you need to start using Devise in your projects, so here we are going to cover the main aspects of it. Let&#8217;s suppose you are creating an user model, which needs to be authenticated and recover his password. The first step is to create the columns using Devise migration helpers:<\/p>\n<pre lang=\"ruby\">\r\ncreate_table :users do |t|\r\n  # creates email, encrypted_password and password_salt\r\n  t.authenticatable\r\n\r\n  # creates reset_password_token\r\n  t.recoverable\r\nend\r\n<\/pre>\n<p>Then you need to declare inside your model which strategies you want to use:<\/p>\n<pre lang=\"ruby\">\r\nclass User < ActiveRecord::User\r\n  # Authenticatable is always included\r\n  devise :recoverable, :validatable\r\nend\r\n<\/pre>\n<p>And create the routes:<\/p>\n<pre lang=\"ruby\">\r\nActionController::Routing::Routes.draw do |map|\r\n  # Check for configuration params on README\r\n  map.devise_for :users\r\nend\r\n<\/pre>\n<p>The route will access your model and create only the routes for the strategies declared. That ensures that your user won't access the confirmations controller inside Devise. Devise also adds a couple of helpers and filters to be used inside your controllers:<\/p>\n<pre lang=\"ruby\">\r\n  # Inside your protected controller\r\n  before_filter :authenticate_user!\r\n\r\n  # Inside your controllers and views\r\n  user_signed_in?\r\n  current_user\r\n  user_session\r\n<\/pre>\n<p><strong>user_session<\/strong> is a hash scoped only to the user. So if you have two roles, they will have different session hashes and their data won't conflict! This awesome feature come straights from Warden!<\/p>\n<p>Devise also has I18n support and since it's an engine, you can customize your views just by placing a copy of it in your application. <a href=\"http:\/\/github.com\/plataformatec\/devise_example\" target=\"_blank\">A small application build as example is also available on Github<\/a>!<\/p>\n<h3>What's more to come?<\/h3>\n<p>We are planning to add several other strategies to Devise, including brute force protection, session timeouts and also other features, as generators. You can spy our <a href=\"http:\/\/github.com\/plataformatec\/devise\/blob\/master\/TODO\" target=\"_blank\">TODO list<\/a> whenever you want.<\/p>\n<h3>Our many thanks to<\/h3>\n<p><a href=\"http:\/\/carlosantoniodasilva.wordpress.com\/\" target=\"_blank\">Carlos Ant\u00f4nio<\/a> which worked on Devise and made it ready for prime time! <a href=\"http:\/\/twitter.com\/jncoward\" target=\"_blank\">Jonas Nicklas<\/a>, which introduced us to <a href=\"http:\/\/github.com\/hassox\/warden\" target=\"_blank\">Warden<\/a> and <a href=\"http:\/\/twitter.com\/hassox\" target=\"_blank\">Daniel Neighman<\/a> for building and maintaining it! <\/p>\n<p>We also want to thank <a href=\"http:\/\/robots.thoughtbot.com\/\" target=\"_blank\">Thoughtbot<\/a> guys, which wrote several <a href=\"http:\/\/robots.thoughtbot.com\/post\/159805420\/sign-up-sign-in-sign-out\" target=\"_blank\" >decisions<\/a> and <a href=\"http:\/\/robots.thoughtbot.com\/post\/159805560\/tips-for-writing-your-own-rails-engine\" target=\"_blank\">tips<\/a> they took while developing <a href=\"http:\/\/github.com\/thoughtbot\/clearance\" target=\"_blank\">Clearance<\/a> which helped us while building <a href=\"http:\/\/github.com\/plataformatec\/devise\" target=\"_blank\">Devise<\/a>.<\/p>\n<p>Finally, thanks to <a href=\"http:\/\/www.akitaonrails.com\/\" target=\"_blank\" >F\u00e1bio Akita<\/a> for giving us the chance to release it at Rails Summit and Gregg Pollack for releasing <a href=\"http:\/\/ruby5.envylabs.com\/episodes\/21\" target=\"_blank\">Devise on Ruby 5<\/a>!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>UPDATE: This post was an introduction to Devise and a couple of things changed since then. There is a more recent post which describes the same steps as below using generators and, for a more complete and always updated explanation, please check the README. In Rails Summit Latin America 2009, we showed Devise in a &#8230; <a class=\"read-more-link\" href=\"https:\/\/blog.plataformatec.com.br\/2009\/10\/devise-flexible-authentication-solution-for-rails\/\">\u00bb<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ngg_post_thumbnail":0,"footnotes":""},"categories":[1],"tags":[37,36,39,23,7],"aioseo_notices":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/365"}],"collection":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/comments?post=365"}],"version-history":[{"count":24,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/365\/revisions"}],"predecessor-version":[{"id":424,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/posts\/365\/revisions\/424"}],"wp:attachment":[{"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/media?parent=365"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/categories?post=365"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.plataformatec.com.br\/wp-json\/wp\/v2\/tags?post=365"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}