I am writing a Ruby on Rails application and started looking into adding user accounts so I can scope access of different parts of the application.
The Devise documentation recommends that beginners start by setting up their own authentication before using the gem.
Setting up custom authentication logic seems to be okay but what would be the trade-offs? And if I would like to move to Devise after a while would that be challenging or even worth doing?
Would appreciate hearing from more experienced RoR devs. 🙏
Thanks a lot!
Either option is feasible; it seems that going with a custom implementation allows more control over the authentication and authorization aspects of the app. It can be a good way of learning about how these features work in general. The cons can be that it can be a complex aspect of the app that needs to be maintained and monitored to make sure exploits are fixed over time, if any.
This is a great guide to get started creating an auth system in Rails:
Additionally, Chris Oliver's Ruby on Rails for Beginners covers this topic: https://gorails.com/episodes/rails-for-beginners-part-11-creating-the-user-model
Using Devise is an out-of-the-box solution: everything needed for auth is already available, including e-mail confirmation and password recovery. Since it's used and maintained by a large number of developers, improvements are constantly being made and the gem is kept up to date, which can make it more secure to use. On the other hand it can be a black box, and its source and features are something that becomes known over time by using it and reading the code (which is not a bad thing).
A guide for getting started with Devise can be found here: https://github.com/heartcombo/devise#getting-started
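To make the "custom implementation" trade-off above concrete, here is an added, framework-free sketch of the minimum a hand-rolled login needs to get right: salted password hashing with a work factor, constant-time digest comparison, opaque random session tokens, and equal timing for "unknown user" and "wrong password". This is example code written for this thread, not code from the original post, from Devise, or from the linked guides. The names (`PasswordHasher`, `User`, `SessionStore`) and the PBKDF2 iteration count are assumptions; in a real Rails app you would normally use `has_secure_password` (bcrypt) and Rails' signed cookie session rather than these hand-written pieces.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper (not Devise, not Rails): PBKDF2-HMAC-SHA256 password hashing.
# Rails' has_secure_password does the same job with bcrypt; this uses stdlib only.
module PasswordHasher
  ITERATIONS = 210_000 # work factor; an assumption for the example
  KEY_LEN    = 32
  SALT_LEN   = 16

  # Returns "pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>" so the
  # parameters travel with the hash and can be raised later without a migration.
  def self.create(password)
    salt   = SecureRandom.random_bytes(SALT_LEN)
    digest = derive(password, salt, ITERATIONS)
    ["pbkdf2-sha256", ITERATIONS, salt.unpack1("H*"), digest.unpack1("H*")].join("$")
  end

  # Returns true/false and never raises on malformed input.
  def self.verify(stored, password)
    algo, iters, salt_hex, digest_hex = stored.to_s.split("$", 4)
    return false unless algo == "pbkdf2-sha256" && iters.to_i > 0 && salt_hex && digest_hex
    expected = [digest_hex].pack("H*")
    actual   = derive(password, [salt_hex].pack("H*"), iters.to_i)
    secure_compare(expected, actual)
  end

  def self.derive(password, salt, iterations)
    OpenSSL::PKCS5.pbkdf2_hmac(password.to_s, salt, iterations, KEY_LEN, "sha256")
  end

  # XOR over every byte so a mismatch does not leak its position via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Hypothetical in-memory User; only the digest is ever stored, never the password.
class User
  attr_reader :email, :password_digest

  def initialize(email, password)
    @email           = email.to_s.downcase.strip
    @password_digest = PasswordHasher.create(password)
  end

  # Same contract as has_secure_password#authenticate: the user, or false.
  def authenticate(password)
    PasswordHasher.verify(password_digest, password) ? self : false
  end
end

# Hypothetical session store: the client only ever holds an opaque random token.
class SessionStore
  # Verified against when the email is unknown, so a failed login costs the
  # same whether the account exists or not (limits user enumeration by timing).
  DUMMY_DIGEST = PasswordHasher.create(SecureRandom.hex(16))

  def initialize
    @sessions = {}
  end

  # users: Hash of normalized email => User. Returns a session token or nil.
  def login(users, email, password)
    user = users[email.to_s.downcase.strip]
    if user.nil?
      PasswordHasher.verify(DUMMY_DIGEST, password) # burn the same work as a real check
      return nil
    end
    return nil unless user.authenticate(password)
    token = SecureRandom.urlsafe_base64(32)
    @sessions[token] = user.email
    token
  end

  def current_user_email(token)
    @sessions[token]
  end

  def logout(token)
    @sessions.delete(token)
  end
end
```

The parts that tend to go wrong in a first custom implementation are exactly the ones shown: a per-user salt, a tunable work factor stored alongside the hash, a comparison that does not short-circuit, and a login path whose failure timing does not reveal whether the email exists. Devise gives you these (plus lockout, confirmation and recovery flows) without having to remember each one.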