cristiano

Is going for Devise for user authentication a good choice for a first Rails app or should I write it from scratch?

Question

I am writing a Ruby on Rails application and started looking into adding user accounts so I can scope access of different parts of the application.

The Devise documentation recommends that beginners start by setting up their own authentication before using the gem.

Setting up custom authentication logic seems to be okay but what would be the trade-offs? And if I would like to move to Devise after a while would that be challenging or even worth doing?

Would appreciate hearing from more experienced RoR devs. 🙏

Thanks a lot!

What I've learned

Either option is feasible; it seems that going with a custom implementation allows more control over the authentication and authorization aspects of the app. It can be a good way of learning about how these features work in general. The cons can be that it can be a complex aspect of the app that needs to be maintained and monitored to make sure exploits are fixed over time, if any.

This is a great guide to get started creating an auth system in Rails:

Additionally, Chris Oliver's Ruby on Rails for Beginners covers this topic: https://gorails.com/episodes/rails-for-beginners-part-11-creating-the-user-model

Using Devise is an out-of-the-box solution; everything needed for auth is already available, including e-mail confirmation and password recovery. Since it's used and maintained by a large number of developers, improvements are constantly being made and the gem is kept up to date, which can make it more secure to use. On the other hand, it can be a black box, and its source and features are something that is known over time by using it and reading the code (which is not a bad thing).

A guide for getting started with Devise can be found here: https://github.com/heartcombo/devise#getting-started

Top comments (8)

guledali • Edited

I don't think I'm qualified to answer, but here is some of my input.

This is my personal opinion: if you look at any gem, view the source code, and don't understand how it works, I think you're better off building your own or finding another gem that is easier to understand. The reason I say this is that most often you will have to go back to the code and tweak it, you may have to add features on top of it, and if you don't understand the underlying code then there is a problem. Just imagine yourself if a client comes up tomorrow with different requirements and requests you to build something on top of that gem, maybe extending the functionality.

Going back to your original question about using devise, my follow-up question is: have you ever built your own auth before? It's surprisingly easy in rails with has_secure_password and the session method in the controller; you could easily build your own in an hour or even less.

What I do like about the devise gem is that it gives you a lot of nice helpers that you can use in your testing. I would probably recommend building your own and making sure you write some integration tests as well.

cristiano

Thanks guledali, appreciate your comment.

I ended up doing both to test it out. Writing my own implementation seems to be fast initially but it seems Devise comes with a lot of other useful features out of the box like email confirmation, password recovery and more.

For someone looking to get something going I think it's best to go with Devise; if someone is trying to learn how auth works, like Robert mentioned, it's worth doing one from scratch.

I guess these sort of questions are difficult to answer without giving it a try ourselves! Appreciate you taking the time to help out. 🙏

guledali

Yeah, devise gives you the whole setup out of the box; in all fairness you could still rebuild all that, like email confirmation with action-mailer. I don't know this process off the top of my head, it has been a while, but I recommend checking out the Michael Hartl railstutorial; it goes through much of that process really well, and it used to be free. Just make sure you know what's happening behind the scenes, because I would certainly avoid devise if I had never built auth before.

One thing that this conversation has convinced me of is that rails should at this point really ship with some authentication helpers. A bit surprising that they ship with ActionText; it's not something that belongs in most apps, it's more suited if you are building a blog engine.

cristiano

Yeah that’s a good observation, it does include ActionText but no authentication helpers. Perhaps there’s a reason behind it, authentication could have different layers of complexity and maybe creating a convention for it might not be that straightforward?

Thanks for the suggestion. I did read Hartl’s book last year cover to cover, super helpful!

I mean, I do understand anything can be built from scratch; in fact I built an account creation system years ago in PHP and it is a great learning experience, but it also shows how many things need to be taken into account and how much effort needs to be put into it. Really grateful these libraries exist, otherwise it would take a long time until anything gets shipped. 😂

Augusts Bautra

Use Devise. Read the docs and use the core modules like secure password. This will expose you to deliberations and considerations made by experienced developers, especially in the domain of app security.

Rolling your own solution will train writing Ruby code and working with Rails, but that's about it.

Robert

Hi! What is your learning goal?

cristiano • Edited

Hey Robert! It would be helpful to know why it would be recommended to write my own first before installing Devise.

I do understand it might be because then I'll know how to go about it. I imagine it would be something along the lines of creating a User model with validations and a few methods to scope the views to the ones logged in users are authorized to access, and create/destroy user sessions?

On the other hand, if that's the goal, I guess it doesn't mean that I'll know how Devise works behind the scenes, so why not install it from the start and read the source and documentation if I get stuck?

Maybe I'm overthinking this really.
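
What the hand-rolled approach mentioned in guledali's and cristiano's comments has to cover, as an added example that is not code from the thread, Rails or Devise: plain Ruby in which PBKDF2 from the standard library stands in for the bcrypt hashing behind has_secure_password, and a Hash stands in for the Rails session. All method names and the sample user are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

# Added illustration: PBKDF2 (stdlib) is swapped in for bcrypt; names are hypothetical.
ITERATIONS = 200_000
KEY_LEN = 32

# Salted, deliberately slow hash, stored as "iterations$salt_hex$hash_hex".
def hash_password(password, salt = SecureRandom.bytes(16), iterations = ITERATIONS)
  dk = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LEN,
                                  OpenSSL::Digest.new("SHA256"))
  [iterations, salt.unpack1("H*"), dk.unpack1("H*")].join("$")
end

# Constant-time comparison so the position of a mismatch does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(password, stored)
  iterations, salt_hex, = stored.split("$")
  secure_compare(hash_password(password, [salt_hex].pack("H*"), iterations.to_i), stored)
end

# Stand-in for the users table (constructed sample data).
USERS = { "ada@example.test" => hash_password("correct horse battery") }
# Checked when the e-mail is unknown, so both failure paths do the same work.
DUMMY_HASH = hash_password(SecureRandom.hex(16))

# Stand-in for a sessions controller's create action; `session` is a plain Hash.
def log_in(session, email, password)
  key = email.to_s.strip.downcase
  stored = USERS.fetch(key, DUMMY_HASH)
  ok = password_matches?(password.to_s, stored) && USERS.key?(key)
  return [false, "Invalid e-mail or password"] unless ok # same message for both failures
  session.clear                        # like reset_session: drop pre-login state
  session[:user_email] = key
  session[:sid] = SecureRandom.hex(32) # fresh identifier after authentication
  [true, nil]
end

# Stand-in for the destroy action.
def log_out(session)
  session.clear
end
```

E-mail confirmation, password recovery, lockouts and rate limiting are not covered here; those are the extra pieces the thread credits Devise with providing out of the box.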

Robert

I don't see a specific learning goal, so, to come back to your post title: Devise is a 'good' choice. Unless you want to learn more about authentication in the first rails app.