DEV Community

Janko Marohnić
Janko Marohnić

Posted on

Rodauth 2.0 and rodauth-rails released

Jeremy Evans has recently released Rodauth 2.0, which revamps the multifactor authentication flow, adds active sessions and audit logging features, and brings numerous other improvements. See the release notes for the full list of changes.

For those who are not familiar, Rodauth is a full-featured Rack-based authentication framework built on top of Roda & Sequel, but usable in any web framework. It's an alternative to Devise, Sorcery, Clearance, Authlogic etc, with the following features that make it stand out for me:

  • amount of features built in, including multifactor authentication (TOTP, SMS codes, recovery codes, WebAuthn) and email authentication (aka "passwordless")
  • JSON API support with JWT
  • advanced security features, such as ability to protect password hashes even in case of SQL injection (using 2 database accounts), and including account id in tokens allowing brute-force attempts only for a single account
  • features are contained in a single file, instead of being spread across many different places
  • authentication behaviour is configured in a one place (your Rodauth app), and each setting can be configured statically or dynamically based on request context and account record

In order to bring Rodauth closer to the Rails community, I've created the rodauth-rails gem, which provides the Rails glue that I needed for my own Rails app at work (see the demo app). It brings the following features:

  • generators for Active Record migration, views and emails
  • configures Sequel to reuse Active Record's connection
  • template rendering with Action Controller & Action View
  • email creation with Action Mailer
  • integration with Rails' CSRF protection and flash messaging
  • easier set of Rodauth defaults and other niceties

I'm preparing to write a full blog post, but for now here is some example configuration:

class RodauthApp < Rodauth::Rails::App
  configure do
    enable :create_account, :verify_account, :verify_account_grace_period,
      :login, :remember, :logout, :reset_password, :close_account

    # Remember all logged in users.
    after_login { remember_login }

    # Redirect back to originally requested location after authentication.
    login_return_to_requested_location? true

    # Redirect to home page after logout.
    logout_redirect "/"

    # Redirect to wherever login redirects to after account verification.
    verify_account_redirect { login_redirect }

    # Autologin the user after they have reset their password.
    reset_password_autologin? true

    # Delete the account record when the user has closed their account.
    delete_account_on_close? true

    # Method that creates email with reset password instructions.
    create_reset_password_email do
      RodauthMailer.reset_password(email_to, password_reset_email_link)

    # Method that creates email with account verification.
    create_verify_account_email do
      RodauthMailer.verify_account(email_to, verify_account_email_link)

  route do |r|
    rodauth.load_memory # autologin remembered accounts

    r.rodauth # route rodauth requests

    if r.path.start_with?("/dashboard")
      rodauth.require_authentication # require auth for /dashboard/* requests
Enter fullscreen mode Exit fullscreen mode

On a personal note, Rodauth is one of these projects that keep me genuinely interested in web development with Ruby. I'm thoroughly impressed by its design, and I feel like contributing to it has made me grow as a developer. I'm curious to hear your thoughts :)

Top comments (0)