DEV Community

Robertino
Robertino

Posted on • Updated on • Originally published at auth0.com

💎 Five Ruby Gems for Authentication and Authorization 💎

#ruby #programming #security

Original post written by Carla Urrea Stabile for Auth0 blog.

Learn about five different Ruby gems used for authentication and authorization and when to use them.


If you have built a web application, you most likely had to implement user registration, login, and logout and have restricted access to resources depending on the user. This is what authentication and authorization deal with. There are many ways to implement this in Ruby, and they all have pros and cons. In this post, you'll learn about five different gems you can use to implement authentication and authorization in your Ruby application.

Authentication vs. Authorization

Before you jump into the gems, you must understand the difference between authentication and authorization because they are commonly confused.

Authentication is proving if someone or something is who they say they are, while authorization checks if something or someone has access to a particular resource and is allowed to perform a specific action.

One of the reasons these two concepts get misused is because, usually, authentication has to happen first for authorization to occur. You could need to verify a user's identity to determine whether or not they have access to a particular resource.

With these concepts in your mind now, let's head up to the gems.

Authentication Gems

Devise

Devise is an authentication gem for Rails based on Warden, a Rack authentication framework that is based on the modularity concept of only using what you need. Devise is an MVC solution based on Rails engines; it allows you to have authentication on multiple models, meaning you could, for example, have a User model and an Admin model, and they will have different controllers and routes to login, logout, etc.

Because Devise is so heavily based on Rails, it is recommended you have some Rails knowledge before jumping in and using it.

To get it to work in your app, you need to add it to your Gemfile and follow the installation steps from their documentation. Finally, you can create a new model; let's say you want to call it User, for you'll need to run:

rails generate devise User
Enter fullscreen mode Exit fullscreen mode

The above command will create the model, and the migration, which, when you run rails db:migrate looks as follows:

== 20221020152252 DeviseCreateUsers: migrating ================================
-- create_table(:users)
   -> 0.0009s
-- add_index(:users, :email, {:unique=>true})
   -> 0.0003s
-- add_index(:users, :reset_password_token, {:unique=>true})
   -> 0.0002s
== 20221020152252 DeviseCreateUsers: migrated (0.0015s) =======================
Enter fullscreen mode Exit fullscreen mode

The migration creates a new User table and adds a few indexes to the table, such as a unique index for the email and the reset_password_token without you having to do much else.

It will also generate all the necessary routes for you to handle sign-up, login, logout, and even password-set flows:

➜  five-gems git:(main) ✗ rails routes
                  Prefix Verb   URI Pattern                    Controller#Action
        new_user_session GET    /users/sign_in(.:format)       devise/sessions#new
            user_session POST   /users/sign_in(.:format)       devise/sessions#create
    destroy_user_session DELETE /users/sign_out(.:format)      devise/sessions#destroy
       new_user_password GET    /users/password/new(.:format)  devise/passwords#new
      edit_user_password GET    /users/password/edit(.:format) devise/passwords#edit
           user_password PATCH  /users/password(.:format)      devise/passwords#update
                         PUT    /users/password(.:format)      devise/passwords#update
                         POST   /users/password(.:format)      devise/passwords#create
cancel_user_registration GET    /users/cancel(.:format)        devise/registrations#cancel
   new_user_registration GET    /users/sign_up(.:format)       devise/registrations#new
  edit_user_registration GET    /users/edit(.:format)          devise/registrations#edit
       user_registration PATCH  /users(.:format)               devise/registrations#update
                         PUT    /users(.:format)               devise/registrations#update
                         DELETE /users(.:format)               devise/registrations#destroy
                         POST   /users(.:format)               devise/registrations#create
Enter fullscreen mode Exit fullscreen mode

Because of its modularity concept, Devise allows you to include different modules to your models to add the functionality you need for your app. For example, the database_authenticable module allows you to hash the password and validate the authenticity of a user while signing in. The recoverable module enables the password reset functionality, and so on.

Also, on the controller level, Devise provides you with some helpers and filters like the authenticate_user! helper function, which denies controller access to unauthenticated users.

So yeah, Devise sets up many things for you, but once you have added it to your project, you need to maintain your user's table and all the information related to the user's identity.

Read more...

Top comments (0)

Read next

jonathanbrizio profile image

Avoiding Code Chaos: The Broken Windows Principle in Software Development

Jonathan Brizio -

amaanmohib profile image

Use Notion as your CMS along with Next.js

Amaan Mohib -

annoh_karlgusta profile image

The Most Important Thing I learned About Writing Readable Code

Karl Esi -

sainsec profile image

Information Disclosure

Hussain -