I'm looking for a pre-built solution I can use in my RoR application. I'm ideally looking for something similar to the ASP.NET Forms authentication that provides email validation, sign-up controls, and allows users to reset their passwords. Oh yeah, and easily allows me to pull the user that is currently logged into the application.
I've started to look into the already written pieces, but I've found it to be really confusing. I've looked at LoginGenerator, RestfulAuthentication, SaltedLoginGenerator, but there doesn't seem to be one place that has great tutorials or provide a comparison of them. If there's a site I just haven't discovered yet, or if there is a de-facto standard that most people use, I'd appreciate the helping hand.
AuthLogic appears to be the new kid on the block and seems to be the next evolution of restful_authentication, easier to use, etc.
http://github.com/binarylogic/authlogic/tree/master
Edit: now that Rails 3 is out, Devise seems to be the new, new kid on the block
https://github.com/plataformatec/devise
or I have been rolling my own authentication now with the has_secure_password built in to Rails http://railscasts.com/episodes/250-authentication-from-scratch-revised
Side note: Ruby Toolbox is a great site for finding the current best solution in various categories (based on the number of GitHub watchers):
http://ruby-toolbox.com/categories/rails_authentication.html
I would really recommend Restful Authentication. I think it's pretty much the de-facto standard.
For a really simple solution go with Clearance.
If you are looking for more options Devise is a great solution. It uses Warden which is a rack based authentication system.
There's also RestfulOpenIDAuthentication if you want OpenID support in addition to password support.
Just a note, LoginGenerator and SaltedLoginGenerator have been superseded by Restful Authentication and are unsupported on newer Rails releases -- don't waste any time on them, though they were great at the time.
I'd also like to point out an excellent tutorial/discussion on extending the core functionality of Restful Authentication, in case you're looking for something a bit more robust.
I'm really liking thoughtbot's clearance. Very simple and has a few good hooks and is testable.
AuthLogic seems to be what you want for this. It's very configurable, and although it doesn't generate the code for you, it's quite easy to use. For email validation and password recovery you probably want to use the :perishable_token column. AuthLogic takes care of it, you only need to reset it when it's used. For information on how to set up a basic app, you can take a look at Ryan Bates' Railscast on AuthLogic, and the "official" example app. Ben Johnson, the creator of AuthLogic has also written a blog post on how to RESTfully reset passwords.
Unfortunately I can't post more than one link, but the links to the railscast, the password reset blog post and the example app are all in the README (see the AuthLogic repo for the README)
Update: Now I can post more links, so I linked some more. Thank you marinatime for adding the link in the meanwhile
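The perishable-token idea from the answer above, sketched in plain Ruby as an added example (not AuthLogic's code and not part of the original answers). The `ResetTokenStore` class, its in-memory hash and the 10-minute lifetime are assumptions made for illustration.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-in for a users table; not AuthLogic code.
class ResetTokenStore
  TTL = 10 * 60 # seconds a token stays valid (assumed value)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @rows = {} # email => { digest:, issued_at: }
  end

  # Issue a fresh token, replacing any earlier one for this account.
  # Only the SHA-256 digest is stored, so a leaked table does not
  # hand out working reset links.
  def issue(email)
    token = SecureRandom.urlsafe_base64(32)
    @rows[email] = { digest: Digest::SHA256.hexdigest(token),
                     issued_at: @clock.call }
    token # goes into the e-mailed link, never into the database
  end

  # True exactly once for a valid, unexpired token; the row is then
  # cleared ("reset it when it's used"). Expired rows are cleared too.
  def redeem(email, token)
    row = @rows[email]
    return false unless row
    candidate = Digest::SHA256.hexdigest(token.to_s)
    match = self.class.secure_compare(candidate, row[:digest])
    fresh = (@clock.call - row[:issued_at]) <= TTL
    @rows.delete(email) if match || !fresh
    match && fresh
  end

  # Comparison that does not stop at the first differing byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A wrong guess leaves the stored token in place, so a real deployment would also rate-limit redemption attempts per account.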
restful_authentication is a powerful tool which is very flexible and provides most of what you are looking for out of the box. However, a couple of caveats:
Don't think in terms of 'controls'. In Rails the Model, View and Controller are much more independent than in 'Webforms-style' ASP.NET. Work out what you want from each layer independently, write tests/specs to match and make sure each layer is doing what you expect.
Even if you are using a plugin there is no substitute for reading (at least some) of the code generated. If you have a big-picture idea of what is going on under the hood, you will find debugging and customising much easier.
The plugin restful_authentication, and other plugins that extend it, answer your needs perfectly. A quick search on github.com will reveal a lot of tutorials, examples, and extensions. Just go here:
- http://github.com/search?q=restful_authentication
There are several projects that use restful_authentication just to provide examples of a bare-bones Rails app with just the authentication parts.
http://github.com/fudgestudios/bort -- A base rails app featuring: RESTful Authentication
http://github.com/mrflip/restful_authentication_example -- Another project with a great example of how to use restful_authentication
http://github.com/activefx/restful_authentication_tutorial -- Same as above, with some other plugins bundled.
http://railscasts.com/episodes/67-restful-authentication -- a great screencast explaining restful_authentication
This information should be enough to get you started finding heads and tails ... good luck.
Just updating this: Ryan Bates' Railscast #250 shows building an authentication system from scratch....
Another vote for Clearance - perhaps not as customisable or as 'in' as authlogic, but in terms of just being able to drop it in place and go, it's definitely worth having a look at.
I have been searching a lot on the net to get facebook-connect integrated with authlogic in rails3. There are a number of solutions based on facebooker, oauth etc. but none of them seem to say anything on whether they work with rails 3 or not. Can anyone guide me on how to get facebook-connect working with authlogic in "rails3"? I see that there are a lot of questions related to this on the site but none seems to have actually answered the question.
I strongly recommend you to use http://www.janrain.com/products/engage with this gem https://github.com/tardate/authlogic_rpx. This combo works amazing with two of my projects and it is free if you only want to use authentication (like in my case).
PS. Look at this railscast: http://railscasts.com/episodes/233-engage-with-devise. I know that this podcast shows how to use Janrain with Devise, but it helped me with Authlogic, so it can also help you.
This question aims to understand RoR and frameworks in general. It looks like RoR never had any standard user authentication system. Was it just historical reason (just happened naturally as it did)... or could it be intentional? Because RoR is a website building tool, more often than not, user authentication is a crucial part of a website.
To put it into perspective, another question is, do other popular frameworks, Django, Symfony, CakePHP, have user authentication built in?
There is no reasonably generic way to do user authentication. Most frameworks leave it up to you to choose the plugin that most closely matches what you're trying to accomplish.
For example, consider these two situations:
- a blog which has a single administrator with password-protected admin-facing tools
- a site like YouTube which allows users to sign up and administer their own content
Both of these sites would require vastly different authentication systems; which of these systems should Rails cater to out-of-the-box?
The Rails core team wanted to ensure that Rails was open-ended enough to make anything you want. There is no one-size-fits-all authentication scheme, so the core team decided to leave it out. Rails is easily extendable via gems and plugins, so that is where they belong.
Some examples are Warden and the Rails Warden plugin, Devise, Authlogic, and Restful Authentication.
CakePHP has a built in Authentication component that is pretty straight forward and easy to implement.
Most of these frameworks you mentioned are toolkits, not complete products. You build these things yourself, or leverage plugins from the community. Django's admin plugin/module has authentication out of the box though. Drupal does too, as a matter of fact.
Authentication can be (and is in my opinion) a matter of taste and need. If Rails was including things like that, it would start to become a website and not a framework. The programmer has to be free to choose among various implementations. That is why gems are available.
I've been programming a little in Rails and CakePHP, and I can say that Rails doesn't need to provide a mechanism like this. The community is very very good, and there are many examples (already said, like Devise, Authlogic...) made by very good programmers. Of course, there are many tutorials online (and also, railscasts, which are simply awesome) to program a successful set-up for your project. So, if we have all of this, why should we need something like cakePHP mechanism? It's OK, it works, but there's just a very good tutorial and that's all (and maybe enough..). So, in the end, if you have a nice community you shouldn't care about the core of the technology, there will be always someone else more experienced with your needs that will do it for you. And if you don't find it, do it by yourself and in the process you will find a lot of help! :)
It seems that a lot of Ruby on Rails questions are related to AuthLogic. What are the advantages of it that it is so popular?
It's popular because with Rails 2.2, it was the most complete authentication plugin system.
The authentication is often the base of each web application. It's quickly used on a lot of projects and often beginners start by blindly adding the authlogic plugin. The beginner doesn't understand how it works, and asks some questions on SO.
There is a new, great, and complete plugin for Rails 2.2 and Rails 3. It's called devise. A lot of people come with questions about it as well.
Each plugin is good, each is different. You just need to choose what you want.
There are a few self-contained user frameworks, and AuthLogic is one of the earliest full-featured varieties. Thoughtbot is also pretty good at marketing their technology, and their other gem, Paperclip, is very popular as well.
The advantage of AuthLogic is that you can slap a user authentication system onto an existing application quite easily without having to roll your own, something that is challenging for someone unfamiliar with Rails.
Because it works.
What ruby based forum software would you recommend for integration into an existing rails application and allows single sign-on? I have seen many suggestions in posts for forum software that is no longer maintained (2008 and earlier).
Beast is the most current one I know of, and I'm sure it's the one you are referencing.
The rest is more of a side note, but when I first got into Rails, I asked similar questions, aka, what is the best blog, cms, forum, etc. to use? As it turns out, the Rails community as a whole is interested in use cases that fit outside the plug-n-play web apps, so most people will end up rolling their own to fit their needs exactly if they find occasion to build such an app in Rails. The good news is that I think that I remember hearing that beast is like 800 lines of code, so it can't be too burdensome to either upgrade out of 2.2ish rails or just copy over the logic you need for your forum.
Thredded is very actively maintained!
Thredded is a Rails engine, so it is very easy to integrate it into an existing app.
http://github.com/radar/rboard
Rboard is really pretty awesome. :)
I always refer to Ruby Toolbox on what the rails community prefers.
Here's a good reference http://ruby-toolbox.com/categories/forum_systems.html
Based on the list there are two projects
Rboard - last commit 25 days ago
altered_beast - last commit 12 months ago
I agree with Jed Schneider, in the end most rails guys will roll out their own to fit the exact needs.
Forem and Discourse look promising:
https://github.com/radar/forem
https://github.com/discourse/discourse
Does anyone know of a good guide on building your own authentication system in ruby on rails?
I want to roll my own system to use with my community I'm building :)
Thanks!
I'd recommend starting with Warden - it'll handle the very basics of sessions for you, and give you a good foundation to build your logic on top of. The Rails Warden plugin is a rather small library that helps integrate it into Rails. Both of these projects are fairly mature and well-constructed yet still under active development - they're good choices all around.
You should be aware of Devise, another authentication framework (like Authlogic or Restful Authentication) that is based on Warden. It may not be a good fit for your project (it wasn't for mine), but looking through the source might give you a few ideas on how best to use Warden.
The other thing I'll note is that, in terms of hashing passwords, you should absolutely use bcrypt.
Michael Hartl has a good book coming out soon and the first 8 chapters are available in PDF format for free here: http://www.railstutorial.org/ - they cover the entire process of creating a very solid rspec-driven authentication system - can't recommend it highly enough
Well, it came out a while after you asked your question but the best answer if you're keen to build your own authentication system rather than use something like Devise would probably have to be Ryan Bates' Authentication from Scratch Screencast.
Since authentication is a common problem that has been solved many times already, I would start by investigating the solutions already out there.
For example, have a look at Restful Authentication which provides a good foundation for authentication in Rails. Even if you'd rather roll your own system, playing around with Restful Authentication and understanding how it works should give you a good understanding of the components needed when you start building your own system.
Check out this article:
http://www.aidanf.net/rails_user_authentication_tutorial
The author goes, step by step, through an entire authentication framework, with suggestions on further improvements. Even tests are discussed.
I agree with Ritchie... Devise has some very nice features but it doesn't play nice with others. For many use-cases, the way it hijacks the routing can make your job more difficult. In many situations you may be better off rolling your own.
Devise has caused circular references in my Rails asset pipeline, and the settings in the initializer as installed (in the latest version as of yesterday) conflicted with the defaults in the migration it generated.
I have built enterprise-level authentication systems, including email verification, password recovery, etc. And none of it required the routing shenanigans that Devise uses. If you really need all the features, it may be for you. But there are lots of reasons to not use it, too.