I used this as a basis cos current gig said no Devise https://dev.to/stevepolitodesign/rails-authentication-from-scratch-38m2
This was useful too https://blog.corsego.com/omniauth-without-devise

It's actually pretty easy. I can't quite work out what the omniauth gem does (injects something into Rack, I think): GET methods get transformed into POSTs that go out to the provider. That I did not like, cos rails routes doesn't tell you anything useful and magic spells bad. If I hadn't been pressed for time I'd have done Omniauth myself.

On Tuesday, August 20, 2024 at 8:09:44 AM UTC+1 Darren Jones wrote:
> Thanks for those replies. Think I’ll give those generators from Rails 8 a try.
>
> Some nice ideas there Lee. I’m thinking of setting up a template with some auth in place to make firing up a demo site easier.
>
> On Mon, 19 Aug 2024 at 09:53, Lee Hambley <lee.h...@gmail.com> wrote:
>
>> It also depends on how far you want to go.
>>
>> In the wider world Google's Zanzibar has become quite popular, which is a general *authorization* framework. There's also AWS's Verified Permissions where you can centralize rules about who can "verb" which "noun". Zanzibar has open source implementations, and all the good docs come from Auth0, but it's certainly worth a look.
>>
>> With regards to *authentication* I find myself implementing OAuth2 and OIDC on every new project. I just assume that users are coming in with a UUID identifier, and a signed token. I don't care where that token comes from as long as my app has the relevant public/private key to authenticate it.
>>
>> That means when I'm starting out a new project I can just make broad assumptions that a user will have a JWT/cookie and a UUID, and _how_ the user gets that token down the line is easy for me to handle later. Then you practically get SSO for free. It also makes testing easier, as your app can just assume that any valid token with a "sub" claim (subscriber ID) is a valid user (who likely has no email/profile/given name, etc.) so you avoid a lot of bootstrapping and factories in tests.
>>
>> It also means that when I set up a new project I make a `/login` page which just has a list of 3/4 example users and with a click it sets a cookie/jwt and that lets me hop between demo users nice and easily.
>>
>> I know that's pretty left of field for Rails apps where there's often a "batteries included" way of doing things, but in my experience it all pays off quite quickly.
>>
>> (This idea was honed over a few years coaching startups in Google's accelerator; we needed to get product demos up and running ASAP and people would always spend a day working on login and lose 20% of the on-site tutoring time during the on-site weeks. This approach gave the folks more time to work on differentiating features, and also created an easy "demo" mode they could show to prospective customers when we sent them out doing user interviews.)
>>
>> Lee Hambley
>> http://lee.hambley.name/
>> +49 (0) 170 298 5667
>>
>> On Sun, 18 Aug 2024 at 19:13, Tekin Süleyman <te...@tekin.co.uk> wrote:
>>
>>> One option worth considering today is to roll your own. Rails has much of the basic building blocks for authentication built directly into the framework now, and Rails 8 will ship with a set of generators that do a decent job of giving you the scaffolding code right there in your app where you can easily reason about it and modify it to suit your needs. You can get access to those generators today from Rails main.
>>> https://www.bigbinary.com/blog/rails-8-introduces-a-basic-authentication-generator
>>>
>>> I personally prefer the directness and flexibility of having my authentication code alongside the rest of my code over the indirection of it being loaded from a gem where it’s harder to reason about and more difficult to override/modify behaviour. The downside of course is you are now more directly responsible for ensuring your code is safe and secure.
>>>
>>> The generated code approach is actually what José Valim, the original creator of Devise, now recommends over the auth-in-a-box approach of libraries like Devise (https://dashbit.co/blog/a-new-authentication-solution-for-phoenix) and I believe they now have generators as part of the Phoenix framework.
>>>
>>> Tekin
>>>
>>> On 18 Aug 2024, at 3:00 PM, DAZ <daz...@gmail.com> wrote:
>>>
>>> Devise seems to be the go-to gem for auth, but has anyone found any others that are worth trying?
>>>
>>> Rob mentioned Clearance at the talk on Thursday, but I thought he also said it might be being sunsetted as well.
>>>
>>> Are there any others that people have used?
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "North West Ruby User Group (NWRUG)" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to nwrug-member...@googlegroups.com.
>>> To view this discussion on the web, visit https://groups.google.com/d/msgid/nwrug-members/66555abd-7ca8-40d5-9da1-f4fb89864ad6n%40googlegroups.com.
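Lee's approach above ("any valid token with a `sub` claim is a valid user", plus a `/login` page that mints a token for one of a few demo users) is shown here as an added example; it is not code from the thread or from any of the posters. It uses only the Ruby standard library (`openssl`, `json`) to issue and verify an RS256 JWT. The key pair, the demo user list, the UUIDs and the claim names are all constructed for this example; in a real deployment the app would hold only the provider's public key (e.g. fetched from its JWKS endpoint) and the private key would live with the identity provider.

```ruby
require "openssl"
require "json"

# Constructed for this example. A verifying app would normally hold only the
# public half; the private key stays with whoever issues tokens.
DEMO_KEY = OpenSSL::PKey::RSA.new(2048)

# Constructed demo users for a /login-style picker page (name => UUID "sub").
DEMO_USERS = {
  "alice" => "0d0c1f2e-1111-4c6a-9b0e-000000000001",
  "bob"   => "0d0c1f2e-2222-4c6a-9b0e-000000000002",
}.freeze

# Pin the algorithm: the token's own "alg" header is never trusted to choose
# the verification method (this is what rejects alg=none and key-confusion).
ALLOWED_ALGS = ["RS256"].freeze

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  padded = str + "=" * ((4 - str.length % 4) % 4)
  padded.tr("-_", "+/").unpack1("m0") # strict decode; raises ArgumentError on junk
end

# Mint an RS256 JWT for a subject. ttl is in seconds.
def issue_token(sub, key: DEMO_KEY, ttl: 3600, now: Time.now.to_i)
  header  = { alg: "RS256", typ: "JWT" }
  payload = { sub: sub, iat: now, exp: now + ttl }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest.new("SHA256"), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# What the /login demo page does: pick a known demo user, get a token back.
# Unknown names get nil rather than a freshly invented identity.
def demo_login(name, now: Time.now.to_i)
  sub = DEMO_USERS[name]
  sub && issue_token(sub, now: now)
end

# Returns [:ok, claims] or [:error, reason]. Order matters: structure, then
# algorithm allow-list, then signature, and only then do we read the claims.
def verify_token(token, public_key:, now: Time.now.to_i)
  parts = token.to_s.split(".")
  return [:error, "malformed"] unless parts.length == 3
  h, p, s = parts

  header = JSON.parse(b64url_decode(h))
  return [:error, "malformed"] unless header.is_a?(Hash)
  return [:error, "alg not allowed"] unless ALLOWED_ALGS.include?(header["alg"])

  valid = public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{p}")
  return [:error, "bad signature"] unless valid

  claims = JSON.parse(b64url_decode(p))
  return [:error, "malformed"] unless claims.is_a?(Hash)
  return [:error, "missing sub"] unless claims["sub"].is_a?(String) && !claims["sub"].empty?
  return [:error, "expired"] if claims["exp"].is_a?(Integer) && claims["exp"] <= now

  [:ok, claims]
rescue JSON::ParserError, ArgumentError, OpenSSL::OpenSSLError => e
  [:error, "malformed: #{e.class}"]
end

if __FILE__ == $PROGRAM_NAME
  token = demo_login("alice")
  puts token
  p verify_token(token, public_key: DEMO_KEY.public_key)
end
```

The deliberate gap between "signature valid" and "user exists" is the point of Lee's approach: the app trusts the `sub` claim and does not need a user row to exist before a request is accepted. If you adopt it, also pin `iss` and `aud` to your provider and your app once those are known, so a token minted for another service by the same provider cannot be replayed against this one.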