Why is there no simple default auth in Rails?

Hello, I’m a Rails newbie.

I wonder why there is no simple auth (sign-in, sign-up, restore password) in the Rails app?

I found that I need to use Devise but it’s too complicated for me, and it would be much nicer to add an auth option for new Rails apps like:

rails new my_app --auth

The same as in Laravel.

Also, Devise is not supported in Rails 7 yet? (I might be wrong).

Thanks.

2 Likes

Devise is the de-facto standard for Rails and it’s simple to use:

We’ve been using it for 10+ years without any problems and it will certainly support Rails 7.

1 Like

He is not wrong though? It still would be nice having a quick generator for doing auth? Rails is known for having a bunch of useful generators: actionmailer, activestorage

This is something that has been coming up time and time again for a very long time. What’s even crazy here is that many of the Rails alternatives, some of them even Rails-inspired, are nowadays offering a quick way of scaffolding auth.

1 Like

This is the bug with Rails 7:

You can comment there.

I so agree with this. For some reason #DHH has decided that login, authentication, user management, etc. are all outside the scope. But basically every single Rails app has that (which you can’t say about document uploading (active storage), emailing (active mail), and other built-ins). And pointing to Devise doesn’t do it for me. Last I tried (and based on more recent blogs etc.) Devise is not for everyone, it is very (overly) complicated for most apps. But I asked this question on this site (or another one) several years ago and was told to forget about it, it’s never gonna happen.

I think the question is not “does every app need this feature” but “is there a single solution for this feature that will work for most apps”. For things like file storage (ActiveStorage), email (ActiveMailer), etc., the answer is generally yes.

Sure there are other solutions. For example we have Paperclip, Dragonfly, Carrierwave, etc for file storage. But ActiveStorage can be a solution that will work for most applications.

For authentication the answer is different. Authentication gets complicated and divergent quickly. Are you even using passwords or are you authenticating via email (like Medium)? Do you allow social logins? If so which ones? What about enterprise identity management systems like ActiveDirectory? Do you support 2FA? If so which ones? TOTP? Hardware key? What about security? Should the authentication rate limit? Lock out after a certain amount of attempts? Validate your password is a certain length? Validate it’s not a dictionary word?

There are so many questions and answers to these questions that there isn’t one solution to satisfy most apps. For an internal app HTTP Auth with hard-coded credentials might be sufficient. Other apps don’t want the responsibility of dealing with credentials, so only social logins are supported. Other apps want to outsource it to a provider like Auth0.

Because of this goal diversity a marketplace of options is probably best. My list is:

  • HTTP Auth - Toy/Internal apps. This is actually built-in to Rails!
  • Omniauth - Social-login focused (although there is a user/pass provider)
  • Devise - A kitchen sink of many features you likely want (and probably a few you don’t)
  • Auth0 - Enterprise apps that need integration with things like ActiveDirectory

There also is Clearance from Thoughtbot:

1 Like
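The password-length, dictionary-word and lockout questions raised earlier in the thread, as an added sketch in plain Ruby (it is not part of any post and is not Rails or Devise code). `Policy`, `Account` and every threshold are hypothetical, and standard-library PBKDF2 stands in for whatever password hashing a real app would choose.

```ruby
require "openssl"
require "securerandom"

# Hypothetical policy knobs: each value is a per-app decision, not a framework default.
Policy = Struct.new(:min_length, :banned_words, :max_failures, :lockout_seconds, keyword_init: true)
class Account
  ITERATIONS = 100_000 # constructed value for this sketch

  # Returns the list of policy violations for a candidate password (empty if none).
  def self.password_problems(password, policy)
    problems = []
    problems << "too short" if password.length < policy.min_length
    problems << "dictionary word" if policy.banned_words.include?(password.downcase)
    problems
  end

  def initialize(password, policy)
    problems = self.class.password_problems(password, policy)
    raise ArgumentError, problems.join(", ") unless problems.empty?
    @policy = policy
    @salt = SecureRandom.bytes(16)       # per-account random salt
    @digest = derive(password)           # only the derived key is kept
    @failures, @locked_until = 0, nil
  end

  # Returns :ok, :invalid or :locked. `now` is injectable so lockout can be tested.
  def authenticate(password, now: Time.now)
    return :locked if @locked_until && now < @locked_until
    if secure_eq?(derive(password), @digest)
      @failures = 0
      return :ok
    end
    @failures += 1
    if @failures >= @policy.max_failures
      @locked_until = now + @policy.lockout_seconds
      @failures = 0
    end
    :invalid
  end

  private
  def derive(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256"))
  end

  def secure_eq?(a, b) # constant-time comparison of two equal-length strings
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Locking per account is itself a trade-off, since repeated failed attempts against a known username lock its owner out; that is one reason the "rate limit or lock out?" question has no single answer.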

A simple db auth should be provided by the web framework. If you want social auth, that’s when you maybe should start looking into gems that handle these things.

I found two frameworks that I follow that have both included some kind of auth-system

https://dashbit.co/blog/a-new-authentication-solution-for-phoenix

1 Like