I think the question is not “does every app need this feature” but “is there a single solution for this feature that will work for most apps”. Things like file storage (ActiveStorage), email (ActiveMailer), etc the answer is generally yes.
Sure there are other solutions. For example we have Paperclip, Dragonfly, Carrierwave, etc for file storage. But ActiveStorage can be a solution that will work for most applications.
For authentication the answer is different. Authentication gets complicated and divergent quickly. Are you even using passwords or are you authenticating via email (like Medium). Do you allow social logins? If so which ones? What about enterprise identity management systems like ActiveDirectory? Do you support 2FA? If so which ones? TOTP? Hardware key? What about security? Should the authentication rate limit? Lockout after a certain amount of attempts? Validate your password is a certain length? Validate it’s not a dictionary word?
There are so many questions and answers to these question that there isn’t one solution to satisfy most apps. For an internal app HTTP Auth with hard-coded credentials might be sufficient. For other apps they don’t want the responsibility of dealing with credentials so only social logins are supported. Other apps want to outsource it to a provider like Auth0.
Because of this goal diversity a marketplace of options is probably best. My list is:
- HTTP Auth - Toy/Internal apps. This is actually built-in to Rails!
- Omniauth - Social-login focused (although there is a user/pass provider)
- Devise - A kitchen sink of many features you likely want (and probably a few you don’t)
- Auth0 - Enterprise apps that need integration with things like ActiveDirectory