He is not wrong though? It still would be nice having a quick generator for doing auth? Rails is known for having a bunch of useful generators: actionmailer, activestorage.
This is something that has been coming up time and time again for a very long time. What’s even crazier here is that many of the Rails alternatives, some of them even Rails-inspired, nowadays offer a quick way of scaffolding auth.
I so agree with this. For some reason #DHH has decided that login, authentication, user management, etc. are all outside the scope. But basically every single Rails app has that (which you can’t say about document uploading (active storage), emailing (active mail), and other built-ins). And pointing to Devise doesn’t do it for me. Last I tried (and based on more recent blogs etc.) Devise is not for everyone; it is very (overly) complicated for most apps. But I asked this question on this site (or another one) several years ago and was told to forget about it, it’s never gonna happen.
I think the question is not “does every app need this feature” but “is there a single solution for this feature that will work for most apps”. For things like file storage (ActiveStorage), email (ActionMailer), etc., the answer is generally yes.
Sure there are other solutions. For example we have Paperclip, Dragonfly, Carrierwave, etc for file storage. But ActiveStorage can be a solution that will work for most applications.
For authentication the answer is different. Authentication gets complicated and divergent quickly. Are you even using passwords, or are you authenticating via email (like Medium)? Do you allow social logins? If so, which ones? What about enterprise identity management systems like ActiveDirectory? Do you support 2FA? If so, which ones? TOTP? Hardware key? What about security? Should the authentication rate limit? Lock out after a certain number of attempts? Validate your password is a certain length? Validate it’s not a dictionary word?
There are so many questions and answers to these questions that there isn’t one solution to satisfy most apps. For an internal app, HTTP Auth with hard-coded credentials might be sufficient. Other apps don’t want the responsibility of dealing with credentials, so only social logins are supported. Other apps want to outsource it to a provider like Auth0.
Because of this goal diversity a marketplace of options is probably best. My list is:
HTTP Auth - Toy/Internal apps. This is actually built-in to Rails!
Omniauth - Social-login focused (although there is a user/pass provider)
Devise - A kitchen sink of many features you likely want (and probably a few you don’t)
Auth0 - Enterprise apps that need integration with things like ActiveDirectory
There are many ways in which an authentication system can be bespoke. (Just look at all of the ways Devise can be configured!) I believe the aversion to a default authentication system is based on the desire to encourage developers to design a system that is right for their app.
With that in mind, I’ve submitted a few PRs that I hope could make it nicer to implement a bespoke system:
They haven’t gotten much traction yet, but feedback is welcome.
I have a few more ideas for features I would like to see (such as automatically re-hashing a password on login if the BCrypt cost has changed), but I’m not yet sure how to make them suitable for Rails. For anyone who has implemented their own bespoke authentication system: what would make your code nicer?
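The “re-hash on login when the cost has changed” idea above, as an added example that is not part of this thread or of any of the submitted PRs. It uses PBKDF2-HMAC-SHA256 from Ruby’s OpenSSL standard library instead of the bcrypt gem so it runs with no extra dependency; the stored-string format (`pbkdf2-sha256$<iterations>$<salt>$<digest>`), the `PasswordHash` module and its method names are all constructed for this example. The iteration count plays the role of BCrypt’s cost: the login path verifies the password, then compares the work factor recorded in the stored hash with the current target and hands back an upgraded hash for the caller to persist.

```ruby
require "openssl"
require "securerandom"

# Added example, not from the thread: transparent work-factor upgrade on login.
# The stored format "pbkdf2-sha256$<iterations>$<salt_hex>$<digest_hex>" is
# constructed here; bcrypt's "$2a$<cost>$..." string carries the same information.
module PasswordHash
  ALGORITHM = "pbkdf2-sha256"
  KEY_LENGTH = 32   # bytes of derived key stored as the digest
  SALT_LENGTH = 16  # bytes of random salt per password

  # Hash a password at the given work factor (iteration count).
  def self.create(password, iterations:)
    salt = SecureRandom.random_bytes(SALT_LENGTH)
    digest = derive(password, salt, iterations)
    [ALGORITHM, iterations, salt.unpack1("H*"), digest.unpack1("H*")].join("$")
  end

  # Split a stored hash into its parts; nil for anything malformed or unknown.
  def self.parse(stored)
    algo, iters, salt_hex, digest_hex = stored.to_s.split("$", 4)
    return nil unless algo == ALGORITHM && iters.to_s.match?(/\A\d+\z/) && salt_hex && digest_hex
    { iterations: iters.to_i, salt: [salt_hex].pack("H*"), digest: [digest_hex].pack("H*") }
  end

  # Work factor the stored hash was created with (nil if it cannot be parsed).
  def self.cost(stored)
    parts = parse(stored)
    parts && parts[:iterations]
  end

  # Verify a password against a stored hash using the hash's own work factor.
  def self.verify(stored, password)
    parts = parse(stored)
    return false unless parts
    candidate = derive(password, parts[:salt], parts[:iterations])
    secure_equal?(candidate, parts[:digest])
  end

  # Login path. Returns [authenticated?, upgraded_hash_or_nil]: when the stored
  # hash was made at a lower work factor than the current target, a fresh hash
  # at the target is returned so the caller can persist it. A wrong password
  # never triggers a rehash, since the plaintext has not been confirmed.
  def self.authenticate(stored, password, target_iterations:)
    return [false, nil] unless verify(stored, password)
    if cost(stored) < target_iterations
      [true, create(password, iterations: target_iterations)]
    else
      [true, nil]
    end
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LENGTH, hash: "sha256")
  end
  private_class_method :derive

  # Constant-time comparison so timing does not reveal where two digests differ.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :secure_equal?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: a hash created under an older, cheaper policy.
  old = PasswordHash.create("correct horse battery staple", iterations: 10_000)
  ok, upgraded = PasswordHash.authenticate(old, "correct horse battery staple",
                                           target_iterations: 50_000)
  puts "login ok: #{ok}"
  puts "rehashed to #{PasswordHash.cost(upgraded)} iterations" if upgraded
end
```

In an application the caller would write `upgraded` back to the user record inside the same login request, which is the only moment the plaintext is available; raising `target_iterations` in one place then migrates every account lazily as users sign in, with no reset required.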
Just found this thread. I think including an auth framework would make starting new apps easier, but it would encourage folks to leave the defaults and deploy insecure apps. WordPress is an example of a super popular framework that is so easy to deploy, and it’s the most hacked web app because of that. I think by forcing us to implement auth, Rails encourages better security practices. Just my two cents.