authlogic: Another Take on Rails Authentication
There are certainly plenty of plugins available to handle authentication in Rails, with perhaps the most commonly-used being Restful Authentication. But there's always room for one more, and the latest I've run across is Ben Johnson's authlogic. It takes a fresh approach to the problem space, with one big advantage over many existing solutions: because it's a pure plugin rather than a generator, it doesn't litter your application with a ton of code.
The key to making this approach work is that you need to define a special user session model that inherits from authlogic's internals, rather than from ActiveRecord::Base:
class UserSession < Authlogic::Session::Base
end
With that in place, you can use the regular Rails generator to spin up a controller for user sessions, and write "natural" code. For instance, logging a user in is just a matter of running @user_session = UserSession.new(params[:user_session]). Similarly, destroying a UserSession instance logs the current user out.
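To make the new/destroy lifecycle described above concrete, here is an added plain-Ruby sketch of a session object that behaves like a model; it is not authlogic's code and not from the original post. SketchSession, USERS, kdf, add_user, secure_eq? and the separate save step that performs the credential check are all assumptions made for illustration, and the account is constructed sample data.

```ruby
require "openssl"
require "securerandom"
USERS = {} # constructed in-memory user table, not authlogic's schema

def kdf(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new("SHA256"))
end

def add_user(login, password)
  salt = SecureRandom.random_bytes(16)
  USERS[login] = { salt: salt, digest: kdf(password, salt) }
end

# Compare two equal-length digests without stopping at the first differing byte.
def secure_eq?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical stand-in for a session class; authlogic's own base class is not reproduced here.
class SketchSession
  attr_reader :errors
  def initialize(store, credentials = {})
    @store = store # the per-browser session hash a controller would pass in
    @login = credentials[:login].to_s
    @password = credentials[:password].to_s
    @errors = []
  end

  # Building the object changes nothing; save checks the credentials and logs in.
  def save
    user = USERS[@login]
    # Run the KDF even for an unknown login so both failures cost about the same.
    candidate = kdf(@password, user ? user[:salt] : "\0" * 16)
    if user && secure_eq?(candidate, user[:digest])
      @store[:user_login] = @login
      true
    else
      @errors << "Login or password is not valid" # one message for both failures
      false
    end
  end

  # Logging out is destroying the session object.
  def destroy
    @store.delete(:user_login)
  end
end

add_user("alice", "correct horse") # constructed sample account
```

An unknown login and a wrong password produce the same error text, so the form does not reveal which accounts exist.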
In addition to the source code, you can explore an Authlogic Setup Tutorial or play with an implemented example online. I haven't used authlogic in a client project yet, but after experimenting with it in some test code, it's definitely on my list for the next time I need to roll out authentication as a feature.
November 6th, 2008 at 7:17 am
Thanks for posting this, this is really nice. Definitely going to be my choice for authentication in my next app.
November 6th, 2008 at 12:05 pm
Great. I'll give this a try!
November 6th, 2008 at 1:48 pm
OMG, I think this is one of the best pieces of news of this year.
I could not stand anymore the intrusive way that Restful Authentication treated this problem.
November 6th, 2008 at 6:10 pm
Certainly a great plugin, way better than the intrusive Restful Authentication.
Thanks for sharing this...
November 6th, 2008 at 6:57 pm
I haven't updated the template yet, but note that this post was written by Mike Gunderloy. One of Rails Inside's new writers :)
November 6th, 2008 at 11:23 pm
The fact that the User model deals with sessions and cookies concerns me a bit. I'm not a purist, but it breaks the MVC lines enough to give me pause.
November 10th, 2008 at 4:40 am
Great post, thanks for promoting this.
reck, you make some good / obvious points. But where do sweepers lie in the MVC architecture? In my opinion, they blur the lines of the MVC structure a little bit too, but they make expiring caches extremely easy. They are connected to models, who ultimately trigger if caches expire or not. I just took that same idea and applied it to sessions.
Lastly, the UserSession doesn't have to be labeled as a model. Why not label it as a controller utility? You can extract controller logic out into a class. I recommend putting it in the models directory to emphasize that it can be used like a model, which ultimately fits into the conventional style of RESTful development. But it could just as easily fit in your lib directory. Just something to get people to look at this from a different angle, hopefully this clarifies my perspective on the library.
March 10th, 2009 at 4:46 am
No offense to Rails core, but RESTful authentication is heavy and intrusive. It just doesn't make any sense. A user's session is an instance of a model, UserSession. Enough said.
March 11th, 2009 at 9:13 pm
Goes to say that less is indeed more :).