Introduction

A new authentication generator

Ruby on Rails is building a brand-new authentication generator that will be released in Rails 8, and I couldn't be more excited about it! But why should we care? We've had Devise for years, and it's been working just fine. So why bother?

Authentication is business logic. Depending on your application's needs, you might need to:

The list of custom features you might need is endless.

Now, you can implement all of those with Devise, of course, but sometimes those things are hard to do. Devise is a great library that covers a lot of use cases, but in my opinion it's also quite hard to customize. It uses a lot of metaprogramming internally, and when I change the way it works I often feel like I'm fighting against it, and I'm also afraid that I might break something.

What I find great about the new Rails authentication generator is that it's going to give us permission to write our own authentication system. Before that, when someone suggested building authentication in-house, developers would get cold feet: "Isn't there a security risk? Could we just override Devise?"

I’ve worked on projects where using Devise was more than enough. I’ve also worked on projects where I wished authentication had been written from scratch, with Rails conventions, so that I could easily understand and modify it. Now we have the right to choose!

What are we going to build?

In this course, we are going to build a cookie-based authentication system from scratch, very similar to the one that will be released in Rails 8. We will allow users to:

Each time we build a feature, we will start with an insecure version and explain each security vulnerability so that you can learn to avoid them in the future! By the end of the course, you will have enough knowledge to implement a secure authentication system for your Ruby on Rails application and extend it with the additional features you need.

Ready to dive in? Let's get started!