Introduction
A new authentication generator
Ruby on Rails has a brand-new authentication generator that was released in Rails 8, and I couldn't be more excited about it! But why should we care? We've had Devise for years, and it's been working just fine. So why bother?
Authentication is business logic. Depending on your application's needs, you might need to:
- Add two-factor authentication
- Implement a passwordless login
- Only allow users to have one session at a time
- Send an email every time the user signs in with a new device
- Display the list of active sessions and allow users to revoke them (like on GitHub)
The list of custom features you might need is endless.
Now, you can implement all of those with Devise, of course, but some of them are hard to do. Devise is a great library that covers a lot of use cases, but in my opinion it's also quite hard to customize. It uses a lot of metaprogramming internally, and when I change the way it works I often feel like I'm fighting against it, and I'm afraid I might break something.
What I find great about the new Rails authentication generator is that it gives us permission to write our own authentication system. Before it existed, suggesting that authentication be built in-house tended to give developers cold feet: "Isn't there a security risk? Couldn't we just override Devise?"
I've worked on projects where using Devise was more than enough. I've also worked on projects where I wished authentication had been written from scratch, following Rails conventions, so that I could easily understand and modify it. Now we have the right to choose!
What are we going to build?
In this course, we are going to build a cookie-based authentication system from scratch, very similar to the one shipped with Rails 8. We will allow users to:
- Sign up
- Sign in
- Reset their password
- Update their password
Each time we build a feature, we will start with an insecure version and explain each security vulnerability it contains, so that you learn to recognize and avoid those vulnerabilities in the future. By the end of the course, you will have enough knowledge to implement a secure authentication system for your Ruby on Rails application and extend it with the additional features you need.
Ready to dive in? Let's get started!