💡
← Back

Rails 8 authentication: a built-in alternative to Devise

Rails Authentication

Rails 8 introduces a built-in generator that simplifies adding authentication to a Rails app. This feature eliminates the need for third-party email authentication services like Devise or external providers like Auth0, aligning with Rails’ “batteries-included” philosophy.

I've been an avid Devise user in the past so I never felt the necessity to build my own auth system from scratch. But I have encountered 2 frequent scenarios where I wish I did:

  1. When I need a very specific registration form (think multi-step onboarding with non-standard KYC/verifications)
  2. When I need more than just one user model using the same login form. There are hacks to bypasse this but they often go against Devise's design which wants you to use one model per registration/session route.

For those reasons, I was very excited to try out this new tool that unlike most all-in-one gems, gives you a nice headstart but doesn't hide the authentication mechanics and doesn't impose a strict worflow.

Key features

The setup is easy. Running bin/rails generate authentication automatically generates a User model and a Session model.

# app/models/user.rb
class User < ApplicationRecord
  has_secure_password
  has_many :sessions, dependent: :destroy

  normalizes :email_address, with: ->(e) { e.strip.downcase }
end

# app/models/session.rb
class Session < ApplicationRecord
  belongs_to :user
end

The User model includes has_secure_password, which uses bcrypt for password encryption. Careful, in the User model, Rails uses email_address instead of email for the email attribute. That means you can immediately create a user in your console: User.create(email_address: "foo@bar", password: "foo@bar")

The Session model stores user session data, including IP address and user agent, allowing for tracking and analytics.

The Session model and associated password also come together with dedicated routes, views, controllers and mailers in order to be created, edited and destroyed. Yes, even password recovery is included. Note that it doesn't come with registrations! It is up to you to define how users should sign up in your system (more on that below). 

# config/routes.rb
Rails.application.routes.draw do
  resource :session
  resources :passwords, param: :token
end

Subsequent available paths:

<%= link_to 'Sign in', new_session_path %>
<%= button_to 'Sign out', session_path, method: :delete %>

Rails 8 also introduces a singleton model called Current, which stores the currently logged-in user and session data, making authentication state easily accessible throughout the application.

# app/models/current.rb
class Current < ActiveSupport::CurrentAttributes
  attribute :session
  delegate :user, to: :session, allow_nil: true
end

Which means you can use:

Current.session.user_agent
# and
Current.user.email_address

The generated authentication logic is encapsulated in the Authentication concern, which:

  • Requires authentication before accessing controllers.
  • Redirects unauthenticated users to a sign-in page.
# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  include Authentication
end

How the default authentication system works

  1. A user visits a protected page, triggering require_authentication.
  2. If no active session exists, Rails redirects to the sign-in page.
  3. The user enters their credentials, which are authenticated using authenticate_by.
  4. A session is created and stored in the database.
  5. The user is redirected back to their original destination.

Customizing authentication behavior

  • Allowing public access: By default, every controller that inherits from the ApplicationController will include Authentication, so we can use allow_unauthenticated_access in controllers to make specific actions publicly accessible.
# app/controllers/articles_controller.rb
class ArticlesController < ApplicationController
  allow_unauthenticated_access, only: [:show]
end
  • Resuming a session: to make Current.user available on unauthenticated pages, we have to explicitly tell the controller resume a session if it exists.
# app/controllers/articles_controller.rb
class ArticlesController < ApplicationController
  allow_unauthenticated_access, only: [:show]
  before_action :resume_session, only: [:show]
end

Adding registrations

Currently the generator allows email-password log in for existing users. Let’s add registrations!

First, add a new registration route:

# config/routes.rb
Rails.application.routes.draw do
  resource :session
  resources :passwords, param: :token
+  resource :registration, only: %i[new create]

This opens up the following path: <%= link_to 'Sign up', new_registration_path %>. Now in the registrations_controller, instead of finding a User, we will create one:

# app/controllers/registrations_controller.rb
class RegistrationsController < ApplicationController
  allow_unauthenticated_access
  before_action :resume_session, only: :new
  rate_limit to: 10, within: 3.minutes, only: :create, with: -> { redirect_to new_session_url, alert: "Try again later." }

  def new
    redirect_to root_url, notice: "You are already signed in." if authenticated?
  end

  def create
    user = User.new(params.permit(:email_address, :password))
    if user.save
      start_new_session_for user
      redirect_to after_authentication_url, notice: "Thanks for signing up."
    else
      redirect_to new_registration_url(email_address: params[:email_address]), alert: user.errors.full_messages.to_sentence
    end
  end
end

Notice these 2 paths that Rails provides for us:

  • after_authentication_url: Returns the URL to redirect to after authentication.
  • start_new_session_for(user): Creates a new session for the given user with details of the user's device and IP address and then sets the current session.

Now we just need to create our registration form:

<!-- app/views/registrations/new.html.erb  -->
<%= form_with url: registration_url do |form| %>
    <%= form.email_field :email_address, required: true, autofocus: true, autocomplete: "email", placeholder: "Email address", value: params[:email_address] %>
    <%= form.password_field :password, required: true, autocomplete: "new-password", placeholder: "Password", maxlength: 72 %>
  <%= form.submit "Sign up" %>
<% end %>

Finally, validate User email address to show validation errors:

# app/models/user.rb
+  validates :email_address, presence: true, uniqueness: true, format: { with: URI::MailTo::EMAIL_REGEXP }

Overall, this new built-in tool is a great addition to Rails 8. It gets you started with a less invasive but complete access control tool on the backend, while offering much extensibility.

→ Let's get in touch

Got questions or feedback about this article? Interested in discussing your project? I'm all ears and always open to new opportunities. Shoot me an email and tell me what you have in mind.
← Back