finally! Waited the whole morning for your railscast ;-)
I've used Devise once pre-1.0 and am using it again with the current version. (Currently on a Rails 2.3.5 application) and I must say it is one of my favorite authentication solutions. It's easy to understand and set up, plus it provides most of the common real world solutions out of the box in the form of modules, so *most* of the time you're practically done with the base setup and all you need to do is style the views. Also good to note is that it supports other ORM's as well, not just ActiveRecord, and you can build your own custom modules if needed.
Definitely recommend to try out this authentication solution if you need one!
Thanks for the episode. I will need to update some parts of my blog post (in Spanish). http://www.boliviaonrails.com/2010/04/05/como-usar-devise-con-rails-3/
Making good authentication in Rails is already really easy, but I think with the Devise plugin authentication has become even easier.
Thank you.
Could you introduce the access control plugin?
Because there are so many authentication solutions now. But no easily operated access control to use.
Always need to use keyboard. Is there any good UI for access control without typing?
Thanks Ryan, This screencast is very useful as always..
Can you please advise which one to use when:
1. nifty_authentication (yours)
2. Authlogic
3. Devise
I don't mind creating my own logic for Authlogic, you show us how to do that in chapter 160 :), just looking for the best solution out there, what would you use?
many thanks...
Thanks for putting the spotlight on Devise.
I put together a Rails 2.3 example app (with a walk-through tutorial) that shows how to set up Devise with subdomains: http://github.com/fortuity/subdomain-authentication (click above for the link). For anyone who needs a quick start for blog-style subdomains in Rails.
@dickstar, are you referring to acl9? I'm not a fan of that solution and prefer something like Declarative Authorization (episode 188) or CanCan (episode 190).
@elad, I only recommend nifty_authentication if you want a very minimal starting point and want to add most of the authentication from scratch without any external dependencies. The other solutions are quite complicated and sometimes writing from scratch is easier if you have very custom needs.
Authlogic is the next step up, where you are writing the controller and views from scratch but the authentication logic is handled for you. This is great if you want to customize that behavior extensively.
Devise is the full stack which means it does most of the work for you. It provides many features such as password resetting which you don't see in the others. If you want a really complete solution and don't need to customize it extensively then this is a good way to go.
Hm, I heard some guys were very opposed to Devise/Warden. The argument was that authentication should be on the model layer (like the user model), instead of being intercepted at the middleware level.
I'm curious what people think about this and if it might be a valid concern!
Thanks for this. Just starting a new Rails 3 project and was going to look at Devise (to replace authlogic, which I've used previously). So your timing is impeccable...
I just so happened to find Devise last week and I was particularly interested in the Subdomain tutorial (Linked above).
I understand that you will be getting into manipulating Devise such as changing the views etc, but I think it may be beneficial to the community (and Devise) if there was a tutorial based on 'Basecamp-style-Account-Subdomains'
Where is User under a specific account/subdomain security type model.
BTW, great work! My Monday mornings have become Railscasts and Tim Horton (Best Coffee in Canada) type of mornings.
Hi, Ryan.
I think on this page the migration code has been pasted twice, right?
BTW, just curious: why don't you like confirmation emails for registration?
@Soleone, I'd be interested in reading a more detailed article on the practical reasons against handling authentication in Rack middleware. MVC is a great principle, but it should not be followed blindly.
@BradM, subdomain handling has changed a little in Rails 3 so I'll likely be covering it in a future episode. However I don't consider it to be specific to a given authentication solution. You can apply my existing subdomain screencast (episode 123) to the Basecamp style. Just replace blogs there with projects.
Gotchas:
If you already have a
resources :users
you must remove it or put it after
devise_for :users
I found some of the documentation thin - it would have been nice if more comments were added to the code that was generated.
Bug (I will be submitting it):
If your app is not at the root
http://myhost/my_app/
devise will not get the right URLs for sign_in/out paths.
Just a minor suggestion:
# config/application.rb
config.filter_parameters << :password << :password_confirmation
Hi Ryan,
thx for another great screencast. One thing I wanted to mention is that your older screencasts were somehow sharper and had more authentic colors. You changed the screencapture tool?
KR
Bijan
Maybe customize with using twitter/facebook/google/yahoo connect.
Ryan,
I had already decided to use Devise with my new Rails 3 app so your screencast was perfect. Thanks and I'm looking forward to the next one!
Doug
Is it possible to use devise with LDAP (Active Directory)?
Does devise use an adapter pattern to switch from one auth type to another?
I hate that you have to define all your model attributes with attr_accessible. This could easily lead to cockups where you add a column to your table and forget to add it to the attr_accessible list
I recently wrote an application with the Clearance authentication gem, which uses the same attr_accessible technique as devise. Just before deployment I added a new column to my db and forgot to add it to the attr_accessible list for the user model. I only noticed the problem a month later, and so did my client. This caused a lot of useful data to be lost forever.
It seems silly to have to define the columns, and it's against the ActiveRecord standard
@Riccardo Devise uses Warden which has the concept of strategies.
Each role (like User and Admin) can have several strategies for authentication and you specify when they are triggered.
Devise ships with both :database_authenticatable (which validates the password given with one stored in the database, both using encryption) and a :token_authenticatable (where users can sign in using a token).
It's easy to add a new strategy. For instance, this guy developed one to authenticate through Imap:
http://github.com/joshk/devise_imapable
There are other extensions around.
@Chris using attr_accessible is a good practice. Your issue would easily have been caught if you had written tests before deploying. Anyway, Devise does not push that, it's up to you to use it or not.
@Soleone Devise still has most of its logic in the model and not in the rack middleware. Take a look at Warden, you will find it interesting to know how it works. :)
@Joes
I'm not sure what you mean. Are you saying Devise does not require you to use attr_accessible in order to access your attributes?
@Bijan, unfortunately the previous video encoding I was using had buggy playback in Snow Leopard so I'm forced to switch. I'm still experimenting with different compression settings.
@Chris, attr_accessible is not part of Devise at all, it's just best practice. If you don't have the attr_accessible line then all database columns would be settable by the user. This is a major security problem especially with the User model, so you should always use attr_accessible there. See Railscasts episode #26 for details.
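Added example, not part of the original comments and not Rails or Devise code: a plain-Ruby simulation of the mass-assignment behaviour discussed above. `ToyModel`, `OpenUser`, `GuardedUser` and the sample parameters are constructed for illustration. It shows both sides of the exchange: without an allowlist a submitted `admin` field is assigned, and with one a newly added column left off the list (`phone` here) is silently dropped unless the dropped keys are recorded and checked.

```ruby
# Toy stand-in for an ActiveRecord model (constructed; not Rails or Devise code).
class ToyModel
  class << self
    # Declare the allowlist, mimicking what attr_accessible does.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end

    # nil means no allowlist was declared for this model.
    def accessible
      @accessible
    end

    # Declare the "database columns" of the toy model.
    def columns(*names)
      names.each { |n| attr_accessor n }
    end
  end

  attr_reader :dropped

  # Mass assignment from a request-style params hash.
  def initialize(params = {})
    @dropped = []
    allow = self.class.accessible
    params.each do |key, value|
      key = key.to_s
      if allow.nil? || allow.include?(key)
        public_send("#{key}=", value) if respond_to?("#{key}=")
      else
        @dropped << key # protected attribute: ignored, but recorded
      end
    end
  end
end

class OpenUser < ToyModel
  columns :email, :password, :admin # no allowlist declared
end

class GuardedUser < ToyModel
  columns :email, :password, :admin, :phone # :phone added later...
  attr_accessible :email, :password         # ...but forgotten here
end

# Constructed sign-up parameters, including a field the form never offered.
SIGNUP_PARAMS = { "email" => "a@example.com", "password" => "s3cret",
                  "admin" => true, "phone" => "555-0100" }.freeze

def demo
  unguarded = OpenUser.new(SIGNUP_PARAMS)
  guarded = GuardedUser.new(SIGNUP_PARAMS)
  { open_admin: unguarded.admin, guarded_admin: guarded.admin,
    guarded_phone: guarded.phone, dropped: guarded.dropped }
end
```

Asserting in a test that `dropped` is empty for the parameters a form legitimately submits catches a forgotten column before deployment.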
+1 is facebooker Rails3 ready?
Awesome Rails! I have fallen in love one more time with Rails :)
Ryan,
Can something like this be used for protecting files as well?
For example, a protected document @ site.com/directory/protected.doc.
Can this intercept the request and verify the user's identity?
My initial thought is No as this might be something for apache, but i would love to hear what you have to say, thanks!
Ryan, thanks for another awesome screencast.
I'd like to suggest something for the next episode on devise:
- How to add roles to the user model, and then assign a role in the user signup form, (in order to then use cancan or declarative_auth) - I think this will be clear when you'll try to modify the views.
- How to override some of the gem's methods
Thanks and really looking forward to it!
Oh and BTW, another +1 for Twitter/Facebook/Google integration!
Great cast as always. Devise seems to be a great all around solution for our application, so far, but we are now getting into the customization aspect of it so we will see!
another +1 for OAuth/Twitter/Facebook/Google integration!
I suggest doing a screencast on CAPTCHA. http://ruby-toolbox.com/categories/rails_captcha.html
I see that you have added one just as I'm posting this.
Does Devise support a way to do "who is online" functionality? How could this be done?
If your next episode would also cover how to replace an existing install of authlogic, that would be great. I've been looking to replace it for awhile now. Also, one feature I find particularly useful in these tools is the ability to impersonate a user so if that exists, it would be nice to hear of too.
Hi Ryan, great screencast. I've been wondering how I could replace the restful_authentication plugin with the Devise plugin in a clean way. Any ideas?
Ryan (or anyone),
I am getting this error when running script/generate devise User
`load_missing_constant': uninitialized constant Devise (NameError)
Also, once I run the devise_install generator I can no longer start my server as I get the same error.
I know I just gotta be missing that one thing ...
Thanks in advance.
Great stuff.. just starting to play with devise... Feels very foreign from Authlogic though
Had to checkout the code and look through it all to actually know what methods it overrides
Any good sites that provide info on how to do more in-depth customizations?
@Ryan N. What version of Rails are you running? If you are running 3.0, then you have to change from script/generate to rails generate with the rest of the arguments and flags included if you need etc., but if not, then I think you have to have different gem Devise version for Rails 2.3.5... Also, make sure to have dependency. When you first run the app, the app needs to load all of those gems that are, or should be, part of the app... Hope this helps.
So, do the controllers stay locked away in the gem? If I wanted to protect the password during transmission using SSL (e.g., ssl_requirement), how would I do that? Make a copy of the controller in the gem to add the ssl_requirement code? Or is there a better way?
Ryan N -
I'm guessing that you are running Rails 2.x. Assuming that you installed the correct Devise gem (1.0.6) and are still getting the error:
`load_missing_constant': uninitialized constant Devise (NameError)
You probably are missing a couple of dependencies in your environment.rb file.
config.gem 'warden'
config.gem 'devise'
I tried Devise with Ruby on Rails 3.0 beta 3 and the gotcha mentioned in the screencast turned out to be with config.secret_token.
So with beta 3, you can leave cookie_verification_secret.rb untouched and you have to add config.secret_token to application.rb, e.g. config.secret_token = 'secret'
P.S. Switching from Beta 2 to Beta 3 actually showed DEPRECATION WARNING when starting up the server or running RSpec specs.
DEPRECATION WARNING: ActionController::Base.cookie_verifier_secret= is deprecated. Please configure it on your application with config.secret_token=.
DEPRECATION WARNING: ActionController::Base.session= is deprecated. Please configure it on your application with config.session_store :cookie_store, :key => '....'.
I guess if you generate Rails app fresh with Beta 3, there is no error any more.
After I run "script/server devise User" and try to view any controller it throws the error message:
"Routing Error
No route matches "/" with {:method=>:get}"
This is a paste of the routes.rb file of the very simple project I was testing devise on ( http://slexy.org/view/s21I0JCOdA )
Has anyone else run across this and managed to rectify it? If so. Please let me know! Any feedback is greatly appreciated.
I managed to get it working by commenting out the 'map.connect' lines at the bottom of the routes.rb file
One gotcha that bit me was not having actionmailer configured to use sendmail. config.action_mailer.delivery_method = :sendmail in the environment.rb, and everything worked.
Now I'm trying to figure out why it's not reading the configuration changes -- all my e-mails are coming from please-change-me!
Thanks again!
@creston
see here for SSL logins: http://gist.github.com/393520
Is it possible to save to two models when signing up? For example I want to save User and Address model during registration.
For Rails 3.0.0.beta3, in config/application.rb, use this syntax --
config.secret_token = '[secret copied from cookie_verification_secret.rb]'
Ryan,
How did you get bundler to work with rake? I'm running bundle 0.9.26 and rake 0.8.7, but rake is erroring out when I do the first db:migrate. I've read on some other posts that you need to 'gem install' separately not using 'bundle', but you're doing it. What is your trick?
FYI, to use Devise in Rails 3 you now need to update your gem to gem "devise", :git => "git://github.com/plataformatec/devise.git"
I already have the user model.
How should I use Devise to integrate it with legacy system?
Thanks in advance.
Like Jason mentioned, you can also use Devise 1.1.rc2. This helped me solve an 'uninitialized constant UsersController' error at /sign_up.
I have the same problem as @Walter with the password email not working with smtp. Unfortunately, I can't set my environment to use sendmail. Has anyone gotten this to work with smtp? I get "A sender (Return-Path, Sender or From) required to send a message". Other than that, it's working great in Rails 3!
Great Railscast!
Question: Are you using TextMate for your editing? What bundles do you have installed for the "ife" shortcut and the other HTML shortcuts?
I have the Ruby On Rails bundle installed, but all the shortcuts don't seem to work.
I have Rails 2.3.8 and Devise 1.0.8. I have followed the installation instructions, but when trying to access /users/sign_in for the first time after modifying routes.rb, I get
Internal Server Error
undefined method `[]' for :users:Symbol
When I reload, I get
Routing Error
No route matches "/users/sign_up" with {:method=>:get}
If putting map.devise_for :users above other map.s, I get the same kind of routing errors when trying to access for example /artists or /songs.
Am I missing something?
Continue from previous comment: Oh, and by the way. In my eyes, the output of rake routes looks good:
http://pastebin.com/LEA2LXpV
To make this clear for everyone: If you are using Rails 3, and you're getting this message: No route matches "/" or something similar, you must use the latest version of Devise on github. Modify your Gemfile to say:
gem "devise", :git => "git://github.com/plataformatec/devise.git"
Also, I would love to see a tutorial on integrating Facebook connect with Devise (since that's my next step!)
I love your tutorials by the way. Your tutorials are one of the reasons why I am switching to Rails. They make it easy for me to learn quickly. Thanks for what you do for the community!
Ryan, I know this episode was released a few months ago but you might want to consider releasing an update for it since the current version of Devise is 1.1.2 and has a few changes. Thanks for the screencasts.