#209 Introducing Devise

I've used Devise once pre-1.0 and am using it again with the current version. (Currently on a Rails 2.3.5 application) and I must say it is one of my favorite authentication solutions. It's easy to understand and set up, plus it provides most of the common real world solutions out of the box in the form of modules, so *most* of the time you're practically done with the base setup and all you need to do is style the views. Also good to note is that it supports other ORM's as well, not just ActiveRecord, and you can build your own custom modules if needed.

Definitely recommend to try out this authentication solution if you need one!

Thanks for the episode I will need to update some parts of my blog post in (Spanish). http://www.boliviaonrails.com/2010/04/05/como-usar-devise-con-rails-3/

Already in Rails making good authentication is really easy But I think with Devise plugin. authentication is became more easy..

Pretty nice ... I liked this one

Thank you.
May you introudce the access control plugin?
Because there are so many authentication solutions now. But no easily operated access control to use.
Always need to use keyboard. Is there any good UI for access control without typing?

Thanks Ryan, This screencast is very useful as always..

Can you please advise which one to use when:
1. nifty_authentication (yours)
2. Authlogic
3. Devise

I don't mind creating my own logic for Authlogic, you show us how to do that in chapter 160 :), just looking for the best solution out there, what would you use?
many thanks...

Thanks for putting the spotlight on Devise.

I put together a Rails 2.3 example app (with a walk-through tutorial) that shows how to set up Devise with subdomains: http://github.com/fortuity/subdomain-authentication (click above for the link). For anyone who needs a quick start for blog-style subdomains in Rails.

@dickstar, are you referring to acl9? I'm not a fan of that solution and prefer something like Declarative Authorization (episode 188) or CanCan (episode 190).

@elad, I only recommend nifty_authentication if you want a very minimal starting point and want to add most of the authentication from scratch without any external dependencies. The other solutions are quite complicated and sometimes writing from scratch is easier if you have very custom needs.

Authlogic is the next step up, where you are writing the controller and views from scratch but the authentication logic is handled for you. This is great if you want to customize that behavior extensively.

Devise is the full stack which means it does most of the work for you. It provides many features such as password resetting which you don't see in the others. If you want a really complete solution and don't need to customize it extensively then this is a good way to go.

Hm, I heard some guys were very opposed to Devise/Warden. The argument was that authentication should be on the model layer (like the user model), instead of being intercepted at the middleware level.

I'm curious what people think about this and if it might be a valid concern!

Thanks for this. Just starting a new Rails 3 project and was going to look at Devise (to replace authlogic I've used previously.). So your timing is impecable...

I just so happened to find Devise last week and I was particularly interested in the Subdomain tutorial (Linked above).

I understand that you will be getting into manipulating Devise such as changing the views etc, but I think it may be beneficial to the community (and Devise) if there was a tutorial based on 'Basecamp-style-Account-Subdomains'

Where is User under a specific account/subdomain security type model.

BTW, great work! My Monday mornings have become Railscasts and Tim Horton (Best Coffee in Canada) type of mornings.

Hi, Ryan.

I think on this page the migration code has been pasted twice, right?

BTW, just curious: why don't you like confirmation emails for registration?

Amazing, I just tried to get this working yesterday :P

@Soleone, I'd be interested in reading a more detailed article on the practical reasons against handling authentication in Rack middleware. MVC is a great principle, but it should not be followed blindly.

@BradM, subdomain handling has changed a little in Rails 3 so I'll likely be covering it in a future episode. However I don't consider it to be specific to a given authentication solution. You can apply my existing subdomain screencast (episode 123) to the Basecamp style. Just replace blogs there with projects.

Gotchas:
If you already have a
resources :users

you must remove it or put it after

devise_for :users

I found some of the documentation thin - it would have been nice if more comments were added to the code that was generated.

Bug (I will be submitting it):

If you app is not at the root
http://myhost/my_app/
devise will not get the right URLs for sign_in/out paths.

@Ryan Bates, Thanks for your detailed answer!

Just a minor suggestion:

# config/application.rb
config.filter_parameters << :password << :password_confirmation

Hi Ryan,

thx for another great screencast. One thing I wanted to mention is that your older screencasts were somehow sharper and had more authentic colors. You changed the screencapture tool?

KR
Bijan

Maybe customize with using twitter/facebook/google/yahoo connect.

Ryan,

I had already decided to use Devise with my new Rails 3 app so your screencast was perfect. Thanks and I'm looking forward to the next one!

Doug

Is it possible to use devise with LDAP (Active Directory)?

Does devise use an adapter pattern to switch from one auth type to another?

I hate that you have to define all your model attributes with attr_accessible. This could easily lead to cockups where you add a column to your table and forget to add it to the attr_accessible list

I recently wrote an application with the Clearance authentication gem, which uses the same attr_accessible technique as devise. Just before deployment I added a new column to my db and forgot to add it to the attr_accessible list for the user model. I only noticed the problem a month later, and so did my client. This caused a lot of useful data to be lost forever.

It seems silly to have to define the columns, and its a against the ActiveRecord standard

@Riccardo Devise uses Warden which has the concept of strategies.

Each role (like User and Admin) can have several strategies for authentication and you specify when they are triggered.

Devise ships with both :database_authenticatable (which validates the password given with one stored in the database, both using encryption) and a :token_authenticatable (where users can sign in using a token).

It's easy to add a new strategy. For instance, this guy developed one to authenticate through Imap:

  http://github.com/joshk/devise_imapable

There are other extensions around.

@Chris using attr_accessible is a good practice. Your issue would easily be caught if you had write tests before deploying. Anyway, Devise does not push that, it's up to you to use it or not.

@Soleone Devise still has most of its logic in the model and not in the rack middleware. Take a look at Warden, you will find interesting to know how it works. :)

@Joes

I'm not sure what you mean. Are you saying Devise does not require you to use attr_accessible in order to access your attributes?

@Bijan, unfortunately the previous video encoding I was using had buggy playback in Snow Leopard so I'm forced to switch. I'm still experimenting with different compression settings.

@Chris, attr_accessible is not part of Devise at all, it's just best practice. If you don't have the attr_accessible line then all database columns would be settable by the user. This is a major security problem especially with the User model, so you should always use attr_accessible there. See Railscasts episode #26 for details.

Maybe customize with using twitter/facebook/google/yahoo connect.

+1 is facebooker Rails3 ready?

awesome Rails! I have fallen love one more time with Rails :)

Ryan,

Can something like this be used for protecting files as well?

For example, a protected document @ site.com/directory/protected.doc.

Can this intercept the request and verify the user's identity?

My initial thought is No as this might be something for apache, but i would love to hear what you have to say, thanks!

Ryan, thanks for another awesome screencast.

I'd like to suggest something for the next episode on devise:
- How to add roles to the user model, and then assign a role in the user signup form, (in order to then use cancan or declarative_auth) - I think this will be clear when you'll try to modify the views.
- How to override some of the gems methods

Thanks and really looking forward to it!

Oh and BTW, another +1 for Twitter/Facebook/Google integration!

Great cast as always. Devise seems to be a great all around solution for our application, so far, but we are now getting into the customization aspect of it so we will see!

another +1 for OAuth/Twitter/Facebook/Google integration!

I suggest doing a screencast on Captcah. http://ruby-toolbox.com/categories/rails_captcha.html

I see that you have added one just as I'm posting this.

Does Devise support a way to do "who is online" functionality? How could this be done?

If your next episode would also cover how to replace an existing install of authlogic, that would be great. I've been looking to replace it for awhile now. Also, one feature I find particularly useful in these tools is the ability to impersonate a user so if that exists, it would be nice to hear of too.

Hi Ryan, great screenscast. I've been wondering how could I replace restful_authentication plugin with Devise plugin in a clean way. Any ideas ?

Ryan (or anyone),

I am getting this error when running script/generate devise User

`load_missing_constant': uninitialized constant Devise (NameError)

Also, once I run the devise_install generator I can no longer start my server as I get the same error.

I know I just gotta be missing that one thing ...

Thanks in advanced.

Great stuff.. just starting to play with devise... Feels very foreign from Authlogic though

Had to checkout the code and look through it all to actually know what methods it overrides

Any good sites that provides info on how to do more indepth customizations?

@Ryan N. What version of Rails are you running? If you are running 3.0, then you have to change from script/generate to rails generate with the rest of the arguments and flags included if you need etc., but if not, then I think you have to have different gem Devise version for Rails 2.3.5... Also, make sure to have dependency. When you first run the app, the app needs to load all of those gems that are, or should be, part of the app... Hope this helps.

So, do the controllers stay locked away in the gem? If I wanted to protect the password during transmission using SSL (e.g., ssl_requirement), how would I do that? Make a copy of the controller in the gem to add the ssl_requirement code? Or is there a better way?

Ryan N -

I'm guessing that you are running Rails 2.x. Assuming that you installed the correct Devise gem (1.0.6) and are still getting the error:
`load_missing_constant': uninitialized constant Devise (NameError)

You probably are missing a couple of dependencies in your environment.rb file.

    config.gem 'warden'
    config.gem 'devise'

I tried Devise with Ruby on Rails 3.0 beta 3 and the gotcha mentioned in the screencast turned out to be with config.secret_token.

So with beta 3, you can leave cookie_verification_secret.rb untouched and you have to add config.secret_token to application.rb, e.g. .config.secret_token = 'secret'

P.S. Switching from Beta 2 to Beta 3 actually showed DEPRECATION WARNING when starting up the server or running RSpec specs.

DEPRECATION WARNING: ActionController::Base.cookie_verifier_secret= is deprecated. Please configure it on your application with config.secret_token=.
DEPRECATION WARNING: ActionController::Base.session= is deprecated. Please configure it on your application with config.session_store :cookie_store, :key => '....'.

I guess if you generate Rails app fresh with Beta 3, there is no error any more.

After I run "script/server devise User" and try to view any controller it throws the error message:
"Routing Error

No route matches "/" with {:method=>:get}"

This is a paste of the routes.rb file of the very simple project I was testing devise on ( http://slexy.org/view/s21I0JCOdA )

Has anyone else run across this and managed to rectify it? If so. Please let me know! Any feedback is greatly appreciated.

I managed to get it working by commenting out the 'map.connect' lines at the bottom of the routes.rb file

Nice cast, I am going to try it out. Very useful.

One gotcha that bit me was not having actionmailer configured to use sendmail. config.action_mailer.delivery_method = :sendmail in the environment.rb, and everything worked.

Now I'm trying to figure out why it's not reading the configuration changes -- all my e-mails are coming from please-change-me!

Thanks again!

@creston
see here for SSL logins: http://gist.github.com/393520

Is is possible to save to two models when signing up? For example I want to save User and Address model during registration.

For Rails 3.0.0.beta3, in config/application.rb, use this syntax --

config.secret_token = '[secret copied from cookie_verification_secret.rb]'

Ryan,

How did you get bundler to work with rake? I'm running bundle 0.9.26 and rake 0.8.7, but rake is erroring out when I do the first db:migrate. I've read on some other posts that you need to 'gem install' separately not using 'bundle', but you're doing it. What is your trick?

FYI to use device in Rails3 you now need to update your gem to gem "devise", :git => "git://github.com/plataformatec/devise.git"

I already have the user model.
How should I use Devise to integrate it with legacy system?

Thanks in advance.

Like Jason mentioned, you can also use Devise 1.1.rc2. This helped me solve an 'uninitialized constant UsersController' error at /sign_up.

I have the same problem as @Walter with the password email not working with smtp. Unfortunately, I can't set my environment to use sendmail. Has anyone gotten this to work with smtp? I get "A sender (Return-Path, Sender or From) required to send a message". Other than that, it's working great in Rails 3!

Great Railscast!

Question: Are you using TextMate for your editing? What bundles do you have installed for the "ife" shortcut and the other HTML shortcuts?

I have the Ruby On Rails bundle installed, but all the shortcuts don't seem to work.

I have rails Rails 2.3.8 and Devise 1.0.8. I have followed the installation instruction, but when trying to access /users/sign_in for the first time after modified routes.rb, I get

Internal Server Error
undefined method `[]' for :users:Symbol

When I reload, I get

Routing Error
No route matches "/users/sign_up" with {:method=>:get}

If putting map.devise_for :users above other map.s, I get the same kind of routing errors when trying to access for example /artists or /songs.

Am I missing something?

Continue from previous comment: Oh, and by the way. In my eyes, the output of rake routes looks good:

http://pastebin.com/LEA2LXpV

To make this clear for everyone: If you are using Rails 3, and you're getting this message: No route matches "/" or something similar, you must use the latest version of Devise on github. Modify your Gemfile to say :

gem "devise", :git => "git://github.com/plataformatec/devise.git"

Also, I would love to see a tutorial on integrating Facebook connect with Devise (since that's my next step!)

I love your tutorials by the way. Your tutorials are one of the reasons why I am switching to Rails. They make it easy for me to learn quickly. Thanks for what you do for the community!

Ryan, I know this episode was released a few months ago but you might want to consider releasing an update for it since the current versions of Devise is 1.1.2 and has a few changes. Thanks for the screencasts.

Hi,
I am using Devise and want to override a method from a controller also there is a different way for signup.
I am using RAILS = 2.3.5 and DEVISE= 1.0.8
I tried using

 class Mycontroller < Devise::RegistrationsController

    end
and also
 devise_for :users, :controllers => { :registrations => "some_diff_controller" }

But still I am finding that the method is NOT getting overridden. Could you please suggest anything over here

Thanks in advance

Nice work, thanks for doing it!

Hello,

I haven't used version after
gem 'devise' since it's upgraded since your screencas - was it a good decision?

I didn't have the ControlerError - it is because Rails3 isn't in edge already?

Thanks for great video,
gezope

Hi Ryan,

Thanks for the screen cast. But one question how do l de-active a with devise so that they are still in the system but just cant login. With Authlogic is was as simple as an active field but having trouble working it out now

Is it possible to render both login form and forgot password in my layout ?

Great videos!

I have a question on Devise. In this video, it seems that we created our base use model from what devise wanted.

I have another model, skills, that i want to do a many to many through association with the user model.

i have two concerns:

1) i'm using a third party user model (devise) and don't want to edit it significantly for fear that it may lock me into big changes later on.

2) i want to create a set of checkboxes like in your habtm videos, but i'm not sure if i should use the devise based model or create it through the skills controller. i'm editing a user's skills so i'm a little confused on how to do it. any thoughts?

thanks!

rails g devise:install when using rails 3.0.x

When using rails generate devise_install it now leads to an error in the following steps.

Awesome stuff...I'm using windows 7 with rails 3.0.3 and it work good...but for some reason I deploy it to heroku it does work, I remove the gemlock file like it suggest on some forums it worked again but the 2nd time I did a commit it got stuck again...not sure if anyone knows a permanent fix fox this

Great post and Great discussion.

Thank you for the screencast. :required => true does not seem to work in safari. Any one else see the same?

Thank you this was very helpful even though devise has changed a little.

Hello! Thank you for lesson. Can you help me? I have error after db:migrate

rake db:migrate
rake aborted!
undefined method `devise' for User(Table doesn't exist):Class

Tasks: TOP => db:migrate => environment
(See full trace by running task with --trace)

@izumeroot: I had the same issue. Turns out, I had forgotten to do "rails g devise:install"

FYI - Devise no longer uses GET for the sign_out it uses DELETE. So you need to make your log out button/link use the DELETE method. Or change your route so to something like this which will use GET.

devise_scope :user do
get "/logout" => "devise/sessions#destroy"
end

Hi Ryan, I followed all the steps which is given in http://railscasts.com/episodes/209-introducing-devise. Sign up process is woking fine. Everything is getting stored in the database. But sign_in process is not working for valid users also. It is giving invalid email or password... Please help me...

Hey,

Can I implement Devise in an existing model of an existing application.
I have a Attendee Model with a couple of fields: Name , Email.

Can I use devise for this existing Model ?

Hey,

im using rails 3.2.1 and im new to this,
im unable to find the migration files which you specified in this tutorial,

all my requests for
users/signin are getting routed to index page, i dunno wat might the problem be.

can you help me with that?

Hey Ryan,

First of all, I really like your stuff- just subscribed today.

Anyway, this is the first time I've been unable to follow your railscast. For whatever reason, after doing as you said and installing devise, all requests for sign up/in/out are rerouted to the index page.

I feel like it has to do with using devise 2.0.4/rails 3.2.1, but I'm not sure. Any chance you could make an updated version of this episode?

I am on the same boat as Dave H, Ryan. I've looked online for ways to fix this but have come up with nothing. It would be awesome if you could address this if you had the time as it seems devise 2.0.4 is very different from the version used in this tutorial! This is the only devise screencast I've found and I'm sure many people new to rails would benefit from your clear explanations!

Great tutorial. I'm new to Rails development. I'm finally making the switch from PHP to Ruby! And all of your videos are helping out immensely. Thanks so much.

Thanks a lot for this video cast. It really helped me to understand the plugin which has used in my current project. I just wanted to know how can I let users change password? I tried some ways but I couldn't do it. Also when I run rake route I don't get any routes related to the user. I'd be glad if there's any other video cast or tutorial where I can find how to edit the password

Thanks a lot

Keep up the good work

Someone mentioned this already, but it wasn't clear until I found this StackOverFlow answer. To sign_out, you must specify the method as 'delete'.

<%= link_to "Sign out", destroy_user_session_path, :method => :delete %>.

See http://stackoverflow.com/a/6557627/1316635

This episode will not work in the current Rails 3.2.11 and devise 2.2.3. (January2013). So see the video in the following link. It works correctly.
http://www.slideshare.net/wleeper/devise-and-rails

Also run 'rake db:migrate' in the terminal.

Làm ăn như khỉ ,

$ rails generate devise_install sai cmnr , đúng là phải viết

$ rails generate devise:install

ngu vkl.

Note that link_to signout should contain :method=>delete
as shown below:

/app/views/layouts/application.html.erb

<% if user_signed_in? %>
Signed in as <%= current_user.email %>. Not you?

<%= link_to "Sign out", destroy_user_session_path, :method => :delete %>

<% else %>
<%= link_to "Sign up", new_user_registration_path %> or
<%= link_to "Sign in", new_user_session_path %>
<% end %>

If u want email confirmation when users sign up, add the option confirmable in the model User.rb. also in the migration uncomment the lines corresponding to confirmable.
Add the lines
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = {
:enable_starttls_auto => true,
:address => "smtp.gmail.com",
:port => 587,
:domain => "mydomain.com",
:authentication => :login,
:user_name => "myemaiL@mydomain.com",
:password => "mypass"
}
to config/environments/development.rb

Hi i try to use Devise but when register a new user in /user/sign_up he says

Unknown action

AbstractController::ActionNotFound

why? I followed the steps!

When I sign_in i get redirect to same sign_in page. Not sure why this is happening...shouldnt default devise session controller should take care of this??

Hi, can you do a more recent episode on devise?

Please check my gem https://github.com/igorkasyanchuk/any_login
It can really make your life easier with changing logged in user.
Your feedback is appreciated.
Video: https://www.youtube.com/watch?v=978DlHvufSY&feature=youtu.be
PS: this is my first solid gem :) and I hope you will like it.