#283 Authentication with Sorcery

Sep 12, 2011 | 10 minutes | Plugins, Authentication

Sorcery is a full-featured, modular solution to authentication which leaves the controller and view layers up to you.

Download:
source codeProject Files in Zip (94.3 KB)
mp4Full Size H.264 Video (24.6 MB)
m4vSmaller H.264 Video (12.8 MB)
webmFull Size VP8 Video (16 MB)
ogvFull Size Theora Video (30.1 MB)

Thanks for another great screencast, but i don't see any advantages over old good Devise, which is definitely more flexible

Michael de Silva about 13 years ago

That's the whole point though - devise isn't all that flexible when you want to get it to do things 'your way' - personally I ended up having to override most of Devise's own controllers. It all depends on what you really want out of your authentication system in the end, so YMMV of course.

@Ryan - thanks for another fantastic cast, will be sure to try it out tonight!

Rupert Madden-Abbott about 13 years ago

Any gem is infinitely flexible in the sense you can always monkey patch your own way of doing things on top of the gem code. The difference in flexibility between gems is in the ease of which they can be customised, not the extent.

Devise just isn't intended for massive customisation. It fulfils the most common use case for authentication systems. This is great because it means you don't have to code very much if this suits you. It is also sufficiently easy to change that you know if you need something more complex down the road, you won't have to rip it out in favour of a different system. However, I don't think you should be using it with the intention of doing all that customisation.

However, if you already know to begin with that you will need to replace the Devise views and controllers (and to be honest, I haven't yet found a situation where this isn't true), then you will have a much easier time with Sorcery.

Sorcery also has the advantage of having a very small public API meaning it is much easier and faster to learn than Devise.

Devise has much better documentation, much better guides on using it with associated gems such as CanCan and a larger community so better support. It is also older and so is more dependable.

Michael de Silva about 13 years ago

Very true Rupert - and yes, I guess most of us think of Devise as "old faithful". I also agree on your points regarding the smaller API.

In time, I think it should come into its own. Till then, I'll be sticking with auth from scratch vs. Devise for production apps - I'll definitely be hacking around with Sorcery though =)

jinscoe about 13 years ago

Thanks for another great episode. I'm really interested in the submodule: externals to allow fb and twitter login.

I believe I'm going to replace my login system with this.

nextcom about 13 years ago

Any thoughts on Sorcery vs Authlogic. Seems to be very much the same ideas of basic core authentication logic, but gets out of your way on the business side of the implementation.

Authlogic hasn't been updated in a while, but has some nicities like built in validations for emails etc...

Noam Ben Ari about 13 years ago

Thanks very much for covering Sorcery, Ryan.
I can't express how awesome it is to have a RailsCasts episode dedicated to a gem I've spent close to 9 months on...

Hopefully the community spotlight will help push the gem forward, which is much needed as work is crazy right now...

I like the logo... :)

Michael de Silva about 13 years ago

Hi Noam - liking your work mate, keep it up. I see you merged my pull-request =)

Rubem Azenha about 13 years ago

Can you recommend an authorization gem that works fine with sorcery?

ineu about 13 years ago

Authorization doesn't really depend on authentication. For example, I use Ryan's CanCan gem with simple http auth.

Chuck Vose about 13 years ago

You're a complete rock star. I only wish you would use sign/log consistently. I know it's a small thing but I think people look up to you. Sign in/out/up (2 words) instead of login, log in, sign up, log out, etc.

Anyways, I learned a lot still. You're really an outstanding teacher and I watch your casts to get ideas about how to teach others.

Bogdan Kulbida about 13 years ago

That`s pretty awesome. Customizable authentication solution that i looking for. Thanks!

Frederic ZINGG about 13 years ago

Need help for user_activation module.

I followed Sorcery's wikis tutorial but I don't know how to fix this problem. Everything works with these submodules :
:http_basic_auth, :remember_me, :reset_password

but with :user_activation :

NoMethodError (undefined methodactivation_code' for #User:0xacda7bc):
app/mailers/user_mailer.rb:22:in activation_needed_email' app/controllers/users_controller.rb:29:increate'`

Environnement : Rails 3.1.0 - Sorcery 0.6.1

Thanks.

Frederic ZINGG about 13 years ago

Ok, I found the problem.

It's a confusion between :activation_code and :activation_token

@noam ben ari : I think you can update your wikis tutorial.

By default :activation_token and :activation_token_expires_at are created during the migration.

But after, in your tutorial you write user.activation_code instead of user.activation_token in *user_mailer.rb - activation_needed_email

Another little thing in Sorcery - Reset password tutorial, you forgot :

          ruby
        
*# app/views/password_resets/edit.html.erb*
<h1>Forgot Password?</h1>
<%= render 'form' %>

Thank you very much for this amazing gem.

Noam Ben Ari about 13 years ago

Thanks,
the community already fixed the token/code issue.
I added the view.

landitus about 13 years ago

Thanks Ryan for another great screencast! I really enjoyed and share the need for a very customizable authentication gem.

I was wondering if you could clarify this for me: I've seen the gem has an external submodule and all, but would you use Sorcery with OmniAuth or just stick to the external submodule? I really don't understand if these two gems overlap in this matter or are meant to be combined or hacked together :)

Dom about 13 years ago

Great episode as usual, but I'm getting sick of authentication. Not that I'm unappreciative, I do watch your episodes religiously each week.

Maybe an episode on Mercury, with carrier wave uploads and snippets for adding images to content from a gallery?

zhouwl about 13 years ago

Hi, Ryan. Thanks for your wonderful episodes. I wonder if you can teach us how to use Textmate, I think it's simple but most important for developer, beacuse there are many tricks, plugins, etc.. and we don't know. Regards.

Roberto Esposito about 13 years ago

Great screencasts as always. I've only a doubt: why do you use _url methods instead of _path methods? I thought that one should use _path methods unless there is the need to have the full urls. Since you are always very precise about these details I was wondering if there is a reason behind that...

J. Pablo Fern about 13 years ago

When running tests, the block that sets the configuration for sorcery doesn't get run (I added puts "something" to make sure), so, while testing, sorcery uses username instead of email, because this line doesn't every run: user.username_attribute_name = :email.

Any ideas why or how to fix it?

Lee Reilly about 13 years ago

Try replacing it with the following:

          ruby
        
# user.username_attribute_name = :email
user.username_attribute_names = [:email]    

Philipp Kursawe about 13 years ago

Thanks for the screencast!
Can this be combined with CanCan and does it allow logins using OpenID?

Meron Bareket about 13 years ago

I'm gonna try next week to combine with CanCan so i'll let you know - but I see no reason why not - CanCan doesn't care, and I don't see a reason why Sorcery will, as long that you are using the same User model.

If you check out Sorecery Wiki - external login you see that only FB and twitter are currently supported, but if you look at the migrations that are generated by external model, it should be easy to integrate it with another gem, like OmniAuth, then do OpenID authentication & callback from there. It is not pretty and, well, it might brake when either of them changes their DB structure or API, but until Sorcery will support it...

mnassif about 13 years ago

Ryan,

I am new to Ruby and Rails and while trying to get up to speed, I came across your site and watched your screencasts on Authentication (Sorcery) and Authorization (Declarative authorization).

This really simplifies much of the menusha associated with Authentication while allowing for some flexibility.

You did an outstanding job on presenting the information in a simple and easy to follow fashion. Kick ass!

Best,
Mike

Frederic ZINGG about 13 years ago

Problem with logout function and current_user value.

When calls logout, only resets session (reset_session) but not resets current_user to nil.

So when using logged_in? function after logout, it returns true because logged_in? tests current_user value.

Nicholas Poorman about 13 years ago

I would love to see this episode continued to include the user_activation module and how to setup a "resend activation email" feature for times when a user doesn't get the email.

Torsten B about 12 years ago

If you just want to resend the activation email, then you can add a method to your user model which calls the protected send_activation_needed_email! method. This sends the email again.

          ruby
        
def resend_activation_email!
  send_activation_needed_email!
end

Leonardo Skorianez about 13 years ago

How can I change the password?
I need to validate de "old_password" before change it.

Xavier Lozinguez about 13 years ago

Here is how:

          ruby
        
def update_password(current_password, new_password, new_password_confirmation)
  if new_password == new_password_confirmation
    if !User.authenticate(self.username, current_password).nil?
      return self.change_password!(new_password)
    else
      return false
    end
  else
    return false
  end
end

Xavier Lozinguez about 13 years ago

Hey everyone,

I've implemented a way to change the password (not reset the password) see here.

However I have trouble hooking up rspec tests for this bit of code... If anyone can help me out...

Markus Schwarz about 13 years ago

Hi Ryan,
you should use »rails generate sorcery:install« instead of »sorcery:bootstrap«.
Have fun!

Max Kramer almost 13 years ago

Looks like this tutorial was done with Sorcery v0.6.0 or round abouts, which uses the syntax Ryan used.

https://github.com/NoamB/sorcery/tree/v0.6.0

The newer versions (0.7.x) are using sorcery:install.

Chris about 13 years ago

Hi, receiving the following error when clicking my "Log In" link:

Routing Error

undefined method `username_attribute_name=' for #Sorcery::Model::Config:0x41a2730

bicepjai almost 13 years ago

issues with rspec and sorcery !
http://stackoverflow.com/questions/8877300/testing-logging-in-function-of-sorcery-using-rspec-in-rails-3-1

drew1two over 12 years ago

Love these casts, as a rails noob I'm killing heaps of hours watching and tinkering :) Thanks Ryan.

I am at my wits end atm though... I've isolated everything my app should use down to:-
Sorcery
Omniauth
CanCan
twitter-bootstrap (converted to sass)
and Simple Forms.

Clean, clear and simple....Not.
Cannot for the life of me integrate (what would seem to be the most simplest of tasks) simple forms with a Sorcery Login without getting errors on the 'remember_me' field.

Simple forms doesn't have a simple_form_tag option which would work best on a login form from the sessions controller new method. Instead I have to create a @user instance in that method, but then get errors on the 'remember_me' field "undefined method `remember_me'"

Any help would be greatly appreciated.

I mean Greatly! Huge thanx in advance :)

Folivi over 12 years ago

hi,
thanks for the great cast.
I'm having this error:

undefined method `authenticates_with_sorcery!' for User:Class

this happens on my new app on rails 3.2.6 using the latest version of mongoid (episode #238)

looks like there was a known error with mongowrapper, maybe is this linked?
Any help would appreciated.
thanks

Brandon Cordell about 12 years ago

@folivi In case you never found your solution, or for posterity in case other people find this comment while searching for this same solution

Make sure authenticates_with_sorcery! comes after include Mongoid::Document

E.g.

          ruby
        
class User
  include Mongoid::Document
  authenticates_with_sorcery!
end

Kiminari Homma about 11 years ago

In my case, the order of each gems in gemfile were wrong.

NG
gem 'sorcery'
gem 'mongoid', github: 'mongoid/mongoid'
gem 'bson_ext'

OK
gem 'mongoid', github: 'mongoid/mongoid'
gem 'bson_ext'
gem 'sorcery'

Elliott Blatt almost 12 years ago

I'm using rails 3 .2.8.

The generator is apparently not found:

rails g sorcery:install --model Account
Could not find generator sorcery:install

gem list | grep sorcery
sorcery (0.7.13, 0.6.0)

Has anyone experienced this?

Guilloteau Romain almost 12 years ago

Be careful with simple_form

Took me awhile to discover that you can't login if your form is built with simple_form.
My sessions controller is in an admin namespace and the builder gave me "/admin/sessions[password]".

Fabricio Flores over 11 years ago

hello all. I tried to use sorcery with backbone.js. I have written API in rails but I guess I have to add the before_filter :require_login in controllers that are part of the API. The problem is that I get an error
> WARNING: Can not Verify CSRF token authenticity
> Redirected to http://localhost:3000/
> Filter chain halted as: require_login rendered or redirected
> Completed 302 Found in 2ms (ActiveRecord: 0.0ms)

Tony Arthur over 11 years ago

@FabricioFlores, have you been able to address the filter chain halted issue. I am having the same problem. What is the fix?

Tony Arthur over 11 years ago

I figured the problem (or at least the issue that I was experiencing). It had to do with CSRF and how Ruby on Rails handle HTTP Post. I initially followed a tutorial on Braintree where it used regular html form. . This caused Rails to loose the session because of security associated with CSRF. To pass Rails's security check, I had to use <%= form_for @myobject, ... } do |f| %>. Lesson learned.

yonineitor about 11 years ago

hi!.

as I can decrypt the password?

I'm using the following:

          ruby
        
<%= Sorcery::CryptoProviders::AES256.decrypt(user.crypted_password) =>

But the result is:
Sorcery::CryptoProviders::AES256 expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it.

There is another way to decrypt the password?

jules-syle about 11 years ago

Fuck Devise, Sorcery is way much cooler. Or easier perhaps. I don't want to go thru all the twinge I've been spending my whole afternoon figuring out how to work my way with Devise. And by the way, this is the simplest by far, I know it's outdated but it only gets better and improved by time. I'm good to go with this, 'Sorcery'.

Sean O over 10 years ago

I'm brand new to Rails and am having an issue with my routing once I fill out the Sign up form and click Save User.

I'm getting a Routing Error that reads "No route matches [POST] "/signup" "

rake routes returns this:

          ruby
        
      Prefix Verb   URI Pattern                  Controller#Action
      logout GET    /logout(.:format)            sessions#destroy
       login GET    /login(.:format)             sessions#new
      signup GET    /signup(.:format)            users#new
       users GET    /users(.:format)             users#index
             POST   /users(.:format)             users#create
    new_user GET    /users/new(.:format)         users#new
   edit_user GET    /users/:id/edit(.:format)    users#edit
        user GET    /users/:id(.:format)         users#show
             PATCH  /users/:id(.:format)         users#update
             PUT    /users/:id(.:format)         users#update
             DELETE /users/:id(.:format)         users#destroy
    sessions GET    /sessions(.:format)          sessions#index
             POST   /sessions(.:format)          sessions#create
 new_session GET    /sessions/new(.:format)      sessions#new
edit_session GET    /sessions/:id/edit(.:format) sessions#edit
     session GET    /sessions/:id(.:format)      sessions#show
             PATCH  /sessions/:id(.:format)      sessions#update
             PUT    /sessions/:id(.:format)      sessions#update
             DELETE /sessions/:id(.:format)      sessions#destroy
      secret GET    /secret(.:format)            home#secret
  home_index GET    /home/index(.:format)        home#index
    home_new GET    /home/new(.:format)          home#new
        root GET    /                            home#index

What am I missing?

Matt S over 10 years ago

@SeanO looks like that route doesn't exist, if you're trying to #create a user, try posting to the users_path in your form, or use form_for(user_obj) to automatically pick the route like:

          ruby
        
<%= form_for(@user) do |f| %>

I'd suggest the above, as long as you're creating @user = User.new in the users#new controller action, so it knows to route to POST /users. The long way to write it is:

          ruby
        
<%= form_for @user, as: :post, url: users_path %>