#283 Authentication with Sorcery
Sep 12, 2011 | 10 minutes | Plugins, Authentication
Sorcery is a full-featured, modular solution to authentication which leaves the controller and view layers up to you.
Thanks for another great screencast, but I don't see any advantages over good old Devise, which is definitely more flexible
That's the whole point though - devise isn't all that flexible when you want to get it to do things 'your way' - personally I ended up having to override most of Devise's own controllers. It all depends on what you really want out of your authentication system in the end, so YMMV of course.
@Ryan - thanks for another fantastic cast, will be sure to try it out tonight!
Any gem is infinitely flexible in the sense you can always monkey patch your own way of doing things on top of the gem code. The difference in flexibility between gems is in the ease with which they can be customised, not the extent.
Devise just isn't intended for massive customisation. It fulfils the most common use case for authentication systems. This is great because it means you don't have to code very much if this suits you. It is also sufficiently easy to change that you know if you need something more complex down the road, you won't have to rip it out in favour of a different system. However, I don't think you should be using it with the intention of doing all that customisation.
However, if you already know to begin with that you will need to replace the Devise views and controllers (and to be honest, I haven't yet found a situation where this isn't true), then you will have a much easier time with Sorcery.
Sorcery also has the advantage of having a very small public API meaning it is much easier and faster to learn than Devise.
Devise has much better documentation, much better guides on using it with associated gems such as CanCan and a larger community so better support. It is also older and so is more dependable.
Very true Rupert - and yes, I guess most of us think of Devise as "old faithful". I also agree on your points regarding the smaller API.
In time, I think it should come into its own. Till then, I'll be sticking with auth from scratch vs. Devise for production apps - I'll definitely be hacking around with Sorcery though =)
Thanks for another great episode. I'm really interested in the submodule: externals to allow fb and twitter login.
I believe I'm going to replace my login system with this.
Any thoughts on Sorcery vs Authlogic? Seems to be very much the same ideas of basic core authentication logic, but gets out of your way on the business side of the implementation.
Authlogic hasn't been updated in a while, but has some niceties like built-in validations for emails etc...
Thanks very much for covering Sorcery, Ryan.
I can't express how awesome it is to have a RailsCasts episode dedicated to a gem I've spent close to 9 months on...
Hopefully the community spotlight will help push the gem forward, which is much needed as work is crazy right now...
I like the logo... :)
Hi Noam - liking your work mate, keep it up. I see you merged my pull-request =)
Can you recommend an authorization gem that works fine with sorcery?
Authorization doesn't really depend on authentication. For example, I use Ryan's CanCan gem with simple http auth.
You're a complete rock star. I only wish you would use sign/log consistently. I know it's a small thing but I think people look up to you. Sign in/out/up (2 words) instead of login, log in, sign up, log out, etc.
Anyways, I learned a lot still. You're really an outstanding teacher and I watch your casts to get ideas about how to teach others.
That's pretty awesome. Customizable authentication solution that I am looking for. Thanks!
Need help for user_activation module.
I followed Sorcery's wikis tutorial but I don't know how to fix this problem. Everything works with these submodules :
:http_basic_auth, :remember_me, :reset_password
but with :user_activation :
NoMethodError (undefined method `activation_code' for #<User:0xacda7bc>):
Environment : Rails 3.1.0 - Sorcery 0.6.1
Ok, I found the problem.
It's a confusion between :activation_code and :activation_token
@noam ben ari : I think you can update your wikis tutorial.
By default :activation_token and :activation_token_expires_at are created during the migration.
But after, in your tutorial you write
user.activation_token in user_mailer.rb - activation_needed_email
Another little thing in Sorcery - Reset password tutorial, you forgot :
Thank you very much for this amazing gem.
the community already fixed the token/code issue.
I added the view.
Thanks Ryan for another great screencast! I really enjoyed and share the need for a very customizable authentication gem.
I was wondering if you could clarify this for me: I've seen the gem has an external submodule and all, but would you use Sorcery with OmniAuth or just stick to the external submodule? I really don't understand if these two gems overlap in this matter or are meant to be combined or hacked together :)
Great episode as usual, but I'm getting sick of authentication. Not that I'm unappreciative, I do watch your episodes religiously each week.
Maybe an episode on Mercury, with carrier wave uploads and snippets for adding images to content from a gallery?
Hi, Ryan. Thanks for your wonderful episodes. I wonder if you can teach us how to use Textmate, I think it's simple but most important for developers, because there are many tricks, plugins, etc. and we don't know. Regards.
Great screencasts as always. I've only a doubt: why do you use _url methods instead of _path methods? I thought that one should use _path methods unless there is the need to have the full urls. Since you are always very precise about these details I was wondering if there is a reason behind that...
When running tests, the block that sets the configuration for sorcery doesn't get run (I added puts "something" to make sure), so, while testing, sorcery uses username instead of email, because this line doesn't ever run: user.username_attribute_name = :email.
Any ideas why or how to fix it?
Try replacing it with the following:
Thanks for the screencast!
Can this be combined with CanCan and does it allow logins using OpenID?
I'm gonna try next week to combine with CanCan so I'll let you know - but I see no reason why not - CanCan doesn't care, and I don't see a reason why Sorcery will, as long as you are using the same User model.
If you check out Sorcery Wiki - external login you see that only FB and twitter are currently supported, but if you look at the migrations that are generated by external model, it should be easy to integrate it with another gem, like OmniAuth, then do OpenID authentication & callback from there. It is not pretty and, well, it might break when either of them changes their DB structure or API, but until Sorcery will support it...
I am new to Ruby and Rails and while trying to get up to speed, I came across your site and watched your screencasts on Authentication (Sorcery) and Authorization (Declarative authorization).
This really simplifies much of the minutiae associated with Authentication while allowing for some flexibility.
You did an outstanding job on presenting the information in a simple and easy to follow fashion. Kick ass!
Problem with logout function and current_user value.
When logout is called, it only resets the session (reset_session) but does not reset current_user to nil.
So when using logged_in? function after logout, it returns true because logged_in? tests current_user value.
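The stale-state problem reported in the comment above, reproduced in plain Ruby as an added example (it is not part of the original comment and not Sorcery's source). The `RequestContext` class, its sample user table and both logout variants are hypothetical stand-ins for a controller that memoizes `current_user`.

```ruby
# Simplified model of a controller's per-request authentication state.
# Hypothetical class for illustration; not taken from the Sorcery code base.
class RequestContext
  USERS = { 1 => "alice" }.freeze # constructed sample user table

  attr_reader :session

  def initialize(session)
    @session = session
  end

  # Memoized lookup: the first call caches the user for the rest of the request.
  def current_user
    @current_user ||= USERS[session[:user_id]]
  end

  def logged_in?
    !current_user.nil?
  end

  # Behaviour described in the comment: only the session is cleared,
  # so the cached user survives until the request ends.
  def logout_session_only
    @session = {}
  end

  # Hardened variant: clear the session and the cached user together.
  def logout
    @session = {}
    @current_user = nil
  end
end

# Runs one request: authenticate, log out with the given method,
# then report what logged_in? says afterwards.
def logged_in_after(logout_method)
  ctx = RequestContext.new({ user_id: 1 })
  ctx.logged_in? # warms the memoized current_user, as a login filter would
  ctx.public_send(logout_method)
  ctx.logged_in?
end
```

Any authorization check that runs after logout in the same request, such as a view that branches on `logged_in?`, sees the cached user unless the cache is cleared along with the session.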
I would love to see this episode continued to include the user_activation module and how to setup a "resend activation email" feature for times when a user doesn't get the email.
If you just want to resend the activation email, then you can add a method to your user model which calls the protected send_activation_needed_email! method. This sends the email again.
How can I change the password?
I need to validate the "old_password" before changing it.
Here is how:
I've implemented a way to change the password (not reset the password) see here.
However I have trouble hooking up rspec tests for this bit of code... If anyone can help me out...
you should use »rails generate sorcery:install« instead of »sorcery:bootstrap«.
Looks like this tutorial was done with Sorcery v0.6.0 or round abouts, which uses the syntax Ryan used.
The newer versions (0.7.x) are using sorcery:install.
Hi, receiving the following error when clicking my "Log In" link:
undefined method `username_attribute_name=' for #<Sorcery::Model::Config:0x41a2730>
issues with rspec and sorcery !
Love these casts, as a rails noob I'm killing heaps of hours watching and tinkering :) Thanks Ryan.
I am at my wits end atm though... I've isolated everything my app should use down to:-
twitter-bootstrap (converted to sass)
and Simple Forms.
Clean, clear and simple....Not.
Cannot for the life of me integrate (what would seem to be the most simplest of tasks) simple forms with a Sorcery Login without getting errors on the 'remember_me' field.
Simple forms doesn't have a simple_form_tag option which would work best on a login form from the sessions controller new method. Instead I have to create a @user instance in that method, but then get errors on the 'remember_me' field "undefined method `remember_me'"
Any help would be greatly appreciated.
I mean Greatly! Huge thanx in advance :)
thanks for the great cast.
I'm having this error:
undefined method `authenticates_with_sorcery!' for User:Class
this happens on my new app on rails 3.2.6 using the latest version of mongoid (episode #238)
looks like there was a known error with mongowrapper, maybe is this linked?
Any help would be appreciated.
@folivi In case you never found your solution, or for posterity in case other people find this comment while searching for this same solution
In my case, the order of the gems in the Gemfile was wrong.
gem 'mongoid', github: 'mongoid/mongoid'
gem 'mongoid', github: 'mongoid/mongoid'
I'm using rails 3.2.8.
The generator is apparently not found:
Has anyone experienced this?
Be careful with simple_form
Took me awhile to discover that you can't login if your form is built with simple_form.
My sessions controller is in an admin namespace and the builder gave me "/admin/sessions[password]".
hello all. I tried to use sorcery with backbone.js. I have written API in rails but I guess I have to add the before_filter :require_login in controllers that are part of the API. The problem is that I get an error
> WARNING: Can not Verify CSRF token authenticity
> Redirected to http://localhost:3000/
> Filter chain halted as: require_login rendered or redirected
> Completed 302 Found in 2ms (ActiveRecord: 0.0ms)
@FabricioFlores, have you been able to address the filter chain halted issue. I am having the same problem. What is the fix?
I figured out the problem (or at least the issue that I was experiencing). It had to do with CSRF and how Ruby on Rails handles HTTP POST. I initially followed a tutorial on Braintree where it used a regular HTML form. This caused Rails to lose the session because of security associated with CSRF. To pass Rails's security check, I had to use <%= form_for @myobject, ... } do |f| %>. Lesson learned.
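The sequence in the log lines quoted above (failed token check, session dropped, `require_login` redirect), modelled in plain Ruby as an added example that is not part of the original comments and not Rails or Sorcery code. The function names, the `:_csrf_token` session key and the sample parameters are assumptions made for illustration.

```ruby
require "securerandom"

# Constant-time comparison so the check does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue (or reuse) the per-session token that a form helper embeds as a hidden field.
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Handle a POST to an action guarded by a require_login-style filter.
# Returns [status, log_lines]; the caller's session hash is not modified.
def handle_post(session, params)
  log = []
  expected = session[:_csrf_token]
  submitted = params["authenticity_token"].to_s
  unless expected && secure_compare(expected, submitted)
    log << "WARNING: Can not Verify CSRF token authenticity"
    session = {} # unverified request: handled as if it carried no session
  end
  if session[:user_id].nil?
    log << "Filter chain halted as: require_login rendered or redirected"
    return [302, log]
  end
  [200, log]
end

# Constructed inputs: one logged-in session, three form submissions.
def demo
  session = { user_id: 42 }
  token = csrf_token_for(session)
  {
    plain_html_form: handle_post(session, { "amount" => "10" }).first,
    form_with_token: handle_post(session, { "amount" => "10", "authenticity_token" => token }).first,
    wrong_token: handle_post(session, { "authenticity_token" => "x" * token.bytesize }).first
  }
end
```

For a JavaScript client such as the Backbone.js one mentioned earlier in the thread, the same token has to travel with each non-GET request, which Rails reads from the `X-CSRF-Token` header.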
How can I decrypt the password?
I'm using the following:
But the result is:
Sorcery::CryptoProviders::AES256 expects a 32 bytes long key. Please use Sorcery::Model::Config.encryption_key to set it.
There is another way to decrypt the password?
Fuck Devise, Sorcery is way much cooler. Or easier perhaps. I don't want to go thru all the twinge I've been spending my whole afternoon figuring out how to work my way with Devise. And by the way, this is the simplest by far, I know it's outdated but it only gets better and improved by time. I'm good to go with this, 'Sorcery'.
I'm brand new to Rails and am having an issue with my routing once I fill out the Sign up form and click Save User.
I'm getting a Routing Error that reads "No route matches [POST] "/signup" "
rake routes returns this:
What am I missing?
@SeanO looks like that route doesn't exist, if you're trying to #create a user, try posting to the users_path in your form, or use form_for(user_obj) to automatically pick the route like:
I'd suggest the above, as long as you're creating @user = User.new in the users#new controller action, so it knows to route to POST /users. The long way to write it is: