We want legitimate people to post on our website and avoid spam. In order to do so, authentication is a must. In this task, we will see how to use devise to add authentication to the application. The choice of devise is quite obvious because it is a very complete authentication engine in every sense. It is also very easily extensible and hence the best choice for this.
Devise is the most popular and up-to-date solution of authentication with Rails. We will use it to add user authentication to our website.
Let's have a look at how we can use Devise to add user authentication to our website.
The use case for devise is as follows:
User story; that is, user sign-up
User clicks on sign-up
User fills in the e-mail
User enters and confirms the password
If validations are passed, the user gets a valid account
We can add Devise and generate the basic authentication by adding the following code to the Gemfile and running the bundle:
    gem 'devise', github: 'plataformatec/devise'
With the gem in place, we can install the basic configuration files of Devise using the following command line:
    :~/curry-nation$ rails g devise:install
This will create two files for us: initializers/devise.rb and locales/devise.en.yml. We can now generate our user model:
    :~/curry-nation$ rails g devise user
The following line mounts the Devise routes in the routes.rb file:
config/routes.rb
    devise_for :users
We will now protect selected methods. Devise comes with a set of methods that can be readily used with user-related resources in our application. We will first proceed with the protection of our specific methods inside our recipes controller:
app/controllers/recipes_controller.rb
    # Require a signed-in user for every action that creates or changes a recipe.
    # before_filter was removed in Rails 5.1; the same macro is named before_action there.
    before_filter :authenticate_user!, only: [:new, :edit, :create, :update, :destroy]
This will allow us to protect the new, edit, create, update, and destroy methods using user authentication. The current_user method allows access to the logged-in user in the session. We can display the e-mail of the user using this method.
Let's write a "create user login" user story as follows:
User story; that is, user login
User clicks on the login link
User fills in the username and password
Validations are applied to check whether both the username and password are present in the database
We can also protect specific methods in views. The user_signed_in? method is a conditional method provided by Devise. We can use it to check whether the user session is in progress or not. If it is, then we can display the e-mail of the user and the logout link; if not, then display the login and sign-up links:
app/views/layouts/application.html.erb
    <ul class="nav navbar-nav pull-right">
      <% if user_signed_in? %>
        <li><%= link_to "#{current_user.email}" %></li>
        <%# Devise signs out via DELETE by default, so the logout link must send that method %>
        <li class="active"><%= link_to "Logout", destroy_user_session_path, method: :delete %></li>
      <% else %>
        <li><%= link_to "Login", new_user_session_path %></li>
        <li class="active"><%= link_to "SignUp", new_user_registration_path %></li>
      <% end %>
    </ul>
We can make the links to these methods visible only to logged-in users. Also, though we have already protected our new and edit methods using authentication, we can hide them altogether from the views, again by using the user_signed_in? method. Hiding the links only tidies the interface; the filter in the controller is what actually enforces access:
app/views/recipes/index.html.erb
    <% if user_signed_in? %>
      <td><%= link_to 'Edit', edit_recipe_path(recipe), :class => "btn btn-success btn-small" %></td>
      <td><%= link_to 'Delete', recipe, method: :delete, data: { confirm: 'Are you sure?' }, :class => "btn btn-danger btn-small" %></td>
    <% end %>
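The only: list on the controller filter is an allowlist of protected actions, so an action added later stays public unless it is also listed. The following Ruby script is an added example, not code from the original tutorial: it reads a controller's source and reports which public actions the authenticate_user! filter does not cover. The sample controller, its publish action, and the READ_ONLY list are assumptions constructed for illustration.

```ruby
# Added example: list the actions a Devise filter leaves reachable without login.
# SAMPLE_CONTROLLER is constructed: the page's filter plus a hypothetical
# `publish` action that was added later and never listed under `only:`.
SAMPLE_CONTROLLER = <<~RUBY
  class RecipesController < ApplicationController
    before_filter :authenticate_user!, only: [:new, :edit, :create, :update, :destroy]

    def index; end
    def show; end
    def new; end
    def edit; end
    def create; end
    def update; end
    def destroy; end
    def publish; end

    private

    def recipe_params; end
  end
RUBY

READ_ONLY = %w[index show].freeze # assumption: these are meant to be public

# Public action names: every `def` before the first private/protected keyword.
def public_actions(source)
  public_part = source.split(/^\s*(?:private|protected)\s*$/).first
  public_part.scan(/^\s*def\s+([a-z_]\w*[?!]?)/).flatten
end

# Actions covered by `before_filter`/`before_action :authenticate_user!`.
def protected_actions(source, actions)
  line = source[/^\s*before_(?:filter|action)\s+:authenticate_user!.*$/]
  return [] unless line
  listed = ->(key) { (line[/#{key}:\s*\[([^\]]*)\]/, 1] || "").scan(/:(\w+[?!]?)/).flatten }
  return actions & listed.call("only") if line.include?("only:")
  return actions - listed.call("except") if line.include?("except:")
  actions # no only:/except: option means the filter runs for every action
end

# Actions reachable without login: expected reads versus ones to review.
def audit(source)
  actions = public_actions(source)
  open_actions = actions - protected_actions(source, actions)
  { public_reads: open_actions & READ_ONLY, review: open_actions - READ_ONLY }
end

p audit(SAMPLE_CONTROLLER)
```

Switching the filter to except: [:index, :show] makes authentication the default, so a newly added action is protected without further edits.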
At the end of this task, our application has devise-based authentication for login and sign-up functionalities. We also protected certain methods and made them accessible only after we completed the login process. Lastly, we looked at various methods to pass user data to session objects such as current_user.
Devise also supports OpenLDAP and API methods for extending authentication for our apps on the mobile platform.