Devise Your Own Protection
Security is essential in the wilderness that is the Internet, and it has created an arms race to keep sensitive information safe from those who would steal it. When designing an app, one of the most important things to protect is the user's account. This is most commonly done by authenticating users with a secret password, so that the server can check that a user is who they claim to be. If you are building your app with Ruby on Rails, there is a gem that stores passwords safely (as salted bcrypt hashes, never in plain text) and provides a full set of authentication features: sign-in, registration, password reset, account confirmation and lockout. This gem is called Devise. Note that Devise handles authentication (who the user is); authorization (what a signed-in user is allowed to do) is a separate concern that Devise leaves to your application or to another gem.
To get started, add the gem to your Gemfile:
gem 'devise'
As with any other gem, we now need to install it:
$bundle install
Now we can run the Devise installer, which creates config/initializers/devise.rb and prints a few remaining manual setup steps:
$rails generate devise:install
Note: Always remember to restart the Rails server after any changes to your Gemfile.
After this we can generate a User model with Devise:
$rails generate devise user
And of course, don’t forget to run the migration it generated.
The generator enables a default set of modules; several more are available, and you switch them on or off in the model:
class User < ActiveRecord::Base
  devise :database_authenticatable, :registerable, :recoverable, :rememberable,
         :trackable, :validatable, :confirmable, :lockable, :timeoutable
end
- Database Authenticatable: Basic module to add authentication. Hashes the password with bcrypt (a one-way hash, not reversible encryption) and stores only the hash in the database; at sign-in the submitted password is hashed the same way and compared, so the password itself is never stored.
- Recoverable: In the event of a user forgetting their password, this module lets them reset it via an e-mail containing a one-time, expiring reset link.
- Registerable: Controls whether your application provides a registration mechanism, and lets users edit and destroy their own accounts.
- Rememberable: Allows for a “remember me” checkbox. Keeps a user signed in across browser sessions by storing a remember token in a cookie.
- Trackable: Tracks sign-in activity: the sign-in count, the timestamps of the current and last sign-in, and the IP addresses they came from.
- Validatable: Provides the basic validations for e-mail and password (format, uniqueness, length). The validations can be customized, so you are able to define your own.
- Omniauthable: When active, this module lets users sign in with external accounts such as Facebook and Twitter, through OmniAuth.
- Confirmable: Enables the confirmation mechanism. Devise sends an e-mail with confirmation instructions and, at sign-in, checks whether the account has been confirmed.
- Timeoutable: Expires a session that has had no activity for a specified period of time, so an abandoned browser cannot be reused indefinitely.
- Lockable: Manages the maximum number of failed sign-in attempts. When it reaches the maximum, Devise locks the account. Depending on the unlock strategy, the user can unlock it via e-mail, after a specified time period, or either.
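To make concrete what the hashing in Database Authenticatable and the lock-out in Lockable actually do, here is an added, self-contained Ruby illustration. It is not Devise's code and needs neither Rails nor the devise gem: a salted, stretched password hash with constant-time verification, and an account that locks after a number of failed attempts and unlocks on its own after a timeout. PBKDF2 from Ruby's standard library stands in for the bcrypt that Devise uses; PasswordHasher, Account, MAXIMUM_ATTEMPTS, UNLOCK_IN and the sample credentials are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

# What :database_authenticatable and :lockable do, written as plain Ruby so it
# runs without Rails or the devise gem. Added illustration of the mechanism,
# not Devise's code: Devise hashes with bcrypt (config.stretches is the bcrypt
# cost); PBKDF2-HMAC-SHA256 from Ruby's stdlib stands in for it here.
module PasswordHasher
  ITERATIONS = 100_000 # assumed work factor for this illustration
  SALT_BYTES = 16
  KEY_BYTES  = 32

  # Returns "iterations$salt$digest" (hex). A fresh random salt per password
  # means two users with the same password get different stored values.
  def self.digest(password, iterations: ITERATIONS)
    salt = SecureRandom.random_bytes(SALT_BYTES)
    key  = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_BYTES,
                                      OpenSSL::Digest.new('SHA256'))
    [iterations, salt.unpack1('H*'), key.unpack1('H*')].join('$')
  end

  # Recomputes the digest with the stored salt and compares in constant time.
  # The password cannot be recovered from the stored value: this is hashing,
  # not encryption.
  def self.valid?(password, stored)
    iterations, salt_hex, key_hex = stored.split('$')
    key = OpenSSL::PKCS5.pbkdf2_hmac(password, [salt_hex].pack('H*'),
                                     iterations.to_i, KEY_BYTES,
                                     OpenSSL::Digest.new('SHA256'))
    secure_compare(key, [key_hex].pack('H*'))
  end

  # Byte-by-byte comparison whose running time does not depend on where the
  # first mismatch is, so an attacker cannot learn the digest a byte at a time.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# A simplified :lockable with lock_strategy :failed_attempts and
# unlock_strategy :time. MAXIMUM_ATTEMPTS and UNLOCK_IN stand in for
# config.maximum_attempts and config.unlock_in (assumed values).
class Account
  MAXIMUM_ATTEMPTS = 5
  UNLOCK_IN        = 60 * 60 # seconds

  attr_reader :email, :failed_attempts, :locked_at

  def initialize(email, password)
    @email = email
    # Devise names the column encrypted_password even though it holds a hash.
    @encrypted_password = PasswordHasher.digest(password)
    @failed_attempts = 0
    @locked_at = nil
  end

  # A lock expires on its own after UNLOCK_IN; `now` is injectable for tests.
  def access_locked?(now = Time.now)
    return false if @locked_at.nil?
    return true if now - @locked_at < UNLOCK_IN
    unlock_access!
    false
  end

  def unlock_access!
    @locked_at = nil
    @failed_attempts = 0
  end

  # Returns :ok, :invalid or :locked. A locked account rejects even the right
  # password, so online guessing stalls instead of merely slowing down.
  def authenticate(password, now = Time.now)
    return :locked if access_locked?(now)
    if PasswordHasher.valid?(password, @encrypted_password)
      @failed_attempts = 0
      return :ok
    end
    @failed_attempts += 1
    return :invalid if @failed_attempts < MAXIMUM_ATTEMPTS
    @locked_at = now
    :locked
  end
end
```

The behaviour is simplified relative to Devise (which can also unlock via e-mail and is configurable per strategy), but the two security properties it shows are the ones that matter: the stored value cannot be turned back into a password, and an attacker guessing online gets at most MAXIMUM_ATTEMPTS tries per UNLOCK_IN window.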
Devise also provides a number of controller and view helpers. The names below assume the model is called User; for a model called Admin they become authenticate_admin!, current_admin and so on. They include:
- authenticate_user!: For use in controllers only. Ensures a signed-in user is available to all, or a specified set of, controller actions, redirecting to the sign-in page otherwise. It is invoked with a before_action filter: before_action :authenticate_user!
- current_user: Returns the User record for the signed-in user, or nil if no user has signed in.
- user_signed_in?: Query method that checks whether current_user returns a value that is not nil.
- sign_in(@user): Signs a user in programmatically, for example right after their account has been created.
- sign_out(@user): Signs a user out and clears their session.
- user_session: Returns the session data scoped to the signed-in user.
Note: The most commonly used of these helpers are current_user and user_signed_in?.
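As an added illustration of how these helpers fit together with Timeoutable (not Devise's own code, and runnable without Rails): an in-memory stand-in for the session exposes the same five helpers, and a small controller-shaped class uses them the way before_action :authenticate_user!, except: [:index] would. The User struct, the users lookup table, TIMEOUT_IN, SessionHelpers and ProfilesController are assumptions made for this example.

```ruby
# In-memory stand-in for the Rails session plus the Devise helpers
# (current_user, user_signed_in?, sign_in, sign_out, authenticate_user!),
# with :timeoutable expiry. Added illustration, not Devise's code.
User = Struct.new(:id, :email)

class NotAuthenticated < StandardError; end

class SessionHelpers
  TIMEOUT_IN = 30 * 60 # seconds; assumed value standing in for config.timeout_in

  # users: id => User, stands in for User.find_by(id:).
  # clock: injectable so a test can move time forward without sleeping.
  def initialize(users, clock: -> { Time.now })
    @users = users
    @clock = clock
    @session = {} # what Rails would keep in the session store
  end

  def sign_in(user)
    @session = { 'user_id' => user.id, 'last_request_at' => @clock.call }
  end

  def sign_out
    @session.clear
  end

  # Returns the signed-in User, or nil. A session idle for longer than
  # TIMEOUT_IN is destroyed here rather than silently revived; that is the
  # point of :timeoutable.
  def current_user
    id = @session['user_id']
    return nil unless id
    if @clock.call - @session['last_request_at'] > TIMEOUT_IN
      sign_out
      return nil
    end
    @session['last_request_at'] = @clock.call # activity resets the idle clock
    @users[id]
  end

  def user_signed_in?
    !current_user.nil?
  end

  # Devise's version redirects to the sign-in page; raising stands in for that.
  def authenticate_user!
    raise NotAuthenticated, 'sign in required' unless user_signed_in?
  end
end

# A controller-shaped consumer: `show` is guarded, `index` is public, the way
# `before_action :authenticate_user!, except: [:index]` would arrange it.
class ProfilesController
  def initialize(helpers)
    @h = helpers
  end

  def index
    @h.user_signed_in? ? "signed in as #{@h.current_user.email}" : 'anonymous'
  end

  def show
    @h.authenticate_user!
    "profile of #{@h.current_user.email}"
  end
end
```

Two details carry over to real Devise usage: the guard belongs in a before_action so that no action can be reached without it, and user_signed_in? is only ever as strong as current_user, which is why a timed-out session must make current_user return nil rather than a stale record.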
Devise Your Own Plan
It is plain to see that Devise covers the features that matter most when authenticating users; authorization (deciding what a signed-in user may do) still has to be handled by your application. The beauty of open code is that many of the needs you have as a developer have already been written, reviewed and tested by thousands of other programmers, and that matters more for authentication code than almost anywhere else. While no security is 100 percent reliable, Devise is one of the most widely used and best-reviewed ways to provide authentication for your Ruby on Rails application.