May 17 2008
restful_authentication howto, step-by-step (part 1)
There are more than a hundred thousand different ways of implementing authentication in Ruby on Rails. Authentication in the Rails world is definitely not for the faint-hearted. After some random reading through the Rails wiki it seemed quite clear that there is one winner: acts_as_authenticated. However, after including this plugin in one of my secret projects to take over the world, it seems that it is lacking some functionality. What I need out of the authentication framework is:
- No-nonsense authentication: just email and password. No bells, no whistles.
- The system should send an activation email after the user signs up.
Let’s explore the alternatives
The haystack…
As stated elsewhere acts_as_authenticated is a neat solution that just gets out of the way. It is nice and easy to integrate. However, it is a bit too simple. loginsugar seemed to be a suitable alternative with ActionMailer integration out of the box.
I decided to give it a try. It has good documentation that walks you through the process of integrating it in your app, but it did not seem to be an easy goal to accomplish.
What I finally decided was to take specific bits and pieces of the loginsugar and integrate them with plain old acts_as_authenticated.
First step of the process: I created a brand new project and installed the acts_as_authenticated plugin. It was surprising to find the following line in the README file:
DEPRECATED: Use restful_authentication instead. Or, ask me for commit rights if you wish to maintain this plugin.
…
So I was right back at the beginning: everybody recommended acts_as_authenticated, but acts_as_authenticated recommended restful_authentication… I thought that if acts_as_authenticated is recommending something, it has to be good.
And I decided to give restful_authentication a try.
… and the needle
Let's get our hands dirty: create a new project and install the plugin with:-

    $ ./script/plugin install http://svn.techno-weenie.net/projects/plugins/restful_authentication/

It turns out that the plugin has the activation email functionality out of the box; the only requirement is the use of a few command line options:-

    $ ./script/generate authenticated
    Usage: ./script/generate authenticated ModelName [ControllerName]

    Options:
        --skip-migration       Don't generate a migration file for this model
        --include-activation   Generate signup 'activation code' confirmation via email
        --stateful             Use acts_as_state_machine. Assumes --include-activation
        --rspec                Force rspec mode (checks for RAILS_ROOT/spec by default)

We need to include --include-activation for the email, which in turn requires --stateful. The idea is that you are going to associate a small state machine with each user. From signed up, to pending; after the user activates the account, the status changes to active, etc.
It is quite neat. However, it has the drawback that it requires another plugin: acts_as_state_machine, but more on that later.
In order to generate your user model and your session controller, you need to issue the following:-

    $ ./script/generate authenticated user sessions \
        --include-activation \
        --stateful

This generates the required files. It also creates the routes to the user and session resources in ./config/routes.rb:-

    #[...]
    map.resources :users
    map.resource :session
    #[...]

However, as the README file suggests we need to modify the :users resource as follows:-

    map.resources :users, :member => { :suspend => :put, :unsuspend => :put, :purge => :delete }

An extra line in ./config/environment.rb is also required (make sure you include it inside the Rails::Initializer.run block):-

    config.active_record.observers = :user_observer

The next step is to install the acts_as_state_machine plugin and to run rake db:migrate to initialize the database:-

    $ ./script/plugin install http://elitists.textdriven.com/svn/plugins/acts_as_state_machine/trunk
    [...]
    $ rake db:migrate

Now you are set. Feel free to run rake; all the tests will pass without warnings. Only one tip from the restful_authentication railscast: to get short URLs for signup, login and logout, add the following to your ./config/routes.rb:

    map.signup '/signup', :controller => 'users', :action => 'new'
    map.connect '/activate/:activation_code', :controller => 'users', :action => 'activate'
    map.login '/login', :controller => 'sessions', :action => 'new'
    map.logout '/logout', :controller => 'sessions', :action => 'destroy'

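The per-user state machine and the /activate/:activation_code route described above, modelled in plain Ruby as an added example (this is not code from restful_authentication or acts_as_state_machine). The class name, the state names and the choice to store only a digest of the activation code are assumptions of this example.

```ruby
require 'securerandom'
require 'digest'
# Hypothetical stand-in for the generated User model; state names follow the post's wording.
class ActivationUser
  # event => { state it may fire from => resulting state }
  TRANSITIONS = {
    register:  { signed_up: :pending },
    activate:  { pending: :active },
    suspend:   { active: :suspended },  # pending users cannot be suspended, so
    unsuspend: { suspended: :active }   # unsuspend can never skip activation
  }.freeze
  attr_reader :state

  def initialize
    @state = :signed_up
    @code_digest = nil
  end

  # Moves to pending; returns the one-time code for the e-mail link (only its digest is kept).
  def register!
    fire!(:register)
    code = SecureRandom.hex(20)
    @code_digest = Digest::SHA256.hexdigest(code)
    code
  end

  # Succeeds only from pending with the matching code; the code is then discarded.
  def activate!(code)
    return false unless @state == :pending && @code_digest
    return false unless secure_equal?(Digest::SHA256.hexdigest(code.to_s), @code_digest)
    fire!(:activate)
    @code_digest = nil
    true
  end

  def suspend!;    fire!(:suspend);    end
  def unsuspend!;  fire!(:unsuspend);  end
  def can_log_in?; @state == :active;  end

  private
  def fire!(event)
    target = TRANSITIONS.fetch(event)[@state]
    raise ArgumentError, "#{event} not allowed from #{@state}" unless target
    @state = target
  end

  def secure_equal?(a, b) # constant-time comparison of two hex digests
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end
end
```

The session controller's login check corresponds to `can_log_in?`: a correct password alone is not enough while the account is pending or suspended.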
Fine tune
So here we are, all set with the authentication framework in place. From here on it is about customization and fine tuning. Note that the activation email feature requires either an email server running on the same box or some ActionMailer configuration in order for it to work.
In the second part of this series we will go back to our basic need: get rid of the login field (we only need an email). This and other tweaks will be demonstrated in a tiny app that fully implements the concepts explained here. Part 2 is here! restful_authentication howto, step-by-step (part 2).





January 6th, 2009 at 8:35 pm
http://www.railsgeek.com/2009/1/6/generate-random-password-in-rails
I am using Restful_authentication plugin for one of my projects.
As part of my user creation workflow, the system should generate a random password for the new user.
So, look at my password creation behaviour:
* generate uncrypted password
* send this with e-mail notification
* crypt the password