Currently Browsing: Authlogic

Authlogic: keeping you in the loop

I figured I would post an update keeping everyone in the loop. I created a new branch for authlogic locally and I’ve been making some changes mentioned in this post. Some of the changes I’m making are still somewhat experimental and I’m playing around with the code to see if I like the end result. Figuring out a way to make this ORM agnostic has proven difficult, simply because there is no standard. They all follow a similar pattern, but the method naming conventions and some of the feature implementations are vastly different. I’m also not sure you could even set a standard. Regardless, I do think this is an important feature since there is a lot of movement around alternative storage solutions such as MongoDB, CouchDB, etc.

Splitting out some of the authentication code into “authenticators” has worked out great so far. More importantly, it’s more or less a blueprint for people to extend Authlogic and provide alternate authentication solutions (openid, facebook connect, oauth, etc.).

The last major change I’ve been making is removing validations in the acts_as_authentic module. Validations add some clutter to authlogic, some might say it’s a necessary clutter, but I’m leaning towards leaving it out. Validation is such an easy thing to do. ActiveRecord provides very simple methods for doing this, I also feel like it gets in the way for certain edge cases. Authlogic will still provide some nice methods to make your life easier, like validating the format of an email address, the main difference being that you have to explicitly implement this validation. No validations will be automatically added. Lastly, this makes ORM abstraction a little easier.

So that’s that. I’ll keep you updated when I start to push out some code and what not. I’m probably going to label this release as v3, because of the validation changes and some of the other major changes that might break backwards compatibility.

Authlogic ideas

So I’ve been thinking about Authlogic lately and here are a few ideas I’ve been bouncing around:

  1. Split out authenticating into “authenticators” that extend a class that acts as an interface, which would obviously be provided by Authlogic.
    So you would have a cookies authenticator, session authenticator, params authenticator, twitter oauth authenticator, openid authenticator, anything you want. You could basically create an authenticator, register it with authlogic, and then you can do whatever you want in that class. This shouldn’t be a complicated task, more importantly I think it makes it easier to extend authlogic with different authentication methods.
  2. Abstract the interaction with your models.
    This is especially hard because there is no standard between the different database libraries. But it would be nice to use Authlogic with DataMapper, MongoMapper, etc. I’m just hoping I can come up with a clean and clever way to do this. The only sure fire way that I can think of is to create adapters for each supported library, which means maintaining duplicate code. That would not be a fun task.
  3. I’m toying with the idea of adding in common application code that you can include in your application.
    Such as resetting passwords, registering, logging in and out, grabbing the current user etc. What I don’t like about that is that now I am stepping into your application and making decisions for you. Is this a bad thing? I don’t know, that’s for you to decide, but it definitely deviates a little bit from the “rails way”. Your UserSessionsController should look VERY similar to your other RESTful controllers. If you are willing to create those controllers / views, what’s the big deal with creating one for UserSessions? I just feel like it fits better. Here I have an application full of RESTful controllers where the code is pretty similar, then I have this UserSessionsController that’s different. I just don’t like that. Also, what if you are using something like resource controller, inherited resources, or resourcelogic? What if you want your controller to use one of those libraries?

    The worst part about this idea is the views. Interfaces can be quite a bit different from application to application. How do I provide views that are suitable for every project? In my opinion you can’t. I could give you a million partials, tons of configuration, a lot of helpers, etc. This might add some flexibility, but this seems like a hack. It’s not a clean solution. This is the one thing that I just don’t like about rails engines. I prefer tools that help me create my views. Give me a set of tools so I can go easily create my interface, but don’t go create my interface for me. And I think rails does a pretty good job of this with things like form_for, etc.

The bottom line is that I want to keep Authlogic focused on the business logic behind authentication. You should be able to use Authlogic in a rails app, merb app, sinatra app, etc. All of the interface cruft should probably be in a separate gem or in a template. The thing is, this gem could be written a million different ways depending on your preferences. Maybe I can create a base rails engine that people can fork and modify to their liking. That’s the beauty of git.

To conclude, #1 is probably going to happen, I want to do #2 if I can figure out a good way to do this, #3 is still up in the air and more likely to be in a separate gem / plugin.

That’s it for now, I figured I would try to keep everyone in the loop. Maybe you can help me out or have some ideas of your own.

Authlogic generators? All of the cool kids are doing it.

Lately I’ve been getting a lot of pressure to add a generator to Authlogic. One of the big things I “tout” about Authlogic is the fact that it does not need generators, not any more than any other RESTful controller you create. Authlogic can pull this off because it’s intuitive, it works just like every other model you have in your application. Unless you want to customize how it works, there’s no learning curve. If you know how to set up a RESTful controller for an ORM model, then you know how to set up a RESTful controller for an Authlogic model.


Tutorial: Easily migrate from restful_authentication to Authlogic

I’ve been getting a lot of emails asking the best way to migrate from restful_authentication. Where it gets complicated is in the password encryption methods. Authlogic and restful_authentication use different methods. You don’t want to change this method because it will break backwards compatibility with your current passwords, meaning no one will be able to log into their account. Fear not, because I did all of the hard work for you…


Tutorial: Upgrade passwords easily with Authlogic

I released Authlogic 1.3.3 which has some handy options for migrating passwords to a new and improved algorithm. Without Authlogic this is somewhat of a pain in the ass, because there has to be a transition period in which your users can upgrade their passwords. You can’t just upgrade the algorithm because then no one will be able to log in. Authlogic solves this problem and makes it dead simple:


Storing nuclear launch codes in your app? Enter BCrypt for Authlogic.

Today is Saturday, which is “fun day”, and there is nothing more fun than talking about encryption algorithms. So let’s get started…

Part of Authlogic’s responsibility is to keep you on the cutting edge when it comes to security. After all, that is part of the reason you use Authlogic, so you don’t have to deal with it. Your app can use the latest and greatest security techniques just by updating the Authlogic gem.


Tutorial: Using OpenID with Authlogic

Please note this tutorial is outdated and has been deleted, please see the official Authlogic OpenID addon, which makes OpenID integration extremely easy. The content that used to be in this tutorial was for Authlogic 1.x and will not work properly with Authlogic 2.x.

Tutorial: Reset passwords with Authlogic the RESTful way

I’ve been getting emails asking me how to reset passwords with Authlogic, or how to confirm accounts. In this tutorial I’ll cover resetting passwords, since it is more complex, but after reading this tutorial there is no reason why you couldn’t set up account confirmation as well. In fact, my next tutorial will cover just that.

What am I about to read?

You are going to read a tutorial on how to reset passwords the RESTful way. I am going to pick up where I left off on the Authlogic basic setup tutorial, so if you have not read that I highly recommend doing so.

Want to see it in action before you start? Check it out for yourself:

A live example of this tutorial

Before we begin, let me walk you through the basic process of resetting a password as I see it:


Authlogic shares the love, merb support added

Rails doesn’t have to hog all of the Authlogic love, it’s time to start sharing. So I decided to send a little love to the merb peeps and add in a merb adapter. Just install the Authlogic gem and include it as a dependency and you are good to go. Authentication in your app is as easy as setting up a resource for a model.

I think this is just the beginning though, here are my thoughts….


Tutorial: Authlogic Basic Setup

Please note this tutorial has been moved to the README in the authlogic_example repository. This tutorial is stored with the example app in case you are more of a hands on learner, you can play around with the resulting code.
