Development has moved to Daniel Neighman’s MerbAuth repo here on github.
- Stupidly Simple
- Speaks fluent HTTP, even the errors
- Pluggable Architecture (so that you can use any authentication algorithms you like)
- Cascading Authentication (if one method fails, another is attempted, then another. When no methods succeed, authentication fails)
- Sessions are authenticated, not users.
- Just because one method of authentication fails doesn’t mean the session can’t be authenticated another way. This is especially true if your application has an external API as well as a public interface.
- HTTP has built-in Errors which every web browser (should) know how to speak. If your application speaks in HTTP Verbs (GET, POST, PUT, DELETE), it should also serve HTTP Errors when things go wrong.
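
The cascade described above, sketched in plain Ruby as an added example (it is not MerbAuth's code or API): two pluggable strategies are tried in order, the first success authenticates the session, and total failure surfaces as an HTTP 401. All names (`authenticate!`, `PASSWORD_FORM`, `API_TOKEN`, the `X-Api-Token` header) and the sample credentials are hypothetical.

```ruby
require 'digest'

# Hypothetical names throughout; this is not MerbAuth's API.
class Unauthenticated < StandardError
  def status; 401; end # HTTP 401 Unauthorized
end

# Compare secrets without leaking timing: hash both to a fixed length,
# then OR together the XOR of every byte pair.
def secure_equal?(a, b)
  x = Digest::SHA256.digest(a.to_s).bytes
  y = Digest::SHA256.digest(b.to_s).bytes
  x.zip(y).reduce(0) { |acc, (p, q)| acc | (p ^ q) }.zero?
end

# Constructed sample credentials (a real app would store password hashes).
USERS  = { 'alice' => 'correct horse' }
TOKENS = { 'bob' => 'tok-1234' }

# A strategy returns a user name on success, or nil so the next one is tried.
PASSWORD_FORM = lambda do |req|
  login, pw = req[:params].values_at('login', 'password')
  login if USERS.key?(login) && secure_equal?(USERS[login], pw)
end

API_TOKEN = lambda do |req|
  given = req[:headers]['X-Api-Token']
  return nil if given.nil?
  TOKENS.find { |_user, tok| secure_equal?(tok, given) }&.first
end

# Try each strategy in order; the session (not the user) gets authenticated.
def authenticate!(req, session, strategies = [PASSWORD_FORM, API_TOKEN])
  return session[:user] if session[:user] # already authenticated
  strategies.each do |strategy|
    user = strategy.call(req)
    return session[:user] = user if user
  end
  raise Unauthenticated, 'no strategy succeeded'
end

# Map the outcome to an HTTP status, as a controller filter would.
def status_for(req, session)
  authenticate!(req, session)
  200
rescue Unauthenticated => e
  e.status
end
```

A failed form login does not end the attempt: the same request can still authenticate the session through its API token, and only when every strategy returns `nil` does the caller see the 401.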