🗝 Add authentication to your Rails app without all the icky-ness of passwords
Clone or download
Latest commit b0fc343 Jun 22, 2018



Travis Rubygems codecov

Add authentication to your Rails app without all the icky-ness of passwords.

Table of Contents


Add the passwordless gem to your Gemfile:

gem 'passwordless'

Install it and copy over the migrations:

$ bundle
$ bin/rails passwordless:install:migrations


Passwordless creates a single model called Passwordless::Session. It doesn't come with its own User model, it expects you to create one, eg.:

$ bin/rails generate model User email

Then specify which field on your User record is the email field with:

class User < ApplicationRecord
  validates :email, presence: true, uniqueness: { case_sensitive: false }
  passwordless_with :email # <-- here!

Finally, mount the engine in your routes:

Rails.application.routes.draw do
  passwordless_for :users

  # other routes

Getting the current user, restricting access, the usual

Passwordless doesn't give you current_user automatically -- it's dead easy to add it though:

class ApplicationController < ActionController::Base
  include Passwordless::ControllerHelpers # <-- This!
  # ...
  helper_method :current_user
  def current_user
    @current_user ||= authenticate_by_cookie(User)

  def require_user!
    return if current_user
    redirect_to root_path, flash: {error: 'You are not worthy!'}

Et voilà:

class VerySecretThingsController < ApplicationController
  before_action :require_user!
  def index
    @things = current_user.very_secret_things

Providing your own templates

Override passwordless' bundled views by adding your own. passwordless has 2 action views and 1 mailer view:

# the form where the user inputs their email address
# shown after a user requests a magic link
# the mail with the magic link that gets sent

See the bundled views.

Registering new users

Because your User record is like any other record, you create one like you normally would. Passwordless provides a helper method you can use to sign in the created user after it is saved like so:

class UsersController < ApplicationController
  include Passwordless::ControllerHelpers # <-- This!
  #  (unless you already have it in your ApplicationController)

  def create
    @user = User.new user_params
    if @user.save
      sign_in @user # <-- And this!
      redirect_to @user, flash: {notice: 'Welcome!'}
      render :new
  # ...

Generating tokens

By default Passwordless generates tokens using Rails' SecureRandom.urlsafe_base64 but you can change that by setting Passwordless.token_generator to something else that responds to call(session) eg.:

Passwordless.token_generator = -> (session) {

Session is going to keep generating tokens until it finds one that hasn't been used yet. So be sure to use some kind of method where matches are unlikely.

Redirecting back after sign-in

By default Passwordless will redirect back to where the user wanted to go if it knows where that is, so you'll have to help it. Passwordless::ControllerHelpers provide a method for this:

class ApplicationController < ActionController::Base
  include Passwordless::ControllerHelpers # <-- Probably already have this!
  # ...
  def require_user!
    return if current_user
    save_passwordless_redirect_location!(User) # <-- here we go!
    redirect_to root_path, flash: {error: 'You are not worthy!'}

This can be turned off with Passwordless.redirect_back_after_sign_in = false but if you just don't save the previous destination, you'll be fine.

URLs and links

By default, Passwordless uses the resource name given to passwordless_for to generate its routes and helpers.

passwordless_for :users
  # <%= users.sign_in_path %> # => /users/sign_in
passwordless_for :users, at: '/', as: :auth
  # <%= auth.sign_in_path %> # => /sign_in

Also be sure to specify ActionMailer's default_url_options.host.

E-mail security

There's no reason that this approach should be less secure than the usual username/password combo. In fact this is most often a more secure option, as users don't get to choose the weak passwords they still use. In a way this is just the same as having each user go through "Forgot password" on every login.

But be aware that when everyone authenticates via emails you send, the way you send those mails becomes a weak spot. Email services usually provide a log of all the mails you send so if your app's account is compromised, every user in the system is as well. (This is the same for "Forgot password".) Reddit was compromised using this method.

Ideally you should set up your email provider to not log these mails. And be sure to turn on 2-factor auth if your provider supports it.