Authlogic is a clean, simple, and unobtrusive ruby authentication solution.
What inspired me to create Authlogic was the messiness of the current authentication solutions. Put simply, they just didn't feel right. They felt wrong because the logic was not organized properly. As you may know, a common misconception with the MVC design pattern is that the model “M” is only for data access logic, which is wrong. A model is a place for domain logic. This is why the RESTful design pattern and the current authentication solutions don't play nice. Authlogic solves this by placing the session maintenance logic into its own domain (aka “model”). Moving session maintenance into its own domain has its benefits:
It's easier to update and stay current with the latest security practices. Since authlogic sits in between you and your session it can assist in keeping your security top notch. Such as upgrading your hashing algorithm, helping you transition to a new algorithm, etc. Also, Authlogic is a gem, which means you get all of these benefits easily, through a rubygems update.
It ties everything together on the domain level. Take a new user registration for example, no reason to manually log the user in, authlogic handles this for you via callbacks. The same applies to a user changing their password. Authlogic handles maintaining the session for you.
Your application can stay clean and focused and free of redundant authentication code from app to app. Meaning generators are NOT necessary at all.
A byproduct of #3 is that you don't have to test the same code over and over in each of your apps. You don't test the internals of ActiveRecord in each of your apps, so why would you test the internals of Authlogic? It's already been thoroughly tested for you. Focus on your application, and get rid of the noise by testing your application specific code and not generated code that you didn't write.
You get to write your own code, just like you do for any other model. Meaning the code you write is specific to your application, the way you want it, and more importantly you understand it.
You are not restricted to a single session. Think about Apple's me.com, where they need you to authenticate a second time before changing your billing information. Why not just create a second session for this? It works just like your initial session. Then your billing controller can require an “ultra secure” session.
Authlogic can do all of this and much more, keep reading to see…
* Documentation: authlogic.rubyforge.org * Tutorial: Authlogic basic setup: www.binarylogic.com/2008/11/3/tutorial-authlogic-basic-setup * Tutorial: Reset passwords with Authlogic the RESTful way: www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic * Tutorial: Using OpenID with Authlogic: www.binarylogic.com/2008/11/21/tutorial-using-openid-with-authlogic * Live example of the tutorials above (with source): authlogicexample.binarylogic.com * Tutorial: Easily migrate from restful_authentication: www.binarylogic.com/2008/11/23/tutorial-easily-migrate-from-restful_authentication-to-authlogic * Tutorial: Upgrade passwords easily with Authlogic: www.binarylogic.com/2008/11/23/tutorial-upgrade-passwords-easily-with-authlogic
Bugs / feature suggestions: binarylogic.lighthouseapp.com/projects/18752-authlogic
Google group: groups.google.com/group/authlogic
**Before contacting me, please read:** If you find a bug or a problem please post it on lighthouse. If you need help with something, please use google groups. I check both regularly and get emails when anything happens, so that is the best place to get help. Please do not email me directly, with issues regarding Authlogic.
You can find anything you want about Authlogic in the documentation, all that you need to do is understand the basic design behind it.
That being said, Authlogic is split into 2 main parts:
1. Authlogic::Session, which manages sessions. 2. Authlogic::ActsAsAuthentic, which adds in functionality to your ActiveRecord model.
Each of the above has its various sub modules that contain common logic. The modules is responsible for including everything related to it, including configuration.
For example, if you want to timeout users after a certain period of inactivity, you would look in Authlogic::Session::Timeout. To help you out, I listed the following modules with short descriptions:
This module is for the acts_as_authentic method you call in your model. It contains all code for the model side of the authentication.
Authlogic::ActsAsAuthentic::Base - Provides the acts_as_authentic class method and includes all of the submodules.
Authlogic::ActsAsAuthentic::Email - Handles everything related to the email field.
Authlogic::ActsAsAuthentic::LoggedInStatus - Provides handy named scopes and methods for determining if the user is logged in or out.
Authlogic::ActsAsAuthentic::Login - Handles everything related to the login field.
Authlogic::ActsAsAuthentic::MagicColumns - Handles everything related to the “magic” fields: login_count, failed_login_count, etc.
Authlogic::ActsAsAuthentic::Password - This one is important. It handles encrypting your password, salting it, etc. It also has support for migrating password algorithms and transitioning from restful_authentication.
Authlogic::ActsAsAuthentic::PerishableToken - Handles maintaining the perishable token field, also provides a class level method for finding record using the token.
Authlogic::ActsAsAuthentic::PersistenceToken - Handles maintaining the persistence token. This is the token stored in cookies and sessions to persist the users session.
Authlogic::ActsAsAuthentic::RestfulAuthentication - Provides configuration options to easily migrate from the restful_authentication plugin.
Authlogic::ActsAsAuthentic::Scope - Allows you to scope validations, etc. Just like the :scope option for validates_uniqueness_of
Authlogic::ActsAsAuthentic::SessionMaintenance - Handles automatically logging the user in. EX: a new user registers, automatically log them in.
Authlogic::ActsAsAuthentic::SingleAccessToken - Handles maintaining the single access token.
This module is for the session side of authentication. It interfaces with the model and ultimately maintains the cookie and session value among other things.
Authlogic::Session::BruteForceProtection - Disables accounts after a certain number of consecutive failed login attempted.
Authlogic::Session::Callbacks - Your tools to extend Authlogic, lets you hook in and add/modify behavior.
Authlogic::Session::Cookies - Handles authentication via cookies.
Authlogic::Session::Errors - Stores validation errors, extends ActiveRecord::Errors.
Authlogic::Session::HttpAuth - Handles authentication via basic HTTP authentication.
Authlogic::Session::MagicColumns - Maintains “magic” database columns, similar to created_at and updated_at for ActiveRecord.
Authlogic::Session::MagicStates - Automatically validates based on the records states: active, approved, and confirmed.
Authlogic::Session::Params - Handles authentication via params, aka single access token.
Authlogic::Session::Password - Handles authentication via a traditional username and password.
Authlogic::Session::PerishableToken - Maintains the perishable token, used for resetting passwords, etc.
Authlogic::Session::Scopes - Implements scoping, just like ActiveRecord's with_scope, but for Authlogic instead.
Authlogic::Session::Session - Handles authentication via the session.
Authlogic::Session::Timeout - Implements automatically logging out after a certain period of inactivity.
Authlogic::Session::UnauthorizedRecord - Handles authentication by passing an ActiveRecord object.
Authlogic::AuthenticatesMany - Responsible for allowing you to scope sessions to a parent record. Similar to a has_many and belongs_to relationship. This lets you do the same thing with sessions.
Authlogic::ControllerAdapters - Contains adapters for the various framework controllers: Rails, Merb, etc.
Authlogic::CryptoProviders - Contains various encryption algorithms that Authlogic uses, allowing you to choose your encryption method.
Authlogic::I18n - Acts JUST LIKE the rails I18n library, and provides internationalization to Authlogic.
Authlogic::Random - Responsible for generating random strings.
Authlogic::Testing - Various helper methods for testing frameworks to help you test your code.
Authlogic::Version - A handy class for determine the version of Authlogic in a number of ways.
What if creating sessions worked like an ORM library on the surface…
What if your user sessions controller could look just like your other controllers…
class UserSessionsController < ApplicationController def new @user_session = UserSession.new end def create @user_session = UserSession.new(params[:user_session]) if @user_session.save redirect_to account_url else render :action => :new end end def destroy current_user_session.destroy redirect_to new_user_session_url end end
As you can see, this fits nicely into the RESTful development pattern. What about the view…
<% form_for @user_session do |f| %> <%= f.error_messages %> <%= f.label :login %><br /> <%= f.text_field :login %><br /> <br /> <%= f.label :password %><br /> <%= f.password_field :password %><br /> <br /> <%= f.submit "Login" %> <% end %>
Or how about persisting the session…
class ApplicationController helper_method :current_user_session, :current_user private def current_user_session return @current_user_session if defined?(@current_user_session) @current_user_session = UserSession.find end def current_user return @current_user if defined?(@current_user) @current_user = current_user_session && current_user_session.user end end
Install and use
Install the gem / plugin (recommended)
$ sudo gem install authlogic
Now add the gem dependency in your config:
# config/environment.rb config.gem "authlogic"
Or you install this as a plugin (for older versions of rails)
script/plugin install git://github.com/binarylogic/authlogic.git
Create your session
Lets assume you are setting up a session for your User model.
Create your user_session.rb file:
$ script/generate session user_session
This will create a file that looks similar to:
# app/models/user_session.rb class UserSession < Authlogic::Session::Base # configuration here, just like ActiveRecord, or in an initializer # See Authlogic::Session::Config::ClassMethods for more details end
Ensure proper database fields
The user model needs to have the following columns. The names of these columns can be changed with configuration. Better yet, Authlogic tries to guess these names by checking for the existence of common names. See Authlogic::Session::Config::ClassMethods for more details, but chances are you won't have to specify any configuration for your field names, even if they aren't the same names as below.
t.string :login, :null => false # optional, you can use email instead, or both t.string :crypted_password, :null => false t.string :password_salt, :null => false t.string :persistence_token, :null => false t.string :single_access_token, :null => false # optional, see Authlogic::Session::Params t.string :perishable_token, :null => false # optional, see Authlogic::Session::Perishability t.integer :login_count, :null => false, :default => 0 # optional, see Authlogic::Session::MagicColumns t.integer :failed_login_count, :null => false, :default => 0 # optional, see Authlogic::Session::MagicColumns t.datetime :last_request_at # optional, see Authlogic::Session::MagicColumns t.datetime :current_login_at # optional, see Authlogic::Session::MagicColumns t.datetime :last_login_at # optional, see Authlogic::Session::MagicColumns t.string :current_login_ip # optional, see Authlogic::Session::MagicColumns t.string :last_login_ip # optional, see Authlogic::Session::MagicColumns
Set up your model
Make sure you have a model that you will be authenticating with. For this example let's say you have a User model:
class User < ActiveRecord::Base acts_as_authentic # for options see documentation in: Authlogic::ActsAsAuthentic end
One thing to keep in mind here is that the default crypto_provider for Authlogic is Sha512. You are NOT forced to use this. You can easily choose your own encryption method, or even write your own: see the Authlogic::ActsAsAuthentic::Password module for more info.
You are all set. You might also want to check out the tutorials (see above in “helpful links”) for a more detailed walk through.
Some of the following next steps might apply to you. If you, check out the documentation for the module.
Migrating from restful_authentication? Checkout Authlogic::ActsAsAuthentic::RestfulAuthentication
Need multiple session types in your app? Check out Authlogic::Session::Base#id
Need to reset passwords or activate accounts? Use the perishable token. See Authlogic::ActsAsAuthentic::PerishableToken
Need to give API access or access to a private feed? Use basic HTTP auth or authentication by params. See Authlogic::Session::HttpAuth or Authlogic::Session::Params
Need to internationalize your app? See Authlogic::I18n
Need help testing? Checkout the Authlogic
Interesting in how it works?
Interested in how all of this all works? Basically a before filter is automatically set in your controller which lets Authlogic know about the current controller object. This “activates” Authlogic and allows Authlogic to set sessions, cookies, login via basic http auth, etc. If you are using your framework in a multiple thread environment, don't worry. I kept that in mind and made this thread safe.
From there it is pretty simple. When you try to create a new session the record is authenticated and then all of the session / cookie magic is done for you. The sky is the limit.
What's wrong with the current solutions?
You probably don't care, but I think releasing the millionth ruby authentication solution requires a little explanation.
I don't necessarily think the current solutions are “wrong”, nor am I saying Authlogic is the answer to your prayers. But, to me, the current solutions were lacking something. Here's what I came up with…
Generators are messy
Generators have their place, and it is not to add authentication to an app. It doesn't make sense. Generators are meant to be a starting point for repetitive tasks that have no sustainable pattern. Take controllers, the set up is the same thing over and over, but they eventually evolve to a point where there is no clear cut pattern. Trying to extract a pattern out into a library would be extremely hard, messy, and overly complicated. As a result, generators make sense here.
Authentication is a one time set up process for your app. It's the same thing over and over and the pattern never really changes. The only time it changes is to conform with newer / stricter security techniques. This is exactly why generators should not be an authentication solution. Generators add code to your application, once code crosses that line, you are responsible for maintaining it. You get to make sure it stays up with the latest and greatest security techniques. And when the plugin you used releases some major update, you can't just re-run the generator, you get to sift through the code to see what changed. You don't really have a choice either, because you can't ignore security updates.
Using a library that hundreds of other people use has it advantages. Probably one of the biggest advantages if that you get to benefit from other people using the same code. When Bob in California figures out a new awesome security technique and adds it into Authlogic, you get to benefit from that with a single update. The catch is that this benefit is limited to code that is not “generated” or added into your app. As I said above, once code is “generated” and added into your app, it's your responsibility.
Lastly, there is a pattern here, why clutter up all of your applications with the same code over and over?
Security gets outdated
Just as I stated in the above section, you can't stay up to date with your security since the code is generated and updating the plugin does nothing. If there is one thing you should stay up to date with, it's security. But it's not just the fact that there is no reasonable method for receiving updates. It's the fact that they tie you down to an encryption algorithm AND they use a bad one at that. Every single solution I've seen uses Sha1, which is joining the party with MD5. Sha1 is not as secure as it used to be. But that's the nature of algorithms, they eventually get phased out, which is fine. Everyone knows this, why not accommodate for this? Authlogic does this with the :transition_from_crypto_provider option. It takes care of transitioning all of your users to a new algorithm. Even better, it provides BCrypt as an option which should, in theory, never require you to switch since you can adjust the cost and make the encryption stronger. At the same time, still compatible with older passwords using the lower cost.
Why test the same code over and over?
I've noticed my apps get cluttered with authentication tests, and they are the same exact tests! This irritates me. When you have identical tests across your apps thats a red flag that code can be extracted into a library. What's great about Authlogic is that I tested it for you. You don't write tests that test the internals of ActiveRecord do you? The same applies for Authlogic. Only test code that you've written. Essentially testing authentication is similar to testing any another RESTful controller. This makes your tests focused and easier to understand.
Limited to a single authentication
I recently had an app where you could log in as a user and also log in as an employee. I won't go into the specifics of the app, but it made the most sense to do it this way. So I had two sessions in one app. None of the current solutions I found easily supported this. They all assumed a single session. One session was messy enough, adding another just put me over the edge and eventually forced me to write Authlogic. Authlogic can support 100 different sessions easily and in a clean format. Just like an app can support 100 different models and 100 different records of each model.
A lot of them forced me to name my password column as “this”, or the key of my cookie had to be “this”. They were a little too presumptuous. I am probably overly picky, but little details like that should be configurable. This also made it very hard to implement into an existing app.
I am not trying to “bash” any other authentication solutions. These are just my opinions, formulate your own opinion. I released Authlogic because I was “scratching my own itch”. It has made my life easier and I enjoy using it, hopefully it does the same for you.
Copyright © 2008 Ben Johnson of [Binary Logic](www.binarylogic.com), released under the MIT license