Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Magical authentication for Rails 3
Ruby JavaScript

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.



Magical Authentication for Rails 3.

Inspired by restful_authentication, Authlogic and Devise. Crypto code taken almost unchanged from Authlogic.

Example app using sorcery:

Current Features:

  • Basic Login/Logout.

  • Password encryption with configurable algorithm.

  • User activation by email with optional success email.

  • Reset password with email verification.

  • Remember me with configurable expiration.

  • Configurable session timeout.

  • Brute force login hammering protection.

  • Modular design, load only the modules you need.

  • 100% TDD'd code, 100% test coverage.

Planned Features:

I've got many plans which include:

  • Basic HTTP Authentication

  • Auto login

  • Hammering reset password protection

  • Other reset password strategies (security questions?)

  • Sinatra support

  • Mongoid support

  • OmniAuth integration

  • Activity logging

  • Have an idea? Let me know, and it might get into the gem!

Project Goals:

This gem plugin was started out of a few personal goals which are not related to the problem solved by it at all:

  • I wanted to write something 100% TDD from start to finish.

  • I wanted to learn how to write an engine for Rails 3.

In addition to the above goals, when I decided this will be an authentication plugin, and while looking at existing solutions, these goals came up:

  • Simple & short configuration as possible, not drowning in syntactic sugar.

  • Keep MVC cleanly separated - DB is for models, sessions are for controllers. Models stay unaware of sessions.

  • Magic yes, Voodoo no.

  • No generated code polluting the application's code.

  • No built-in controllers, models, mailers, migrations or templates; Real apps will need all of these custom made.

Hopefully, I've achieved this. If not, let me know.


You can either git clone and then 'rake install',

In the future will be available:

gem install sorcery


First add 'sorcery' to your Gemfile:

gem “sorcery”

And run bundle install

There are 2 required places to configure the plugin, and an optional one:

  1. config/application.rb

config.sorcery.submodules = [:user_activation, :remember_me] # add the modules you want to use

You can also configure here any controller and any controller-submodule option here. For example:

config.sorcery.session_timeout = 10.minutes

  1. app/models/user.rb (or another model of your choice)

activate_sorcery! do |config|

	  config.sorcery_mailer = MyMailer

config.username_attribute_name = :email end

  1. app/controllers/application_controller.rb (OPTIONAL: this is actually needed only in some cases)

activate_sorcery! do |config|

	  config.session_timeout = 10.minutes


Also check the migrations in the example app to see what database fields are expected.

The configuration options vary with the modules you've chosen to use.

Basic Configuration (in Model):

see lib/sorcery/model.rb

User Activation Configuration (in Model):

see lib/sorcery/model/submodules/user_activation.rb

Remember Me Configuration (in Model):

see lib/sorcery/model/submodules/remember_me.rb

Password Reset Configuration (in Model):

see lib/sorcery/model/submodules/password_reset.rb

Session Timeout Configuration (in Controller or config/application.rb):

see lib/sorcery/controller/submodules/session_timeout.rb

Brute Force Protection Configuration (in Controller or config/application.rb):

see lib/sorcery/controller/submodules/brute_force_protection.rb

Contributing to sorcery

I can use help of any kind, be it comments on code (code review), suggestions, features, bug reports, bug fixes and even a donation.




Copyright © 2010 Noam Ben Ari ( See LICENSE.txt for further details. Released with permission from Kontera (, where I work.

Something went wrong with that request. Please try again.