Magical Authentication for Rails 3.
Inspired by restful_authentication, Authlogic and Devise. Crypto code taken almost unchanged from Authlogic.
Example app using sorcery:
Password encryption with configurable algorithm.
User activation by email with optional success email.
Reset password with email verification.
Remember me with configurable expiration.
Configurable session timeout.
Brute force login hammering protection.
Modular design, load only the modules you need.
100% TDD'd code, 100% test coverage.
I've got many plans which include:
Basic HTTP Authentication
Hammering reset password protection
Other reset password strategies (security questions?)
Have an idea? Let me know, and it might get into the gem!
This gem plugin was started out of a few personal goals which are not related to the problem solved by it at all:
I wanted to write something 100% TDD from start to finish.
I wanted to learn how to write an engine for Rails 3.
In addition to the above goals, once I decided this would be an authentication plugin and looked at existing solutions, these goals came up:
Configuration as simple and short as possible, not drowning in syntactic sugar.
Keep MVC cleanly separated - DB is for models, sessions are for controllers. Models stay unaware of sessions.
Magic yes, Voodoo no.
No generated code polluting the application's code.
No built-in controllers, models, mailers, migrations or templates; Real apps will need all of these custom made.
Hopefully, I've achieved this. If not, let me know.
You can git clone and then run 'rake install'.
In the future it will be available via:
gem install sorcery
First add 'sorcery' to your Gemfile:
And run 'bundle install'.
There are 2 required places to configure the plugin, and an optional one:
config.sorcery.submodules = [:user_activation, :remember_me] # add the modules you want to use
You can also configure any controller and any controller-submodule option here. For example:
config.sorcery.session_timeout = 10.minutes
app/models/user.rb (or another model of your choice)
activate_sorcery! do |config|
  config.sorcery_mailer = MyMailer
  config.username_attribute_name = :email
end
app/controllers/application_controller.rb (OPTIONAL: this is actually needed only in some cases)
activate_sorcery! do |config|
  config.session_timeout = 10.minutes
end
Also check the migrations in the example app to see what database fields are expected.
The configuration options vary with the modules you've chosen to use.
Basic Configuration (in Model):
User Activation Configuration (in Model):
Remember Me Configuration (in Model):
Password Reset Configuration (in Model):
Session Timeout Configuration (in Controller or config/application.rb):
Brute Force Protection Configuration (in Controller or config/application.rb):
Contributing to sorcery
I can use help of any kind, be it comments on code (code review), suggestions, features, bug reports, bug fixes and even a donation.
Copyright © 2010 Noam Ben Ari (firstname.lastname@example.org). See LICENSE.txt for further details. Released with permission from Kontera (www.kontera.com), where I work.