Should Suspenders ship with an authentication framework?

[stevepolitodesign]

I think it would be incredibly rare for a project to not need authentication. The challenge is I don't know if this is needed on day 0. Additionally, there is a lot of nuance to the authentication flow (e.g. should all apps require users to confirm their email addresses?). Finally, what framework should we use? We maintain Clearance, but I've advocated we that prefer Devise.

[stevepolitodesign]

This might be a separate issue altogether, but if we do land on supporting this, we should also consider extending the architecture to support teams by default.

[jaredlt]

Is there any downside to supporting teams by default? If an app doesn't need it does it cause any complications? In general I think I'm for this but I haven't thought through the implications. If there are cases where it's not needed maybe it could be a generator or something?

[stevepolitodesign]

One risk is that there's overhead. But, in the past, I've just made it so everyone is on a "team of one". The feature is basically hidden, but the architecture is there.

[JoelQ]

Yes, nearly every app needs this

[jaredlt]

Big agree on this. I'm also of the opinion that Clearance in its current form is not fit for purpose. MFA, OTP, Reauthorization, mobile API integration. You need to re-invent the wheel a lot. I've not used Device in a while, how is it's mobile integration? I've been thinking about some form of generator for auth that allows you to opt-in to what you need. Something like this https://mariochavez.io/desarrollo/2026/03/13/why-i-bet-on-rails-and-why-im-building-maquina/ but taking it much further to define eg. a standard format for API integration and all the rest.

[MatheusRich]

Here's another option https://github.com/lazaronixon/authentication-zero

[jaredlt]

Wow. Love the look of Authentication Zero! I wish I'd known about this earlier... 😅

[nickcharlton]

I've recently been using the Rails authentication generator as the basis for email/password and it works nicely. The only thing it's missing is generating tests alongside the implementation and the first time I used it, I implemented some tests and have since taken those with me when I've used it.

My feeling is that the only tricky part of authentication is where it interacts with the general product direction, and then I feel like you want something more like a "cookbook" to take solutions from.

[vburzynski]

I think authentication would be nice to see, but it would interesting to explore if it could be made optional (I'm thinking of how you can skip things with rails new).

That way suspenders provides an opinionated default, but makes it trivial to omit if the product you're building goes another direction. This could also avoid incurring the cost of maintaining multiple variants by following a sort of progressive-enhancement/graceful-degradation strategy. suspenders new app_name --skip-authentication

[MatheusRich]

I'm curious why would we skip this. As I understand this is meant to be how we create a real app for a client. Which use cases do you have in mind?

[vburzynski]

I'm mostly thinking of how there's a lot of different options for adding authentication. Want something small and simple, you might pick Clearance. Need a more expansive ecosystem, probably Devise. There were some others mentioned here too. The primary reason for the skip option would be to omit the opinionated default in order to proceed with an alternative. In a rare case you might build an app that doesn't require users to login.

A parallel can be drawn to rails new; I can use --skip-test to not include the defaults; avoid having to rip them out manually; and then add RSpec.

[louis-antonopoulos]

I am strongly in support of shipping Devise by default. I've used it on everything I've ever built and it's amazing. It meets the immediate needs of simple user login and switches seamlessly to more complicated authentication schemes when you need it. For example, we started a project with user/password to get it going, and when we were ready to bring in Okta authentication, the effort and diff was minimal.

I also like the idea of --skip-authentication that @vburzynski suggested. My personal preference would be to be able to skip auth if I want to, default to Devise if I don't, and have the option for Clearance if I want it instead of Devise.