Simple implementation of authentication for Rails
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



simplest_auth is a gem to be used with Rails applications where RESTful Authentication is overkill – it handles authentication and nothing else (e.g. password resets, etc…)

simplest_auth is now compatible with both ActiveRecord and DataMapper (the README displays examples for AR)


Version 0.2.0 has a change to handle multiple Model session keys. If you are using User as your model class then you shouldn’t have a problem. However, if you’re using another
class, you will either need to override the

method to return
or just accept that a few sessions will be lost.

If you don’t care about losing sessions, just go ahead and ignore this message.

If you use this gem in Rails (like most, I suspect), the session_key method will return the model class underscored plus “_id” as a symbol. Otherwise, it’s just #downcased (lame).


SimplestAuth depends (for now) on the BCrypt gem, so install that first:

$ sudo gem install bcrypt-ruby

Configure for the gem:

config.gem 'simplest_auth'


SimplestAuth is an extension to the existing models and controllers in your Rails application. It makes some decisions about how you structure your models, but will give you flexibility with naming and any ActiveRecord validations that you want to use.

Model Integration

If you’re starting out with a fresh User model, you just need an identifier such as email and crypted_password columns in your database:

$ ./script/generate model User email:string crypted_password:string

To get started, just use the SimplestAuth::Model mix-in, and tell it how you want to identify, in your User class:

    class User < ActiveRecord::Base
      include SimplestAuth::Model
      authenticate_by :email

The module provides accessors for both password and password_confirmation, but you will need to provide the validations required for your application. A password_required? method is defined, as well. Some sane defaults:

    validates_presence_of :email
    validates_uniqueness_of :email
    validates_presence_of :password, :on => :create
    validates_confirmation_of :password, :if => :password_required?

Before creating new records, the password is crypted before storing the User in the database.

The full model class:

    class User < ActiveRecord::Base
      include SimplestAuth::Model
      validates_presence_of :email
      validates_uniqueness_of :email
      validates_presence_of :password, :on => :create
      validates_confirmation_of :password, :if => :password_required?


To initialize the Controller functionality for use in your application, you need to include it in your ApplicationController:

    class ApplicationController < ActionController::Base
      include SimplestAuth::Controller

The plugin defines the user_class method so that it can find the appropriate object in your application, it defaults to User but can be Account or anything else. Once that is included, you can use the controller methods in your application – logging in, for example:

    class SessionsController < ApplicationController
      def new; end
      def create
        if user = User.authenticate(params[:email], params[:password])
          self.current_user = user
          flash[:notice] = 'Welcome!'
          redirect_to root_path
[:error] =  "Couldn't locate a user with those credentials"
          render :action => :new


The plug-in also defines some convenient helpers to use in your views:

  • current_user: The user object of the currently logged-in user (or nil if the user isn’t logged-in)
  • logged_in?: Is there a user logged in?
  • authorized?: Is this user authorized? Defaults to simply checking for logged_in? Override for your authorization scheme.


  • Document the usage of helper methods (e.g. :logged_in? / :authorized?) in the controller


Tony Pitale and Matt Swasey of Viget Labs (