The library application used in this tutorial has CRUD actions to add, edit, and delete book objects. However, these actions are currently accessible to anyone, which is not safe. Let us add a security layer to the application so that only authenticated users get access.
Authentication Generator
Starting with Rails version 8.0, a default authentication generator is included to streamline the process of securing your application by allowing access only to verified users.
From the command prompt (Windows) or a Linux terminal, run the following command:
rails generate authentication
It generates the following models −
app/models/session.rb
app/models/user.rb
app/models/current.rb
Rails also generates the following controllers −
app/controllers/sessions_controller.rb
app/controllers/passwords_controller.rb
And these views −
app/views/passwords/new.html.erb
app/views/passwords/edit.html.erb
app/views/sessions/new.html.erb
Next, you need to run the database migration to create the respective tables necessary for the authentication system:
rails db:migrate
Now, if you try to visit any route, Rails asks the user to log in with an email address and password.
How the Authentication Works
Let us create a user object first. Open the Rails console and run the following command:
User.create!(email_address: "[email protected]", password: "a1b2c3", password_confirmation: "a1b2c3")
This assumes that you have already created the BooksController class, defined an index action in it, and provided the corresponding index.html.erb view.
Run the Rails server and visit http://localhost:3000/ upon which the browser displays this login page:

Rails checks the entered email address and password against the registered user and, on success, automatically redirects the browser to the index view.
By default, the Rails authentication generator restricts all pages to authenticated users only. If you want some pages to be accessible without authentication, for example to guest visitors, the allow_unauthenticated_access class method can be used for that purpose.
How to Allow Guest Users
To allow guests to view the book list and individual books, we can allow unauthenticated access for just those actions in the controller:
class BooksController < ApplicationController
  allow_unauthenticated_access only: %i[ index show ]
  # ...
end
Rails also provides the before_action callback, which runs before a specific controller action executes. It is mainly used for tasks like authentication, setting up instance variables, or checking permissions.
class ApplicationController < ActionController::Base
  before_action :set_message

  def index
  end

  private

  # Runs before every action; sets an instance variable the views can use.
  def set_message
    @message = "Welcome"
  end
end
- The before_action callback helps avoid redundant code (e.g., repeating the authentication check in every action). Use the only: and except: options to control which actions it runs for.
- There is also an after_action callback, which runs after the action, and an around_action callback, which wraps the action with logic before and after it.
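The two pieces above are one mechanism: the generated Authentication concern registers before_action :require_authentication in ApplicationController, and allow_unauthenticated_access is a skip_before_action for the listed actions, so any action you do not list stays protected. The following example is added here and is not Rails code or part of this tutorial; ControllerBase, process and dispatch are simplified stand-ins that re-implement that callback chain in plain Ruby with a constructed session hash, so the fail-closed behaviour can be checked without a running app.

```ruby
# Simplified stand-in (assumption, not Rails' own code) for the before_action /
# allow_unauthenticated_access mechanism, to check which actions stay protected.
class ControllerBase
  def self.before_actions # inherited list, copied on first use by a subclass
    @before_actions ||= superclass.respond_to?(:before_actions) ? superclass.before_actions.map(&:dup) : []
  end

  def self.before_action(name, only: nil, except: nil)
    before_actions << { name: name, only: only, except: except }
  end

  # The generated concern does skip_before_action :require_authentication, **options.
  def self.allow_unauthenticated_access(only:)
    before_actions.each { |cb| cb[:except] = Array(cb[:except]) | only if cb[:name] == :require_authentication }
  end

  def initialize(session = {}); @session = session; end

  # Run the applicable callbacks in order; one that sets a response halts the chain.
  def process(action)
    self.class.before_actions.each do |cb|
      next if cb[:only] && !cb[:only].include?(action)
      next if cb[:except] && cb[:except].include?(action)
      send(cb[:name])
      return @response if @response
    end
    public_send(action)
  end

  private

  # Mirrors the generated require_authentication: no session user => redirect to login.
  def require_authentication
    @current_user = @session[:user]
    @response = [302, "/session/new"] unless @current_user
  end
end

class ApplicationController < ControllerBase
  before_action :require_authentication
end

class BooksController < ApplicationController
  allow_unauthenticated_access only: %i[index show]
  def index;  [200, "list of books"]; end
  def show;   [200, "one book"]; end
  def create; [201, "created by #{@current_user}"]; end
end

# Dispatch an action for a constructed session hash ({} = anonymous visitor).
def dispatch(action, session = {})
  BooksController.new(session).process(action)
end
```

Adding a new action to BooksController without listing it in only: leaves it behind require_authentication, which is the property worth verifying whenever the allow list changes.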
This built-in authentication system works well for small applications. For larger ones you can use Devise, a popular authentication gem. To generate authentication with Devise:
rails generate devise:install
rails generate devise User   # Generates the User model with authentication
rails db:migrate
You can also use the jwt gem for token-based authentication.