Magical Authentication with Sorcery

Originally published at:

Authentication is a vital part of many web apps. I should not need to persuade you that authentication must be easy to use and well-protected at the same time. You may either write it from scratch or use one of the many gems available out there.

This article is the first in the upcoming series devoted to authentication in Rails. We are going to take a look at Sorcery, a less well-known, but very convenient and easy-to-use gem created by Noam Ben-Ari and other folks. In comparison to Devise, Sorcery is a bit more low level and requires the developer to perform some additional actions. However, this is a good thing because you can cherry-pick only the required functionality.

Additional options are added with the help of submodules. Initially, Sorcery provides only the most minimal set of features. There are submodules to enable user activation, brute force protection, OAuth 2 support and more. It is really up to you to decide on what your app needs. “Less is more” is one of the main principles of Sorcery.

I hope you are excited to get to know Sorcery better. :) Read on and let’s build a demo app together!

Continue reading this article on SitePoint

That’s a really great post. But you’ve missed an important part of authentication. That is, recovering passwords. Can you show how to do it? The module is here

Thank you! Okay, I will research this and make an update in some days :smile:

See the updated version of the article!

Great! BTW, I implemented it by going through Sorcery’s GitHub repo. Thanks for responding anyway :smile:

Also it’s worth noting that ActiveJob works only on 4.2+, so including that would be helpful as I spent 3 hours only to realise I was using Rails 4.1.8

Hey also, can you consider putting up an example of adding a profile picture using “Attachinary + Cloudinary”? Hoping that I am not asking too much :stuck_out_tongue:

The reason I’m asking for Attachinary is that it’s much more streamlined and takes fewer lines of code with direct uploading to Cloudinary.

They also say that no changes in the model are required. So, it would nicely integrate with this authentication system.

The link is here…

Huh, I’ll look into this and maybe implement such functionality :smile:

Thank you for taking the time to put together this article - it is of much help and, actually, I got the impression that Sorcery is more what I need compared to Devise - which simply seems to be “too much” - and who wants to maintain bloat at the end of the day?

However, there are two things I would really appreciate your feedback on, as it can get critical pretty fast:

  1. On the second article (authentication using Devise), you mentioned that, if running on Heroku, at least 1 worker instance (at $35) is needed - this article doesn't mention that. Is that not required here with the setup or did you learn it the “hard way” (as the Devise article is newer I assume the latter).
  2. If I plan to use authentication (standard as well as Google, Facebook), then using fog for cloud services such as S3 and Pundit or CanCanCan for authorization (will have a lot of different roles/groups), do you think Sorcery would be “enough” (I prefer it as it seems to contain much less bloat in relation to Devise, where I doubt I would use 5% of its features)
  3. When it comes to authorization, do you think Sorcery and CanCanCan play well together? I read your article about CanCanCan and liked it a lot. (Also having a question there :))

Would be great if you can take the time to answer or, if you feel good doing so, extend this real world example by using it with CanCanCan or Pundit.

Thank you for the feedback!

  1. You need a worker process only to perform background tasks, like sending e-mail asynchronously. I don’t really remember how I learned that, as I have been using Heroku for quite a long time :slight_smile: If no such tasks are present, a worker process is not needed (you can send e-mail synchronously, however this is not very user-friendly). Btw, Heroku has new pricing plans.
  2. Yes, I believe that would be enough, however I had not used such a setup myself - I rather built authentication from scratch and used CanCan.
  3. Yeah, Sorcery does not really care about the authorization mechanism and CanCan does not care about authentication - it only requires current_user to be present.

Thank you again for the kind words, I really appreciate that.

Thank you for your impact on the RoR community. You’ve done an excellent job.

In addition to the information already shown, could you please provide us with an example of AJAX integration for login and signup processes, using, for example, Bootstrap modals?

And also, could you please explain the inclusion of shared/errors in views/users/new.html.erb? You didn’t mention it in your tutorial, but I see it in the source code.

Thank you in advance.

Thank you!

I am planning to do yet another article on authorization in some time and I’ll consider using AJAX :smile:

Regarding the “errors” partial - yeah, I absolutely forgot to mention it. The actual code for it is on GitHub. This is a pretty simple partial for rendering errors found while submitting the form. I prefer to do it this way because you may have many different forms and only one partial for errors. I can explain this in more detail if it is needed.
