Sorcery is an authentication library for Rails 3. Compared to other libraries in the same category, Sorcery does not generate code for your MVC, and that is the first thing that made me want to try this library.
Add Sorcery to your Gemfile
$ bundle install
Then generate the core migration, the initializer file, and the 'User' model, and run the migration:
$ rails generate sorcery:install
$ rake db:migrate
Now let's continue to create the User sign-up feature.
The users_controller file

    class UsersController < ApplicationController
      def new
        @user = User.new
      end

      def create
        @user = User.new(params[:user])
        if @user.save
          redirect_to posts_url, :notice => "Signed up!"
        else
          render :new
        end
      end
    end

The user model file

    class User < ActiveRecord::Base
      authenticates_with_sorcery!

      attr_accessible :username, :email, :password, :password_confirmation

      validates_confirmation_of :password
      validates_presence_of :password, :on => :create
      validates_presence_of :username
      validates_uniqueness_of :username
    end
Add this to your routes.rb
get 'signup' => 'users#new', :as => 'signup'
Don't forget to create the view file. Run the server, fire up your browser, go to '/signup' and you will be presented with the sign-up form.
Sign-in and out
Start with the Sessions controller
    class SessionsController < ApplicationController
      def create
        user = login(params[:username], params[:password])
        if user
          redirect_back_or_to posts_url, :notice => "Logged in!"
        else
          flash.now.alert = "Email or password was invalid"
          render :new
        end
      end

      def destroy
        logout
        redirect_to posts_url, :notice => "Logged out!"
      end
    end

On 'create' we call the login method to authenticate by sending the username and password. The login method is one of the many Sorcery library methods you can use right away from your controller.
Continue to create the sign-in form, then add this to your routes.rb

    get 'signin' => 'sessions#new', :as => 'signin'
    get 'signout' => 'sessions#destroy', :as => 'signout'
Now add this code to your application_controller file. The redirect target uses the signin route defined above, so the helper is signin_url.

    class ApplicationController < ActionController::Base
      before_filter :require_login

      protected

      def not_authenticated
        redirect_to signin_url, :alert => "Please login first."
      end
    end

You just added code that will block any unauthenticated user from any path, meaning that if you try to visit the Sign-in or Sign-up form, you will be denied.
The only method in sessions_controller that needs to be protected from unauthenticated users is the destroy method.
    class SessionsController < ApplicationController
      skip_before_filter :require_login, :except => [:destroy]
      ...
We also need to skip require_login on the Sign-in and Sign-up process, otherwise nobody could sign in or sign up. Add this to the users_controller file.

    class UsersController < ApplicationController
      skip_before_filter :require_login
      ...

From the application_controller code, you might notice the not_authenticated method. It is there to configure where an unauthenticated user is redirected whenever they try to access a protected path.
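The pieces above add up to a default-deny rule: every action runs require_login unless a controller explicitly opts out, and the opt-outs are a short allow-list (all of UsersController, and SessionsController except destroy). The following plain-Ruby program is an added example, not code from the post or from Sorcery: it models that filter chain together with the login/logout flow so you can see which controller/action pairs stay reachable without a session. The UserStore, App and Controller names, the in-memory user table, the PBKDF2 password digest and the sample user "alice" are all assumptions made for the example; in a real app Sorcery's login method does the credential check and hashing for you.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for the User model. Passwords are stored as salted
# PBKDF2-HMAC-SHA256 digests, never in plaintext (an assumption for this example;
# Sorcery applies its own hashing, bcrypt by default).
class UserStore
  Record = Struct.new(:username, :salt, :digest)
  ITERATIONS = 10_000
  DUMMY_SALT = "0" * 32 # used so unknown usernames cost the same time as real ones

  def initialize
    @users = {}
  end

  def add(username, password)
    salt = SecureRandom.hex(16)
    @users[username] = Record.new(username, salt, digest_for(password, salt))
  end

  # Returns the record on a valid username/password pair, nil otherwise.
  def authenticate(username, password)
    user = @users[username]
    # Hash even for a missing user so response time does not reveal which usernames exist.
    candidate = digest_for(password.to_s, user ? user.salt : DUMMY_SALT)
    return nil unless user
    constant_time_equal?(candidate, user.digest) ? user : nil
  end

  private

  def digest_for(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, OpenSSL::Digest::SHA256.new).unpack1("H*")
  end

  # Compare digests without short-circuiting on the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Models before_filter :require_login in ApplicationController plus the two
# skip_before_filter declarations from the post. A controller absent from SKIPS
# inherits the filter for every action; an :except list keeps those actions protected.
class App
  SKIPS = {
    "sessions" => { except: ["destroy"] }, # sign-in form and login stay open
    "users"    => { except: [] },          # sign-up form and create stay open
  }

  def initialize(store)
    @store = store
  end

  # true when require_login runs for this controller/action pair
  def self.login_required?(controller, action)
    skip = SKIPS[controller]
    return true unless skip
    skip[:except].include?(action)
  end

  # Dispatches one request; returns a hash standing in for the Rails response.
  def dispatch(session, controller, action, params = {})
    if self.class.login_required?(controller, action) && session[:user_id].nil?
      # what not_authenticated does: bounce to the sign-in page
      return { status: 302, location: "/signin", alert: "Please login first." }
    end

    case [controller, action]
    when ["sessions", "create"]
      user = @store.authenticate(params[:username], params[:password])
      if user
        session[:user_id] = user.username
        { status: 302, location: "/posts", notice: "Logged in!" }
      else
        { status: 200, alert: "Email or password was invalid" }
      end
    when ["sessions", "destroy"]
      session.clear # logout drops the whole session, not just the user id
      { status: 302, location: "/posts", notice: "Logged out!" }
    else
      { status: 200 }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  store = UserStore.new
  store.add("alice", "correct horse") # constructed sample user
  app = App.new(store)
  session = {}
  puts app.dispatch(session, "posts", "index").inspect                 # 302 to /signin
  puts app.dispatch(session, "sessions", "create", username: "alice", password: "correct horse").inspect
  puts app.dispatch(session, "posts", "index").inspect                 # 200 once logged in
end
```

The point to check in your own app is the first branch of dispatch: a new controller you add later is protected automatically, and the only way to expose an action is to name it in a skip, which keeps the list of unauthenticated entry points short and reviewable.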
You know how to use Devise and Authlogic; now you can add Sorcery to your authentication stack. It is a simple, clean authentication method which supports many authentication features as well as external authentication providers such as Twitter or Facebook.