Lesson Monday

Most web applications use authentication. However, it will quickly become tiresome to roll your own each time. Fortunately, there's an excellent and thoroughly tested gem called Devise that can add authentication to your application with just a few console commands.


Devise is built on a piece of Rails middleware called Warden. (Think of middleware as a bridge between your application and the server.) In fact, you can roll your own authentication with Warden alone, but that's more involved. Devise makes the process much easier by providing the helper methods, views and controllers you'll need for authentication.

Installing and Configuring Devise

Here's what we need to set up Devise in an application:

  • Add gem 'devise' to your Gemfile and bundle.

  • Run $ rails generate devise:install.

  • Run $ rails generate devise [model_name] where [model_name] is the name of the model you'd like to add. user is most common.

  • Generate the model sets up the migration (but doesn't run it). You can customize the migration by adding your own fields. You shouldn't customize it too much, with a few notable exceptions mentioned below.

  • Next, you'll need to run the migration: $ rake db:migrate.

  • Run $ rails generate devise:views to automatically add views for registering and signing in.

That's it. Your application now includes basic authentication. You'll also be able to use Devise helper methods such as current_user as well. This method provides the same functionality as the current_user method we created when rolling our own authentication with bcrypt.

Altering Devise Tables

There are two fields you may want to add to the Devise users table. Devise provides an email field but not a username field. If you want to give users the option to sign in with their username instead of their email, you'll need to add this field.

If you want certain users to have admin privileges on your site (at the very least, you'll probably want them yourself), you can add an admin boolean field like this: add_column :users, :admin, :boolean, default: false . Then you can reserve certain routes and actions for admins only. One important thing: you should only make users into admins in the Rails console or when seeding the database. It's a bad idea for the application to provide functionality for users to become admins; what if a malicious user managed to access that part of the site?

Customizing Devise

While Devise is easy to set up, there are many, many things you can do to customize it further. Be forewarned, though: many customizations that seem as if they should be simple are not well-documented or can be frustrating to implement. Because Devise automates the process so much, that takes control out of the developer's hands — and can make it challenging to figure out exactly what Devise is doing under the hood. You are welcome to use either Devise or Bcrypt on the independent project, but at least take time to learn Devise.

Take a look at the Devise documentation for more information. There are a few things in particular you should know:

  • Check out the application model that Devise creates. It comes with a series of modules such as :confirmable and :validatable. You should have a general sense of the functionality that each Devise module provides.

  • Learn the other helper methods that Devise provides such as user_signed_in? and user_session. (These helper methods are contingent on the model name being user and change accordingly if you use a different model name.)

  • Check out config/initializers/devise.rb in your application. This is where you can make global changes to your Devise configuration.

  • Be aware of the ways you can use the command line to customize the views Devise generates.

  • Learn how to test Devise in your application. There's no need to test Devise itself since it's already well-tested, but you should make sure Devise is properly interacting with your code.

  • Check out Devise's extensive how-tos, which include information on everything from automatically creating passwords to two-step confirmation and creating guest users.

  • If you have the chance, take the time to learn more about Warden.

Lesson 11 of 27
Last updated August 7, 2022