Rails 8 adds built-in authentication generator

Setting up even a basic authentication flow in a Rails application has traditionally required a lot of manual configuration.

New developers and small project teams often don’t need advanced authentication features, yet they still have to rely on third-party gems or write the whole authentication flow from scratch, which is time consuming.

Rails has built-in generators (e.g. model, migration) for different features to avoid manual coding and configuration. These generators let developers focus on building the core features of their application rather than spending time on basic setup tasks.

Authentication generator

Rails 8 introduces a basic authentication generator that adds the code required for a basic auth flow to a Rails application.

To add basic authentication to the app, we can use the following authentication generator command:

bin/rails generate authentication

It generates the following files with the necessary configurations. Here is the gist of the generated scaffold.

# Models
app/models/current.rb
app/models/user.rb
app/models/session.rb

# Controllers
app/controllers/concerns/authentication.rb
app/controllers/sessions_controller.rb
app/controllers/passwords_controller.rb

# Password mailer
app/mailers/passwords_mailer.rb

# Views
app/views/sessions/new.html.erb
app/views/passwords/new.html.erb
app/views/passwords/edit.html.erb
app/views/passwords_mailer/reset.html.erb
app/views/passwords_mailer/reset.text.erb

# Migrations
db/migrate/xxxxxxx_create_users.rb
db/migrate/xxxxxxx_create_sessions.rb

# Tests
test/mailers/previews/passwords_mailer_preview.rb

Models & Controllers

The generator adds User and Session models, along with the association between them, to handle user accounts and sessions. The Current model exposes the current user’s information.

  • sessions_controller: It handles user login, session creation, and logout.

  • passwords_controller: It handles password reset requests, sends reset instructions, and updates user passwords.

Migrations

The generator adds the CreateUsers and CreateSessions migrations:

  • CreateUsers: This migration generates a users table that includes an email_address field with a unique index and a password_digest column to securely store hashed passwords, leveraging has_secure_password.

  • CreateSessions: This migration generates a sessions table that includes a unique token field, ip_address and user_agent fields to record the user’s device and network. The Session model leverages has_secure_token for unique session token generation.

Authentication concern

The Authentication concern contains the core logic for authentication and session management.

  • require_authentication: A before_action callback that ensures a user is authenticated before accessing protected resources. Under the hood, it tries to restore the existing user’s session. If no session is found, it redirects to the login page.

  • resume_session: It attempts to restore the user’s session using a valid session token from the signed cookie. If a valid session is found, Current.session is set, and Current.user becomes available.

  • request_authentication: Redirects the user to the login page. Before redirecting, it stores the URL the user was trying to access in session[:return_to_after_authenticating].

  • authenticated?: A helper method that checks whether the current user has an active session by verifying that Current.session is present.

  • allow_unauthenticated_access: Class method to allow specific controller actions to bypass the authentication requirement enforced by require_authentication.

  • after_authentication_url: It determines where to redirect the user after a successful login/authentication. It looks for session[:return_to_after_authenticating]; if present, it fetches and deletes the value from the session in one step, so the stored URL is cleared once it’s used. Otherwise, it redirects to root_url.

  • start_new_session_for(user): It creates a new session for the given user and stores important details like the device and IP address. It also sets the Current.session and stores the session token in an encrypted cookie.

  • terminate_session: It ends the current user session by deleting the session record and removing the session token from the cookies.

Password Mailer

  • PasswordsMailer sends password reset instructions to the user.

  • It generates a secure reset link with password_reset_token and includes it in the email.

  • The reset link allows the user to securely update their password.

  • Email delivery is handled asynchronously using deliver_later to enhance performance.
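As an added illustration (not the article's or Rails' own code), this plain-Ruby model shows the three properties a password reset token needs before the mailer's link can be trusted: it is signed with an app secret, it expires after 15 minutes, and it stops working as soon as the password changes. FakeUser, ResetTokens and reset_token_walkthrough are hypothetical names; the encoding is not what Rails' password_reset_token produces, only the checks are the same, and the bcrypt digest is reduced to its salt, since a changed password means a changed salt.

```ruby
require "openssl"
require "json"
require "securerandom"

RESET_TOKEN_TTL = 15 * 60 # seconds; Rails' password_reset_token expires in 15 minutes

# Constructed stand-in for a User record. has_secure_password stores a bcrypt digest;
# here only the digest's salt matters, since changing the password changes the salt.
class FakeUser
  attr_reader :id, :password_salt

  def initialize(id)
    @id = id
    @password_salt = SecureRandom.hex(8)
  end

  def update_password!
    @password_salt = SecureRandom.hex(8) # a new bcrypt digest would carry a new salt
  end
end

# Plain-Ruby model of the reset token: user id + expiry + salt, HMAC-signed with an
# app secret. The real Rails implementation differs in encoding but enforces the
# same three checks: signature, expiry, and salt still current.
class ResetTokens
  def initialize(secret, users, clock: -> { Time.now.to_i })
    @secret, @users, @clock = secret, users, clock
  end

  def generate(user)
    payload = { "id" => user.id, "exp" => @clock.call + RESET_TOKEN_TTL, "salt" => user.password_salt }
    data = JSON.generate(payload).unpack1("H*") # hex-encoded JSON
    "#{data}.#{sign(data)}"
  end

  # Returns the user the token was issued for, or nil when any check fails.
  def find_user(token)
    data, sig = token.to_s.split(".", 2)
    return nil unless data && sig && secure_compare(sign(data), sig)
    payload = JSON.parse([data].pack("H*"))
    user = @users[payload["id"]]
    return nil unless user && payload["exp"] > @clock.call
    payload["salt"] == user.password_salt ? user : nil
  rescue JSON::ParserError
    nil
  end

  private

  def sign(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, "password_reset:#{data}")
  end

  # Constant-time comparison so signature checks do not leak timing information.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Exercises the four outcomes: valid, tampered, invalidated by password change, expired.
def reset_token_walkthrough
  now = 1_700_000_000
  user = FakeUser.new(42)
  tokens = ResetTokens.new("constructed-secret-key-base", { 42 => user }, clock: -> { now })

  token = tokens.generate(user)
  valid = tokens.find_user(token).equal?(user)
  tampered = tokens.find_user(token[0..-2] + (token[-1] == "0" ? "1" : "0")).nil?

  user.update_password!                      # salt changes, old token must die
  after_password_change = tokens.find_user(token).nil?

  fresh = tokens.generate(user)              # new token against the new salt
  now += RESET_TOKEN_TTL + 1                 # advance the clock past the 15-minute window
  expired = tokens.find_user(fresh).nil?

  { valid: valid, tampered: tampered, after_password_change: after_password_change, expired: expired }
end
```

The clock is injected so the expiry check can be exercised without sleeping; in the application the same check runs against wall-clock time when PasswordsController#edit looks the token up.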

Why basic authentication over Devise, Auth0 or other solutions

Using gems like Devise for authentication requires developers to learn their configuration, which isn’t ideal for small applications. Often they just need a basic authentication flow, and may not understand what’s happening under the hood when using such gems.

✅ Lightweight & Simple: Minimal, unopinionated, and easy to customize.

⚡️ Built-in & Native: No external dependencies, reducing complexity.

🛠️ Highly Customizable: Easier to modify and extend functionality.

⏱️ Easier Upgrades & Maintenance: Native to Rails, ensuring long-term stability.

Limitations

  • No Built-in Registration: Users must manually implement a registration flow.

  • Basic Features: It provides basic authentication features; for more complex needs, additional customization or third-party solutions might still be required.
