I’m curious about others’ thoughts on whether or not to use Devise.
With the recent Rails updates, even in Rails 7, Devise didn’t seem that useful and seemed to overcomplicate the user authentication, registration, and lost password experience, and it also seemed like I had to do a lot of work overriding their views to fit with my application. It seemed easier to not use Devise? It had its usefulness in earlier versions of Rails but not so much now?
> overcomplicate the user authentication, registration, and lost password experience
As a SWE and infosec guy, please don’t just roll this stuff yourself. Maybe Devise is more complicated than it needs to be, but a lot of this stuff is far more subtle than people realize and trivially easy to get catastrophically wrong.
I’m absolutely certain a lot of the parts you think are unnecessarily complex are the result of having gotten it wrong before. How do I know? Because I’ve personally submitted vulnerabilities to Devise (specifically the lost password flow) that ended up getting a redesign to fix the vuln.
So even if you don’t use Devise, please use some other project which has already suffered through iterating over vulns so you don’t have to.
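The "lost password flow" mentioned above is where hand-rolled auth most often goes wrong. As an added illustration (not Devise's code, and not from any commenter), here is a minimal Ruby reset-token store that hashes tokens at rest, expires them, makes them single-use and refuses blank tokens; `PasswordResetStore` is a hypothetical in-memory stand-in for a users table.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory stand-in for a users table (constructed for this example).
class PasswordResetStore
  TOKEN_TTL = 15 * 60 # seconds a reset link stays valid

  Record = Struct.new(:email, :expires_at)

  # clock is injectable so expiry can be exercised without sleeping.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @by_digest = {} # SHA-256(token) => Record
    @by_email = {}  # email => current digest, so re-issuing invalidates the old link
  end

  # Issue a reset token. The raw token is returned to be mailed to the user;
  # only its digest is stored, so a leaked DB row or log line cannot be replayed.
  def issue(email)
    raw = SecureRandom.urlsafe_base64(32)   # 256 bits from a CSPRNG, not rand()
    digest = Digest::SHA256.hexdigest(raw)
    @by_digest.delete(@by_email[email])     # at most one live token per account
    @by_email[email] = digest
    @by_digest[digest] = Record.new(email, @clock.call + TOKEN_TTL)
    raw
  end

  # Redeem a token from the reset link. Returns the email on success, nil on
  # any failure (unknown, expired and reused tokens all look the same to the
  # caller, so the response does not distinguish them).
  def redeem(raw)
    # A blank token must never match a row whose token column is blank.
    return nil if raw.nil? || raw.empty?
    digest = Digest::SHA256.hexdigest(raw)
    record = @by_digest[digest]
    return nil if record.nil?
    # Single use: drop the token before the expiry check so an expired one is gone too.
    @by_digest.delete(digest)
    @by_email.delete(record.email)
    return nil if @clock.call > record.expires_at
    record.email
  end
end
```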
I figure if it's good enough for login.gov [1], it's good enough for my sites as well.
I also find devise pretty simple to get set up and use. It's so easy to mess up some small thing while writing your own auth. I've always pretty much trusted myself to at least get devise set up properly.
The Treasury's systems were just hacked, in some capacity, last week.
If you put the money the government steals from your paycheck for "Social Security" into your own private investment account and invest it in the S&P 500, after a 40 year career you would have about 4x the income that Social Security will pay you for the same malinvestment in their broken system. That's now. In the future, we will probably have to net pay Social Security when we retire.
The FDA put candy on the food pyramid, as a part of our daily diet.
The F-35 Lightning project was managed by the government, and, as a result, the United States will likely lose the next major nation state war we enter. But, because of that selfsame government's other skills, the United States will likely be bankrupt and gone before that happens.
Everything the government does is worse; no, the worst. If the government does something, that's a really good reason to look at alternatives.
I don't like Devise. Rodauth covers similar ground in what seems to be a slightly better way. I know there are some other options.
My pet peeve with most of the auth solutions is that they tend to be extremely coupled to hard-coded emails, which makes it varying degrees of annoying to use third party tools for the parts of a product funnel that intersect with auth and also to integrate SMS cleanly. But I guess I'm the kind of person who finds it annoying to override a "send invite email" method with something that triggers events or sends an SMS instead just because it's not really what it says on the tin at that point.
Acknowledging that I haven't had a chance to try the new Rails 8 auth stack... over the last decade I've gone from being a Devise hater to a Devise lover.
Yes, it can seem esoteric and magical (in the bad way) until you wrap your head around the idioms and design philosophy. There's a lot of functionality that happens unless you override it. I fully get that this rubs a lot of people who aren't in the pool the wrong way.
However, in addition to the impressive selection of modular capabilities mentioned elsewhere in this thread, there's a very bright light that goes on when you realize that you can make powerful changes to the way the library works by reopening a few controller classes and defining your own methods.
My strong advice for anyone looking at Devise and perhaps feeling stumped is to open up https://github.com/heartcombo/devise/tree/main/app/controlle... and spend some tens of minutes looking at how the library does what it does. These controllers, especially sessions and registrations, contain all of the business logic driving the "magic". Not only do they reveal themselves as relatively simple and well thought out, all of those yield calls mean that you can call those methods while passing a block to them. Whatever is in that block will be evaluated inside of that method when it runs.
The people who designed Devise put a lot of thought into this stuff. When you get it, you suddenly don't want to be without it.
My experience is the opposite. Getting Devise up and running is very easy. Adding OAuth for GitHub, Google, and other providers is also very easy. Editing views is pretty straightforward: you can put your forms or whatever you want, just post the form data to the Devise endpoint and that’s it. All in, it will probably take 30 minutes to set it up.
Devise bakes in a lot of knowledge about auth. You probably don't need it for a simple app. As your needs grow, when you need things like social logins, Devise makes that easier. If you get really big you probably will have to build out something bespoke anyway. So Devise is sort of for the middle of the journey.
For very simple username/password authentication, what Rails 8 provides is probably sufficient. But the moment you need other auth providers, 2FA, etc., Devise is very much still useful.