Hanami Authentication


#1

@davydovanton and I are going to be working on an authentication solution for Hanami. We want something that’s as easy to use as devise, but done in a Hanami way (with less magic).

Talking with @jodosha and @davydovanton, we think it’s good to start with session management. That is, the very first iteration will not have user sign up, only user log in / log out. From there we can iterate and add support for omniauth, and traditional in-app email sign up.

After that, other nice-to-have features, for me, would be confirmations & password resets. Do others agree?

What other features should we add? We want to keep it as lean as possible, and iterate quickly.


Hanami::Mimoto - Easy authentication for Hanami
#2

What I want to see in this lib

In general, I want to see a hanami (CLI?) app which will create files with all actions and views in the auth application instead of “magic” controllers like in devise.

Generators

In general, I see something like this:

hanami g auth model # => account model with some methods
hanami g auth app # => new hanami auth app with config
hanami g auth base # => sessions#create, sessions#delete, etc
hanami g auth reset-password # => actions for this logic
hanami g auth oauth # => all for auth app

Also, we should generate specs with tests for each generated action.

Model

I think we need to set account as a default model.

Generated fields:

  • password_hash
  • email (commented)
  • login (commented)

Now I’m working on a simple Authentication module with simple methods (authenticate!, current_account, etc).

@jodosha @cllns WDYT?


#3

Hi,

I’m trying to accomplish something similar with Tachiban.

I’m almost ready to release Auth and then move on with password reset and later on also Authorizations.

regards,
Seba


#4

Hey, thanks for your comment! Do you have any example of usage of this lib?


#5

Unfortunately I don’t have an example of Tachiban in action yet. I’m planning on using it right after I release it. Although the code in Tachiban was extracted from an app in production and slightly expanded in some cases to be more flexible.


#6

Sorry, I don’t get what this is about. Does it add auth code to an existing app, or does it do something else?


#7

I’ve released Tachiban 0.3.0 and will test it in an app to be used as an example.


#8

Hi, I’ve recently developed an interest in hanami and decided to build a pet project in it. One of the first things I looked for was an authentication framework. Here are my 2 cents.

Tachiban seems to currently be the only serious attempt, however I decided to skip it because it seems to be early in development and, more importantly, invents its own session management instead of leveraging warden gem (https://github.com/hassox/warden). I decided to roll my own with warden and bcrypt since it’s very easy. I’ve even done it a few times in the past in rails apps, skipping over devise for simplicity.

I would just like to suggest that any auth framework really should leverage both warden and bcrypt since they are both very mature, battle tested and actively maintained gems that fit into hanami philosophy. I was considering extracting the authentication from my pet app into a gem once it’s finished but I’d be even happier to just contribute to an existing gem following the same philosophy.


#9

FWIW I had no intention of reinventing the wheel or replacing any existing solutions, but rather to learn the concepts of authentication and authorization as well as any related subjects. For me, the best way was to try to do it myself as much as possible. In the process I ended up with Tachiban. Admittedly there’s a long road ahead since it’s still a WIP, but I’ll continue to work on it as much as my schedule permits it to complete the set goals.


#10

Is warden maintained? I don’t see too much activity, hence my question.

Your help is welcome! Please talk with @cllns


#11

Yes, warden is very much maintained. It’s just a very mature and stable library with little need for modifications which is why there is not much activity. Also, since it’s a pure rack implementation it doesn’t get affected by new releases of Rails. Besides, Devise depends on it so it will stay live for at least as long as Devise itself is live.


#12

Thanks for the clarification. :thumbsup:

@cllns @davydovanton Let’s start with warden then, wdyt?


#13

I’ve got user registration, log in and log out nearly working in my pet app with bcrypt and warden. It’s going a bit slowly since I’m basically learning Hanami along the way :slight_smile: but I’m almost done with the first version. After that I’ll extract just the authentication into a separate project so you can see it. It might be useful as an example app to play around in.

One of the benefits of basing it on warden is, of course, the existing ecosystem. I.e. omniauth was mentioned which should be pretty easy to add through warden: https://github.com/hassox/warden_omniauth.


#14

FWIW I had no intention of reinventing the wheel or replacing any existing solutions, but rather to learn the concepts of authentication and authorization as well as any related subjects. For me, the best way was to try to do it myself as much as possible. In the process I ended up with Tachiban. Admittedly there’s a long road ahead since it’s still a WIP, but I’ll continue to work on it as much as my schedule permits it to complete the set goals.

You’re definitely right, doing things from scratch is the best way to learn, I often do that as well. However, when I’m done, if there is a better existing solution that satisfies all requirements I also often delete my code and switch to the existing solution. :slight_smile: Of course, if you have plans for implementing a different feature set not supported by existing solutions then it also makes sense to build from scratch.


#15

Hi all, I’ve wrapped up the first version of authentication based on warden and bcrypt and extracted it into a sample application: https://github.com/radanskoric/hanami_auth_sample

The key parts related to warden are: