To begin building our app, we're going to start with one of the foundational aspects of any application—user accounts and authentication. Fortunately, Rails 8 includes a new authentication generator that makes it easy to set up a secure and robust authentication system quickly.
Let's jump over to our Lorem News application and run the generator:
bin/rails generate authentication
This command generates a number of essential files, including:
Additionally, the generator installs dependencies and creates migrations for the users and sessions tables, along with tests.
Since there's a lot happening here, I’ve linked documentation and blog posts below that walk through every detail. However, in this video, I'll highlight key features.
Let's start with the migrations.
The users table includes:
It's important to note that we do not store raw passwords. Instead, Rails provides built-in helpers that hash each password (with bcrypt) before it is stored in the database, so only a one-way digest is ever persisted. This functionality is powered by the has_secure_password method, which ensures:
All of these security features are handled automatically, making authentication both safe and efficient.
If we check our application controller, we’ll see that Rails includes an authentication concern located at:
controllers/concerns/authentication.rb
This concern adds a before action to require authentication for all controllers that inherit from ApplicationController. This means that:
For example, our sessions controller explicitly allows unauthenticated access to:
Since users aren’t logged in when accessing these routes, they must remain publicly accessible.
Rails 8 automatically adds rate limiting to the sign-in controller. This is a crucial security measure against credential stuffing: it prevents bots from repeatedly attempting to log in using leaked credentials from data breaches.
Additionally, the authenticate_by method is designed to prevent timing attacks, further enhancing the security of our authentication system.
For more details on these security enhancements, check out the linked documentation below.
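To make the two points above concrete (passwords are stored only as digests, and authenticate_by keeps the unknown-email and wrong-password paths the same cost), here is an added plain-Ruby sketch, not the generator's code: it assumes an in-memory USERS hash in place of the users table and uses salted PBKDF2 where Rails uses bcrypt.

```ruby
require "openssl"
require "securerandom"

# Stand-in for has_secure_password. Rails uses bcrypt; salted PBKDF2 is used
# here only because it ships with Ruby's bundled OpenSSL bindings.
ITERATIONS = 20_000

def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                    length: 32, hash: "sha256")
  "#{salt}$#{digest.unpack1('H*')}"   # only this string is ever stored
end

# Constant-time byte comparison: the time taken does not depend on where the
# first differing byte is, so response timing reveals nothing about the digest.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def password_matches?(stored_digest, candidate)
  salt, _hex = stored_digest.split("$", 2)
  secure_compare(hash_password(candidate, salt), stored_digest)
end

# Constructed in-memory stand-in for the generated users table.
USERS = {
  "alice@example.com" => { email_address: "alice@example.com",
                           password_digest: hash_password("correct horse") }
}
# Digest of a random password, so the "unknown email" branch costs the same
# as a real password check.
DUMMY_DIGEST = hash_password(SecureRandom.hex(16))

# Same contract as User.authenticate_by(email_address:, password:): returns the
# user on success, nil otherwise. The expensive hash runs on both branches so an
# unknown email and a wrong password are indistinguishable by timing.
def authenticate_by(email_address:, password:)
  user = USERS[email_address]
  if user
    password_matches?(user[:password_digest], password) ? user : nil
  else
    password_matches?(DUMMY_DIGEST, password)
    nil
  end
end
```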
After running the generator, I recommend making a commit:
git commit -m "bin/rails generate authentication"
Next, we need to run the migrations that were generated:
bin/rails db:migrate
Since running migrations modifies our repository, I like to make another commit after running them:
git commit -m "bin/rails db:migrate"
Now we have a clean working tree, and we’re ready to test the authentication system in the browser.
Let's start our development server:
bin/dev
This command also starts the esbuild JavaScript bundler and the Tailwind CSS compiler.
Now, if we visit our Rails app, we should see it running. Navigating to /session/new brings up the login form, where users can enter their email and password to sign in.
It's important to note that this generator only includes authentication for existing users. It does not provide functionality for new users to sign up. We’ll need to implement user registration in the next steps.
While our authentication system is working, the default UI is plain and unstyled. Personally, I find it hard to work with an application when the UI is too basic.
So, the next step will be to apply a base stylesheet to make our scaffolded application visually appealing and easier to navigate.