High Leverage Rails
Building a Modern Rails Application
Authentication
Summary

Learn how to set up secure user authentication in Rails 8 using the built-in authentication generator. This video covers password hashing, login security with rate limiting, and the foundation for user sign-in. Next, we'll add user registration and refine the UI for a seamless experience.

Links

Ruby on Rails Authentication Documentation

Video Transcript

To begin building our app, we're going to start with one of the foundational aspects of any application—user accounts and authentication. Fortunately, Rails 8 includes a new authentication generator that makes it easy to set up a secure and robust authentication system quickly.

Let's jump over to our Lorem News application and run the generator:

bin/rails generate authentication

This command generates a number of essential files, including:

  • Views for authentication
  • Models for users and sessions
  • Controllers for session and password management
  • A password reset mailer with corresponding views
  • New authentication routes

Additionally, the generator installs dependencies and creates migrations for the users and sessions tables, along with tests.

Understanding the Authentication System

Since there's a lot happening here, I’ve linked documentation and blog posts below that walk through every detail. However, in this video, I'll highlight key features.

Let's start with the migrations.

The users table includes:

  • Email address (must be unique)
  • Password digest (the salted bcrypt hash of the password; the password itself is never stored)

It's important to note that we do not store raw passwords. Instead, Rails provides built-in helpers that automatically hash passwords before storing them in the database. This functionality is powered by the has_secure_password method, which provides:

  • Secure password hashing
  • Authentication helper methods
  • A built-in password reset system

All of these security features are handled automatically, making authentication both safe and efficient.

How Authentication Works in Our App

If we check our application controller, we’ll see that Rails includes an authentication concern located at:

controllers/concerns/authentication.rb

This concern adds a before action to require authentication for all controllers that inherit from ApplicationController. This means that:

  • Authenticated users can access all routes where require_authentication is set
  • Certain routes, like login and signup, allow unauthenticated access

For example, our sessions controller explicitly allows unauthenticated access to:

  • New action (displays the login form)
  • Create action (handles sign-in requests)

Since users aren’t logged in when accessing these routes, they must remain publicly accessible.

Security Features: Rate Limiting & Attack Prevention

Rails 8 automatically adds rate limiting to the sign-in controller. This is a crucial security measure that prevents bots from repeatedly attempting to log in using leaked credentials from data breaches.

Additionally, the authenticate_by method is designed to prevent timing attacks, further enhancing the security of our authentication system.
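Why authenticate_by matters, as an added stand-alone example (not the course's code and not Rails' own implementation): a naive lookup that returns early for an unknown email beside an authenticate_by-style lookup that always pays the hashing cost, so response time does not reveal which emails are registered. PBKDF2 from Ruby's stdlib stands in for bcrypt, and the users hash, method names and sample credentials are constructed.

```ruby
require "openssl"
require "securerandom"

# Stand-in for has_secure_password's bcrypt digest: salted PBKDF2-HMAC-SHA256 (stdlib only).
ITERATIONS = 50_000
def make_digest(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS, length: 32, hash: "sha256")
end

# Constant-time comparison so the check itself does not leak where two digests first differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed in-memory "users table" keyed by email_address (one row).
def build_users(email, password)
  salt = SecureRandom.random_bytes(16)
  { email => { email_address: email, salt: salt, digest: make_digest(password, salt) } }
end

# Naive lookup: an unknown email returns before any hashing happens, so a fast
# response tells the caller the address is not registered (the leak authenticate_by avoids).
def naive_authenticate(users, email, password)
  user = users[email] or return nil
  secure_compare(make_digest(password, user[:salt]), user[:digest]) ? user : nil
end

# authenticate_by-style lookup: when no record matches, still run the digest against a
# dummy salt/digest pair so both branches cost roughly the same wall-clock time.
DUMMY_SALT = SecureRandom.random_bytes(16)
DUMMY_DIGEST = make_digest(SecureRandom.hex(16), DUMMY_SALT)

def authenticate_by(users, email_address:, password:)
  user = users[email_address]
  salt, digest = user ? [user[:salt], user[:digest]] : [DUMMY_SALT, DUMMY_DIGEST]
  matched = secure_compare(make_digest(password, salt), digest)
  matched && user ? user : nil
end

# Wall-clock cost of one call, to compare both lookups against an unknown email.
def timed_ms
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  yield
  ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0) * 1000).round(2)
end

if __FILE__ == $0
  users = build_users("alice@example.com", "correct horse battery staple")
  puts "naive, unknown email: #{timed_ms { naive_authenticate(users, 'nobody@example.com', 'x') }} ms"
  puts "authenticate_by, unknown email: #{timed_ms { authenticate_by(users, email_address: 'nobody@example.com', password: 'x') }} ms"
end
```

Run stand-alone, the naive call against an unknown email finishes in well under a millisecond while the authenticate_by-style call takes about as long as a real password check; in Rails the equivalent call is User.authenticate_by(email_address:, password:).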

For more details on these security enhancements, check out the linked documentation below.

Committing Our Changes

After running the generator, I recommend making a commit:

git commit -m "bin/rails generate authentication"

Next, we need to run the migrations that were generated:

bin/rails db:migrate

Since running migrations modifies our repository, I like to make another commit after running them:

git commit -m "bin/rails db:migrate"

Now we have a clean working tree, and we’re ready to test the authentication system in the browser.

Testing the Authentication System

Let's start our development server:

bin/dev

This command also starts the esbuild JavaScript bundler and the Tailwind CSS compiler.

Now, if we visit our Rails app, we should see it running. Navigating to /session/new brings up the login form, where users can enter their email and password to sign in.

It's important to note that this generator only includes authentication for existing users. It does not provide functionality for new users to sign up. We’ll need to implement user registration in the next steps.

Next Steps: Improving the User Experience

While our authentication system is working, the default UI is plain and unstyled. Personally, I find it hard to work with an application when the UI is too basic.

So, the next step will be to apply a base stylesheet to make our scaffolded application visually appealing and easier to navigate.