#67
Aug 20, 2007

restful_authentication

Need multiple user authentication? If so, the restful_authentication plugin is a great way to go. It will generate some basic authentication code for you, which is a good starting point for your authentication system. Watch this episode for details.
Download (30.6 MB, 9:30)
alternative download for iPod & Apple TV (16.3 MB, 9:30)

Resources

Note: it’s now conventional to pluralize your controller name here, and use it as a singular resource. I’ve updated the code in these show notes to reflect that.

script/plugin install git://github.com/technoweenie/restful-authentication.git
script/generate authenticated user sessions
rake db:migrate
# routes.rb
ActionController::Routing::Routes.draw do |map|
  map.home '', :controller => 'home', :action => 'index'

  map.resources :users
  map.resource  :session
  map.signup '/signup', :controller => 'users', :action => 'new'
  map.login  '/login', :controller => 'sessions', :action => 'new'
  map.logout '/logout', :controller => 'sessions', :action => 'destroy'
end
<!-- home/index.rhtml -->
<h1>Welcome</h1>

<% if logged_in? %>
  <p><strong>You are logged in as <%=h current_user.login %></strong></p>
  <p><%= link_to 'Logout', logout_path %></p>
<% else %>
  <p><strong>You are currently not logged in.</strong></p>
  <p>
    <%= link_to 'Login', login_path %> or
    <%= link_to 'Sign Up', signup_path %>
  </p>
<% end %>

87 comments

1. k Aug 20, 2007 at 00:16

There is a space in the link to
"067_resful_authentication.mov", and some
browsers have problems with the download.
Using wget is a solution.


2. weskycn Aug 20, 2007 at 00:16

so good. This is exactly what my current project needs. Timely!!!


3. Urban Hafner Aug 20, 2007 at 00:46

Yes, k is right. For example my iTunes can't download this episode!


4. Dmitry Aug 20, 2007 at 01:07

Couldn't download this episode :(


5. Vicent Aug 20, 2007 at 01:09

wget http://media.railscasts.com/videos/067_restful_authentication.mov


6. Error Aug 20, 2007 at 01:10

Could you fix the download error please?


7. Tobias Lidskog Aug 20, 2007 at 01:14

The url that actually works is http://media.railscasts.com/videos/067_restful_authentication.mov


8. Vladislav Aug 20, 2007 at 01:53

Can't download via iTunes ;(


9. Ryan Bates Aug 20, 2007 at 03:24

Fixed, sorry about that guys.


10. xajler Aug 20, 2007 at 04:35

Thanks, this is the one I've been looking for. I'm looking forward to the next episode on OpenIDs.


11. Aditya Sanghi Aug 20, 2007 at 06:32

I'm downloading the video as I write this, so I'm not sure if it's covered within or not. The tests generated by the plugin use assert_difference and assert_no_difference methods not yet available on stable Rails (I've heard they are available only on edge rails).


12. Damien Warman Aug 20, 2007 at 08:24

Hi, I'll work out where to send this (I guess to RO) but I thought I'd note here that the before filter method in lib/authenticated_system wants to call login in the session controller, but the default routing and setup use new. So if I just bolt in the default before filter it blows up... changing it to call new makes it all go.

Anyway, thanks for another awesome screencast. It really helped me.


13. Karl Smith Aug 20, 2007 at 09:40

Ryan, thank you for making every Monday special.


14. Neil Henegan Aug 20, 2007 at 10:40

Many thanks.


15. viniosity Aug 20, 2007 at 11:01

Ryan, was wondering if you could describe how to differentiate the flash.now[:error] to tell the difference between an incorrect password and a user who may not have yet activated their account?


16. pimpmaster Aug 20, 2007 at 12:21

I use RESTful Auth a lot and recently ran into a problem with redirects I can't seem to solve. I don't want to clutter up your comments so:

http://railsforum.com/viewtopic.php?id=8794


17. John Aug 21, 2007 at 06:59

i love you!

excellent work, was gonna tackle this alone this week...

now i have a podcast, ho ho ho!

;-)

good work

John.


18. Dave Aug 21, 2007 at 09:30

A fantastic screencast as always - RESTful authentication is an excellent start to an authentication system, and nice to build upon. I recently worked role based authentication (as seen in the Rails Recipes book) into this setup with surprising ease, which offers a great RESTful way to control access to controller/action pairs through rights and roles.


19. Chris Aug 21, 2007 at 12:04

For those that want to keep the URL of "/login" when you submit, you can do the following in your routes.rb:

map.login '/login', :controller => 'sessions', :action => 'new', :conditions => { :method => :get }

just add the :conditions part to the current named route map.login

map.connect '/login', :controller => 'sessions', :action => 'create', :conditions => { :method => :post }

and in your form, put login_path. Now when you submit your form it will stay on '/login' instead of '/session'

if you run rake routes, you can see it.


20. Ryan Bates Aug 21, 2007 at 12:54

@viniosity, I haven't checked how restful_authentication handles the account activation, so I'm not sure on the details. You would likely have an "if" condition in the controller checking whether or not the account is activated and display the appropriate error message.


21. carmelyne Aug 21, 2007 at 17:11

Rick handled the activation part really well, you'll just have to tweak the files a bit. I did a quick post to show the ideas on how to extend it with activation: http://rubyurl.com/gFX


22. Michael Aug 21, 2007 at 20:37

Can you post a link to your code to review, please?


23. bug? Aug 22, 2007 at 08:52

I am getting an error
"NameError in SessionController#new "

when I go to
http://localhost:3000/login or
http://localhost:3000/logout

can anyone help me?


24. Ryan Bates Aug 22, 2007 at 13:09

I recommend posting this problem on railsforum.com so you can post the details on what you've done and the full stack trace.


25. alberto Aug 24, 2007 at 16:15

Nice screencast! Hey Ryan, maybe a railscast on a simple RBAC? It would be nice ;).

anyway great railscasts ryan!

c'ya


26. Matt Aug 27, 2007 at 11:38

Ryan, I think it would be great if you made a quick little episode demonstrating how to add a forgot password function to the restful_authentication system. This would not only demonstrate the function itself, but demonstrate adding custom actions to a restful application. Just a thought!


27. ColinD Sep 04, 2007 at 03:19

@bug

I believe the restful_auth plugin has been updated since this railscast.

As such, the users controller no longer exists.

Routes that work for me, YMMV.
  map.resources :users
  map.resource :session

  map.signup '/signup', :controller => 'session', :action => 'signup'
  map.login '/login', :controller => 'session', :action => 'login'
  map.logout '/logout', :controller => 'session', :action => 'logout'

Hope that helps others, threw me for a while as I've got a few projects using this plugin, all as per the railscast.


28. lukas Sep 05, 2007 at 14:09

thanks, I've been waiting for a restful_auth screencast for a while


29. Travis Black Sep 06, 2007 at 15:48

I just installed this and somehow didn't notice that there was an activation option. I wrote my own before figuring it out, and it ended up being the same thing anyway.

Just wanted to say that it is super easy to install with activation, and even without knowing that option was there, this screencast made my decision for me on how to authenticate.

Thanks Ryan!!!


30. Travis Black Sep 06, 2007 at 15:53

Just thought I should add that if you want it to install with activation, just include :include_activation as an option when you install


31. Anlek Sep 10, 2007 at 18:32

Great Job Ryan,
One little recommendation; If you could show how to do tests with this plugin that could help some people out. I've been trying to do TDD but having a hard time learning everything at once.
(Mainly referring to before_filter :login_required and how to create a login during a test on a controller)

Keep up the great work!

Andrew


32. KL Sep 13, 2007 at 03:22

In my case (edge rails and latest plugin) I think it should be "sessions" controller not "session" as this matches the routing.


33. Ryan Bates Sep 13, 2007 at 09:04

@KL, yeah, just noticed this myself recently. If you are using the singular name then you will need to specify it in the routes (in edge rails).

map.resource :session, :controller => 'session'


34. Hendy Irawan Sep 18, 2007 at 17:11

Or alternatively (in Rails > 1.2.3), simply go with Rails' flow and use "sessions" as the controller name:

script/generate authenticated user sessions

:-)

I wonder if they'll change the singular resource name convention again next time?


35. simik Sep 22, 2007 at 14:57

Nice screencasts, helped a lot! BTW, what software have you made it with?


36. linoj Sep 24, 2007 at 06:43

I wanted user records in my app to have various statuses. Here's how I modified restful_authentication with acts_as_state_machine to accomplish this. I'll call it stateful_authentication


37. Lucky Sep 26, 2007 at 09:26

I installed this plugin but encountered the following problems. Thanks in advance to anyone who helps enlighten me.

1. For my case, MVC for HOME (home/index) is not generated automatically. Do I have to create it myself? Anyway, I created the Home controller and view.

2. When I entered the wrong password, I do see the error message "Authentication failed".

But, when I entered the correct password, I was re-directed to "http://localhost:3000/", but it does not display the Welcome page (/home/index.rhtml). I did change routes.rb to enter the first line - "map.home '', :controller => 'home', :action => 'index'".


38. Ryan Bates Sep 28, 2007 at 14:17

@Lucky, I believe I answered this on railsforum.com, but I'll answer it here for completeness. You need to remove the index.html file from the public directory so the home page will work.


39. krychek Oct 03, 2007 at 11:42

If I use 'sessions' as plural when I generate, I get this error when I try to start the login page: "uninitialized constant SessionController". I have "map.resource :session, :controller => 'session'" in my routes.rb.


40. Ryan Bates Oct 03, 2007 at 11:47

Try this (pluralize sessions):

map.resource :session, :controller => 'sessions'


41. Dennis Oct 05, 2007 at 17:31

Do you know why one of the tests fails:
ruby test/unit/user_test.rb

 1) Failure:test_should_require_password(UserTest) [test/unit/user_test.rb:23:in `test_should_require_password' /Users/ia00stai/railsdev/signmeup/trunk/signmeup/config/../lib/authenticated_test_helper.rb:16:in `assert_difference' /Users/ia00stai/railsdev/signmeup/trunk/signmeup/config/../lib/authenticated_test_helper.rb:24:in `assert_no_difference' test/unit/user_test.rb:21:in `test_should_require_password']:<nil> is not true.


42. Ryan Bates Oct 10, 2007 at 08:12

@ari, I recommend posting this on railsforum.com as I need to see the code and more details before knowing what's wrong.


43. David Oct 10, 2007 at 13:06

Ryan,

Great screencasts, these are incredibly useful. How about a screencast that looks at adding roles/authorization, so admin can edit anything but users can only edit their stuff?

David


44. Ryan Bates Oct 10, 2007 at 16:00

@David, I talk a little bit about this in episodes 20 and 21, but I haven't gone into details on role based authorization. Thanks for the suggestion.

http://railscasts.com/tags/9


45. AJ Oct 14, 2007 at 09:18

Thank you for the excellent casts. Executing script/generate authenticated user session as shown in the cast doesn't create the users_controller.
Env:
Windows xp
Ruby 1.8.6
Rails 1.2.3


46. AJ Oct 15, 2007 at 13:37

I got to generate the users_controller by executing "script/generate authenticated user" first, then "script/generate authenticated user session" to generate the session files.


47. David Oct 22, 2007 at 20:04

Ryan, in episode #13, "Dangers of Model in Session" you mention that it is a good practice to avoid storing model data within a session, or at least minimizing the amount of model data you store in a session.

In looking through the source code for the restful_authentication plugin, it appears as though that plugin is storing information in a @current_user variable and in a session variable (assuming your model is called user).

Is the approach being used in that plugin to store the user model in the session? I was just a little confused and thought you might be able to chime in on the topic.


48. Yui-Ikari Nov 01, 2007 at 13:55

Oh man, I'm in love with you! Thanks for this tutorial <3


49. Kei Dec 14, 2007 at 08:19

hi,

if I override the to_param in the user model, I will get more meaningful URLs in
localhost:3000/users/peter_permalink/tests

instead of
localhost:3000/users/2/tests

however, that makes my restful_authentication plugin not work so well.

is there a way out?

thanks


50. Iain Wright Dec 18, 2007 at 08:04

going to try this in rails 2.0 right now, I will let you know how it goes. great screencasts ryan, they have been helping me out a lot!

Best,


51. Rob Jan 01, 2008 at 10:40

Good vid but don't follow the advice about not pluralising your sessionscontroller - rails is notorious for throwing up bugs when it comes to this kind of thing, and it took me several hours to work out why there were weird 'uninitialized constant SessionsController' errors. Totally bad advice.


52. rob99 Jan 19, 2008 at 21:08

I followed this using Rails 2.0.2 and found I had to alter line 67 of authenticated_system.rb from:
redirect_to new_session
to
redirect_to :controller => 'session', :action => 'new'

... in order to avoid the "undefined local variable or method `new_session'" error.


53. Premek Jan 22, 2008 at 05:44

Hi,
I followed this using Rails 2.0.2 and Ruby 1.8.6. I had to use:
"generate authenticated user sessions" to get the SessionsController.

Then it works fine and no changes of authenticated_system.rb needed. With
"generate authenticated user session" I got stuck with a Name Error:
uninitialized constant SessionsController


54. Sillium Feb 01, 2008 at 15:47

Thanks for the great screencast! One (possibly stupid) question though: Where in the rails app does the third quoted file (index.rhtml) go to make it work?


55. Sillium Feb 01, 2008 at 15:57

Okay, sorry, I just answered the question myself. I had to generate the "home" controller and put the index.rhtml in the corresponding views directory.


56. Mickey the mouse Feb 08, 2008 at 09:09

If you get the sessioncontroller uninitialized error, then
put these lines in your routes.rb

#-------------------
  map.resources :users
  map.resource :session#, :controller => 'sessions'
  
  map.signup '/signup', :controller => 'users', :action => 'new'
  map.login '/login', :controller => 'sessions', :action => 'new'
  map.logout '/logout', :controller => 'sessions', :action => 'destroy'

#----------------------


57. Paul Davidowitz Feb 19, 2008 at 16:21

@ Premek

See http://beast.caboo.se/forums/2/topics/1077

So instead of
  map.resource :session
use rather
  map.resource :session, :controller => 'session'


58. luis Feb 23, 2008 at 10:50

Excellent, thank you :)


59. vince Mar 04, 2008 at 02:13

Hey Ryan,

First of all thanks for casts.
All of them really helpful.

Maybe you can answer my question.
Made several projects with restful_authentication but still didn't figure out the bonuses of the salt in the model. I thought the salt was required for decrypting, but using SHA we don't have such an option.

Thanks,
Vince


60. Ryan Bates Mar 04, 2008 at 21:28

@vince, from my understanding the salt doesn't have anything to do with decrypting. A salt is just a random string of characters appended to the password before hashing. This helps prevent dictionary attacks if someone is trying to break the hash. I'm no expert on encryption, so take this with a grain of salt (pun intended).
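To make the salt exchange above concrete, here is an added Ruby example (not code from the plugin or the episode) modelling the plugin's salted SHA1 scheme with constructed users and a constructed table of common passwords. The class and method names are mine, the plugin derives its salt from the time and login rather than SecureRandom, and current practice would use a slow hash such as bcrypt instead of SHA1.

```ruby
require 'digest/sha1'
require 'securerandom'

# Added example: a minimal model of restful_authentication-style salted
# password hashing. Not the plugin's code; the "--salt--password--" digest
# input mirrors the plugin's convention, the names here are assumptions.
class SaltedPassword
  attr_reader :salt, :crypted_password

  # Each user gets a fresh random salt at creation time (constructed with
  # SecureRandom here; the plugin hashes the time plus login instead).
  def initialize(password, salt = SecureRandom.hex(20))
    @salt = salt
    @crypted_password = self.class.encrypt(password, salt)
  end

  # One-way: the digest covers salt and password together.
  def self.encrypt(password, salt)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end

  # Login check: re-hash the candidate with the stored salt and compare.
  # Nothing is ever decrypted, which is the point vince asked about.
  def authenticated?(candidate)
    self.class.encrypt(candidate, salt) == crypted_password
  end
end

# Why the salt matters: an unsalted table of common passwords, built once,
# matches every user who picked one of them (constructed sample list).
COMMON = %w[password 123456 letmein].freeze
UNSALTED_TABLE = COMMON.to_h { |pw| [Digest::SHA1.hexdigest(pw), pw] }.freeze

def unsalted_lookup(digest)
  UNSALTED_TABLE[digest]
end

# Salted digests for the same password differ per user, so a precomputed
# table would have to be rebuilt for each individual salt.
def same_password_same_digest?(a, b)
  a.crypted_password == b.crypted_password
end

if __FILE__ == $0
  alice = SaltedPassword.new('letmein')
  bob   = SaltedPassword.new('letmein')
  puts "salted digests differ: #{!same_password_same_digest?(alice, bob)}"
  puts "unsalted table finds: #{unsalted_lookup(Digest::SHA1.hexdigest('letmein'))}"
  puts "alice login ok: #{alice.authenticated?('letmein')}"
end
```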


61. Steve Mar 05, 2008 at 13:42

Ryan,

Thanks for the railscasts! They're great.

I just tested out the restful authentication and noticed the Rails log had the password param unencrypted: "password"=>"abcd1234." I think I've seen documentation about hiding that param in the log file. But, is it also sent in clear text across the wire from browser to server?


62. Carl Mar 08, 2008 at 15:32

Steve,

add something like this to your application.rb file:

filter_parameter_logging :password, :password_confirmation


65. Steve Carr Mar 28, 2008 at 12:03

question about plugins:
I spent alot of time trying to install the restful_authentication plugin, but when I'm at work behind to corporate firewall it doesn't find the install repository. But when I did it on my home DSL connection, it installed first time.
At work I can go to the techno-weenie site in my browser, so is the problem caused by script/plugin install using a protocol other than http?


69. Lucas Uyezu Apr 17, 2008 at 20:25

Thanks for the great screencast!

I found it useful for me, so I've made a summary of your screencast and put it in my blog. The permalink is: http://xucros.com/2008/4/18/restful-authenticationin-rails-quickly

Please, let me know if I should remove or change it.


70. David Pickens Apr 22, 2008 at 05:26

Thank you for the great webcasts, Ryan. FINALLY some tutorials that work!

 


71. David Spector Apr 24, 2008 at 14:30

If I wanted to break the login controls out onto the home page (say with as the home controller in your example, rather than having the user click on a login link), how would I tell the home controller to get the User controller to make a new session?

Right now if I put the controls on the home page, the submit of course gets me an "uninitialized constant SessionsController" stack trace...


72. dubek May 13, 2008 at 05:52

Thanks a lot, Ryan!

This was short and to the point, exactly what I was looking for.

Keep up the great work!


74. Nick Jun 09, 2008 at 19:49

I know I'm asking a question long after the cast was posted, but I've been having trouble with this for a while.

When I include the AuthenticatedSystem module in the Application controller, the function "logged_in?" works correctly, but whenever I try any other methods such as "authorized?", Rails throws an error saying it's not defined?

Any ideas?
Nick


75. Felipe Marques Jun 23, 2008 at 19:43

Very Nice!


76. jung carl Aug 15, 2008 at 22:27

Why not tell us total noobs how you created the home controller and where you put that code for index.rhtml (for completeness)?
Noobs are like gravy, we run all over the internet looking for holes.


77. Scott Aug 22, 2008 at 23:43

Nick, I'm hitting the same problem you are about the defined methods. Would be great if you or someone figured it out...


78. Scott Aug 22, 2008 at 23:54

aaah, answered my (and your) question. Any methods you add that you want to be available outside of the protected methods in this class need to be added to the self.included call later in authenticated_system.rb.
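Scott's fix in Ruby terms, as an added example that is not the plugin's code: a stripped-down model of how authenticated_system.rb's `self.included` hook registers controller methods with `helper_method` so views can call them. `helper_method` is the real Rails call; FakeController, HomeController and the `:alice` user are constructed stand-ins so the snippet runs outside Rails.

```ruby
# Added example (not the plugin's code). FakeController stands in for
# ActionController::Base so this runs without Rails.
class FakeController
  class << self
    # Names a view is allowed to call on this controller.
    def helper_methods
      @helper_methods ||= []
    end

    # Stand-in for Rails' helper_method: records the exposed names.
    def helper_method(*names)
      helper_methods.concat(names.map(&:to_sym))
    end
  end
end

module AuthenticatedSystem
  # Ruby runs this hook when a class does `include AuthenticatedSystem`.
  # Only the names listed here become reachable from views; a method added
  # to the module but left off this list exists on the controller only,
  # which is the "not defined" error Nick and Scott hit.
  def self.included(base)
    base.send :helper_method, :current_user, :logged_in? if base.respond_to?(:helper_method)
  end

  protected

  def current_user
    @current_user ||= :alice # constructed stand-in for a User lookup
  end

  def logged_in?
    !!current_user
  end

  # Deliberately NOT registered in self.included, to show the failure mode.
  def authorized?
    true
  end
end

class HomeController < FakeController
  include AuthenticatedSystem
end

# A view can only call what the controller registered as helper methods.
def view_can_call?(controller_class, name)
  controller_class.helper_methods.include?(name.to_sym)
end

if __FILE__ == $0
  %i[logged_in? current_user authorized?].each do |m|
    puts "#{m}: #{view_can_call?(HomeController, m) ? 'visible to views' : 'controller only'}"
  end
end
```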


79. ERPTooL Aug 27, 2008 at 21:08

The correct command is :

script/generate authenticated user sessions

NOTE: use plural sessions and not singular session as you showed in your screen cast. Else you will have the following error when you try to log in:

uninitialized constant SessionsController

This little thing wasted my 3 hours. You should fix it in your screen cast.


80. jack Sep 16, 2008 at 22:10

Thanks, good one!

BTW, I also had to use sessions (in plural), got that "uninitialized constant SessionsController" error, no matter what I did in routes...

ruby script/generate authenticated user sessions


81. bflo Sep 19, 2008 at 16:28

I used the "generate authenticated user session" and I get the "uninitialized constant SessionsController" error. The suggested route.rb changes don't fix it, as jack says above.

Do I need to back out and redo the generate script? Or are there files I can edit to make session work? Ryan: Why did it work for you and not others? Thanks for any info


82. jsterick Oct 22, 2008 at 04:05

I tried using session singular when using script/generate but I ran into problems. I undid that and used plural sessions as recommended in the README. I still got the uninitialized constant error but that got resolved when I pluralized session in defining the login and logout routes.


83. Matt Nov 03, 2008 at 11:14

In order for my generate to work with a fresh application:

1. I had to sym link vendor/plugins/restful_authentication/lib to the main project directory
2. I had to make sure that test/fixtures existed


84. Paul Nov 04, 2008 at 20:16

for those people that used a singular Session and get the "uninitialized constant SessionsController":

So instead of
  map.resource :session
use rather
  map.resource :session, :controller => 'session'


85. ajay Nov 09, 2008 at 22:47

flash.now[:error] is not working. Please advise on how I can show errors during login.

thanks a lot for the great video.


90. Johan van der Kuijl Dec 07, 2008 at 21:46

The plugin can now be obtained from http://github.com/technoweenie/restful-authentication/tree/master

