Today, I started a new project with Rails. I have always used my own auth implementation; now I thought I'd give devise a try. Hell... the documentation is bad, really really bad. I really don't know why people use this instead of writing it themselves. Anyway, I kicked devise and wrote it again by myself.

  • 4
    You write your own auth implementation?

    Alrighty then.
  • 0
    I don't disagree, devise is trash.

    On the other hand, maintaining your own auth gem is a fucking nightmare.

    One word, compliance.

    No other team of assholes has moved the goalposts more.
  • 2
    Before you start rolling your own, maybe check out Rodauth by Jeremy Evans:
    It also has a Rails integration:

  • 0
    @sariel hmmmm… why do you need to build a gem for that?
  • 0
    @KaosKermit I'll give it a try. Thank you!
  • -1
    @preezer so you're just going to hack together an auth pattern?

    I don't know if you're a fool or an idiot.

    By implementing it as a gem, you provide yourself an exit strategy down the road when you're required to replace it with devise or some other auth library to bring it up to compliance.

    Have you thought about the following items for your library?

    - how long will your session live?
    - where will your session live?
    - are you using a jwt mechanism?
    - is a permission system integrated?
    - is 2FA required?
    - are you encrypting users data at rest?
    - how often are you rotating encryption keys?
    - are you going to instead leverage an external auth provider like AWS Cognito, Keycloak, Okta, etc.?
    - are you going to support OAuth2 for multi-user origins? (Will you support "sign in with Facebook/GitHub/myspace"?)

    So much more, not enough room to type them up.
  • 0
    @sariel Hahaha, nice one. You call me an idiot because I implement a very simple authentication workflow (only email/password), plain, without abstracting it as a gem. YMMD! Even DHH said in a podcast recently that it's not a bad design decision to NOT use a gem for authentication... I really hope you don't work as a professional...
  • -1
    @preezer I work in Enterprise solutions.

    I'm held to higher standards that require me to follow OWASP, PCI, and HIPAA compliance standards.

    Everything is hashed, or encrypted unless it poses no risk.

    Hacking together a plaintext auth solution is not only stupid but extremely dangerous to your users.

    Also just to clarify, I called you a fool or an idiot. I presumed you were just a fool but you seem to have proved me wrong in one regard.
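Two of the checklist points above ("how long will your session live?" and "everything is hashed, or encrypted") are the minimum a hand-rolled email/password login has to answer. The example below is added here and is not code from anyone in the thread; it uses only Ruby's standard library (a Rails app would normally reach for `has_secure_password` / bcrypt instead) and keeps sessions in an in-memory hash, which is an assumption for the demo, not a production store.

```ruby
require "openssl"
require "securerandom"

# Minimal email/password auth pieces: salted PBKDF2 hashing (never the plaintext
# password), constant-time verification, and server-side sessions with a fixed TTL.
module MiniAuth
  ITERATIONS  = 200_000          # PBKDF2 work factor; raise as hardware gets faster
  KEY_LEN     = 32               # derived-key bytes
  SESSION_TTL = 30 * 60          # seconds; the answer to "how long does the session live?"

  # Returns "pbkdf2-sha256$<iterations>$<salt>$<hex key>"; the salt is stored with the
  # hash so the work factor can be raised later without breaking existing records.
  def self.hash_password(password, salt: SecureRandom.hex(16), iterations: ITERATIONS)
    key = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                   length: KEY_LEN, hash: "sha256")
    "pbkdf2-sha256$#{iterations}$#{salt}$#{key.unpack1('H*')}"
  end

  # Re-derives with the stored salt/iterations and compares in constant time.
  def self.verify_password(password, stored)
    _algo, iters, salt, hex = stored.split("$", 4)
    candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iters.to_i,
                                         length: KEY_LEN, hash: "sha256")
    secure_eq(candidate, [hex].pack("H*"))
  end

  # Length check first, then OR all byte differences so timing does not leak the
  # position of the first mismatch.
  def self.secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Opaque random token -> {user_id, expires_at}; an expired token is purged on lookup.
  class Sessions
    def initialize(clock: -> { Time.now })   # injectable clock for testing expiry
      @store = {}
      @clock = clock
    end

    def create(user_id)
      token = SecureRandom.urlsafe_base64(32)
      @store[token] = { user_id: user_id, expires_at: @clock.call + SESSION_TTL }
      token
    end

    def user_for(token)
      rec = @store[token]
      return nil unless rec
      return (@store.delete(token); nil) if rec[:expires_at] <= @clock.call
      rec[:user_id]
    end
  end
end
```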