Should I use a custom authentication system?

August 18, 2016 | Ruby

Authentication
Authentication for RailsPM

A great question that I see continually: Should I use a custom authentication system or use a pre-existing solution (like Devise)? There are a lot of arguments either way, but the answer is simple: it depends! For this discussion, I’ll use Devise as our example.

Pre-existing solutions

There are a lot of great reasons to use pre-built authentication tools, such as Devise:

– Popular: Devise is by far the most popular authentication solution. It has almost 18 million downloads, a very active development community and lots of documentation.
– Robust: Devise is very robust: right out of the box it has 10 modules, including support for Omniauth, remembering users’ passwords, and locking users out after a number of failed sign in attempts.
– Flexible: Devise is built in a modular fashion, so you only use what you need, when you need it.
– Secure: Devise will most likely be more secure than a custom authentication solution you built, unless you have lots of experience doing that.

However, Devise isn’t without it’s disadvantages:

– Complex: Devise is not for the faint of heart. It’s a complex solutions with a lot of parts and configurations. In fact, Platformatec even say in their ReadMe it’s not good for beginners, especially those who have never worked with authentication systems before. Even after learning authentication fundamentals I still had some trouble getting started with it.
– Hides the details: Because of how Devise is built, it abstracts away most of the details. This can lead to a lack of understanding of how authentication is working or how to customize it for the project you’re working on.
– Customization: While Devise is customizable, it can be a pain to modify defaults to meet your project requirements. In my RailsPM project I had to spend a significant amount of time reading the documentation to figure out how to customize my routes, controller actions, and add extra parameters to my user model.

Custom Authentication System

So what about using a custom authentication system? There are a few reasons why you may want to consider doing this instead of using a pre-existing solution:

– Simple: Building a simple authentication system may be easier than implementing a complex solution such as Devise. You won’t have to worry about any code bloat or unnecessary modules, and you’ll fully understand the system.
– Fully customizable and adaptable: Since you’re building it yourself, you can customize it as necessary. Your solution can be flexible enough to meet changing project requirements.
– Great for learning: What better away to understand authentication than by building a system from the ground up.

But building your own authentication system also poses a number of challenges and risks for you and your users:

– Not Secure: If you have little experience with authentication, a system you build may not be as secure as a pre-existing solution. This is a huge risk for your users, especially if your application is handling sensitive information.
– Not Scalable: Your system may not be scalable if not developed correctly from the beginning. Without a long term vision and roadmap right at the start of the project, you may have to go back and refactor your entire authentication system.
– No features: Starting from scratch means you’ll have to build all of the features yourself and spend time “reinventing the wheel.” This may be mitigated if you have your own code snippets to reuse from other projects or a scaffolding tool.

My Recommendation

If you’ve have never done user authentication before, take the time to build your own custom authentication system and understand how everything works. BCrypt is an excellent hashing algorithm for storing your users’ passwords that you should use in conjunction with Rails’ built in password method has_secure_password. In a future post I may cover how to develop your own simple authentication system, but a quick Google search will reveal a number of tutorials on how to do this.

Devise is a solid gem packed with a lot of great features, but if you don’t understand how user authentication works you’ll probably end up giving yourself a lot of headaches. However, if you have a good understanding of authentication it’s a great solution to use in a lot of cases.

Alternatively, there a lot of other solutions out there that are a nice middle ground between complex tools such as Devise and a custom authentication system. I recommend doing your research (Ruby Toolbox will help) and seeing what solution best fits your project requirements!

Leave a Reply

Your email address will not be published. Required fields are marked *