excid3/revise_auth

Extensions

Closed this issue · 12 comments

Are you planning to support optional extensions like locking accounts on brute-force attempts, sudo mode, etc?
I would be happy to help with those if there is an example of how you would like them to be implemented.

That would be awesome. I don't have any examples on how to do extensions yet, so I'm open to suggestions.

One idea might be to swap the included module with a class method that takes options.

class User < ApplicationRecord
  revise_auth locking_enabled: true
end

Or we can keep it simple with an initializer config that defines the features (which might be cleaner).
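An added example, not code from revise_auth or its author, of what the account-locking extension asked about in this issue could look like behind a class macro that takes options, in the spirit of the `revise_auth locking_enabled: true` idea above. `ReviseAuth::Model`, the option names and the in-memory counters are assumptions; a real implementation would persist `failed_attempts` and `locked_at` on the record.

```ruby
require "openssl"

# Added example, not revise_auth's own code. ReviseAuth::Model, the option
# names and the in-memory counters are assumptions for illustration.
module ReviseAuth
  module Model
    def self.included(base)
      base.extend(ClassMethods)
    end

    module ClassMethods
      # Options live on the class, so Admin and User can be configured differently.
      def revise_auth(locking_enabled: false, max_attempts: 5, lock_duration: 15 * 60)
        @revise_auth_options = { locking_enabled: locking_enabled,
                                 max_attempts: max_attempts,
                                 lock_duration: lock_duration }
      end

      def revise_auth_options
        @revise_auth_options || revise_auth
      end
    end

    attr_reader :locked_at

    def failed_attempts
      @failed_attempts || 0
    end

    def password=(plain)
      @salt = OpenSSL::Random.random_bytes(16)
      @password_digest = digest(plain, @salt)
    end

    # A lock expires after lock_duration; expiry also resets the failure counter.
    def locked?(now: Time.now)
      opts = self.class.revise_auth_options
      return false unless opts[:locking_enabled] && @locked_at
      if now - @locked_at >= opts[:lock_duration]
        @locked_at = nil
        @failed_attempts = 0
        return false
      end
      true
    end

    # Locked accounts are refused before the password is examined, so guesses
    # against a locked account gain nothing and cannot reset the counter.
    def authenticate(plain, now: Time.now)
      return false if locked?(now: now)
      if secure_compare(digest(plain, @salt), @password_digest)
        @failed_attempts = 0
        true
      else
        register_failure(now)
        false
      end
    end

    private

    def register_failure(now)
      @failed_attempts = failed_attempts + 1
      opts = self.class.revise_auth_options
      @locked_at = now if opts[:locking_enabled] && failed_attempts >= opts[:max_attempts]
    end

    def digest(plain, salt)
      OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, 10_000, 32, OpenSSL::Digest.new("sha256"))
    end

    # Constant-time comparison so response time does not leak matching prefixes.
    def secure_compare(a, b)
      return false unless a.bytesize == b.bytesize
      diff = 0
      a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
      diff.zero?
    end
  end
end

class User
  include ReviseAuth::Model
  revise_auth locking_enabled: true, max_attempts: 3, lock_duration: 600
end

class Admin
  include ReviseAuth::Model
  revise_auth locking_enabled: false
end

# Constructed walk-through: three wrong guesses lock the User, the correct
# password is then refused, and it works again once the lock has expired.
def demo_lockout
  user = User.new
  user.password = "correct horse"
  t0 = Time.now
  results = 3.times.map { user.authenticate("wrong", now: t0) }
  results << user.authenticate("correct horse", now: t0 + 1)    # still locked
  results << user.authenticate("correct horse", now: t0 + 601)  # lock expired
  results
end
```

The check order matters: `locked?` runs before the password is hashed, so a locked account gives the same answer for every guess, and the `now:` parameter is only there so the expiry path can be exercised without waiting.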

The initializer would be cleaner, but what if you have multiple models authenticated, let's say Admin and User, and you only want to enforce 2FA on Admin?

Good point, although I'm not sure if I even want to support authenticating multiple models? Maybe we should, but it adds a lot of complexity.

That's true, but that would make it a great alternative to Devise.

If we can figure out a clean way of doing it, I'd be happy to support it.

I think we'd have to do something like the Devise routes like

revise_auth :user

# Generates routes with the scope. 
/users/sign_up
/users/login
/users/profile

Then somehow the controller needs to figure out the model from the route.

Looks like we can use defaults to set the param for us to easily choose the right model?

get "users/sign_up", to: "registrations#create", defaults: { model: "User" }

We'd still need to figure out a way to handle authenticate_user! and the other methods for each model.

What are your thoughts on 2FA and passwordless authentication support built-in to this library? I'd like to contribute if you think it belongs here.

@excid3 can we define those methods from the method which adds the routes? If not, maybe we could have a global registry of authenticable models, and we can have a method missing in the controller to catch calls to authenticate_#{MODEL_NAME}.

Yes please! I'd also like to do OAuth (client and provider like doorkeeper)

For methods like authenticate_user!, a random thought on this:

  • Probably for the majority of apps, it will likely be a single "User" model, so having a default set of methods suffixed with _user should work. eg. authenticate_user!
  • As Greg mentioned, there may be use cases where different models are used (eg. Admin, AwesomeUser, etc)
  • Back when working with Devise on apps (many years after the initial implementation), the metaprogrammed method generations are sometimes hard to trace/find.
  • An idea to avoid too much metaprogramming could be to have something like this instead:

class SomeProtectedController < ApplicationController
  revise_auth_with :user
  before_action :revise_authenticate!
end

It's a bit more verbose, but it may make (future) code maintenance easier (I'm thinking about my future 2033 self).
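An added example, not code from revise_auth or anyone in this thread, putting the two helper styles discussed above side by side in plain Ruby with no Rails: the global registry of authenticatable models with a `method_missing` that resolves `authenticate_<model>!` and `current_<model>`, and the explicit `revise_auth_with :scope` plus `revise_authenticate!` variant. The registry, the `"<scope>_id"` session keys, `ReviseAuth::Unauthenticated` and the macro itself are assumptions; the fixture rows are constructed for the demo.

```ruby
# Added example, not revise_auth's own code. The registry, the "<scope>_id"
# session keys, the Unauthenticated error and revise_auth_with are assumptions.
module ReviseAuth
  class Unauthenticated < StandardError; end

  @registry = {}   # global registry of authenticatable models, keyed by scope
  class << self
    attr_reader :registry
    def register(scope, model)
      @registry[scope.to_sym] = model
    end
  end

  module Controller
    PATTERN = /\A(authenticate|current)_([a-z_]+?)(!?)\z/

    def self.included(base)
      base.extend(ClassMethods)
    end

    module ClassMethods
      attr_reader :revise_auth_scope

      # Explicit style: bind the controller to one scope where it is declared.
      def revise_auth_with(scope)
        raise ArgumentError, "unknown scope #{scope}" unless ReviseAuth.registry.key?(scope.to_sym)
        @revise_auth_scope = scope.to_sym
      end
    end

    # Each scope reads its own session key, so a logged-in User never
    # satisfies an Admin check and vice versa.
    def current_for(scope)
      model = ReviseAuth.registry.fetch(scope) { raise ArgumentError, "unknown scope #{scope}" }
      id = session["#{scope}_id"]
      id && model.find_by_id(id)
    end

    # Fails closed: no record for the scope raises rather than returning nil.
    def authenticate_for!(scope)
      current_for(scope) or raise Unauthenticated, "no #{scope} session"
    end

    def revise_authenticate!
      scope = self.class.revise_auth_scope or raise ArgumentError, "revise_auth_with not declared"
      authenticate_for!(scope)
    end

    # Metaprogrammed style: authenticate_user! / current_admin are resolved on
    # demand, but only for scopes present in the registry.
    def revise_auth_dispatch(name)
      m = PATTERN.match(name.to_s) or return nil
      scope = m[2].to_sym
      return nil unless ReviseAuth.registry.key?(scope)
      case [m[1], m[3]]
      when ["authenticate", "!"] then [:authenticate_for!, scope]
      when ["current", ""]       then [:current_for, scope]
      end
    end

    def method_missing(name, *args, &blk)
      target = revise_auth_dispatch(name) or return super
      public_send(*target)
    end

    def respond_to_missing?(name, include_private = false)
      !revise_auth_dispatch(name).nil? || super
    end
  end
end

# Constructed stand-ins for ActiveRecord models and their rows.
User  = Struct.new(:id)
Admin = Struct.new(:id)
ROWS  = { User => { 1 => User.new(1) }, Admin => { 7 => Admin.new(7) } }
[User, Admin].each { |m| m.define_singleton_method(:find_by_id) { |id| ROWS[m][id] } }
ReviseAuth.register(:user, User)
ReviseAuth.register(:admin, Admin)

class BaseController
  include ReviseAuth::Controller
  attr_reader :session
  def initialize(session)
    @session = session
  end
end
class ProfilesController < BaseController; end   # relies on authenticate_user!
class AdminDashboardController < BaseController
  revise_auth_with :admin
end

def demo_scopes
  user_session = { "user_id" => 1 }
  admin_blocked = begin
    AdminDashboardController.new(user_session).revise_authenticate!
    false
  rescue ReviseAuth::Unauthenticated
    true
  end
  { user_ok: ProfilesController.new(user_session).authenticate_user!.id,
    user_blocked_as_admin: admin_blocked,
    admin_ok: AdminDashboardController.new("admin_id" => 7).revise_authenticate!.id,
    unknown_scope: ProfilesController.new(user_session).respond_to?(:authenticate_customer!) }
end
```

Both styles share `current_for`/`authenticate_for!`, so the session layout and the fail-closed behaviour are decided once; the `method_missing` layer only adds name resolution, and because it consults the registry, a typo such as `authenticate_customer!` is still a `NoMethodError` rather than a silently passing filter.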

@excid3 I was thinking about this multiple-model authentication and I think you are right, and the added complexity wouldn't be worth supporting it. If someone wants to have separate authenticated models, it would be recommended to use a role-based approach instead.
So for the extensions, probably an initializer would be the cleanest solution.

@gregmolnar yeah, I think so too. I always implement roles and supporting multiple models really goes down the rabbit hole of complexity. Might just be an "anti-feature" we need to make clear.