Reputation: 889
I'm weighing up whether to roll my own authentication system (a la the excellent Railscast) or using Devise.
My question is, what are the potential pitfalls when not using Devise but going for something as per the Railscast? Are there security issues I need to think about that are not already covered in the cast? Any other pitfalls you can think of?
Edit: Why am I thinking about not using Devise? Part of the reason I am shying away from Devise is because I am not keen on its failed log-in protection. The way Devise does it means anyone can lock anyone else's account if they just know their email address. And it seems to me that on balance, I would be better off rolling my own than getting to know Devise inside out to make these changes, especially if I am going to need to do other things my own way too at some point in the future (which seems likely).
Upvotes: 2
Views: 1035
Reputation: 19203
For basic authentication (which means just having a username and a password), rolling out your own wouldn't have any serious pitfalls.
Now, if you also wanted:
Now these would be quite a bit harder to implement.
So, if you just want a basic authentication system, you can happily go with your own. But if you're worried about the future of your app, then maybe you should just go with Devise. It's not that hard to understand, it provides a ton of features and later you won't have to migrate your data when you actually decide to use Devise.
Edit: So, reiterating what I said. If this is a pet project and you just want to have a basic authentication system and authorization system, where you will only allow certain users to view certain pages, then you're free to implement your own and learn as you go along.
However, if this is something more serious, then I don't see any reason why you shouldn't go with Devise. It reminds me of people creating their own hashing and encryption schemes when they could (and should!) just use something powerful and safe like bcrypt.
Upvotes: 3
Reputation: 3384
I was asking the same question a while back. If you're looking to really dive in and spend some time on authentication, make your own. But if you want to get something pretty standard up fast so you can focus on the features of your app, I would recommend devise.
It doesn't appear the Lockable module is even on by default, but it's easily done either way.
```ruby
class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :token_authenticatable, :confirmable,
  # :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable
  ...
end
```
Also if you did use the Lockable module, since locking is based on a number of failed authentication attempts, you can change the maximum number of attempts before triggering a lock in config/initializers/devise.rb
```ruby
Devise.setup do |config|
  ...
  # Number of authentication tries before locking an account if lock_strategy
  # is failed attempts.
  config.maximum_attempts = 20
  ...
end
```
Just take a quick read through https://github.com/plataformatec/devise#devise
Upvotes: 2
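To make the trade-off in this thread concrete, here is an added, stand-alone Ruby model of the failed-attempts lock that Devise's Lockable module implements. It is example code written for this page, not Devise's own code or anything from the Railscast. It mirrors the two knobs the thread talks about (`maximum_attempts`, and a time-based unlock that Devise exposes as `unlock_in`) so you can see why the asker's concern is real: anyone who knows the e-mail can push the counter to the limit, and the time-based unlock is what bounds that denial of service to a window rather than a permanent lock. The class name `LockableAccount` and the injectable `clock` are assumptions made for the example, and PBKDF2 from Ruby's standard `openssl` library stands in for the bcrypt the first answer recommends, purely so the snippet runs without extra gems.

```ruby
require 'openssl'
require 'securerandom'

# Minimal model of a Devise-style "lockable" account (example code, not Devise).
# - maximum_attempts: failed logins before the account locks (Devise default is 20)
# - unlock_in:        seconds after which a time-based unlock clears the lock
# The clock is injectable so tests can advance time without sleeping.
class LockableAccount
  attr_reader :email, :failed_attempts, :locked_at

  def initialize(email, password, maximum_attempts: 20, unlock_in: 3600, clock: -> { Time.now })
    @email = email
    @maximum_attempts = maximum_attempts
    @unlock_in = unlock_in
    @clock = clock
    @salt = SecureRandom.random_bytes(16)
    @digest = derive(password)          # never store the password itself
    @failed_attempts = 0
    @locked_at = nil
  end

  # True while a lock is in force; expires the lock once unlock_in has elapsed.
  def locked?
    return false if @locked_at.nil?
    if @clock.call - @locked_at >= @unlock_in
      @locked_at = nil                   # time-based unlock, as Devise's :time strategy does
      @failed_attempts = 0
      return false
    end
    true
  end

  # Returns :ok, :invalid or :locked. Note that a correct password is refused
  # while locked: this is exactly the lockout-by-third-party the question raises.
  def authenticate(password)
    return :locked if locked?
    if secure_equal?(@digest, derive(password))
      @failed_attempts = 0               # success resets the counter
      return :ok
    end
    @failed_attempts += 1
    @locked_at = @clock.call if @failed_attempts >= @maximum_attempts
    locked? ? :locked : :invalid
  end

  private

  # PBKDF2-HMAC-SHA256 as a dependency-free stand-in for bcrypt (assumption for this example).
  def derive(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, 20_000, 32, OpenSSL::Digest.new('SHA256'))
  end

  # Constant-time comparison so a wrong guess is not distinguishable by timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replays the scenario from the question: someone who only knows the e-mail
# submits wrong passwords, the real user is then refused, and the lock expires.
# Returns the sequence of outcomes so the timeline can be inspected.
def lockout_timeline(maximum_attempts: 3, unlock_in: 3600)
  now = Time.at(0)
  account = LockableAccount.new('user@example.invalid', 'correct horse',
                                maximum_attempts: maximum_attempts,
                                unlock_in: unlock_in, clock: -> { now })
  results = Array.new(maximum_attempts) { account.authenticate('not the password') }
  results << account.authenticate('correct horse')   # legitimate user, still locked
  now += unlock_in                                    # lock window elapses
  results << account.authenticate('correct horse')   # unlocked again
  results
end

puts lockout_timeline.inspect if $PROGRAM_NAME == __FILE__
```

Raising `config.maximum_attempts` as the answer suggests only makes the third-party lockout take more requests; the unlock window (and Devise's alternative e-mail-based unlock strategy) is what decides how long a victim stays locked out, so that is the setting to think about when weighing Devise against a hand-rolled scheme.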