Authentasaurus … the long-awaited tutorial!! [part 1]
So my co-workers have been harassing me to write this tutorial for ages, and today I decided it was time to get back to writing for my blog instead of writing for other blogs :P
So what is Authentasaurus?
For code junkies
Authentasaurus is a Ruby on Rails plugin for restful authentication and authorization locally and remotely.
For normal people
I am pretty sure that you are not remotely interested in any geeky topic, so scram (but not for too long :) I do write on other topics from time to time :D)
So now that we have filtered out the nasty end-users, let me dive into the details.
Why another restful authentication and authorization plugin?
Writing plugins is always a good practice for learning the ins and outs of frameworks, and for that reason I started Authentasaurus.
Back then there were a few good plugins covering that topic, such as the famous and gr8 AuthLogic, but none was up to my needs and mash’s needs: each did either authentication or authorization, which meant more plugins and different syntaxes (I actually checked the web for the plural of syntax :D). It also meant less successful plugin updates for the plugins that depend on AuthLogic, and so the idea of Authentasaurus became more logical.
What’s different about Authentasaurus?
While Authentasaurus still follows the same rules restful authentication plugins do, it differs from most in three main ways:
- It is a Rails engine, which means less chaos in your code directories
- It works for both local authentication and remote authentication (for things like single sign-in solutions, but that is a whole other topic that I will cover in the near future in shaa’ allah - if God wills -)
- While role-based authorization is good for most applications, I found it less powerful than good old permission-based authorization; so I merged both into group-permission authorization, for the power of permissions and the flexibility of roles
As a Rails engine
When I first started building Authentasaurus it was a generator plugin, meaning it would stub out all the models, controllers, views and migrations needed for authentication and authorization into your code directories.
This had two problems. Almost every time we needed to update the plugin for security fixes, or simply update the relations in the main models, we had to either edit them manually in every project or destroy the generated files and generate them again; this was error-prone and redundant.
The second problem was the excess chaos the generated files created: it was confusing and sometimes quite useless (for the times we only needed authentication but not authorization).
Engines solved both problems. Now that the files are not located in your application directory, updating the plugin is as easy as changing the version in your configuration file (if you are using the gem) or replacing the old plugin with the new one in your vendor directory. It also means you can use Authentasaurus without having its files mess up the directories of your application.
Of course this came at a cost: as an engine the plugin was less customizable, and we had to develop an API for customizing it from your application, outside the plugin. The awesomeness of Ruby came to our aid and let us create a consistent DSL for extending Authentasaurus, which I will cover in later tutorials. Having that DSL in hand also allowed us to make Authentasaurus modular, which means you get only what you need out of it rather than the whole package.
Local and Remote authentication
With “Single sign-in solutions” becoming more and more needed, we were tired of writing a new API every time we needed to integrate an application with our central data server.
This motivated us to include a remote authentication module in Authentasaurus that can authenticate users across applications and cache their data locally when needed.
I will cover that topic in the near future ISA.
Group-Permission authorization
As I mentioned, role-based authorization was just not cutting it in our projects: it was flexible and very dynamic in the DB, but that led to less dynamic code, because the code still has to name each role it checks. Group-permission authorization, on the other hand, is just as flexible and dynamic in the DB while the code stays static: you can create groups at runtime and your authorization will still work for them, because Authentasaurus only knows read and write permissions and uses those to authorize group members. Here is an example of a write permission requirement on the create action of the pages controller:
class PagesController < ApplicationController
  # Only members of a group holding write permission may reach the create action
  require_write :create

  def create
    # Your creation code here
  end
end
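To make the group-permission idea concrete, here is an added, stand-alone Ruby sketch of the same kind of check; it is not Authentasaurus’s own code, and the Group, User and authorized? names, the per-area permission model and the action-to-level mapping are all assumptions made for the illustration.

```ruby
# Added illustration of group-permission authorization, not the plugin's code.
# Assumptions: a Group holds per-area permissions, each permission is either
# :read or :write (write implies read), and a User belongs to many groups.
Permission = Struct.new(:area, :level)

class Group
  attr_reader :name, :permissions

  def initialize(name)
    @name = name
    @permissions = []
  end

  # Grant a permission on an area such as "pages"; only :read and :write exist.
  def allow(area, level)
    raise ArgumentError, "level must be :read or :write" unless %i[read write].include?(level)
    @permissions << Permission.new(area.to_s, level)
    self
  end

  # A write permission satisfies both read and write requests; read only read.
  def permits?(area, level)
    @permissions.any? do |perm|
      perm.area == area.to_s && (perm.level == :write || level == :read)
    end
  end
end

class User
  attr_reader :groups

  def initialize(groups = [])
    @groups = groups
  end

  # Authorized if any group the user belongs to permits the area at that level.
  def can?(area, level)
    groups.any? { |g| g.permits?(area, level) }
  end
end

# Mirror of `require_write :create`: each action needs only :read or :write,
# so the code never names a group; groups can be created at runtime.
ACTION_LEVELS = { index: :read, show: :read, create: :write, update: :write, destroy: :write }.freeze

def authorized?(user, area, action)
  level = ACTION_LEVELS[action.to_sym]
  return false unless level # unknown actions are denied by default
  user.can?(area, level)
end
```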
Conclusion
As you can see, Authentasaurus is not just another restful authentication and authorization plugin for Rails; it continues where other plugins have stopped, and while it may have a harder name than the others, it is just as powerful when used correctly.
Even though I am the creator of Authentasaurus, I encourage you to check other options and solutions for authentication and authorization, such as AuthLogic, CanCan and Devise; each has its pros and cons, and none is simply better than the others.
Next Part
In the next part I will take you through the basics of setting up and using Authentasaurus in your application isa.