giant robots smashing into other giant robots

Written by thoughtbot

September 1, 2009

dancroak

Always remember me

Clearance now uses only cookies with a long expiration as its default. The effect is always remembering the user unless they ask to be signed out.

“I’ll never let go, Jack! I’ll never let go!”

A better “remember” default

A couple of weeks ago, I asked how Clearance should handle “remember me”

PJ Hyett’s argument won the day:

Assuming people using shared computers can’t remember to log out is insulting at best and annoying to everyone else that has exclusive access. Cookies with long expirations should always be the default.

Clearance, as of today’s 0.8.2 release, works exactly this way.

Cleaner under the hood

Fewer conditionals. No special cases. Just do one thing well.

       def current_user
-        @_current_user ||= (user_from_cookie || user_from_session)
+        @_current_user ||= user_from_cookie
       end

       def user_from_cookie
         if token = cookies[:remember_token]
-          return nil  unless user = ::User.find_by_remember_token(token)
-          return user if     user.remember?
+          ::User.find_by_remember_token(token)
         end
       end

If you look through the recent commits, it’s a glorious sea of red as lines of code were removed.

Deprecations of shoulda macros

Originally, we had between a dozen and two dozen shoulda macros. They’re almost all deprecated now, continuing a trend over the last six months. The macros that have survived are:

sign_in_as(Factory(:email_confirmed_user))
sign_in
sign_out
should_deny_access
should_forbid

Want to upgrade?

You’ll want to:

  • migrate your schema
  • watch out for a cookies gotcha
  • regenerate Cucumber features
  • remove the “remember me” checkbox!

Migrate your schema

If you decide to upgrade, you’ll need to migrate your database schema, as we also finally addressed the “double duty” that token/token_expires_at used to play. It is now split into a confirmation_token and a remember_token.

Cookies gotcha

Like most things in software, this decision comes with a tradeoff. When cookies are set, they are not available until the next request.

So be careful with functional tests that depend that cookies. Try to use the current_user method where possible.

Cucumber features

This is a minor change. They mostly combine “remember me” scenarios into the basic scenario. If you don’t want to run the generator again, you can probably figure out what needs to be altered on your own.

Issues

As always, if you find any issues, please report them at Github Issues. Thanks and happy coding!

Written by .

August 16, 2009

dancroak

Blossom the lovely stars, the forget-me-nots of the angels

“Silently, one by one, in the infinite meadows of Heaven, Blossom the lovely stars, the forget-me-nots of the angels.” Evangeline by Henry Wadsworth Longfellow

You’re writing a Rails app. You want users to be able to sign in.

You decide to use Clearance.

How do you expect it to handle “remember me” out of the box?

Remember unchecked by default

Basecamp:

Basecamp

Gmail:

Gmail

Remember me checked by default

Eventbrite:

Eventbrite

No remember me, automatically sets a cookie

Github:

Github

Tumblr:

Tumblr

What should an authentication framework prefer?

Right now, Clearance comes with remember unchecked by default. I’m leaning towards changing it to checked by default.

What do you think?