Always remember me

Clearance now uses only cookies with a long expiration as its default. The effect is always remembering the user unless they ask to be signed out.

“I’ll never let go, Jack! I’ll never let go!”

The only place to go after the Care Bears is the Titanic.

A better “remember” default

A couple of weeks ago, I asked how Clearance should handle “remember me”

PJ Hyett’s argument won the day:

Assuming people using shared computers can’t remember to log out is insulting at best and annoying to everyone else that has exclusive access. Cookies with long expirations should always be the default.

Clearance, as of today’s 0.8.2 release, works exactly this way.

Cleaner under the hood

Fewer conditionals. No special cases. Just do one thing well.

       def current_user
-        @_current_user ||= (user_from_cookie || user_from_session)
+        @_current_user ||= user_from_cookie
       end

       def user_from_cookie
         if token = cookies[:remember_token]
-          return nil  unless user = ::User.find_by_remember_token(token)
-          return user if     user.remember?
+          ::User.find_by_remember_token(token)
         end
       end

If you look through the recent commits, it’s a glorious sea of red as lines of code were removed.

Deprecations of shoulda macros

Originally, we had between a dozen and two dozen shoulda macros. They’re almost all deprecated now, continuing a trend over the last six months. The macros that have survived are:

sign_in_as(Factory(:email_confirmed_user))
sign_in
sign_out
should_deny_access
should_forbid

Want to upgrade?

You’ll want to:

• migrate your schema
• watch out for a cookies gotcha
• regenerate Cucumber features
• remove the “remember me” checkbox!

Migrate your schema

If you decide to upgrade, you’ll need to migrate your database schema, as we also finally addressed the “double duty” that token/token_expires_at used to play. It is now split into a confirmation_token and a remember_token.

Cookies gotcha

Like most things in software, this decision comes with a tradeoff. When cookies are set, they are not available until the next request.

So be careful with functional tests that depend that cookies. Try to use the current_user method where possible.

Cucumber features

This is a minor change. They mostly combine “remember me” scenarios into the basic scenario. If you don’t want to run the generator again, you can probably figure out what needs to be altered on your own.

Issues

As always, if you find any issues, please report them at Github Issues. Thanks and happy coding!

Blossom the lovely stars, the forget-me-nots of the angels

“Silently, one by one, in the infinite meadows of Heaven, Blossom the lovely stars, the forget-me-nots of the angels.” Evangeline by Henry Wadsworth Longfellow

You’re writing a Rails app. You want users to be able to sign in.

You decide to use Clearance.

How do you expect it to handle “remember me” out of the box?

Remember unchecked by default

Basecamp:

Gmail:

Remember me checked by default

Eventbrite:

No remember me, automatically sets a cookie

Github:

Tumblr:

What should an authentication framework prefer?

Right now, Clearance comes with remember unchecked by default. I’m leaning towards changing it to checked by default.

What do you think?

Clearance: Rails authentication for developers who write tests

Authentication is a common pattern in Rails apps. Thus, there have been many authentication plugins. We’ve tried acts_as_authenticated and restful_authentication over the years.

We found that user authentication is hard to generalize. Most abstracted authentication plugins had both too much and too little for us.

We then tried writing authentication from scratch on our clients’ Rails apps for about a year. We felt better about test coverage but it was still a pain to re-write similar code. App after app, we talked about extracting common code into a library. Each time we resisted.

After a while, we made the decision that maybe 60% of authentication could be re-used. We extracted Hoptoad’s authentication at last year’s Lone Star Ruby Conference, then merged code from two of our clients’ apps. We named the gem Clearance.

On the first attempt, we went overboard on re-use. We backed off and Mike wrote hooks in places we were finding logical extension points. For the past few months, patches have trickled in from Github and we’ve carefully included code that fits in the “60%”.

We recently started a new project. In the process, we’ve polished the gem and are happy to announce its official release.

Clearance

1. Sign up
2. Confirm email
3. Sign in
4. Sign out
5. Reset password

Get version 0.4.5 on Github.

Modules, Shoulda, & Factory Girl

Clearance is focused on maintainability of your application’s authentication code.

• Include comprehensive Shoulda & Factory Girl tests in your Rails app’s test suite.
• Encapsulate authentication logic in modules which are included in your controllers, models, & tests.

This approach keeps your Rails application’s code clean and alerts you if you ever break your authentication code.

Due to the work we’ve been doing to make Shoulda test framework-agnostic, you will be able to use RSpec in the 0.5.0 release of Clearance.

Test::Unit and Cucumber features are already supported:

script/generate clearance
script/generate clearance_features

Conventions

To keep our approach simple, we made a series of design decisions:

• User model required.
• User model uses attr_accessible.
• Authenticate by email (not username) & password.
• Users must be confirmed via email.
• Vocabulary restricted to Trinity of Signs: “sign up”, “sign in”, “sign out”

Beyond

Clearance does not try to be a Swiss Army knife but it does have some hooks if you want admin roles, sign up and sign in by username in addition to email, or something else.

Please report bugs and request features on Clearance’s Lighthouse account.

There is also a mailing list for questions.