Extensions

[gregmolnar]

Are you planning to support optional extensions like locking accounts on brute-force attempts, sudo mode, etc?
I would be happy to help with those if there is an example of how you would like them to be implemented.

[excid3]

That would be awesome. I don't have any examples on how to do extensions yet, so I'm open to suggestions.

One idea might be to swap the included module with a class method that takes options.

class User < ApplicationRecord
  revise_auth locking_enabled: true
end

Or we can keep it simple with an initializer config that defines the features (which might be cleaner).

[gregmolnar]

The initializer would be cleaner, but what if you have multiple models authenticated, let's say Admin and User, and you only want to enforce 2FA on Admin?

[excid3]

Good point, although I'm not sure if I even want to support authenticating multiple models? Maybe we should, but it adds a lot of complexity.

[gregmolnar]

That's true, but that would make it a great alternative to devise.

[excid3]

If we can figure out a clean way of doing it, I'd be happy to support it.

I think we'd have to do something like the Devise routes like

revise_auth :user

# Generates routes with the scope. 
/users/sign_up
/users/login
/users/profile

Then somehow the controller needs to figure out the model from the route.

[excid3]

Looks like we can use defaults to set the param for us to easily choose the right model?

get "users/sign_up", to: "registrations#create", defaults: { model: "User" }

We'd still need to figure out a way to handle authenticate_user! and the other methods for each model.

[bdewater]

What are your thoughts on 2FA and passwordless authentication support built-in to this library? I'd like to contribute if you think it belongs here.

[gregmolnar]

@excid3 can we define those methods from the method which adds the routes? If not, maybe we could have a global registry of authenticable models, and we can have a method missing in the controller to catch calls to authenticate_#{MODEL_NAME}.

[excid3]

What are your thoughts on 2FA and passwordless authentication support built-in to this library? I'd like to contribute if you think it belongs here.

Yes please! I'd also like to do OAuth (client and provider like doorkeeper)

[geetfun]

For methods like authenticate_user!, a random thought on this:

• Probably for the majority of apps, it will likely be a single "User" model, so having a default set of methods suffixed with _user should work. eg. authenticate_user!
• As Greg mentioned, there may be use cases where different models are used (eg. Admin, AwesomeUser, etc)
• Back when working with Devise on apps (many years after the initial implementation), the metaprogrammed method generations are sometimes hard to trace/find.
• An idea to avoid too much metaprogramming could be to have something like this instead:

class SomeProtectedController > ApplicationController
  revise_auth_with :user
  before_action :revise_authenticate!
end

It's a bit more verbose, but it may make (future) code maintenance easier (I'm thinking about my future 2033 self).

[gregmolnar]

@excid3 I was thinking about this multiple-model authentication and I think you are right, and the added complexity wouldn't be worth supporting it. If someone wants to have separate authenticated models, it would be recommended to use a role-based approach instead.
So for the extensions, probably an initializer would be the cleanest solution.

[excid3]

@gregmolnar yeah, I think so too. I always implement roles and supporting multiple models really goes down the rabbit hole of complexity. Might just be an "anti-feature" we need to make clear.