It is interesting to watch how the “login” discussion on the Rails Mailing List evolves. There is an abundance of choice for developers who want to integrate login functionality into a rails application. A sample selection;
- Auth Generator
- Model Security
- Extensible Authorization for Rails
My current project requires “login” functionality so I thought I would have a look at some of these projects to see what they offered and to see how easy it would be to integrate one of the existing software products. To my dismay I found that all of them seemed to try and do too much of one thing or not enough of another. Now I think I am begining to understand why rails does not consider these components worthy of core or not evil but distracting .
All of the systems seem to mix different concerns in the one system. What I would like to see is the ability to separate out authentication from authorization. In the software I am currently developing users do not register for an account but must be explicitly added and passwords must not be stored in clear text. Next month I will be helping to develop a system where each user authentication attempt is delegated to an external system, if the user authenticates then a user account is created if it does not exist. If all goes well I will be developing another system about March next year that uses HTTP authentication.
However in each of these applications there will need to be a very similar concept of authorization. Each application will have a fixed set of parameterizable permissions, roles/groups that are granted these permissions and linkage between users and roles/groups. All of the solutions that I looked at seem to lump too much functionality together. If only they had separated out the pieces into smaller reusable chunks then I would be jumping at the chance to reuse them. As it stands it looks like I am going to end up reinventing the wheel as it is just less work.