Sunday, May 17, 2009

Rails Authentication: restful_authentication vs. authlogic

I've been spending a bit of time comparing Rails authentication mechanisms. The two main frameworks out there are the "restful-authentication" and "authlogic" libraries. The two provide the same general-purpose functionality: users, sessions, cookies and emails.

The Restful authentication library is the current popular choice. I believe this is due to it being one of the first real options, as well as coverage in books like "Advanced Rails Recipes". The library is incredibly complex and opaque, though. It relies heavily on generators and hidden code to produce its functionality. The install instructions are an exercise in command-line arguments rather than code.

Authlogic has proven to be far simpler to digest. No real magic involved. One of the stated goals of the library is to be able to treat sessions as you would an Active Record model. You create a session, save a session and destroy a session like you would any other model. There are no generators; you write the code yourself, and there is very little of it. The basic set of columns you need for a "User" shows you that the library is well thought out with regard to security and usefulness. There are a number of columns, though, and this leads to a heavy initial copy & paste. I felt a bit dirty having to do that, but I'll get over it. The rest of the code I have to write is transparent and understandable, a big plus. Oh, and do not assume that because "restful" isn't in the title it is lacking there. It isn't; follow the tutorial and you'll produce a very restful solution.

You can probably tell from the above two paragraphs that I'm favoring Authlogic at this point. I definitely like the transparency and simplicity of it. To learn more about Authlogic you can follow along with the README in the main repository as well as the fantastic tutorial app. There are also a few extra tutorials on Ben Johnson's blog around password resets and OpenID.