Integration with Devise

[sergiopantoja]

Hi! I love this gem and the codebase looks great.

I'd love to integrate it with my current app that uses Devise. I can write a PR if you prefer.

It seems like we could hook into this line:

passwordless/app/controllers/passwordless/sessions_controller.rb

Line 45 in 51c1993

sign_in session.authenticatable

Instead of using the passwordless #sign_in method, we could use the Devise #sign_in method which will accept the same authenticatable object.

Or the passwordless #sign_in could check if Devise is enabled, and then call out to that.

Thoughts?

[mikker]

Hi! Thanks!

I'm not sure I want built-in devise integration. I'd like to keep the two separate. If we just move to use Devise's sign_in method we have to depend on Devise and I'd rather not. Devise uses Warden underneath and a whole lot of other concepts and frankly I kind-of wrote this to get away from Devise 😁.

(Devise is great though - no hate!)

Here's what I've done in a "legacy" app that previously used Devise, to keep the users' sessions after migrating to Passwordless:

  def current_user
    @current_user ||=
      authenticate_by_cookie(User) ||
      fallback_to_old_devise_session
  end

  def fallback_to_old_devise_session
    id = session.fetch('warden.user.user.key', []).dig 0, 0
    user = User.find_by(id: id)

    return nil unless user

    sign_in! user
  end

It's not necessarily pretty but it worked. What do you think? How can we keep the two separate and still make them work with each other?

[grekko]

Hey Mikkel,

first of all: I like the simplicity of passwordless. Thanks for your work and for publishing it.

I am currently evaluating different ways to gradually move towards a "Magic Link"-based (ML) authentication system. The migration should be gradual and not a full replacement for some UX concerns I yet need to refute.

Therefore my goal is to offer a new primary ML-based authentication system (e.g. via passwordless) and a secondary password-based authentication system (via devise).

Unfortunately both systems do not play well together for the reason that @sergiopantoja pointed out.

Devise uses Warden underneath and a whole lot of other concepts and frankly I kind-of wrote this to get away from Devise.

I agree that passwordless should definitely NOT depend on Devise (for many reasons) and for greenfield projects many people might not even use Devise anymore.

For brownfield projects (with existing users) that already use Devise I think it would very beneficial for passwordless to be able to co-exist Devise. This would allow developers to support a gradual migration from Devise to passwordless ;)

What do you think?

[mikker]

Hi @grekko! I think the two can co-exist with the "fix" I posted above? Just put Passwordless in front of Devise and let it fall back if necessary.

The user might end up with two cookies – but that's not necessarily a problem for them. Only problem is that it's probably going to end up confusing to you 😀

[mikker]

If you have any specific concerns about mixing the two let me know – I'll see if we can figure something out. But I think going for the simplest possible way is probably the best for both your project and Passwordless.

[grekko]

I think the two can co-exist with the "fix" I posted above? Just put Passwordless in front of Devise and let it fall back if necessary.

Hmm. I observed that Passwordless and Devise where both extending ApplicationController with a sign_in-method which lead to problems when using both gems but I might be mistaken. I will check this again and report.

But I think going for the simplest possible way is probably the best for both your project and Passwordless.

It turned out that I had to jump through some hoops to integrate Passwordless since it is using the isolate_namespace-Feature of Rails engines. I got it working with my app but had to change several things which ended up in a lot of complexity.

In the end I implemented my own MagicLink-Solution which is fairly simple since I am already using Devise (+ Warden) and probably wont be using Passwordless (for now).

Nevertheless I like your project and for a greenfield project I would not even go for Devise and instead give Passwordless a try.

Also if I am able to turn off password-bases authentication in the near future I might have a look at Passwordless again and be able to completely drop Devise + Warden.

So if you are interested I can describe the difficulties I had and provide a PR demonstrating the changes I made to Passwordless to make it work for me.

[mikker]

Passwordless doesn't touch ApplicationController unless told to (by using include Passwordless::ControllerHelpers in the case of sign_in). You could make your own sign_in method that takes this into account.

I'm very curious what isolate_namespace hindered? A PR or example project or whatever would be very helpful, thanks!

[grekko]

I'm very curious what isolate_namespace hindered? A PR or example project or whatever would be very helpful, thanks!

I have not much experience w/ Rails engines but I assume the isolate_namespace-directive enforces the main app to prefix all routes with main_app if a template is rendered within the context of the isolated Rails engine.

When rendering the /sign_in action of this example project you can see that 92c7fd7 throws a NameError: undefined local variable or method users_path. Changing users_path to main_app.users_path fixes that issue.

[grekko]

Passwordless doesn't touch ApplicationController unless told to (by using include Passwordless::ControllerHelpers in the case of sign_in). You could make your own sign_in method that takes this into account.

You are absolutely right. I just thought that if Passwordless would allow to be mixed together with Devise w/o too many manual customizations would make its adoption much easier.

I opened two PRs #14 and #15 to describe the other minor issues I stumbled upon.

[mikker]

Thanks a lot.

I suppose we could avoid isolate_namespace if we instead prefixed routes with passwordless_sign_in_path fx. This would though be trouble if an app has several records that log in passwordlessly. I think? Maybe not. Would you prefer that, @grekko ?

[abevoelker]

Heyo, I've used and enjoyed passwordless before, but I too needed a Devise integration. I took it as an opportunity to try out some ideas, so I ended up making my own gem for it: devise-passwordless.

Hopefully you don't mind me mentioning it here @mikker - this page comes up high on the "devise passwordless" google search so just wanted to provide an option to Devise people arriving here looking for one. And now maybe you won't feel like you have to support Devise as much if you don't want to. 😄

[mikker]

@abevoelker Very ok! Nice work 👏