Coming from Vim, I was really used to rails.vim. When I switched to Zed, I started using Ruby LSP. In some ways I felt like I’d gained superpowers, as now I had all these modern editor features that are possible because my Ruby code is actually being parsed. On the other hand, I found there were some features I was missing.

One such feature was following render calls in view templates. Rails.vim offered a gf (“go to file”) mapping, which when hovering over a render call would take me to the partial being rendered. In LSP terminology this functionality is called “go to definition”. If I were to implement it, I knew it had to live in the Rails add-on.

LSP mechanics

Before we can get into the weeds, we need to establish how language servers work. The Language Server Protocol (LSP) defines JSON-RPC messaging between a code editor and a server process.

When you hover over a Ruby class constant and hold cmd, Zed will send a message to Ruby LSP in the following format:

{
  "jsonrpc": "2.0",
  "id": 5,
  "method": "textDocument/definition",
  "params": {
    "textDocument": {
      "uri": "file:///path/to/source.rb"
    },
    "position": { "line": 7, "character": 27 }
  }
}

Since Ruby LSP indexes all constant declarations on initialization, it can then respond with the location where the constant is defined:

{
  "id": 5,
  "result": [
    {
      "targetUri": "file:///path/to/class.rb",
      "targetRange": {
        "start": { "line": 8, "character": 2 },
        "end": { "line": 253, "character": 5 }
      },
      "targetSelectionRange": {
        "start": { "line": 8, "character": 9 },
        "end": { "line": 8, "character": 19 }
      }
    }
  ],
  "jsonrpc": "2.0"
}

Here we can see Ruby LSP returned the location of the class ... end block (targetRange) as well as the constant name the editor should select (targetSelectRange). Notice that the result field is an array, allowing for multiple locations in case the class is re-opened more than once (for which Zed will open a multibuffer).

Custom add-on

Back to the task at hand. I needed to test out my Ruby LSP extension locally first. It turns out Ruby LSP will automatically pick up any add-ons in your project directory, they just need to match **/ruby_lsp/**/addon.rb. So, I put mine in lib/ruby_lsp/my_app/addon.rb:

# lib/ruby_lsp/my_app/addon.rb
require "ruby_lsp/addon"

module RubyLsp
  module MyApp
    class Addon < RubyLsp::Addon
      def activate(global_state, outgoing_queue)
        outgoing_queue << Notification.window_log_message("Activated My App addon")
      end
    end
  end
end

If everything works correctly, after restarting your Ruby LSP server, you should see the “Activated My App addon” message in the language server logs.

When Ruby LSP receives a textDocument/definition request, it calls #create_definition_listener on every add-on with some parameters, allowing them to add their own locations to the response. Let’s override it:

# lib/ruby_lsp/my_app/addon.rb
# ...
require_relative "definition"

module RubyLsp
  module MyApp
    class Addon < RubyLsp::Addon
      # ...
      def create_definition_listener(...)
        Definition.new(...)
      end
    end
  end
end

# lib/ruby_lsp/my_app/definition.rb
module RubyLsp
  module MyApp
    class Definition
      def initialize(response_builder, uri, node_context, dispatcher)
        @response_builder = response_builder
        @path = uri.to_standardized_path
        @node_context = node_context
        @dispatcher = dispatcher
      end
    end
  end
end

Prism drilling

Ruby LSP will use Prism to parse the source document where we activated go-to-definition, set up a dispatcher for walking the AST, and save the context of the AST node you’re hovering over. In our case, we want to react on partial names passed to render calls. Since these are strings, let’s register a listener for entering string nodes:

# lib/ruby_lsp/my_app/definition.rb
module RubyLsp
  module MyApp
    class Definition
      def initialize(response_builder, uri, node_context, dispatcher)
        # ...
        dispatcher.register(self, :on_string_node_enter)
      end

      def on_string_node_enter(node)
        # ...
      end
    end
  end
end

First things first, we can only support following render calls inside HTML+ERB templates, as in helpers we don’t have the view/controller context. So, let’s early return otherwise:

def on_string_node_enter(node)
  return unless html_erb?
end

private

def html_erb?
  @path&.match?(/\.html(\+\w+)?\.erb/) # handle template variants
end

Unlike Solargraph, Ruby LSP has ERB support that can extract Ruby code, allowing it to provide the same features as for regular Ruby files. Templating languages like Slim and Haml have much more complex grammars, making it difficult to know where Ruby code is, so as of this writing they’re not supported.

We’ll return if the string node is not a “partial argument”, which we’ll define shortly after:

def on_string_node_enter(node)
  # ...
  return unless partial_argument?(node)
end

private

def partial_argument?(node)
  # ...
end

Inside #partial_argument?, let’s now grab the call node from the node context. For render "partial" code, that would be the render call, which is what we care about. It’s also possible there is no call node, in case a string node isn’t passed to any method invocation, so we need to handle that as well.

def partial_argument?(node)
  call_node = @node_context.call_node
  return unless call_node
  return unless call_node.message == "render"
end

We want to only accept render calls in template context (self.render technically counts here as well), so we reject any other receivers like Foo.render:

def partial_argument?(node)
  # ...
  return unless call_node.receiver.nil? || call_node.receiver.is_a?(Prism::SelfNode)
end

We’re interested whether the string node matches any of the render call arguments, so let’s retrieve them:

def partial_argument?(node)
  # ...
  arguments = call_node.arguments&.arguments # an array of arguments
  return unless arguments
end

If our string node is the first positional argument of the render call (e.g. render "foo"), then we found our partial name:

def partial_argument?(node)
  # ...
  return true if arguments.first == node
end

Otherwise we check for keyword arguments to handle explicit render partial: "foo" form as well. We only accept keyword arguments as the first argument, as we want to exclude render "bar", partial: "foo", where "foo" would be the value of a partial local variable.

def partial_argument?(node)
  # ...
  return unless arguments.first.is_a?(Prism::KeywordHashNode)
  
  arguments.first.elements.any? do |element|
    next unless element.is_a?(Prism::AssocNode)
    next unless element.key.is_a?(Prism::SymbolNode)

    element.key.value == "partial" && element.value == node
  end
end

Returning locations

Now that we’ve identified that our string node is indeed a partial name, let’s resolve the actual template file.

def on_string_node_enter(node)
  # ...
  resolve_partial(node)
end

private

def resolve_partial(node)
  # ...
end

If the string contains a /, it holds an absolute partial path, otherwise it’s a relative partial name. Since template engines and formats can be mixed, we handle any file extension.

def resolve_partial(node)
  partial_path = node.content

  template_glob = if partial_path.include?("/")
    *directory, name = partial_path.split("/")
    File.join("app/views", *directory, "_#{name}.*")
  else
    File.join(File.dirname(@path), "_#{partial_path}.*")
  end

  template_path = Dir[template_glob].first
  return unless template_path
end

Finally, we return the partial path in the response:

def resolve_partial(node)
  # ...
  @response_builder << Interface::Location.new(
    uri: URI::Generic.from_path(path: template_path).to_s,
    range: Interface::Range.new(
      start: Interface::Position.new(line: 0, character: 0),
      end: Interface::Position.new(line: 0, character: 0)
    )
  )
end

Once you restart Ruby LSP, you can now try it out in the editor:

Closing words

I had no prior experience with Prism or any other Ruby parser, so going into this was scary at first. But working with Prism was surprisingly intuitive — I could see why it became the canonical Ruby parser. I didn’t expect to need to be so precise when inspecting node context, but it makes a lot of sense.

The template resolution shown was simplified for the article. It doesn’t handle controller inheritance, :variants, :formats, :handlers, alternative view_paths etc. For that it would need to call the actual controller to perform the view template lookup. I baked all this into my pull request to the Rails add-on, hopefully it will get merged :crossed_fingers:

I’m excited for all the improvements Shopify is doing for Ruby LSP, such as creating Rubydex which makes code indexing efficient and comprehensive. It’s an important tool for making Ruby development feel modern, and the add-on architecture creates exciting possibilities.

• stronger than any password
• safe from data breaches
• safe from phishing attacks

WebAuthn credentials are bound to the device that created them (think security keys like YubiKey), which is good for privacy since no company has your data, but losing your device could lock you out of your account. Passkeys add the ability to be backed up to the cloud and synchronized between multiple devices, which reduces the risk of passkeys getting lost.

Rodauth provides first class support for passkeys, implemented on top of the excellent webauthn-ruby gem. It enables using passkeys as a multifactor authentication method, or for passwordless login and registration. In addition to routes, views and database storage, it also provides the complete JavaScript part that interacts with Web Authentication API for zero configuration.

In this article, I would like to show how to set each of these up in a Rails app that uses rodauth-rails. I’ll be using Safari on macOS Ventura, and have iCloud Keychain sync enabled, which is a requirement for Apple passkeys.

Multifactor authentication

As I mentioned before, Rodauth supports registering passkeys as a multifactor authentication method, in addition to TOTP, recovery codes and SMS codes it already provides.

We’ll start by creating the necessary database tables:

$ rails generate rodauth:migration webauthn
$ rails db:migrate

class CreateRodauthWebauthn < ActiveRecord::Migration
  def change
    # stores WebAuthn user identifiers
    create_table :account_webauthn_user_ids, id: false do |t|
      t.integer :id, primary_key: true
      t.foreign_key :accounts, column: :id
      t.string :webauthn_id, null: false
    end
    # stores WebAuthn credentials
    create_table :account_webauthn_keys, primary_key: [:account_id, :webauthn_id] do |t|
      t.references :account, foreign_key: true
      t.string :webauthn_id
      t.string :public_key, null: false
      t.integer :sign_count, null: false
      t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
    end
  end
end

Next, we’ll enable the webauthn feature in our Rodauth configuration:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    enable :webauthn
  end
end

This will add routes for setting up, authenticating via and removing passkeys:

$ rails rodauth:routes
# ...
# GET/POST  /webauthn-auth    rodauth.webauthn_auth_path
# GET/POST  /webauthn-setup   rodauth.webauthn_setup_path
# GET/POST  /webauthn-remove  rodauth.webauthn_remove_path
# ...

Now when the user navigates to the page for managing multifactor authentication methods, they should see a link for setting up WebAuthn authentication.

This page will show a button for registering a WebAuthn credential, which is already hooked up with the necessary JavaScript code, so clicking on it should show a native browser dialog for creating a new passkey. Once I verify biometric identification, my 2nd factor is set up.

When this user is logging in the next time, once they’ve authenticated with 1st factor, they’re given the option to authenticate via a passkey for 2nd factor.

Just like for registering passkeys, the page for authenticating via a passkey is already hooked up with the necessary JavaScript code, so clicking on the submit button should show a dialog for authenticating with the previously created passkey. Once I verify biometric identification, I’m authenticated with 2nd factor.

Passwordless login

Once the user has created a passkey for your website, in addition to multifactor authentication, they can also use it for passwordless login. This functionality is provided by the webauthn_login feature:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    enable :webauthn_login
  end
end

This will automatically enable multi-phase login, where the user first enters their email, and then they can choose to authenticate via a password or a passkey. Note that the password field won’t be displayed if the user didn’t set one when creating their account.

Verifying the passkey will log the user in. If they’re using multifactor authentication, by default this will only authenticate 1st factor, so they’ll still need 2nd factor (for pages that require it). However, passkeys are generally considered multi-factor authentication, because the user presents something they “have” (device) and – if user verification took place – something they “are” (biometrics) or “know” (PIN).

We can tell Rodauth to consider user verification as 2nd factor. If there was no user verification, e.g. a security key was used that only requires user presence but doesn’t have biometrics or PIN, then only 1st factor will get authenticated.

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    webauthn_login_user_verification_additional_factor? true
  end
end

To make the login UX even better, WebAuthn protocol supports autofill UI for passkeys when the email field is focused. Rodauth once again has this built in via the webauthn_autofill feature (which happens to be a feature I added :blush:):

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    enable :webauthn_autofill
  end
end

When the user opens the login page again and focuses the email field, they should see their passkey being offered. This is because stored passkeys include the user’s email address for identification.

When the user selects their passkey and verifies it, they’ll be automatically logged in, without even having to type their email address. In fact, they don’t even have to select the passkey, they can just scan their fingerprint as soon as they focus the email field.

In addition to passwordless login, Rodauth also supports passwordless registration via the webauthn_verify_account feature. The user just needs to enter their email address in the create account form, and when they follow the link in the verification email, they’re required to register a passkey in order to verify their account.

Multiple credentials

Rodauth supports registering multiple passkeys for a single account; the user can just visit the WebAuthn setup page again and create another credential. This is useful for people wanting to register multiple devices for backup.

By default, credentials can only be differentiated by their last used timestamp, which is what’s displayed on the WebAuthn remove page by default.

Let’s add the ability for the user to choose a nickname for their credentials, so that they can more easily differentiate between them. We’ll start by adding a new nickname column to the account_webauthn_keys table:

$ rails generate migration add_nickname_to_account_webauthn_keys nickname:string
$ rails db:migrate

class AddNicknameToAccountWebauthnKeys < ActiveRecord::Migration
  def change
    add_column :account_webauthn_keys, :nickname, :string
  end
end

Next, we’ll import the view templates used by the WebAuthn feature, and add a nickname field to the setup form:

$ rails generate rodauth:views webauthn
# create  app/views/rodauth/webauthn_auth.html.erb
# create  app/views/rodauth/webauthn_setup.html.erb
# create  app/views/rodauth/webauthn_remove.html.erb

<!-- app/views/rodauth/webauthn_setup.html.erb -->
<!-- ... -->
  <div class="form-group mb-3">
    <%= form.label :nickname, "Nickname", class: "form-label" %>
    <%= form.text_field :nickname, value: params[:nickname], class: "form-control #{"is-invalid" if rodauth.field_error("nickname")}", aria: ({ invalid: true, describedby: "nickname_error_message" } if rodauth.field_error("nickname")) %>
    <%= content_tag(:span, rodauth.field_error("nickname"), class: "invalid-feedback", id: "nickname_error_message") if rodauth.field_error("nickname") %>
  </div>
<!-- ... -->

Now we’ll hook into the WebAuthn setup request, validate that the nickname param was filled in and persist it on the new credential:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    before_webauthn_setup do
      throw_error_status(422, "nickname", "must be set") if param("nickname").empty?
    end
    webauthn_key_insert_hash do |credential|
      super(credential).merge(nickname: param("nickname"))
    end
  end
end

Finally, let’s also modify the remove form to display nicknames instead of last used timestamps (we’re using the Account#webauthn_keys association defined by rodauth-model):

<!-- app/views/rodauth/webauthn_remove.html.erb -->
<!-- ... -->
  <fieldset class="form-group mb-3">
    <% current_account.webauthn_keys.each do |webauthn_key| %>
      <div class="form-check">
        <%= form.radio_button rodauth.webauthn_remove_param, webauthn_key.webauthn_id, id: "webauthn-remove-#{webauthn_key.webauthn_id}", class: "form-check-input #{"is-invalid" if rodauth.field_error(rodauth.webauthn_remove_param)}", aria: ({ invalid: true, describedby: "webauthn_remove_error_message" } if rodauth.field_error(rodauth.webauthn_remove_param)) %>
        <%= form.label "webauthn-remove-#{webauthn_key.webauthn_id}", webauthn_key.nickname, class: "form-check-label" %>
        <%= content_tag(:span, rodauth.field_error(rodauth.webauthn_remove_param), class: "invalid-feedback", id: "webauthn_remove_error_message") if rodauth.field_error(rodauth.webauthn_remove_param) && webauthn_key == current_account.webauthn_keys.last %>
      </div>
    <% end %>
  </fieldset>
<!-- ... -->

Closing words

Passkeys still need wider support in browsers and operating systems before they can become mainstream, but they look very promising. I like that I can use devices I already have, as opposed to having to buy a separate piece of hardware such as a YubiKey. I also feel safer that passkeys are synced automatically, and it’s convenient that I don’t have to remember on which Apple device I created a passkey for a given website.

The fact that Rodauth provides such advanced support for passkeys with zero configuration shows that it’s really keeping up with authentication trends. It also speaks to its incredibly flexible design, as passkeys can be combined with existing authentication methods, acting both as 1st and 2nd factor. The whole flow is highly configurable, as can be seen from the vast list of configuration methods.

Resources

• WebAuthn.io
• FIDO Alliance documentation
• Passkeys.dev
• Passkeys: What the Heck and Why? (CSS Tricks)
• WebAuthn vs Passkeys (Passwordless.ID)

I stumbled across an episode of The Bike Shed podcast, where it was mentioned that Selenium can add considerable overhead, so I decided it was worth trying out Cuprite. For those not familiar, Cuprite is a Capybara driver that interacts with Chrome directly using CDP (Chrome DevTools Protocol). This is in contrast to Selenium, which goes through chromedriver/geckodriver command-line tool.

I have to say I did not expect the performance improvements to be so significant. Running individual system tests was about 30-50% faster on my M1 MacBook Air, while our overall system test suite went from 9 minutes to 6 minutes, which is a 30% speedup. Just from changing the Capybara driver. For someone who cares about fast tests, this was a considerable win :metal:

Our Capybara configuration ended up being the following:

require 'capybara/rspec'
require 'capybara/cuprite'

Capybara.default_max_wait_time = 5
Capybara.disable_animation = true

RSpec.configure do |config|
  config.before(:each, type: :system) do
    driven_by(:cuprite, screen_size: [1440, 810], options: {
      js_errors: true,
      headless: %w[0 false].exclude?(ENV["HEADLESS"]),
      slowmo: ENV["SLOWMO"]&.to_f,
      process_timeout: 15,
      timeout: 10,
      browser_options: ENV["DOCKER"] ? { "no-sandbox" => nil } : {}
    })
  end

  config.filter_gems_from_backtrace("capybara", "cuprite", "ferrum")
end

Flaky test failures

While moving to Cuprite made tests faster, we started getting dozens of new flaky test failures. After looking at them more closely, I found that each failure was caused by improper waiting for JavaScript (we’re using Hotwire). With Selenium, those issues were just masked, because the overhead was big enough that the race conditions never manifested.

Most failures were around clicking on a link and then waiting for text to appear, but that text was already present on the previous page, so Capybara didn’t actually wait for the new page to get navigated to. In some cases we needed to manually scroll to elements before interacting with them, where Selenium appears to have automatically scrolled.

click_on "Some link"
# make sure this text was NOT present on the previous page
expect(page).to have_content("Some text")

Disabling CSS transitions

We’re using Bootstrap, and I noticed that some modal clicks were failing. It turned out that due to CSS transitions used by Bootstrap modals, Capybara would sometimes attempt to click on a moving target. Since we don’t actually need animations in tests, I was looking for a way to disable them. By sheer luck I discovered a handy Capybara configuration that takes care of this:

# disable CSS transitions and jQuery animations
Capybara.disable_animation = true

One problem is that our flash messages are set to fade away after 3 seconds, so this caused them not to disappear automatically. This was fine most of the time, but in some cases they were covering content we needed to interact with. To address this, I created a helper method that retrieves the flash message and immediatelly closes the alert:

def flash_message
  message = find(".flash").text.split("\n").last
  find(".flash .close").click # close alert
  message
end

# ...
click_on "Create Device"
expect(flash_message).to eq "Device was successfully created"

Disabling Turbo previews

In a previous project, I found that Turbo previews were the cause of one flaky test, so I disabled them by adding the following into <head> of the layout:

<!-- disable cached Turbo previews when navigating -->
<meta name="turbo-cache-control" content="no-preview">

Raising Stimulus errors

When a JavaScript errors occur inside Stimulus lifecycle callbacks or actions, they are caught by Stimulus and logged. This avoids an error from one Stimulus controller halting JavaScript execution and preventing other Stimulus controllers from being executed (see Sam Stephenson’s explanation for more details).

While this is useful for production, in tests we want to get alerted when JavaScript errors occur. After configuring Cuprite to convert any JS errors into Ruby exceptions by setting js_errors: true, we overrode Stimulus application’s error handler in tests to propagate errors:

import { Application } from "@hotwired/stimulus"

const application = Application.start()

// Works with Webpacker (in Vite we'd use `import.meta.env.MODE === "test"`).
if (process.env.RAILS_ENV === "test") {
  // propagate errors that happen inside Stimulus controllers
  application.handleError = (error, message, detail) => {
    throw error
  }
}

Precompiling assets

We were initially hitting timeout errors on CI from Cuprite on the first test. The reason was that Webpacker would compile assets on the first request. We tried increasing :process_timeout in Cuprite, but that didn’t help.

Instead of letting Webpacker compile assets on-the-fly, we chose to precompile them in advance, which fixed the issue.

$ bundle exec rake assets:precompile
$ bundle exec rspec spec/system

However, when JS errors would occur, I noticed the JavaScript source was now minified. This not only made it more difficult to locate where the error occurred, but on CI the error message was completely absent. This is because the webpack:compile rake task defaults NODE_ENV to production. First I tried setting NODE_ENV=test, but that didn’t skip minification, and I later found out this is intended for JavaScript tests. Setting NODE_ENV=development on CI worked, which is what’s used for on-the-fly compilation.

I would prefer Webpacker not to merge assets into a single file in tests, but I think migrating to Vite would help with this.

Toggling headless mode

Cuprite runs Chrome in so-called “headless” mode by default, which means the browser doesn’t open up while tests are being run. However, if you’re debugging a failing test, it’s not always enough to look at the captured screenshots, sometimes you need to see what’s happening on the page.

Our Cuprite configuration allowed us to pass HEADLESS=0 environment variable to the rspec command to disable headless mode. If the interaction was happening too fast to make sense of anything, we could additionally set e.g. SLOWMO=0.5 to add 0.5s of overhead to every click.

$ HEADLESS=0 SLOWMO=0.5 bin/rspec spec/system/something_spec.rb

Docker handling

Some team members prefer to run the Rails app locally through Docker. To make Cuprite work, we set DOCKER=true in our docker-compose.yml, and then based on that environment variable passed the no-sandbox option to Chrome.

Closing words

The performance benefits alone will definitely make me advocate for using Cuprite every time. The only feature I found it doesn’t support yet is drag-and-drop, though initial support has been merged to master.

Flaky test failures have always been a challenge for me when writing system tests. What helped me is to trust that the root cause is always figureoutable. I would previously attribute them to complex Selenium internals, but Cuprite is much less magical in comparison, so I can make better sense of why something is happening.

While Devise provides a convenience layer around OmniAuth, it does nothing to actually sign the user into your app. When I started writing the OmniAuth integration for Rodauth, I wanted to go one step further and actually handle things like persistence of external identities, account creation and login, while still allowing the developer to customize the behaviour. That’s how rodauth-omniauth was created. :sparkles:

In this article, I will show how to add social login to an existing Rails app that’s using Rodauth, and extend the default behaviour with some custom logic. If you’re looking to get started with Rodauth, check out my previous article. With that out of the way, let’s dive in.

Setup

We’ll start by installing the Rodauth extension and the desired OmniAuth strategies:

$ bundle add rodauth-omniauth omniauth-facebook omniauth-google-oauth2

You don’t need to install any gems for CSRF protection of OmniAuth request endpoints, because rodauth-omniauth will automatically use whichever CSRF protection mechanism Rodauth was configured with, which in case of Rails will be ActionController::RequestForgeryProtection.

If you haven’t already, create the necessary OAuth apps, and configure the callback URL to be https://localhost:3000/auth/{provider}/callback, where {provider} is either facebook or google. We’ll save the credentials for the OAuth apps into our project:

$ rails credentials:edit

# ...
facebook:
  app_id: "<YOUR_APP_ID>"
  app_secret: "<YOUR_APP_SECRET>"
google:
  client_id: "<YOUR_CLIENT_ID>"
  client_secret: "<YOUR_CLIENT_SECRET>"

Next, we’ll need to create the table that rodauth-omniauth will use for storing external identities:

$ rails generate migration create_account_identities
$ rails db:migrate

class CreateAccountIdentities < ActiveRecord::Migration
  def change
    create_table :account_identities do |t|
      t.references :account, null: false, foreign_key: { on_delete: :cascade }
      t.string :provider, null: false
      t.string :uid, null: false
      t.index [:provider, :uid], unique: true
    end
  end
end

In the Rodauth configuration, we can now enable the omniauth feature and register our strategies:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    enable :omniauth

    omniauth_provider :facebook,
      Rails.application.credentials.facebook[:app_id],
      Rails.application.credentials.facebook[:app_secret],
      scope: "email"

    omniauth_provider :google_oauth2,
      Rails.application.credentials.google[:client_id],
      Rails.application.credentials.google[:client_secret],
      name: :google # rename it from "google_oauth2"
  end
end

Finally, we can import the view templates for the login form, and add the social login links there:

$ rails generate rodauth:views login
#  create  app/views/rodauth/_login_form.html.erb
#  create  app/views/rodauth/_login_form_footer.html.erb
#  create  app/views/rodauth/_login_form_footer.html.erb
#  create  app/views/rodauth/_login_form_header.html.erb
#  create  app/views/rodauth/login.html.erb
#  create  app/views/rodauth/multi_phase_login.html.erb

<!-- app/views/rodauth/_login_form_footer.html.erb -->
<!-- ... -->
  <li>
    <%= button_to "Login via Facebook", rodauth.omniauth_request_path(:facebook),
      method: :post, data: { turbo: false }, class: "btn btn-link p-0" %>
  </li>
  <li>
    <%= button_to "Login via Google", rodauth.omniauth_request_path(:google),
      method: :post, data: { turbo: false }, class: "btn btn-link p-0" %>
  </li>
<!-- ... -->

We’re using POST form submits, because OmniAuth doesn’t allow GET requests for the request phase anymore by default. You’ll notice we had to disable Turbo for the request links, as those redirect to an external authorize URL, which don’t support AJAX visits.

Some OAuth authorizations require that the web app is served over HTTPS. Assuming you’re using Puma, a quick way to enable this locally would be to install the localhost gem, and tell the Rails server you want to use SSL:

$ bundle add localhost --group development
$ rails server -b ssl://localhost:3000

Now you should be able to open https://localhost:3000/login, and see the Rodauth login page with social login links.

Login & Registration

When we visit the Facebook login link, and authorize the OAuth app, upon returning to the app a new verified account with your Facebook email address should be automatically created, along with the external identity, and you should be logged in.

You should see something like this in the database:

account = Account.last
#=> #<Account id: 123, status: "verified", email: "janko.marohnic@gmail.com">
account.identities
#=> [#<Account::Identity id: 456, account_id: 123, provider: "facebook", uid: "350872771">]

A problem I often experienced as a user was forgetting which social provider I initially logged into on a certain app, and whether I had even logged in with a social provider (though I can now easily determine the latter by checking my password manager). If I would sign in with the wrong provider, this would usually result in a new account being created for me.

Wouldn’t it be nice if the app could detect that the email address of my existing account matches the one of the external identity, and automatically assign that identity to the existing account? Well, rodauth-omniauth does that automatically. If I were to authenticate with Google the next time, I would get logged into my existing account, with the new Google identity connected to it.

account.identities #=> [
#   #<Account::Identity id: 456, account_id: 123, provider: "facebook", uid: "350872771">,
#   #<Account::Identity id: 789, account_id: 123, provider: "google", uid: "987349876343">,
# ]

If for whatever reason you want to change or disable this behaviour, you can override account_from_omniauth, which is what searches existing accounts when authenticating with a provider for the first time:

class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    account_from_omniauth do
      # this is roughly the default implementation
      account_table_ds.first(email: omniauth_info["email"])
    end
    # OR
    account_from_omniauth {} # new identity = new account
  end
end

Storing additional data

Let’s say users in our app can fill in their full name, and we decided to inherit it from their external identity when possible, to save them extra work.

We’ll assume we have a separate profiles table associated to accounts, and we’re already creating a profile record on normal registration:

# in a migration:
create_table :profiles do |t|
  t.references :account, null: false, foreign_key: true
  t.string :name
  t.timestamps
end

class RodauthMain < Rodauth::Rails::Auth
  configure do
    # create profile after normal registration
    after_create_account { Profile.create!(account_id: account_id) }
  end
end

We can override the hook for creating the account via OmniAuth login, and create the profile with the name prefilled:

class RodauthMain < Rodauth::Rails::Auth
  configure do
    # create profile after registration through OmniAuth login
    after_omniauth_create_account do
      Profile.create!(account_id: account_id, name: omniauth_info["name"])
    end
  end
end

Let’s say we now want to store additional data on identities, which by default have only the mandatory provider and uid columns. We might want to store created_at & updated_at timestamps, as well as an email for each identity. We can start by creating the necessary columns:

# in a migration:
add_timestamps :account_identities
add_column :account_identities, :email, :string

We can now ensure created_at is set the first time we authenticate with a provider, and that updated_at and email are updated each time we authenticate with the provider:

class RodauthMain < Rodauth::Rails::Auth
  configure do
    # store `created_at` only when the identity is created
    omniauth_identity_insert_hash do
      super().merge(created_at: Time.now)
    end
    # update `updated_at` and `email` each time the identity is updated
    omniauth_identity_update_hash do
      super().merge(updated_at: Time.now, email: omniauth_email)
    end
  end
end

Now our account & identity data might look as follows:

account = Account.last
#=> #<Account id: 123,
#    status: "verified",
#    email: "janko@hey.com",
#    name: "Janko Marohnić">

account.identities.first
#=> #<Account::Identity
#    id: 789,
#    account_id: 123,
#    provider: "google",
#    uid: "987349876343",
#    email: "janko.marohnic@gmail.com",
#    created_at: Fri, 11 Nov 2022 13:11:85 UTC,
#    updated_at: Fri, 02 Dec 2022 08:01:26 UTC>

Multiple account types

If your app has different account types which require potentially different authentication rules, you’ll be glad to know that rodauth-omniauth supports distinct configurations.

Let’s say we have an admin account type, for which we want to provide logging in via GitHub. Assuming we’ve already created the OAuth app, we’ll install the OmniAuth strategy gem:

$ bundle add omniauth-github
$ rails credentials:edit

# ...
github:
  client_id: "<YOUR_CLIENT_ID>"
  client_secret: "<YOUR_CLIENT_SECRET>"

To protect the admin section, we’ll only allow users that are members of the company’s GitHub organization. For this, we might have the following Rodauth configuration:

# app/misc/rodauth_admin.rb
class RodauthAdmin < Rodauth::Rails::Auth
  configure do
    enable :omniauth

    prefix "/admin"
    session_key_prefix "admin_"

    omniauth_provider :github,
      Rails.application.credentials.github[:client_id],
      Rails.application.credentials.github[:client_secret]

    before_omniauth_callback_route do
      if omniauth_provider == :github && !organization_member?(omniauth_info["nickname"])
        set_redirect_error_flash "User is not a member of our GitHub organization"
        redirect "/admin"
      end
    end
  end

  private

  def organization_member?(username)
    # ... check if user is a member of company's GitHub organization ...
  end
end

Since we’ve set admin routes to be prefixed with /admin, OmniAuth routes will be prefixed as well, so the request phase will be at /admin/auth/github. This ensures authentication doesn’t overlap with the main account type.

If we had decided to use a separate table for admin accounts (e.g. admins), we can also use a separate identities table:

# in a migration:
create_table :admin_identities do |t|
  t.references :admin, null: false, foreign_key: { on_delete: :cascade }
  t.string :provider, null: false
  t.string :uid, null: false
  t.index [:provider, :uid], unique: true
end

class RodauthAdmin < Rodauth::Rails::Auth
  configure do
    # ...
    omniauth_identities_table :admin_identities
    omniauth_identities_account_id_column :admin_id
  end
end

Future work

Separate registration step

The current automatic registration assumes the external login will always return the user’s email address, which is not always the case (hello Twitter). It also assumes we don’t need additional information from the user before creating their account.

After external login, I would like to support having a separate registration step, with fields like email address already being filled in. The main challenge is preventing an attacker from signing up with another person’s identity. I would definitely welcome any contributions. :pray:

Connecting additional identities

Once the user is signed in, it would be useful to allow them to connect additional external identities, as well as disconnect already linked identities, to make future logins more reliable.

This feature seems more straightforward to implement. However, it’s tricky to handle the scenario when a logged in user wants to authenticate via a different provider, because by default Rodauth doesn’t disallow access to the login page in this case. There are also questions around connecting identities that are currently assigned to a different account.

Closing words

This was definitely the most challenging Rodauth extension I’ve built. I had been working on it periodically for 2 years, and was only able to release it once I decided to postpone the mentioned features. It took a while to find the right balance between respecting OmniAuth configuration and Rodauth conventions, support JSON API with JWT, handle inheritance, figure out the OmniAuth 2.0 upgrade, and implement a customizable callback phase.

I was able to do all this thanks to the strong foundation Rodauth provides. Its layered design allowed me to hook at the right level to make it work well with other authentication features, while the configuration DSL made it easy to make any part customizable. Because Rodauth supports feature dependencies, I was able to extract the pure OmniAuth integration for standalone usage, for those who don’t need any of the database logic.

While it was previously possible to use OmniAuth directly, I’m happy that Rodauth now has a social login story. Given that this is a much more integrated solution compared to what Devise offers, and other people might have more custom authentication flows, I’m curious to get everyone’s feedback. :wink:

Even though Rodauth is built on top of Roda and Sequel, it can work as a Rack middleware in any Ruby web framework. In the beginning, there was a demo app showing how Rodauth can be used in Rails, which leveraged the (now discontinued) roda-rails gem. However, the integration felt fairly raw, and definitely lacked the ergonomics Rails developers are used to.

Rodauth has a vast feature set, but if it was going to compete with other authentication solutions, it needed to match their level of convenience in context of Rails. That meant deeply integrating into the Rails framework, having clear drawers where code goes, and defaults that are easy to get started with. At the start of 2020, I set on a mission to make using Rodauth in Rails easy.

Initial spike

I first created a demo Rails app, and started setting up Rodauth there. In the early iterations, I managed to hook up view rendering, flash messages, CSRF protection, and email delivery to use Rails instead of Roda, with significantly less code compared to roda-rails. I also managed to make Rodauth code reloadable by inserting a proxy Rack middleware that just calls the Roda app.

# app/misc/rodauth_app.rb
class RodauthApp < Roda
  plugin :rodauth, csrf: false, flash: false do
    enable :rails, :login, :create_account, :verify_account, :reset_password, :logout
    # ... rodauth configuration ...
  end

  route do |r|
    r.rodauth # handle rodauth requests
  end
end

# lib/rodauth/features/rails.rb
module Rodauth
  Feature.define(:rails, :Rails) do
    # ... rails integration ...
  end
end

# config/initializers/rodauth.rb
class RodauthMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    RodauthApp.new(@app).call(env) # keeps RodauthApp reloadable
  end
end

Rails.application.config.middleware.use RodauthMiddleware

Once I felt things were functioning well enough, I extracted the glue code into the rodauth-rails gem and added tests. I also included an install generator, which created the initial skeleton with sensible default configuration. A new Roda superclass provided a convenience configure method for loading the Rodauth plugin together with the rails feature.

$ bundle add rodauth-rails
$ rails generate rodauth:install

# app/misc/rodauth_app.rb
class RodauthApp < Rodauth::Rails::App
  configure do # automatically loads the rails feature
    enable :login, :create_account, :verify_account, :reset_password, :logout
    # ... rodauth configuration ...
  end

  route do |r|
    r.rodauth # handle rodauth requests
  end
end

By default, Rodauth uses database authentication functions for password matching, which coupled with a two-user database setup allows protecting password hashes even in case of SQL injection (read here on how this works). However, I felt this complexity could be daunting when getting started, so I changed the default to do password matching in ruby instead.

use_database_authentication_functions? false
account_password_hash_column :password_hash

Rodauth also optionally uses HMACs for signing tokens, providing additional security. Since this is quite important, rodauth-rails turns this on by setting the HMAC secret to the Rails’ secret key base.

hmac_secret { Rails.application.secret_key_base }

Active Record

While Rodauth uses Sequel for database interaction, most Rails apps are using Active Record. This meant Rodauth needed to work seamlessly alongside Active Record.

One idea was to develop a Rodauth extension that replaces all Sequel calls with Active Record code. However, given Rodauth’s advanced SQL usage, that would’ve been a monumental effort. It would also have been a huge maintenance burden, since the extension would break with new Rodauth changes, and 3rd-party Rodauth extensions would need to maintain their own Active Record integrations.

So, the initial integration simply connected Sequel to the same database Active Record was connected to, which was then picked up by Rodauth.

db_config = ActiveRecord::Base.connection_db_config

Sequel.connect(adapter: db_config.adapter, database: db_config.database)

However, I noticed that this breaks features such as maintaining test schema, which requires temporarily disconnecting from the database in order to re-create the test database; even though Active Record connections were closed, Sequel was still holding an open connection, which was blocking database dropping. To address this, I extended Active Record to connect & disconnect Sequel in lockstep with Active Record.

This worked, but I quickly encountered a new kind of problem. Because Active Record and Sequel used separate database connections, Active Record code couldn’t reference records created within a Sequel transaction, because to that connection the record simply doesn’t exist (remember, database transactions are tied to a connection).

class Profile < ActiveRecord::Base
  belongs_to :account
end

class RodauthApp < Rodauth::Rails::App
  configure do
    # we're still in a Sequel transaction that created the account record
    after_create_account do
      # creating an associated record with Sequel worked:
      # db[:profiles].insert(account_id: account_id, name: "New User")

      # but with Active Record it failed with a foreign key constraint violation:
      Profile.create!(account_id: account_id, name: "New User") # ~> account record not found
    end
  end
end

My goal was for developers not to have to care that Rodauth uses Sequel, so calling Active Record inside Rodauth should just work. Moreover, Bruno Sutic warned me if Sequel uses a separate database connection, it would mean production databases would have up to twice as many open connections. It became apparent this approach could never achieve the desired developer experience.

Just browsed the repo. Sequel connection is a bummer.

— Josef Strzibny (@strzibnyj) April 23, 2020

For the integration to work, I would need to make Sequel reuse Active Record’s database connection. I discussed this idea with Jeremy Evans (the lead Sequel maintainer), and he provided me with some guidance, thanks to which I was able to come up a solution. It was a Sequel extension that retrieved Active Record connections, kept transaction state and callbacks synchronized between Sequel and Active Record, integrated SQL instrumentation, and reconciliated adapter differences (see my previous article for more details).

$ bundle add sequel-activerecord_connection

DB = Sequel.postgres(extensions: :activerecord_connection)
DB[:accounts].all # uses Active Record's database connection

Model

Unlike Devise or Sorcery, Rodauth is completely decoupled from models, and any calls need to go through the Rodauth object. If you need to perform Rodauth actions outside of an HTTP request, you can use the internal request feature, which makes an actual Rack call to the Rodauth app:

# performing rodauth actions (class level)
RodauthApp.rodauth.create_account(login: "user@example.com", password: "secret123")
RodauthApp.rodauth.verify_account(account_login: "user@example.com")

# calling rodauth methods (instance level)
rodauth = Rodauth::Rails.rodauth(account_login: "user@example.com")
rodauth.get_password_reset_key(account_id) #=> "DS6dtRNnvzSCWzm8jg4lltOzBE5vTN_xflNdToIPw3A"
rodauth.recovery_codes #=> ["30GRJkr1BheZztvFZcDeRSNy6yhzigXH6zB-yvzP4Io", ...]

While I love this decoupling, it would still be nice to be able to at least create accounts and retrieve associations directly through the model. So, I created the rodauth-model gem, which provides an interface similar to Active Record’s has_secure_password, and defines associations based on your Rodauth configuration (together with associated models).

class Account < ActiveRecord::Base
  include Rodauth::Rails.model
end

# generating a password hash
account = Account.create(email: "user@example.com", password: "secret123")
account.password_hash #=> "$2a$12$k/Ub1I2iomi84RacqY89Hu4.M0vK7klRnRtzorDyvOkVI.hKhkNw."

account.password_reset_key #=> #<Account::PasswordResetKey id: 1, key: "DS6dtRNnvzSCWzm8jg4lltOzBE5vTN_xflNdToIPw3A" ...>
account.recovery_codes #=> [#<Account::RecoveryCode id: 1, code: "30GRJkr1BheZztvFZcDeRSNy6yhzigXH6zB-yvzP4Io">, ...]

Rodauth stores account statuses (unverified, verified, closed) as integers, but we can use ActiveRecord::Enum to map them to strings, which is what the install generator now does.

class Account < ActiveRecord::Base
  # ...
  enum :status, unverified: 1, verified: 2, closed: 3
end

account = Account.find(123)
account.status #=> "unverified"

account.verified? #=> false
account.status = "verified"
account.verified? #=> true

Account.closed #=> [#<Account id: 456, status: "closed" ...>, ...]

Routes introspection

In this architecture, Rodauth routes are handled by the Rack middleware that’s sitting in front of the Rails router. This has the benefit of allowing you to perform authentication actions such as requiring authentication, checking active sessions, and remembering from cookie in a single place, thus better encapsulating authentication logic.

However, since Rodauth routes aren’t registered within the Rails router, they don’t show up in rails routes. Rails’ routes introspection doesn’t currently have capability of registering custom routes, and Roda’s routing is dynamic, so it’s not possible to retrieve its routes programmatically.

Eventually I managed to implement a rodauth:routes Rake task, which retrieves the route paths from the Rodauth app, and parses the source code for HTTP verbs. It’s not ideal, but it should be good enough.

$ rails rodauth:routes
# Routes handled by RodauthApp:
# 
#   GET/POST  /login                   rodauth.login_path
#   GET/POST  /create-account          rodauth.create_account_path
#   POST      /email-auth-request      rodauth.email_auth_request_path
#   GET/POST  /email-auth              rodauth.email_auth_path
#   GET/POST  /logout                  rodauth.logout_path
#   GET/POST  /reset-password-request  rodauth.reset_password_request_path
#   GET/POST  /reset-password          rodauth.reset_password_path
#   GET/POST  /change-password         rodauth.change_password_path
#   GET/POST  /change-login            rodauth.change_login_path
#   GET/POST  /verify-login-change     rodauth.verify_login_change_path
#   GET/POST  /close-account           rodauth.close_account_path
#   GET/POST  /verify-account-resend   rodauth.verify_account_resend_path
#   GET/POST  /verify-account          rodauth.verify_account_path
# 
#   GET       /admin/multifactor-manage      rodauth(:admin).two_factor_manage_path
#   GET       /admin/multifactor-auth        rodauth(:admin).two_factor_auth_path
#   GET/POST  /admin/multifactor-disable     rodauth(:admin).two_factor_disable_path
#   GET/POST  /admin/otp-auth                rodauth(:admin).otp_auth_path
#   GET/POST  /admin/otp-setup               rodauth(:admin).otp_setup_path
#   GET/POST  /admin/otp-disable             rodauth(:admin).otp_disable_path
#   GET/POST  /admin/recovery-auth           rodauth(:admin).recovery_auth_path
#   GET/POST  /admin/recovery-codes          rodauth(:admin).recovery_codes_path
#   POST      /admin/unlock-account-request  rodauth(:admin).unlock_account_request_path
#   GET/POST  /admin/unlock-account          rodauth(:admin).unlock_account_path

Generators

Before working on this gem, I didn’t realize how important code generators are for convenience, and also how difficult they are to get right. There are currently three generators rodauth-rails ships with:

• rodauth:install – sets up initial skeleton with default auth features and migrations
• rodauth:views – imports ERB view templates for customization
• rodauth:migration – generates migrations for selected authentication features

The generators needed to handle various scenarios, such as RSpec vs Minitest, fixtures vs factory_bot, Active Record vs Sequel, different SQL adapters, API-only mode, UUID primary keys, and more.

Schema migrations

I wanted to remove any Sequel code from sight, so I translated Sequel migrations into Active Record code, and generated those in Active Record migrations. If Sequel happens to be used as the main database library, we’d generate Sequel migrations instead.

$ rails generate rodauth:migration otp active_sessions
# create  db/migrate/20221012110706_create_rodauth_otp_active_sessions.rb

class CreateRodauthOtpActiveSessions < ActiveRecord::Migration[7.0]
  def change
    # Used by the otp feature
    create_table :account_otp_keys do |t|
      t.foreign_key :accounts, column: :id
      t.string :key, null: false
      t.integer :num_failures, null: false, default: 0
      t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
    end

    # Used by the active sessions feature
    create_table :account_active_session_keys, primary_key: [:account_id, :session_id] do |t|
      t.references :account, foreign_key: true
      t.string :session_id
      t.datetime :created_at, null: false, default: -> { "CURRENT_TIMESTAMP" }
      t.datetime :last_use, null: false, default: -> { "CURRENT_TIMESTAMP" }
    end
  end
end

View templates

The built-in view templates use Tilt’s interpolated string engine, which avoids ERB dependency, but requires work to adapt for Rails. So, rodauth-rails’ views generator imports already converted ERB view templates that use familiar Rails’ form helpers.

$ rails generate rodauth:views login create_account lockout 
# create  app/views/rodauth/_login_form.html.erb
# create  app/views/rodauth/_login_form_footer.html.erb
# create  app/views/rodauth/_login_form_header.html.erb
# create  app/views/rodauth/login.html.erb
# create  app/views/rodauth/multi_phase_login.html.erb
# create  app/views/rodauth/create_account.html.erb
# create  app/views/rodauth/unlock_account_request.html.erb
# create  app/views/rodauth/unlock_account.html.erb

<%= form_with url: rodauth.unlock_account_path, method: :post, data: { turbo: false } do |form| %>
  <%== rodauth.unlock_account_explanatory_text %>

  <% if rodauth.unlock_account_requires_password? %>
    <div class="mb-3">
      <%= form.label "password", rodauth.password_label, class: "form-label" %>
      <%= form.password_field rodauth.password_param, value: "", id: "password", autocomplete: rodauth.password_field_autocomplete_value, required: true, class: "form-control #{"is-invalid" if rodauth.field_error(rodauth.password_param)}", aria: ({ invalid: true, describedby: "password_error_message" } if rodauth.field_error(rodauth.password_param)) %>
      <%= content_tag(:span, rodauth.field_error(rodauth.password_param), class: "invalid-feedback", id: "password_error_message") if rodauth.field_error(rodauth.password_param) %>
    </div>
  <% end %>

  <div class="mb-3">
    <%= form.submit rodauth.unlock_account_button, class: "btn btn-primary" %>
  </div>
<% end %>

Because not all Rodauth actions are Turbo-compatible (multi-phase login and viewing recovery codes return a 200 response on form submits), I have chosen to disable Turbo by default for all HTML forms, to ensure everything works.

Future plans

• I would like the migration generator to support database authentication functions, to make it easier for developers to better secure their password hashes. I have been working on it on & off, but it’s fairly complex to generate correct migration code, especially since different SQL databases (PostgreSQL, MySQL, SQL Server) require different setups.

• Default Rodauth view templates use Bootstrap markup, but Ben Koshy has been working on adding Tailwind CSS support, which will be a nice addition. You’ll be able to pass --css=tailwind, which will be the default when the tailwindcss-rails gem is used.

• I want to make it easier for 3rd-party Rodauth extensions to provide migrations/views for Rails generators. The rodauth-oauth gem currently provides its own generators (rodauth:oauth:install and rodauth:oauth:views), but it would be nice if they didn’t have to be duplicated.

• Rodauth methods are called through the Rodauth object, and you’re encouraged to define convenience controller/view helpers that suit your application’s needs. That being said, having some default helpers like Devise has (and even something like Devise groups) probably might go a long way. I was also considering more convenient routing helpers, perhaps even a builder for defining custom ones.

  # config/routes.rb
  Rails.application.routes.draw do
    # this is what we have today
    constraints Rodauth::Rails.authenticated do
      # ...
    end
  
    # but maybe Devise syntax is worthwhile
    authenticate do
      # ...
    end
  end
  

Closing words

There are many more things the Rails integration takes care of, such as ignoring asset requests from Sprockets or Propshaft, instrumentation/logging of Rodauth requests, executing controller callbacks & rescue handlers, handling background emails, testing helpers, and Rails 4.2+ & JRuby support. But I think I rambled on for long enough.

The purpose for this article wasn’t to bolster on my achievements, but to share my realization about the price of convenience, and how much work it can actually take integrate a generic library into Rails, especially when it does the work of a Rails engine. I cannot thank Jeremy Evans enough for discussing, reviewing, and merging every one of my additions to Rodauth that helped enable a smooth Rails integration :pray:

I hope I fulfilled my goal of making Rodauth easy to work with in Rails. That being said, I’m grateful for the continuous feedback I’m getting from people that are using Rodauth. I’m trying to convert many of my answers into a wiki page, a how-to guide or a screencast, to grow the knowledge around handling common use cases.

My first approach was to have Sequel connect to the same database as Active Record, and create and close connections in lockstep with Active Record, so that Sequel is connected to the database if and only if Active Record is too. While this was functional, it didn’t play well with transactions. Some of Rodauth’s configuration blocks are executed within a Sequel transaction, and I wanted developers to be able to call Active Record inside them, and have it just work. But this wasn’t the case, because it turns out, if you have two different connections, they aren’t aware of each other’s transactions; you might as well be using two different processes.

ActiveRecord::Base.establish_connection("postgresql:///mydb")
DB = Sequel.connect("postgresql:///mydb")

class Account < Sequel::Model
end
class Profile < ActiveRecord::Base
end

# open sequel transaction
DB.transaction do
  # create record using sequel connection
  account = Account.create(email: "user@example.com", password_hash: "...")

  # open active record transaction
  ActiveRecord::Base.transaction do
    # create associates record using active record connection
    Profile.create(name: "User", account_id: account.id)
    #~> foreign key constraint violation: given account_id is not present in table "accounts"
  end
end

The example above fails because, while the account record was created by Sequel’s connection, its transaction hasn’t yet been committed at the time Active Record’s connection attempted to create the associated profile record. Even though Active Record’s transaction block is physically nested inside Sequel’s, transactions are tied to connections that opened them, so as far as the database is concerned these are two independent transactions.

Moreover, if Sequel did use its own database connection, that would mean the number of open connections to the database would double, which could impact performance and hit maximum connection limits. So, I knew I needed to find a way to make Sequel reuse Active Record’s database connection instead of creating its own.

I decided to build this as a database extension for Sequel, which when loaded, switches Sequel to use Active Record’s database connection:

class Sequel
  class ActiveRecordConnection
    # ... database overrides ...
  end

  Database.register_extension(:activerecord_connection, ActiveRecordConnection)
end

DB = Sequel.connect(...)
DB.extension :activerecord_connection
DB.run "SELECT ..." # executed on Active Record's database connection

Reusing the connection

Sequel’s connection pool is the one in charge of creating new database connections when they’re needed. So, the first and most important step was to bypass it, and retrieve Active Record’s database connection instead.

The Sequel connection is retrieved in Database#synchronize, which gets called for every query, so that’s the ideal place to put the override:

class Sequel::ActiveRecordConnection
  def synchronize(*)
    yield activerecord_connection.raw_connection
  end

  private

  def activerecord_connection
    ActiveRecord::Base.connection
  end
end

DB.synchronize do |connection|
  connection # Active Record's connection object
end

I also needed to account for the fact that Sequel adapters use different connection options than Active Record, and store prepared statements in the connection object. For SQLite and MySQL handling this required relatively little code, while for PostgreSQL I unfortunately needed to copy-paste methods defined on Sequel adapter’s subclass of PG::Connection.

Syncing transaction state

Both Sequel and Active Record track which transactions are in progress and in which order. Currently, even though the connection is shared, Sequel doesn’t know about transactions opened by Active Record and vice-versa.

DB.transaction do
  ActiveRecord::Base.connection.open_transactions #=> 0
end

ActiveRecord::Base.transaction do
  DB.in_transaction? #=> false
end

Syncing this state is important for handling nested transaction blocks, which should either reuse the outer transaction or use a savepoint, depending on the setup. Sequel saves informations about transactions for each connection in @transactions instance variable:

DB.transaction(auto_savepoint: true) do |conn|
  DB.instance_variable_get(:@transactions)[conn] #=> {savepoints: [{auto_savepoint: true}]}

  DB.transaction do # creates a savepoint
    DB.instance_variable_get(:@transactions)[conn] #=> {savepoints: [{auto_savepoint: true}, {auto_savepoint: nil}]}
  end
end

We’ll override the method accessing this instance variable, and sync state about any transactions opened by Active Record:

class Sequel::ActiveRecordConnection
  # ...
  private

  def _trans(conn)
    hash = super || { savepoints: [], activerecord: true }

    # add any transactions/savepoints opened via Active Record
    while hash[:savepoints].length < activerecord_connection.open_transactions
      hash[:savepoints] << { activerecord: true }
    end
    # remove any transactions/savepoints closed via Active Record
    while hash[:savepoints].length > activerecord_connection.open_transactions && hash[:savepoints].last[:activerecord]
      hash[:savepoints].pop
    end
    # sync knowledge about joinability of current Active Record transaction/savepoint
    if activerecord_connection.transaction_open? && !activerecord_connection.current_transaction.joinable?
      hash[:savepoints].last[:auto_savepoint] = true
    end

    if hash[:savepoints].empty? && hash[:activerecord] # Active Record closed last transaction
      Sequel.synchronize { @transactions.delete(conn) }
    else
      Sequel.synchronize { @transactions[conn] = hash }
    end

    super
  end
  # ...
end

ActiveRecord::Base.transaction(requires_new: true) do
  DB.in_transaction? #=> true
  DB.transaction do
    DB.send(:in_savepoint?) #=> true
  end
end

This takes care of Sequel state, now we need to ensure that Active Record’s state is updated when opening transactions via Sequel. We can do this by calling Active Record for beginning, committing, and rolling back transactions:

class Sequel::ActiveRecordConnection
  # ...
  private

  def begin_transaction(conn, opts = OPTS)
    activerecord_connection.begin_transaction(joinable: !opts[:auto_savepoint])
  end

  def commit_transaction(conn, opts = OPTS)
    activerecord_connection.commit_transaction
  end

  def rollback_transaction(conn, opts = OPTS)
    activerecord_connection.rollback_transaction
  end
  # ...
end

DB.transaction(auto_savepoint: true) do
  ActiveRecord::Base.connection.open_transactions #=> 1
  ActiveRecord::Base.transaction do
    ActiveRecord::Base.connection.open_transactions #=> 2
  end
end

Fixing transaction hooks

Because we’ve preserved the format of transaction state, Sequel’s after commit/rollback hooks still work when Sequel holds the outer transaction:

DB.transaction do
  DB.after_commit { puts "=> after commit" }
  DB.after_rollback { puts "=> after rollback" }
  DB.run "SELECT 1"
end
# BEGIN
# SELECT 1
# COMMIT
# => after commit

However, they don’t work when Active Record holds the outer transaction, because in that case Active Record is the one committing the transaction, and Sequel doesn’t get notified.

ActiveRecord::Base.transaction do
  DB.after_commit { puts "doesn't get called" }
  DB.run "SELECT 1"
end
# BEGIN
# SELECT 1
# COMMIT

We can fix this by using the after_commit_everywhere gem to register after commit/rollback callbacks into Active Record when it holds the outer transaction. Sequel will call either #add_transaction_hook or #add_savepoint_hook method, depending on whether the hook was registered within a transaction or a savepoint, so we’ll override those:

$ gem install after_commit_everywhere

require "after_commit_everywhere"

class Sequel::ActiveRecordConnection
  # ...
  private

  def add_transaction_hook(conn, type, block)
    if _trans(conn)[:activerecord] # Active Record holds the outer transaction
      AfterCommitEverywhere.public_send(type, &block)
    else
      super
    end
  end

  def add_savepoint_hook(conn, type, block)
    if _trans(conn)[:savepoints].last[:activerecord] # Active Record holds the savepoint
      AfterCommitEverywhere.public_send(type, &block)
    else
      super
    end
  end
  # ...
end

ActiveRecord::Base.transaction do
  DB.after_commit { puts "=> gets called" }
  DB.run "SELECT 1"
end
# BEGIN
# SELECT 1
# COMMIT
# => gets called

Instrumenting SQL queries

Active Record logs its SQL queries through a log subscriber that listens for sql.active_record notifications. To make the integration seamless, I wanted Sequel’s SQL queries to be logged via Active Record’s logger.

Sequel logging is happening in Database#log_connection_yield, so we’ll want to override that, and instrument the query execution with Active Support:

class Sequel::ActiveRecordConnection
  # ...
  def log_connection_yield(sql, conn, args = nil)
    sql += "; #{args.inspect}" if args # include bound variables in the output

    activerecord_log(sql) { super }
  end

  private

  def activerecord_log(sql)
    ActiveSupport::Notifications.instrument(
      "sql.active_record",
      sql:        sql,
      name:       "Sequel",
      connection: activerecord_connection,
      &block
    )
  end
  # ...
end

ActiveRecord::Base.logger = Logger.new($stdout)

DB[:records].where(foo: "bar").all
#>> Sequel (0.7ms) SELECT * "records" WHERE "foo" = 'bar'

Wrapping it up

I committed the initial version into the rodauth-rails gem, but I soon realized that getting Sequel to reuse Active Record’s database connection is not specific to Rodauth, so I extracted it into the sequel-activerecord_connection gem.

I’m glad I did, because it opened doors that weren’t previously open. People can now try out Sequel alongside Active Record without any performance cost or mental overhead, which can be pretty handy given that Sequel can do lots of things Active Record can’t.

It took several iterations to get the implementation right, but extracting it into its own gem helped me focus on this problem in isolation, and converge on the correct behaviour. The end result is a solution that covers much wider use cases than the original problem.

We’re using Active Record for interaction with our primary database, which gained support for multiple databases in version 6.0. However, given that we expected the queries to our analytics database would be fairly complex, and that we’d probably need to be retrieving large quantities of time-series data (which could be performance-sensitive), I decided it would be a good opportunity to use Sequel instead.

Thanks to Sequel’s advanced Postgres support, I was able to utilize many cool Postgres features that helped me implement this task efficiently. Since not all of these features are common, I wanted to showcase them in this article, and at the same time demonstrate what Sequel is capable of. :metal:

Table partitioning

I mentioned that our analytics data is time-series, which means that we’re storing snapshots of our product data for each day. This results in a large number of new records every day, so in order to keep query performance at acceptable levels, I’ve decided to try out Postgres’ table partitioning feature for the first time.

What this feature does is allow you to split data that you would otherwise have in a single table into multiple tables (“partitions”) based on certain conditions. These conditions most commonly specify a range or list of column values, though you can also partition based on hash values. Postgres’ query planner then determines which partitions it needs to read from (or write to) based on the SQL query. This can drammatically improve performance for queries where most partitions have been filtered out during the query planning phase.

Sequel supports Postgres’ table partitioning out-of-the-box. In order to create a partitioned table (i.e. a table we can create partitions of), we need to specify the column(s) we want to partition by (:partition_by), as well as the type of partitioning (:partition_type). In our app, we wanted to have monthly partitions of product data for each client, so our schema migration contained the following table definition:

DB.create_table :products, partition_by: [:instance_id, :date], partition_type: :range do
  Date    :date,        null: false
  Integer :instance_id, null: false # in our app "instances" are e-shops
  String  :product_id,  null: false

  # Postgres requires the columns we're partitioning by to be part of the
  # primary key, so we create a composite primary key
  primary_key [:date, :instance_id, :product_id]

  jsonb :data         # general data about the product
  jsonb :competitors  # data about this product from other competitors
  jsonb :statistics   # sales statistics about the product
  jsonb :applied_rule # information about our repricing of the product
end

The partitioned table above acts as sort of an abstract table, in the sense that it won’t contain any data by itself, but instead it allows partitions to be created from it, which will be the ones holding the data. For example, let’s create a partition of this table which will hold data for an e-shop with ID of 10 for March 2021:

DB.create_table? :products_10_202103, partition_of: :products do
  from 10, Date.new(2021, 3, 1)
  to 10, Date.new(2021, 4, 1) # this end is excluded from the range
end

The arguments we pass to from and to are the values of columns we’ve specified in :partition_by on the partitioned table (we have two arguments because we specified two columns – :instance_id and :date). The name of the table partition is custom, in this example I’ve just chosen a products_<INSTANCE_ID>_YYYYMM naming convention. Given that we’re creating these partitions on-the-fly (as opposed to in a schema migration), I’ve used Sequel’s create_table? to handle the case when the partition already exists, which generates a CREATE TABLE IF NOT EXISTS query.

Once we’ve created the partitions and populated them with data, we can just reference the main table in our queries, and Postgres will know which partition(s) it should direct the queries to.

# queries partition `products_10_202101`
DB[:products].where(instance_id: 10, date: Date.new(2021, 1, 1)).to_a

# queries partitions `products_29_202102` and `products_29_202103`
DB[:products].where(instance_id: 29, date: Date.new(2021, 2, 1)..Date.new(2021, 3, 31)).to_a

# creates the record in partition `products_13_202012`
DB[:products].insert(instance_id: 13, date: Date.new(2020, 12, 25), product_id: "abc123", ...)

Upserts

We have 4 types of product data, each of which is retrieved, aggregated, and stored in a separate background job. Previously, each background job was writing to a separate CSV file, but now they would all be writing to a single table, either creating new records or updating existing records with new data.

The simplest option which is also concurrency-safe was to use Postgres’ INSERT ... ON CONFLICT ..., also known as “upsert”. Sequel supports upserts with all its parameters via #insert_conflict:

DB[:products]
  .insert_conflict # by default ignores insert that fails unique constraint violation
  .insert(instance_id: 10, date: Date.new(2021, 1, 1), product_id: "abc123")

# INSERT INTO products (instance_id, date, product_id)
# VALUES (10, '2021-01-01', 'abc123')
# ON CONFLICT DO NOTHING

In my task, I needed each background job to only store data it is responsible for, and that these jobs can be executed in any order. So, the background job which was responsible for storing general product data into the analytics database had the following code:

product_data #=>
# [
#   { instance_id: 10, date: Date.new(2021, 1, 1), product_id: "111", data: { ... } },
#   { instance_id: 10, date: Date.new(2021, 1, 1), product_id: "222", data: { ... } },
#   { instance_id: 10, date: Date.new(2021, 1, 1), product_id: "333", data: { ... } },
#   ...
# ]

product_data.each_slice(1000) do |values|
  DB[:products]
    .insert_conflict(
      target: [:date, :instance_id, :product_id],
      update: { data: Sequel[:excluded][:data] }
    )
    .multi_insert(values)
end

# INSERT INTO products (...) VALUES (...)
# ON CONFLICT (date, instance_id, product_id) DO UPDATE data = excluded.data

The above inserts values in batches of 1,000 records, and when the record already exists, only the data column value is replaced. In general, when a conflict happens, Postgres exposes the values we’ve tried to insert under the excluded qualifier. So, in the DO UPDATE clause we were able to do data = excluded.data, which updates only the data column. In this case, Postgres also requires us to specify the column(s) involved in the unique index, which in our case are date, instance_id, and product_id that form the primary key.

COPY

Now that we’ve covered the important bits involved in modifying the code to write new data into Postgres, what remains is efficiently migrating all the historical data from our CSV files into Postgres.

The fastest way to import CSV data into a Postgres table is using COPY FROM, which Sequel supports via #copy_into:

DB.copy_into :records,
  format: "csv",
  options: "HEADERS true",
  data: File.foreach("records.csv")

In my case, I couldn’t import the CSV files directly into the products table, because I wanted to write most of the fields into JSONB columns. So I first imported the CSV data into a temporary table whose columns matched the CSV data, and then copied the data from that table into the end products table in the desired format.

data = File.foreach("products_10.csv")
columns = File.foreach("products_10.csv").first.chomp.split(",")
temp_table = :"products_#{SecureRandom.hex}"

DB.create_table temp_table do
  columns.each do |column|
    String column.to_sym
  end
end

DB.copy_into temp_table, format: "csv", options: "HEADERS true", data: data

DB[temp_table].paged_each.each_slice(1000) do |products|
  DB[:products].insert products.map { |product| ... } # transform into desired format
end

DB.drop_table temp_table

Inserting from SELECT

Notice how in the last example we were fetching data from the temporary table, transforming it in Ruby, then writing the result in batches into the destination table. This is a common way people copy data, but it’s actually pretty inefficient, both in terms of memory usage and speed.

What we can do instead is transform the data via a SELECT statement, and then pass it directly to INSERT. This way we avoid retrieving any data on the client side, and we allow Postgres to determine the most efficient way to copy the data.

INSERT INTO my_table (col1, col2, col3, ...)
SELECT val1, val2, val3, ... FROM another_table WHERE ...

Sequel’s #insert method supports this feature by accepting a dataset object:

DB[:products].insert [:instance_id, :date, :product_id, :data], DB[temp_table].select(...)

I’ve covered this topic in more depth in my recent article, which includes a benchmark illustrating the performance benefits of this approach.

Unlogged tables

Lastly, writing data into a temporary table does create some overhead, which we can reduce by making the temporary table “unlogged”. With this setting, data written to this table is not written to Postgres’ write-ahead log (used for crash recovery), which makes the writing speed considerably faster than in ordinary tables.

Sequel allows creating unlogged tables by passing the :unlogged option to #create_table:

DB.create_table temp_table, unlogged: true do
  # ...
end
# CREATE UNLOGGED TABLE products_5ea6fe37d2fde562 (...)

Loose count

During this migration, I’ve often wanted to check the total number of records, to verify that the migration was performed for all of our customers. The problem is that the regular SELECT count(*) ... query can be slow for larger amounts of records.

# can take some time:
DB[:products].where(instance_id: 10).count
# SELECT count(*) FROM products WHERE instance_id = 10

Luckily, Postgres stores a rough number of records for each table, which can be retrieved very fast, and in my case that was more than sufficient. I wouldn’t have found about this Postgres feature if I hadn’t come across Sequel’s pg_loose_count extension:

DB.extension :pg_loose_count
DB.tables
  .grep(/products_10_.+/) # select only partitions for e-shop with ID of 10
  .sum { |partition| DB.loose_count(partition) } # fast count

Conclusion

With Sequel and Postgres I was able to use table partitioning to store time-series data in a way that’s efficient to query, import large amounts of historical data from CSV files into a temporary unlogged table, and transform it and write it into the destination table all in SQL, while checking the data migration progress with Postgres’ loose record counts.

All these Postgres features helped me to efficiently handle time-series data and import historical data, and I didn’t have to make any comporomises, thanks to Sequel supporting me every step of the way.

class RodauthController < ApplicationController
  def omniauth
    # ...
    rodauth.login("omniauth") # logs the session in and redirects
  end
end

Could not log "process_action.action_controller" event.
/path/to/actionpack-6.1.1/lib/action_controller/log_subscriber.rb:26:in `block in process_action': undefined method `first' for nil:NilClass (NoMethodError)

Since I want the integration between Rodauth and Rails to be as smooth as possible, I decided to investigate.

Diving in

Let’s see the ActionController::LogSubscriber source code where the error happens:

# lib/action_controller/log_subscriber.rb
module ActionController
  class LogSubscriber < ActiveSupport::LogSubscriber
    # ...
    def process_action(event)
      # ...
        status = payload[:status]

        if status.nil? && (exception_class_name = payload[:exception].first) # <==== the exception happens here
          status = ActionDispatch::ExceptionWrapper.status_code_for_exception(exception_class_name)
        end
      # ...
    end
    # ...
  end
end

We can see that the issue happens because :exception data is missing from the instrumentation event payload. Let’s look at ActionController::Instrumentation next, which is in charge of instrumenting controller actions:

# lib/action_controller/metal/instrumentation.rb
class ActionController
  module Instrumentation
    def process_action(*)
      # ...
      ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
        result = super # <=== this calls our controller action
        payload[:response] = response
        payload[:status]   = response.status
        # ...
      end
    end
  end
end

We can see that, if our controller action raises an exception, the :status data will never be set. This ties to the status.nil? check we’ve seen in the ActionController::LogSubscriber.

The remaining part is to find where :exception is being set. Knowing that instrumentation is implemented in Active Support, I quickly found ActiveSupport::Notifications::Instrumenter:

# lib/active_support/notifications/instrumenter.rb
module ActiveSupport
  module Notifications
    class Instrumenter
      # ...
      def instrument(name, payload = {})
        # ...
        begin
          yield payload if block_given?
        rescue Exception => e
          payload[:exception] = [e.class.name, e.message] # <==== the exception is set here
          payload[:exception_object] = e
          raise e
        ensure
          finish_with_state listeners_state, name, payload
        end
      end
    end
  end
end

The problem

When Rodauth redirects, what is actually doing is throwing :halt with the rack response. This is how Roda implements redirection, and it’s common practice in non-Rails web frameworks (Sinatra and Cuba do it too). In our case, throwing exits from controller action and is caught by the Roda middleware.

Does throwing act the same way as raising an exception does? Initially it would appear so:

begin
  throw :halt
rescue Exception => exception
  puts "rescue: #{exception.inspect}"
  raise
ensure
  puts "ensure"
end

rescue: #<UncaughtThrowError: uncaught throw :halt>
ensure
~> uncaught throw :halt (UncaughtThrowError)

This makes sense to me, because uncaught throw is an exception. But then why wasn’t the rescue block that was supposed to set the :exception in the event payload being executed?

The picture starts getting clearer when we wrap the code with a catch block:

catch(:halt) do
  begin
    throw :halt
  rescue Exception => exception
    puts "rescue: #{exception.inspect}"
    raise
  ensure
    puts "ensure"
  end
end

ensure

We see that in this case the rescue block isn’t being executed, and this is precisely our scenario. This actually makes sense when you think about it, because a throw with a matching catch is not anything erroneous, it’s just a way to do an early return.

The solution

Now we know where the issue is, which is that Rails just wasn’t correctly handling a throw/catch scenario when processing controller actions. Fixing it was the easy part.

throw/catch is probably something you’ll rarely use, but it does have its use cases. I hope this article taught you a bit more about this lesser known Ruby feature.

Most common multifactor authentication methods include:

• TOTP (Time-based One-Time Passwords) – user has an app installed on their device that displays the authentication code, which is refreshed every 30 seconds

• SMS codes – user receives authentication codes on their phone via SMS when the application requests them

• Recovery codes – user is given a fixed set of one-time codes they can enter when logging in (this is typically used as a backup method)

• WebAuthn – user authenticates themselves using a security key or built-in platform biometric sensors (e.g. fingerprint)

In this article, I want to show you how to add multifactor authentication to a Rails app using Rodauth, which has built-in support for each of the multifactor authentication methods mentioned above. Compared to alternatives¹, Rodauth provides a much more integrated experience by shipping with complete endpoints, default HTML templates, session management, lockout logic and more². To keep the tutorial focused, we’ll be implementing just the first three methods, as they’re by far the most common.

We’ll be using the rodauth-rails gem, and we’ll be continuing off of the application we started building in my previous article. The goal functionality: allow users to set up TOTP as their primary MFA method, and use SMS codes and recovery codes as backup MFA methods.

TOTP

The TOTP functionality is provided by Rodauth’s otp feature. It depends on the rotp and rqrcode gems, so let’s first install those:

$ bundle add rotp rqrcode

Next, we need to create the required database table. For this we’ll use the migration generator provided by rodauth-rails:

$ rails generate rodauth:migration otp
# create  db/migrate/20201214200106_create_rodauth_otp.rb

$ rails db:migrate
# == 20201214200106 CreateRodauthOtp: migrating =======================
# -- create_table(:account_otp_keys)
# == 20201214200106 CreateRodauthOtp: migrated ========================

Now we can enable the otp feature in our Rodauth configuration:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    enable :otp
  end
end

This adds the following routes to our application:

• /otp-auth – authenticate via TOTP code
• /otp-setup – set up TOTP authentication
• /otp-disable – disable TOTP authentication
• /multifactor-manage – set up or disable available MFA methods
• /multifactor-auth – authenticate via available MFA methods
• /multifactor-disable – disable all MFA methods

To allow the user to configure MFA, let’s display a link to the /multifactor-manage route for managing MFA methods in our views:

<!-- app/views/application/_navbar.html.erb -->
<% if rodauth.logged_in? %>
  <!-- ... --->
  <%= link_to "Manage MFA", rodauth.two_factor_manage_path, class: "dropdown-item" %>
  <!-- ... --->
<% end %>

Now when the user logs in and clicks on “Manage MFA”, they’ll get redirected to the OTP setup page that Rodauth provides out-of-the-box³:

The user can now scan the QR code using an authenticator app such as Google Authenticator, Microsoft Authenticator or Authy, and enter the OTP code (along with their current password) to finish setting up OTP. As a developer, you can generate the code from the OTP secret using the ROTP gem:

$ rotp --secret omo2p3movepqyc222rp54v3cic7ky2au
409761

When the user with OTP set up logs in the next time, we want them to be automatically redirected to the OTP auth page. We can achieve this by requiring logged in users that have MFA set up to authenticate with 2nd factor, and tweaking the flash messages to make it feel like part of one signin:

# app/misc/rodauth_app.rb
class RodauthApp < Rodauth::Rails::App
  # ...
  route do |r|
    # ...
    # require MFA if the user is logged in and has MFA setup
    if rodauth.uses_two_factor_authentication?
      rodauth.require_two_factor_authenticated
    end
  end
end

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    # don't show error message when redirected after login
    two_factor_need_authentication_error_flash { flash[:notice] == login_notice_flash ? nil : super() }
    # show generic authentication message
    two_factor_auth_notice_flash { login_notice_flash }
  end
end

Recovery codes

After the user sets up TOTP, it’s recommended to also generate a set of “recovery” codes for them to save somewhere, which they can use on login in case they lose access to their TOTP device. This functionality is provided by Rodauth’s recovery_codes feature.

Let’s start by creating the required database table:

$ rails generate rodauth:migration recovery_codes
# create  db/migrate/20201214200106_create_rodauth_recovery_codes.rb

$ rails db:migrate
# == 20201217071036 CreateRodauthRecoveryCodes: migrating =======================
# -- create_table(:account_recovery_codes, {:primary_key=>[:id, :code]})
# == 20201217071036 CreateRodauthRecoveryCodes: migrated ========================

And enabling the recovery_codes feature in our Rodauth configuration:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    enable :otp, :recovery_codes
  end
end

This adds the following routes to our app:

• /recovery-auth – authenticate via a recovery code
• /recovery-codes – view & add recovery codes

We’ll now override the after_otp_setup hook to display recovery codes to the user after they’ve successfully set up TOTP, instead of the default redirect.

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    # automatically generate recovery codes after enabling first MFA method
    auto_add_recovery_codes? true
    # automatically remove recovery codes after disabling last MFA method
    auto_remove_recovery_codes? true
    # display recovery codes after TOTP setup
    after_otp_setup do
      set_notice_now_flash "#{otp_setup_notice_flash}, please make note of your recovery codes"
      return_response add_recovery_codes_view
    end
  end
end

We’ll also override the default Rodauth template to display the recovery codes in a nicer way. For convenience, we’ll add a download link for the recovery codes as well. Instead of adding a new endpoint, which would have to be password-protected to maintain security, we’ll just implement the download link in plain HTML using a data URL and download attribute.

$ rails generate rodauth:views recovery_codes

<!-- app/views/rodauth/add_recovery_codes.html.erb -->
<% content_for :title, rodauth.add_recovery_codes_page_title %>

<% if rodauth.recovery_codes.any? %>
  <p class="my-3">
    Copy these recovery codes to a safe location.
    You can also download them <%= link_to "here", "data:,#{rodauth.recovery_codes.join("\n")}", download: "myapp-recovery-codes.txt" %>.
  </p>

  <div class="d-inline-block mb-3 border border-info rounded px-3 py-2">
    <% rodauth.recovery_codes.each_slice(2) do |code1, code2| %>
      <div class="row text-info text-left">
        <div class="col-lg my-1 font-monospace"><%= code1 %></div>
        <div class="col-lg my-1 font-monospace"><%= code2 %></div>
      </div>
    <% end %>
  </div>
<% end %>

<!-- Used for filling in missing recovery codes later on -->
<% if rodauth.can_add_recovery_codes? %>
  <%== rodauth.add_recovery_codes_heading %>
  <%= render template: "rodauth/recovery_codes", layout: false %>
<% end %>

When the user now sets up TOTP, they will be shown a page like this:

And when they log into their account the next time, on the multifactor auth page they can choose to enter a recovery code instead of TOTP.

SMS codes

In addition to TOTP, it’s good practice to also provide the ability to use SMS codes for 2nd factor authentication. Rodauth provides a specialized sms_codes feature for this.

To set it up, we again create the required database table:

$ rails generate rodauth:migration sms_codes
# create  db/migrate/20201219173710_create_rodauth_sms_codes.rb

$ rails db:migrate
# == 20201219173710 CreateRodauthSmsCodes: migrating ==================
# -- create_table(:account_sms_codes)
# == 20201219173710 CreateRodauthSmsCodes: migrated ===================

And enable the sms_codes feature in the Rodauth configuration:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    enable :otp, :recovery_codes, :sms_codes
  end
end

This adds the following routes to our app:

• /sms-request – request the SMS code to be sent
• /sms-auth – authenticate via an SMS code
• /sms-setup – set up SMS codes authentication
• /sms-confirm – confirm the provided phone number
• /sms-disable – disable SMS codes authentication

When an SMS code is requested, Rodauth calls the sms_send method with the configured phone number and a corresponding text message. This method isn’t defined by default, since Rodauth doesn’t know how we want to send the SMS, instead we’re expected to implement sms_send:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    sms_send do |phone, message|
      # we need to implement this
    end
  end
end

We’ll use Twilio for sending SMS messages. Assuming we’ve set up an account, we’ll add the account SID, auth token, and phone number to Rails credentials:

$ rails credentials:edit

twilio:
  account_sid: <YOUR_ACCOUNT_SID>
  auth_token: <YOUR_AUTH_TOKEN>
  phone_number: <YOUR_PHONE_NUMBER>

Next, we’ll install the twilio-ruby gem, and create a wrapper class for the Twilio client that uses the configured credentials:

$ bundle add twilio-ruby

# app/misc/twilio_client.rb
class TwilioClient
  Error              = Class.new(StandardError)
  InvalidPhoneNumber = Class.new(Error)

  def initialize
    @account_sid = Rails.application.credentials.twilio.account_sid!
    @auth_token = Rails.application.credentials.twilio.auth_token!
    @phone_number = Rails.application.credentials.twilio.phone_number!
  end

  def send_sms(to, message)
    client.messages.create(from: @phone_number, to: to, body: message)
  rescue Twilio::REST::RestError => error
    # more details here: https://www.twilio.com/docs/api/errors/21211
    raise TwilioClient::InvalidPhoneNumber, error.message if error.code == 21211
    raise TwilioClient::Error, error.message
  end

  def client
    Twilio::REST::Client.new(@account_sid, @auth_token)
  end
end

Finally, we’ll implement sms_send using our new TwilioClient class. We’ll convert SMS sending errors into validation errors, making sure we roll back the wrapping database transaction to prevent phone number & code from being persisted:

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    sms_send do |phone, message|
      twilio = TwilioClient.new
      twilio.send_sms(phone, message)
    rescue TwilioClient::Error => error
      db.rollback_on_exit
      throw_error_status(422, sms_phone_param, sms_invalid_phone_message) if error.is_a?(TwilioClient::InvalidPhoneNumber)
      throw_error_status(500, sms_phone_param, "sending the SMS code failed")
    end
  end
end

When the user now visits the SMS authentication setup page on the multifactor manage page, they can enter their phone number and password, and then enter the SMS code they received to finish the SMS authentication setup.

Afterwards, when the user logs in the next time, in addition to authenticating via TOTP or a recovery code, they’ll now also be able to choose to authenticate via SMS.

Disabling multifactor authentication

In addition to setup and authentication, Rodauth also provides endpoints for disabling any MFA method, which require the user to confirm their password:

• /otp-disable – disable OTP authentication
• /sms-disable – disable multifactor authentication
• /multifactor-disable – disable all multifactor methods

The links for disabling MFA methods that have previously been set up are automatically displayed on the multifactor manage page:

Disabling a MFA method will take care of deleting any records associated to that account from the corresponding database table.

Closing words

In this tutorial we’ve shown how to add multifactor authentication functionality in Rails with Rodauth and rodauth-rails. We’ve enabled the user to set up TOTP as their primary MFA method, after which they receive a set of recovery codes, and have the possibility to also set up SMS as a backup MFA method.

We’ve seen that Rodauth ships with complete endpoints and default HTML templates for managing multiple MFA methods, and generally provides a much more integrated experience compared to the alternatives. Given that multifactor authentication is becoming an increasingly common requirement, it’s very useful to have a framework that supports it with the same level of standard as the other authentication features.

We’ll be working with a fresh Rails app using PostgresSQL, Hotwire, Bootstrap, home page, navbar, flash messages, and posts scaffold setup.

$ rails new blog --database=postgresql --css=bootstrap
$ cd blog
$ rails db:create
$ rails generate controller home index
$ rails generate scaffold post title:string body:text
$ rails db:migrate

# config/routes.rb
Rails.application.routes.draw do
  root to: "home#index"
  resources :posts
end

<!-- app/views/layouts/application.html.erb -->
<!-- ... -->
  <body>
    <%= render "navbar" %>

    <div class="container">
      <%= render "flash" %>
      <%= yield %>
    </div>
  </body>
<!-- ... -->

<!-- app/views/application/_flash.html.erb -->
<% if notice %>
  <div class="alert alert-success"><%= notice %></div>
<% end %>
<% if alert %>
  <div class="alert alert-danger"><%= alert %></div>
<% end %>

<!-- app/views/application/_navbar.html.erb -->
<nav class="navbar navbar-expand-sm navbar-light bg-light border-bottom mb-4">
  <div class="container">
    <%= link_to "Rails App", root_path, class: "navbar-brand" %>

    <div class="navbar-collapse">
      <ul class="navbar-nav">
        <li class="nav-item">
          <%= link_to "Posts", posts_path, class: "nav-link #{"active" if request.path.start_with?("/posts")}" %>
        </li>
      </ul>
    </div>
  </div>
</nav>

Installing Rodauth

Let’s start by adding the rodauth-rails gem to our Gemfile:

$ bundle add rodauth-rails

Next, we’ll run the rodauth:install generator provided by rodauth-rails:

$ rails generate rodauth:install

# create  db/migrate/20200820215819_create_rodauth.rb
# create  config/initializers/rodauth.rb
# create  config/initializers/sequel.rb
# create  app/misc/rodauth_app.rb
# create  app/misc/rodauth_main.rb
# create  app/controllers/rodauth_controller.rb
# create  app/models/account.rb
# create  app/mailers/rodauth_mailer.rb

This will create the Rodauth app and some default Rodauth configuration, configure Sequel which Rodauth uses for database interaction to reuse Active Record’s database connection, and generate a migration that will create tables for the loaded Rodauth features. Let’s run the migration:

$ rails db:migrate

# == CreateRodauth: migrating ==========================
# -- create_table(:accounts)
# -- create_table(:account_password_hashes)
# -- create_table(:account_password_reset_keys)
# -- create_table(:account_verification_keys)
# -- create_table(:account_login_change_keys)
# -- create_table(:account_remember_keys)
# == CreateRodauth: migrated ===========================

We’ll also need to set Action Mailer’s default URL options for Rodauth to be able to generate email links in RodauthMailer:

# config/environments/development.rb
Rails.application.configure do
  # ...
  config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
end

After restarting the Rails server, we should be able to open the /create-account page and see Rodauth’s default registration form.

Adding authentication links

Rodauth configuration generated by rodauth-rails provides several routes for authentication and account management:

$ rails rodauth:routes

# /login                   rodauth.login_path
# /create-account          rodauth.create_account_path
# /verify-account-resend   rodauth.verify_account_resend_path
# /verify-account          rodauth.verify_account_path
# /logout                  rodauth.logout_path
# /remember                rodauth.remember_path
# /reset-password-request  rodauth.reset_password_request_path
# /reset-password          rodauth.reset_password_path
# /change-password         rodauth.change_password_path
# /change-login            rodauth.change_login_path
# /verify-login-change     rodauth.verify_login_change_path
# /close-account           rodauth.close_account_path

Let’s use this information to add some main authentication links to our navbar:

<!-- app/views/application/_navbar.html.erb -->
<!-- ... --->
<% if rodauth.logged_in? %>
  <div class="dropdown">
    <button class="btn btn-info dropdown-toggle" data-bs-toggle="dropdown" type="button">
      <%= current_account.email %>
    </button>
    <div class="dropdown-menu dropdown-menu-end">
      <%= link_to "Change password", rodauth.change_password_path, class: "dropdown-item" %>
      <%= link_to "Change email", rodauth.change_login_path, class: "dropdown-item" %>
      <div class="dropdown-divider"></div>
      <%= link_to "Close account", rodauth.close_account_path, class: "dropdown-item text-danger" %>
      <%= link_to "Sign out", rodauth.logout_path, data: { turbo_method: :post }, class: "dropdown-item" %>
    </div>
  </div>
<% else %>
  <div>
    <%= link_to "Sign in", rodauth.login_path, class: "btn btn-outline-primary" %>
    <%= link_to "Sign up", rodauth.create_account_path, class: "btn btn-success" %>
  </div>
<% end %>
<!-- ... --->

Here we’re using the #current_account helper method that rodauth-rails provides, which returns the currently signed in account.

Now our application will show login and registration links when the user is not logged in:

While logged in users will see some basic account management links:

Requiring authentication

Now that we have working authentication, we’ll likely want to require the user to be authenticated for certain parts of our application. In our case, we want to authenticate the posts controller.

We could add a before_action callback to the controller, but Rodauth allows us to do this inside the Rodauth app’s route block, which is called before each Rails route. This way we can keep our authentication logic contained in a single place.

# app/misc/rodauth_app.rb
class RodauthApp < Rodauth::Rails::App
  # ...
  route do |r|
    # ...
    if r.path.start_with?("/posts")
      rodauth.require_authentication
    end
  end
end

Now visiting the /posts page will redirect the user to the /login page if they’re not logged in.

We’ll also want to associate the posts to the accounts table:

$ rails generate migration add_account_id_to_posts account:references
$ rails db:migrate

# app/models/account.rb
class Account < ApplicationRecord
  # ...
  has_many :posts
end

And scope them to the current account in the posts controller:

# app/controllers/posts_controller.rb
class PostsController < ApplicationController
  # ...
  def index
    @posts = current_account.posts.all
  end
  # ...
  def create
    @post = current_account.posts.build(post_params)
    # ...
  end
  # ...
  private
    def set_post
      @post = current_account.posts.find(params[:id])
    end
    # ...
end

Adding new fields

To have something other than an email address to display our users, let’s require users to enter their name during registration. This will also give us an opportunity to see how Rodauth can be configured.

Since we’ll need to edit the registration form, let’s first copy Rodauth’s HTML templates into our Rails application:

$ rails generate rodauth:views

# create  app/views/rodauth/_login_form.html.erb
# create  app/views/rodauth/_login_form_footer.html.erb
# create  app/views/rodauth/_login_form_header.html.erb
# create  app/views/rodauth/login.html.erb
# create  app/views/rodauth/multi_phase_login.html.erb
# create  app/views/rodauth/logout.html.erb
# create  app/views/rodauth/create_account.html.erb
# create  app/views/rodauth/verify_account_resend.html.erb
# create  app/views/rodauth/verify_account.html.erb
# create  app/views/rodauth/reset_password_request.html.erb
# create  app/views/rodauth/reset_password.html.erb
# create  app/views/rodauth/change_password.html.erb
# create  app/views/rodauth/change_login.html.erb
# create  app/views/rodauth/close_account.html.erb

We can now open the create_account.erb template and add a new name field:

<!-- app/views/rodauth/create_account.erb -->
<%= form_with url: rodauth.create_account_path, method: :post, data: { turbo: false } do |form| %>
  <!-- new "name" field -->
  <div class="mb-3">
    <%= form.label :name, "Name", class: "form-label" %>
    <%= form.text_field :name, value: params[:name], required: true, class: "form-control #{"is-invalid" if rodauth.field_error("name")}", aria: ({ invalid: true, describedby: "login_error_message" } if rodauth.field_error("name")) %>
    <%= content_tag(:span, rodauth.field_error("name"), class: "invalid-feedback", id: "login_error_message") if rodauth.field_error("name") %>
  </div>
  <!-- ... -->
<% end %>

Since the user’s name won’t be used for authentication, let’s store it in a new profiles table, and associate the profiles table to the accounts table.

$ rails generate model Profile account:references name:string
$ rails db:migrate

# app/models/account.rb
class Account < ApplicationRecord
  # ...
  has_one :profile
end

We now need our Rodauth app to actually handle the new name parameter. We’ll validate that it’s filled in and create the associated profile record after the account is created.

# app/misc/rodauth_main.rb
class RodauthMain < Rodauth::Rails::Auth
  configure do
    # ...
    before_create_account do
      # Validate presence of the name field
      throw_error_status(422, "name", "must be present") unless param_or_nil("name")
    end
    after_create_account do
      # Create the associated profile record with name
      Profile.create!(account_id: account_id, name: param("name"))
    end
    after_close_account do
      # Delete the associated profile record
      Profile.find_by!(account_id: account_id).destroy
    end
    # ...
  end
end

Now we can update our navbar to use the user’s name instead of their email address:

  <button class="btn btn-info dropdown-toggle" data-bs-toggle="dropdown" type="button">
-   <%= current_account.email %>
+   <%= current_account.profile.name %>
  </button>

Closing words

In this tutorial we’ve gradually built out a complete authentication and account management flow using the Rodauth authentication framework. It supports login & logout, account creation with email verification and a grace period, password change & password reset, email change with email verification, and close account functionality. We’ve seen how to add authentication links, require authentication for certain routes, and add new fields to the registration form.

I’m personally very excited about Rodauth, as it has an impressive featureset and a refreshingly clean design, and also it’s not tied to Rails. I’ve been working hard on rodauth-rails to make it as easy as possible to get started with in Rails, so hopefully it will help Rodauth gain more traction in the Rails community.