[GO] Story of implementing login function using gem sorcery

What did you do

I implemented the login function using a gem called sorcery. It was my first time to use a gem, and there were few documents that could be seen in Japanese, so I would like to make a runbook and manual for myself.

The execution environment is as follows.

What kind of gem?

It is a gem with the minimum logic for authentication, and aims to increase or extend methods as needed by the user.

▼ Click here for official documents Sorcery/sorcery

Introduction method

The steps in this article generally follow the Official Tutorial (https://github.com/Sorcery/sorcery/wiki/Simple-Password-Authentication). It describes from the introduction of Gem to the implementation of login / logout function.

The procedure is as follows. First, write the following in the Gemfile ...


gem 'sorcery'

bundle install.

Then, if you execute the following command

$ rails generate sorcery:install

The following files will be generated.

create  app/models/user.rb
create  db/migrate/XXXXXXXXX_sorcery_core.rb

Also, here is the content of the generated migration file.


class SorceryCore < ActiveRecord::Migration[5.2]
  def change
    create_table :users do |t|
      t.string :email,            null: false
      t.string :crypted_password
      t.string :salt

      t.timestamps                null: false
    add_index :users, :email, unique: true

You still know the crypted_password, but the salt column is a mystery, isn't it? I found this article on the WEB, the following is the Google Translate.

Standard encryption uses "salt" to make password hashes more secure. Sorcery does this by combining a random string at the end of the password and storing that string in the salt field.

So that's it. .. .. Do rails db: migrate and the installation is completed successfully.

Implementation (1): User creation

View The data in the crypted_password and salt columns is not written in the view so that the user cannot directly change or display it. Instead, the view uses password and password_confirmation.


= form_with model: @user, local: true do |f|
  = f.label :email
  = f.text_field :email
  = f.label :password
  = f.password_field :password
  = f.label :password_confirmation
  = f.password_field :password_confirmation
  = f.submit "Registration"


Also, the controller strong_paramater will allow you to receive password and password_confirmation respectively.


class UsersController < ApplicationController
  # ...

  def user_params
    params.require(:user).permit(:email, :password, :password_confirmation)

Model The model file is described as follows.


class User < ActiveRecord::Base

  validates :password, length: { minimum: 3 }, if: -> { new_record? || changes[:crypted_password] }
  validates :password, confirmation: true, if: -> { new_record? || changes[:crypted_password] }
  validates :password_confirmation, presence: true, if: -> { new_record? || changes[:crypted_password] }

  validates :email, uniqueness: true

First, use authenticates_with_sorcery! to give the Uder model the ability to authenticate with sorcery. For columns that are not in the model, such as password and password_confirmation

validates :password, confirmation: true, if: -> { new_record? || changes[:crypted_password] }

This description makes sorcery aware that it is the contents of the encrypted_password column.


As an aside, the new_redord? Method looks like Active Record's method to determine if an instance is newly created ...: relaxed: (I didn't know & & useful! )

Also, the following if:-> is Symbols, Lambdas and Proc parts of conditional validation. I'm not good at it, so I have to do my best to review it. .. ..

Try on the console

Once you've done that, try rails c to make sure the user can create it successfully.

> User.create!(email: "[email protected]", password: "test12345", password_confirmation: "test12345")

> User.last
=> #<User:0x00007fb37b8b4d28
 id: 1,
 email: "[email protected]",
 salt: "QapQbW9crUf1QixW2BD7",
 username: "testuser",
 created_at: Tue, 22 Dec 2020 14:48:37 UTC +00:00,
 updated_at: Tue, 22 Dec 2020 14:48:37 UTC +00:00>

You have successfully created a user with crypted_password and salt: relaxed:


By the way, I noticed that I didn't describe the methods of the Users controller, so I will give you the whole picture of users_controller.


class UsersController < ApplicationController
  def new
    @user = User.new

  def create
    @user = User.new(user_params)
    if @user.save
      redirect_to login_path
      flash[:notice] = 'You have successfully created a user'
      flash.now[:alert] = 'Failed to create user'
      render :new


  def user_params
    params.require(:user).permit(:username, :email, :password, :password_confirmation)

Now you can also create users from the screen ^ ^

Implementation (2): Creation of login / logout function

Now, I would like to implement the login / logout function. The methods provided by sorcery are described in Official part here.

According to it, the login method can take three arguments: email, password, and remenber_me (default value is false).

login(email, password, remember_me = false)

This time, we are not using the remenber_me function, so we will implement the login function with email and password. First, generate a controller from the terminal ...

$ rails g controller UserSessions new create destroy

I will describe the controller.


class UserSessionsController < ApplicationController
  def new

  def create
    @user = login(params[:email], params[:password])

    if @user
      redirect_back_or_to(new_user_path, notice: 'Login was successful')
      flash.now[:alert] = 'I failed to login'
      render :new

  def destroy
    redirect_to(login_path, notice: 'logged out')

redirect_back_or_to is a function that realizes friendly forwarding with sorcery, and according to this description, it takes(url, flash_hash = {})as an argument. ..

Variable name = {} is the way to write when receiving the entire hash as an argument. It was written on p.165 of Cherry Book.

The logout method doesn't need any explanation.

Router The routing is defined as follows.


Rails.application.routes.draw do

  get 'login', to: 'user_sessions#new'  #Postscript
  post 'login', to: 'user_sessions#create'  #Postscript
  delete 'logout', to: 'user_sessions#destroy'  #Postscript
  root 'users#new'

  resources :users, only: %i(new create)

I don't think there is any particular explanation here either.


Finally, View is defined as follows: Again, I didn't have to worry about it.


    = render 'shared/header'
    = yield

The logged_in? Below is a ** sorcery method that can be used in views **, according to the Official Documentation (https://github.com/Sorcery/sorcery#core).


h1 AppName
  - if logged_in?
    = link_to 'Log out', logout_path, method: :delete
  - else
    = link_to 'Login', login_path


= form_with url: login_path, method: :post do |f|
  = f.label :email
  = f.text_field :email
  = f.label :password
  = f.password_field :password
  = f.submit 'Login'


With the above, the login / logout method has been implemented. I will improve the appearance etc. from now on, but it was easier than I imagined ^ ^ Image from Gyazo

Image from Gyazo

As for the impression, since I made it for the first time, I felt that it was a hassle to make a simple login form using the default functions of Rails without using Gem etc.

I didn't feel that the implementation was quirky like in devise, and there seems to be SNS authentication etc. in the method list that can be realized with sorcery, so I would like to continue trying various things ^ ^

