Adding User Authentication to a Ruby on the Rails Application

Adding User authentication to a Ruby on the rails app. This follows the method discussed in “Agile Web Development with Rails”. Some of the example code is copied from there.

0. Create user database:

rails generate scaffold User name:string password_digest:string
rake db:migrate

1. Edit app/models/user.rb such that it reads:

class User < ActiveRecord::Base
  validates :name, presence: true, uniqueness: true
  has_secure_password # This makes the password a digest and forces you to enter it twice.

2. add bcrypt to the gemfile, edit Gemfile:

gem 'bcrypt-ruby'

You may need to run “bundle install”.

3. Edit the user edit form to add password confirmation:

app/views/users/_form.html.erb so that it reads as follows:

<%= form_for(@user) do |f| %>
  <% if @user.errors.any? %>
    <div id="error_explanation">
      <h2><%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:</h2>

      <% @user.errors.full_messages.each do |msg| %>
        <li><%= msg %></li>
      <% end %>
  <% end %>


  <div class="field">
    <%= f.label :name %><br />
    <%= f.text_field :name %>
  <div class="field">
    <%= f.label :password, 'Password' %><br />
    <%= f.password_field :password %>

    <%= f.label :password_confirmation, 'Confirm' %>:
    <%= f.password_field :password_confirmation %>

  <div class="actions">
    <%= f.submit %>

<% end %>

4. Create session controller…

rails generate controller Sessions new create destroy

Edit: app/controllers/sessions_controller.rb

Should look like this following edits:

class SessionsController < ApplicationController
  skip_before_filter :authorize

  def new

  def create
    user = User.find_by_name(params[:name])
    if user and user.authenticate(params[:password])
      session[:user_id] =
      #redirect_to admin_url # use this to redirect the user somewhere after login
      redirect_to login_url, alert: "Invalid user/password combination"

  def destroy
    session[:user_id] = nil


You should open localhost:3000/users at this point and create a user. We’ll be adding authentication next and you will need at least one user to be able to login and create more.

5. Create the login page.

Your ads will be inserted here by

Easy AdSense Pro.

Please go to the plugin admin page to paste your ad code.

Edit app/views/sessions/new.html.erb to read:

<div class="depot_form" >
<% if flash[:alert] %>
<p id="notice" ><%= flash[:alert] %></p>
<% end %>

<%= form_tag do %>
<legend>Please Log In</legend>

<label for="name" >Name:</label>
<%= text_field_tag :name, params[:name] %>

<label for="password" >Password:</label>
<%= password_field_tag :password, params[:password] %>

<%= submit_tag "Login" %>
<% end %>

Edit the route controller:

config/routes.rb remove:

  get "sessions/new"

  get "sessions/create"

  get "sessions/destroy"


  controller :sessions do
    get 'login' => :new
    post 'login' => :create
    delete 'logout' => :destroy

6. Now we need to add a “filter” to provide for authenication:

edit app/controllers/application_controller.rb

It should read as follows:

class ApplicationController < ActionController::Base

  before_filter :authorize

  # ...


  def authorize
    unless User.find_by_id(session[:user_id])
      redirect_to login_url, notice: "Please log in"

7. You’ll need to skip authorisation for all controllers that don’t need a login.

The following with skip authorisation for all methods in a controller add the following after the beginning of the class definiton:

skip_before_filter :authorize

For particular methods:

skip_before_filter :authorize, only: [:create, :update, :destroy]

8. Logoff code:

Add the following on pages where you want a logoff button:

<% if session[:user_id] %>
<%= button_to 'Logout', logout_path, method: :delete %>
<% end %>
<div id="main" >
<%= yield %>
  • Amanda Abelove

    Great tutorial! To make it work… users controller needs to say:

    # Never trust parameters from the scary internet, only allow the white list through.
    def user_params
    params.require(:user).permit(:name, :password, :password_confirmation)