I’m in the middle of writing an application in Elixir and Phoenix, so when I saw a link to an article by José Valim on an upcoming authentication solution for Phoenix, my initial reaction (before reading it) was negative. José is the author of the Devise framework for Ruby-on-Rails, so I assumed it was going to be the same idea, but for Elixir and Phoenix. I’ve implemented Devise in a handful of Rails apps, and each and every time I ended up ripping it out and writing my own auth solution (often based on this Railscasts tutorial). The reason is that while authentication works similarly in most apps, there are always 1 or 2 business requirements that fall outside of what Devise can do in a simple and straightforward manner. Yes, Devise is very flexible there are hooks to add logic and a number of extensions available, but that makes for code that is hard to follow and understand. And something as crucial as authentication needs to be well understood by the maintainers of any web application.
But to my great satisfaction, José said exactly this!
While this made Devise more flexible and general purpose, it also made it more complex. A complex codebase is harder to be audited, which is important in authentication systems. Furthermore, the existence of too many options and customization hooks makes it extremely hard to guarantee that the authentication system will continue be secure under all possible customization combinations.
His authentication “solution” is not a framework, but a code generator. It gets you started with the basic code you need to roll your own authentication. It’s not finished yet, but I’ve looked over the code and it’s exactly what I’ve been wanting for Phoenix. It will make spinning up a new app dramatically simpler. 👏