cole-robertson/inertia-rails-skills
Overview
This skill implements authentication and authorization for Inertia + Rails apps, providing ready patterns for Devise, has_secure_password, session handling, and permission propagation to the frontend. It focuses on secure, session-based flows that work with Inertia’s shared props model so your Vue or React pages receive auth state and per-record permissions. The goal is practical, secure defaults for sign-in, registration, password reset, protected routes, and history encryption.
How this skill works
The skill wires Rails authentication (Devise or has_secure_password) into Inertia by sharing minimal auth state via inertia_share and sending permission flags as props from controllers. Controllers render Inertia responses with can: hashes for global and per-record authorization checks (Pundit or Action Policy), while client components read auth and can props to conditionally render UI. It also configures encrypted history, CSRF protection, and clear-history logout flows to prevent sensitive data leakage.
When to use it
- Setting up sign-in, sign-out, registration, and password reset pages in an Inertia Rails app
- Exposing current user info and signed_in state to Vue or React pages without leaking sensitive attributes
- Enforcing server-side permissions while showing permitted UI actions on the frontend
- Protecting admin or role-based areas with before_action checks and per-controller requirements
- Preventing back-button access to sensitive data after logout via encrypted history and clear_history
Best practices
- Share only minimal user fields (id, name, email, avatar_url) via inertia_share to avoid data leaks
- Always enforce authorization server-side (authorize/allowed_to?) and only mirror results to the client
- Use secure session configuration (secure, httponly, same_site) and graceful session expiry handling
- Enable CSRF protection and rely on Rails/XSRF cookie integration with Inertia/axios
- Rotate or clear encrypted history on logout to prevent back-button exposure of sensitive views
Example use cases
- Add Devise sign-in and registration pages that post via Inertia form helpers and return errors as props
- Implement has_secure_password sessions with server-side authenticate, session[:user_id], and inertia_share
- Render users index with can.create_user and per-user can.edit/can.delete flags for UI controls
- Protect an admin namespace with require_admin! and enable inertia_config(encrypt_history: true) for admin controllers
- Implement a password reset flow that never leaks whether an email exists and returns token state for the edit page
FAQ
No. Inertia works well with session-based Rails auth because frontend and backend share the same domain; use sessions and standard Rails auth gems.
How do I show permissions in the frontend?
Compute permission boolean values server-side (Pundit or Action Policy) and include them in the inertia render payload as global can flags and per-record can hashes for components to read.
5 skills
This skill helps you implement and share session-based authentication and authorization in Inertia Rails apps using Devise or has_secure_password.
This skill helps you implement Inertia Rails best practices across server setup, props, forms, navigation, security, and testing for robust apps.
This skill enables server-side rendering for Inertia Rails apps to boost SEO and first-load performance.
This skill provides practical Inertia Rails patterns and components, enabling rapid UI, modal usage, and cohesive starter-kit customization.
This skill helps optimize Inertia Rails apps by implementing code splitting, deferred props, prefetching, and partial reloads for faster, scalable UIs.