- Home
- Skills
- Thibautbaissac
- Rails Ai Agents
- Authentication Flow
authentication-flow_skill
269
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill thibautbaissac/rails_ai_agents --skill authentication-flow- SKILL.md7.5 KB
Overview
This skill implements Rails 8 built-in authentication generator and supplies a complete, production-ready auth flow without external gems. It scaffolds User, Session, and Current models, controller concerns, and views for login, logout, and password resets. Use it to quickly add secure session management, cookie-based authentication, and easy controller protection.
How this skill works
Run the generator to create models (User, Session, Current), controllers (Sessions, Passwords), and an authentication concern included into ApplicationController. The concern resumes sessions from signed cookies, enforces authentication by default, and provides helpers to start and terminate sessions. The User uses has_secure_password, Session generates secure tokens, and Current exposes request-local user access.
When to use it
- When adding sign-up, sign-in, and sign-out flows to a Rails 8 app
- When you need secure, cookie-based session handling without external gems
- When protecting controllers and actions by default with opt-out for public pages
- When implementing password reset flows and session tracking
- When you want test helpers and request specs for auth scenarios
Best practices
- Include the Authentication concern in ApplicationController to protect all actions by default
- Use Current.user in controllers and views for request-scoped access; avoid heavy use in models
- Store session tokens in signed, HttpOnly cookies and rotate or expire tokens for security
- Write request specs for login, logout, and protected routes; use provided test helpers to sign_in/sign_out
- Consider rate limiting the sessions#create action to protect against credential stuffing
Example use cases
- Protecting an admin area so only authenticated users can access PostsController
- Adding a ‘Remember me’ option by setting cookie expiry when starting a session
- Implementing multi-device session tracking and an interface to terminate sessions
- Building password reset flows using the generated PasswordsController and views
- Writing RSpec request specs that assert redirects for unauthenticated access and successful sign-in flows
FAQ
The generator stores a session token in a signed, HttpOnly cookie. On each request the Authentication concern checks cookies.signed[:session_token], looks up the Session by token, and sets Current.session if found.
Can I allow public access to specific controller actions?
Yes. The Authentication concern provides allow_unauthenticated_access which calls skip_before_action for listed actions so those routes remain public.