authentication-flow_skill

This skill helps you implement Rails 8 built-in authentication with a complete user, session, and password reset flow, including controllers and views.

269

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill thibautbaissac/rails_ai_agents --skill authentication-flow

  • SKILL.md7.5 KB

Overview

This skill implements Rails 8 built-in authentication generator and supplies a complete, production-ready auth flow without external gems. It scaffolds User, Session, and Current models, controller concerns, and views for login, logout, and password resets. Use it to quickly add secure session management, cookie-based authentication, and easy controller protection.

How this skill works

Run the generator to create models (User, Session, Current), controllers (Sessions, Passwords), and an authentication concern included into ApplicationController. The concern resumes sessions from signed cookies, enforces authentication by default, and provides helpers to start and terminate sessions. The User uses has_secure_password, Session generates secure tokens, and Current exposes request-local user access.

When to use it

  • When adding sign-up, sign-in, and sign-out flows to a Rails 8 app
  • When you need secure, cookie-based session handling without external gems
  • When protecting controllers and actions by default with opt-out for public pages
  • When implementing password reset flows and session tracking
  • When you want test helpers and request specs for auth scenarios

Best practices

  • Include the Authentication concern in ApplicationController to protect all actions by default
  • Use Current.user in controllers and views for request-scoped access; avoid heavy use in models
  • Store session tokens in signed, HttpOnly cookies and rotate or expire tokens for security
  • Write request specs for login, logout, and protected routes; use provided test helpers to sign_in/sign_out
  • Consider rate limiting the sessions#create action to protect against credential stuffing

Example use cases

  • Protecting an admin area so only authenticated users can access PostsController
  • Adding a ‘Remember me’ option by setting cookie expiry when starting a session
  • Implementing multi-device session tracking and an interface to terminate sessions
  • Building password reset flows using the generated PasswordsController and views
  • Writing RSpec request specs that assert redirects for unauthenticated access and successful sign-in flows

FAQ

The generator stores a session token in a signed, HttpOnly cookie. On each request the Authentication concern checks cookies.signed[:session_token], looks up the Session by token, and sets Current.session if found.

Can I allow public access to specific controller actions?

Yes. The Authentication concern provides allow_unauthenticated_access which calls skip_before_action for listed actions so those routes remain public.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational