fernandezbaptiste/authentication-flow
skills/authentication-flow/SKILL.md
Implements authentication using Rails 8 built-in generator. Use when setting up user authentication, login/logout, session management, password reset flows, or securing controllers.
$ install --global
skillsauthnpx skillsauth add fernandezbaptiste/rails_ai_agents authentication-flowInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 25, 2026, 2:44 PM27.1s3 files scanned
SKILL.md
- name:
- authentication-flow
- description:
- Implements authentication using Rails 8 built-in generator. Use when setting up user authentication, login/logout, session management, password reset flows, or securing controllers.
- allowed-tools:
- Read, Write, Edit, Bash
Rails 8 Authentication
Overview
Rails 8 includes a built-in authentication generator that creates a complete, secure authentication system without external gems.
Quick Start
# Generate authentication
bin/rails generate authentication
# Run migrations
bin/rails db:migrate
This creates:
Usermodel withhas_secure_passwordSessionmodel for secure sessionsCurrentmodel for request-local storage- Authentication concern for controllers
- Session and Password controllers
- Login/logout views
Generated Structure
app/
├── models/
│ ├── user.rb # User with has_secure_password
│ ├── session.rb # Session tracking
│ └── current.rb # Current.user accessor
├── controllers/
│ ├── sessions_controller.rb # Login/logout
│ ├── passwords_controller.rb # Password reset
│ └── concerns/
│ └── authentication.rb # Auth helpers
└── views/
├── sessions/
│ └── new.html.erb # Login form
└── passwords/
├── new.html.erb # Forgot password
└── edit.html.erb # Reset password
Core Components
User Model
# app/models/user.rb
class User < ApplicationRecord
has_secure_password
has_many :sessions, dependent: :destroy
normalizes :email_address, with: -> { _1.strip.downcase }
validates :email_address, presence: true, uniqueness: true,
format: { with: URI::MailTo::EMAIL_REGEXP }
end
Session Model
# app/models/session.rb
class Session < ApplicationRecord
belongs_to :user
before_create { self.token = SecureRandom.urlsafe_base64(32) }
def self.find_by_token(token)
find_by(token: token) if token.present?
end
end
Current Model
# app/models/current.rb
class Current < ActiveSupport::CurrentAttributes
attribute :session
delegate :user, to: :session, allow_nil: true
end
Authentication Concern
# app/controllers/concerns/authentication.rb
module Authentication
extend ActiveSupport::Concern
included do
before_action :require_authentication
helper_method :authenticated?
end
class_methods do
def allow_unauthenticated_access(**options)
skip_before_action :require_authentication, **options
end
end
private
def authenticated?
Current.session.present?
end
def require_authentication
resume_session || request_authentication
end
def resume_session
if session_token = cookies.signed[:session_token]
if session = Session.find_by_token(session_token)
Current.session = session
end
end
end
def request_authentication
redirect_to new_session_path
end
def start_new_session_for(user)
session = user.sessions.create!
cookies.signed.permanent[:session_token] = { value: session.token, httponly: true }
Current.session = session
end
def terminate_session
Current.session&.destroy
cookies.delete(:session_token)
end
end
Usage Patterns
Protecting Controllers
class ApplicationController < ActionController::Base
include Authentication
# All actions require authentication by default
end
class PostsController < ApplicationController
# All actions protected
end
class HomeController < ApplicationController
# Allow public access to specific actions
allow_unauthenticated_access only: [:index, :about]
end
Accessing Current User
# In controllers
Current.user
Current.user.email_address
# In views
<%= Current.user.email_address %>
# In models (use sparingly)
Current.user
Login Flow
# app/controllers/sessions_controller.rb
class SessionsController < ApplicationController
allow_unauthenticated_access only: [:new, :create]
def new
end
def create
if user = User.authenticate_by(email_address: params[:email_address],
password: params[:password])
start_new_session_for(user)
redirect_to root_path, notice: "Signed in successfully"
else
flash.now[:alert] = "Invalid email or password"
render :new, status: :unprocessable_entity
end
end
def destroy
terminate_session
redirect_to root_path, notice: "Signed out"
end
end
Testing Authentication
Request Specs
# spec/requests/sessions_spec.rb
RSpec.describe "Sessions", type: :request do
let(:user) { create(:user, password: "password123") }
describe "POST /session" do
context "with valid credentials" do
it "signs in the user" do
post session_path, params: {
email_address: user.email_address,
password: "password123"
}
expect(response).to redirect_to(root_path)
expect(cookies[:session_token]).to be_present
end
end
context "with invalid credentials" do
it "shows error" do
post session_path, params: {
email_address: user.email_address,
password: "wrong"
}
expect(response).to have_http_status(:unprocessable_entity)
end
end
end
describe "DELETE /session" do
it "signs out the user" do
# First sign in
post session_path, params: {
email_address: user.email_address,
password: "password123"
}
delete session_path
expect(response).to redirect_to(root_path)
end
end
end
Test Helper
# spec/support/authentication_helpers.rb
module AuthenticationHelpers
def sign_in(user)
session = user.sessions.create!
cookies[:session_token] = session.token
end
def sign_out
cookies.delete(:session_token)
end
end
RSpec.configure do |config|
config.include AuthenticationHelpers, type: :request
config.include AuthenticationHelpers, type: :system
end
Protected Route Specs
# spec/requests/posts_spec.rb
RSpec.describe "Posts", type: :request do
let(:user) { create(:user) }
describe "GET /posts" do
context "when not authenticated" do
it "redirects to login" do
get posts_path
expect(response).to redirect_to(new_session_path)
end
end
context "when authenticated" do
before { sign_in(user) }
it "shows posts" do
get posts_path
expect(response).to have_http_status(:ok)
end
end
end
end
References
- See sessions.md for session management details
- See current.md for Current attributes patterns
Common Customizations
Remember Me
def start_new_session_for(user, remember: false)
session = user.sessions.create!
cookie_options = { value: session.token, httponly: true }
cookie_options[:expires] = 2.weeks.from_now if remember
cookies.signed.permanent[:session_token] = cookie_options
Current.session = session
end
Multiple Sessions Tracking
# In User model
def active_sessions
sessions.where('created_at > ?', 30.days.ago)
end
def terminate_all_sessions_except(current_session)
sessions.where.not(id: current_session.id).destroy_all
end
Rate Limiting
# app/controllers/sessions_controller.rb
rate_limit to: 10, within: 3.minutes, only: :create,
with: -> { redirect_to new_session_path, alert: "Too many attempts" }
Related Skills
fernandezbaptiste/viewcomponent-patterns
development
VerifiedTrustedCommunity
Creates ViewComponents for reusable UI elements with TDD. Use when building reusable UI components, extracting complex partials, creating cards/tables/badges/modals, or when user mentions ViewComponent, components, or reusable UI.
1SKILL.mdUpdated Apr 25, 2026
fernandezbaptiste/tdd-cycle
development
VerifiedTrustedCommunity
Guides Test-Driven Development workflow with Red-Green-Refactor cycle. Use when the user wants to implement a feature using TDD, write tests first, follow test-driven practices, or mentions red-green-refactor.
1SKILL.mdUpdated Apr 25, 2026
fernandezbaptiste/solid-queue-setup
data-ai
VerifiedTrustedCommunity
Configures Solid Queue for background jobs in Rails 8. Use when setting up background processing, creating background jobs, configuring job queues, or migrating from Sidekiq to Solid Queue.
1SKILL.mdUpdated Apr 25, 2026
fernandezbaptiste/rails-service-object
testing
VerifiedTrustedCommunity
Creates service objects following single-responsibility principle with comprehensive specs. Use when extracting business logic from controllers, creating complex operations, implementing interactors, or when user mentions service objects or POROs.
1SKILL.mdUpdated Apr 25, 2026