Monday, 2 February 2015

Am I overcomplicating things?

I have spent a few days researching user authentication and authorisation[1] models in Rails for my genealogy log tool. I was looking for the ideal tool (or set of tools) to add to my project to take care of the "heavy lifting" involved with managing a user's access to their data and no-one else's. I studied different authentication gems (as add-ons are called in the Ruby world) and decided to use a simple, clean gem called Sorcery and have spent the past two days looking for authorisation gems to restrict access when I finally asked the questions I should have asked up front: What exactly do I want this tool to do? And, Am I over-complicating things?

The answer to the second question is: Of course I am over-complicating things! It's what I am best at. The first question is a bit trickier to answer, but it is where I should have started, so let's give it a go...

What do I want the genealogy log tool to do and how should it work? A person should be able to register as a user of the tool by providing some basic details (name, email, etc) and then should be able to log into the system to keep track of their genealogy research sessions. Once logged in, a user should be able to see their previous sessions, search previous sessions and create a new log session. Optionally, some or all of the data should be able to be exported in a variety of formats. Users don't need to be assigned variuos roles and they don't need to be able to see other users' data - all that needs to happen is that logged in users can view and edit their own data. So authentication is required so users can log in; and basic authorisation is required so a user can see only their data and no-one else's. Something this basic can be done without any third party tools.

The only exception I can think of is that I would like to leverage existing authentication providers like Twitter, Facebook, Google, LinkedIn, etc. by allowing users to log in with their Twitter account for example. This can be done using a technology called OAuth but it is really just a "nice to have" feature which I can add in later if I really want to go that route.

So for now I am going to put aside thoughts of using third-party authentication and authorisation engines and will simply roll my own.

[1] Authentication is proving a user is who they say they are - ie, logging in using a username and password - and athorisation is making sure a user is allowed to perform an action, or see some data.

No comments:

Post a Comment