Devise::Basecamper

Gem Version

Devise-Basecamper was built to allow users of Devise to implement "Basecamp" style subdomain scoped authentication with support for multiple users. There are a lot of great tutorials out there on doing subdomain authentication with devise, but none of them seemed to fit my particular use cases. So I took a stab at extending the functionality of Devise, which has been a great Gem, and community, to work with.

Use Case

User authentication that is scoped to an account, which is identified by the subdomain of the URL. This allows for better multi-tenancy, as well as for re-use of usernames under different accounts.

Installation

Add this line to your application's Gemfile:

gem 'devise-basecamper'

And then execute:

$ bundle

Or install it yourself as:

$ gem install devise-basecamper

Usage

To make Devise-Basecamper work properly, there are several steps that need to be taken to adjust the "out-of-the-box" behavior of Devise. None of the changes require doing any "hacking" of Devise, as they are all steps/actions and configuration options that are already a part of Devise itself.

Devise Configuration

Open the Devise initializer file, which can be found in config/initializers/devise.rb. Add :subdomain to the config.request_keys array like below.

config.request_keys = [:subdomain]

This will make sure to pass the subdomain value from the request to the appropriate Devise methods.

Configuring models

Which ever model you would like to have subdomain based authentication scoping on, just add :basecamper to your included devise modules.

class User
    include Mongoid::Document
    include Mongoid::Timestamps

    devise  :database_authenticatable,
        :recoverable,
        :trackable,
        :validatable,
        :basecamper
    ...
end

By default, Devise-Basecamper assumes that your devise model "belongs to" an Account and has a field called account_id as the foreign key to that table. Devise-Basecamper also assumes that the subdomain field exists in your Account model and is called subdomain. Now that's a lot of assumptions, but never fear...they can be changed.

If you need to change any of these assumptions, you can do so by calling the devise_basecamper method in your devise model.

class User
    include Mongoid::Document
    include Mongoid::Timestamps

    devise  :database_authenticatable,
        :recoverable,
        :trackable,
        :validatable,
        :basecamper

    devise_basecamper :subdomain_class => :my_parent_class,
              :subdomain_field => :my_field_name,
              :scope_field     => :field_to_scope_against

    ...
end

The devise_basecamper method has 3 options that can be set: subdomain_class, subdomain_field and scope_field.

subdomain_class

This option allows you to specify which model your subdomains are defined in. By default, devise_basecamper assumes this to be an Account object.

subdomain_field

This option allows you to specify the name of the field within the subdomain_class that the subdomain string is stored in. By default, devise_basecamper assumes this to be subdomain.

scope_field

This option allows you to specify the name of the field within the devise model (e.g. - User) stores the ID of the account you want to create a scope against. By default, devise_basecamper assumes that this is a field called account_id.

If your application follows the assumptions, you DO NOT need to define any of these options.

Configuring multiple models

You can configure multiple models accordingly just as you can in Devise. If you have a Devise model that does not need the additional features offered by Devise-Basecamper, simple do not include the module. Devise will work just as expected.

Add some helpers to your Application controller

You will need to add a helper method to your application controller, I would also recommend the validation for dealing with subdomains that do not belong to an account.

Helper Methods

class ApplicationController < ActionController::Base
    protect_from_forgery
    helper_method :subdomain, :current_account
    before_filter :validate_subdomain, :authenticate_user!

    private # ----------------------------------------------------

    def current_acount
        # The where clause is assuming you are using Mongoid, change appropriately
        # for ActiveRecord or a different supported ORM.
        @current_account ||= Association.where(subdomain: subdomain).first
    end

    def subdomain
        request.subdomain
    end

    # This will redirect the user to your 404 page if the account can not be found
    # based on the subdomain.  You can change this to whatever best fits your
    # application.
    def validate_subdomain
        redirect_to '/404.html' if .nil?
    end
end

Devise Recoverable

Devise provides the Recoverable module to implement standard password recovery practices. This module needs a little help working with the basecamp style authentication, making sure to find the correct user account, under the correct subdomain.

To implement subdomain-based lookups using the devise Recoverable module, you will need to uncomment the reset_password_keys section in devise.rb. This should be around line 158 in your devise.rb file. Then update the line to look like the following:

# ==> Configuration for :recoverable
#
# Defines which key will be used when recovering the password for an account
config.reset_password_keys = [ :email, :subdomain ]

You can add whatever field name you would like here, but :subdomain is probably the best choice.

Next we will need to override the default view for the passwords controller. Follow the directions from the devise readme if you don't know how to do this. Find the proper view equivelant in your application for devise/passwords/new.html.erb and add a hidden field for the subdomain value. You will then want to default its value to the subdomain we are scoping to. This value will then be included in the form submit and processed properly by devise-basecamper.

Support has also been added for confirmation emails thanks to juliobetta.

Example form:

<h2>Forgot your password?</h2>
<%= render "flashes" %>
<%= simple_form_for resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post } do |f| %>
    <%= hidden_field_tag 'user[subdomain]', subdomain %>
    <%= f.input :email %>
    <%= f.button :submit, "Send me reset password instructions" %>
<% end %>

<%= render "devise/shared/links" %>

NOTE Notice that the hidden field is named 'user[subdomain]'. This is absolutely necessary to make sure that the value is passed to the handling devise methods. However, user is NOT the hard rule, use whatever the appropriate model name is for your application.

ORM Compatability

Devise-Basecamper has very minimal interaction with your data layer, however it uses the same orm_adapter gem as Devise and should work just fine with all of the ORM's supported by Devise.

MORE TO COME

Contributing

If you would like to contribute to this project, please fork it and submit pull requests with your code changes. I'm pretty much making updates to this as needed for my own projects right now, so it doesn't change super often and help would definately be appreciated.

License

MIT License. Copyright © 2012 Digital Opera, LLC. www.digitalopera.com