I recently implemented my own auth system in Ember, after trying out Ember-Simple-Auth with Devise.
I found it much, much simpler to roll my own, and it was a great learning experience, despite the fact that my first iteration was INCREDIBLY clunky.
The argument for this is pretty simple, with Ember constantly improving, and authentication schemes being what they are, you can’t expect a perfect out-of-the-box solution to exist anytime soon.
I used Michael Hartl’s superb Rails Tutorial book (https://www.railstutorial.org/book) to build the authentication / authorization back-end (he builds it piece by piece WITH TESTS in the book), then pieced together what was needed on the ember-side to complete the setup.
I’ll write a brief break down of what needs to be done (someone else please supplement):
- A model (or models) for a user needs to contain a secret string, and a hashed password string for authentication
- A login endpoint should exist in your API that takes a password and username in a POST request and returns the secret key
- A logged in helper function should be written that checks a request’s headers for a secret key, if the function returns true then the User is logged in and can be found by querying users for a user with that key
- A login action should exist (I put it in the application controller) that makes an ajax post to the login endpoint with a username and password. It then handles successful requests by creating a new User record and calling $.ajaxSetup to add an Auth_key header.
- You can then authenticate routes by checking for a User record, if it exists the user is logged in and can be transitioned to the route, if not he/she should be redirected to a login page (or handled some other way)
- If you want users to be remembered you need to persist the secret_key between sessions. You can do this with cookies or with a model that uses the localstorage adapter (or call local storage outside of the ember store)
- I then added a before model route to my application route to check for that record, if it existed it called $.setupAjax() if not it just continued as usual
Let me know if anything is unclear and keep in mind this isn’t the best way to do it, however I’ve found it to be a solid start.