
// the find

heartcombo/devise

★ 24,353 · Ruby · MIT · updated Jun 2026

Flexible authentication solution for Rails with Warden.

Devise is the de facto authentication library for Rails — session management, password reset, email confirmation, account locking, OmniAuth, and more, all wired into Rails engines. It's been around since 2009 and is the first thing most Rails developers reach for when they need auth. Mature, battle-tested, and genuinely well-maintained through multiple Rails generations.

The module system is genuinely good design: you opt into only what you need (Confirmable, Lockable, Trackable, etc.) rather than getting everything by default. Password reset tokens are stored as digests, not plaintext — the security model here is correct. Generator-based workflow means you get working views, migrations, and routes in one command, which is the right tradeoff for 90% of apps. Active maintenance through Rails 7 and 8 with Hotwire/Turbo integration already handled.
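The digest-at-rest pattern mentioned above, as an added example that is not Devise's own code: the raw token goes only into the email link and the database keeps an HMAC-SHA256 digest, so a value read out of the table cannot be replayed as a token. `ResetStore`, `RESET_KEY`, `RESET_TTL` and the sample address are names and values constructed for this illustration.

```ruby
require "openssl"
require "securerandom"

# Constructed demo secret; a real app would derive this from its server-side secret.
RESET_KEY = OpenSSL::Digest::SHA256.digest("constructed-demo-secret")
RESET_TTL = 6 * 60 * 60 # seconds; assumed validity window for this example

# Stand-in for the users table: only the digest and a timestamp are persisted.
class ResetStore
  attr_reader :rows

  def initialize
    @rows = {} # digest => { email:, sent_at: }
  end

  # Keyed digest of a token; this is the only form that is ever stored.
  def digest(raw)
    OpenSSL::HMAC.hexdigest("SHA256", RESET_KEY, raw)
  end

  # Issues a token and returns the raw value, which belongs only in the email.
  def issue(email, now: Time.now)
    @rows.delete_if { |_, row| row[:email] == email } # one live token per account
    raw = SecureRandom.urlsafe_base64(24)
    @rows[digest(raw)] = { email: email, sent_at: now }
    raw
  end

  # Looks the presented token up by its digest and consumes it.
  # Returns the account email, or nil if unknown, already used, or expired.
  def redeem(presented, now: Time.now)
    row = @rows.delete(digest(presented.to_s))
    return nil if row.nil?
    return nil if now - row[:sent_at] > RESET_TTL

    row[:email]
  end
end
```

Presenting the stored digest to `redeem` fails because it is hashed again before lookup, which is what limits the damage of a read-only database leak.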

Customizing behavior beyond simple overrides gets ugly fast — you end up inheriting from Devise controllers, copying views, fighting the parameter sanitizer, and the mental model breaks down. API-only mode is treated as a second-class citizen; the docs explicitly say compatibility is uncertain and you need middleware order hacks to make integration tests work. The strong parameters setup is a footgun: if you forget to whitelist a new field in ApplicationController, form submissions silently discard data with no obvious error. Multiple model setups (User + Admin) produce completely separate route namespaces with no shared controller logic, which is limiting for anything beyond the simplest RBAC scenario.
