// the find
lazaronixon/authentication-zero
An authentication system generator for Rails applications.
A Rails generator that writes a complete authentication system directly into your app — controllers, models, migrations, mailers, tests and all. Unlike Devise, you own every line of the generated code. Aimed at Rails developers who want a solid starting point without being locked into a black-box gem.
Uses Rails 7+ primitives correctly — `has_secure_password`, `authenticate_by`, `generates_token_for`, signed cookies — no custom crypto, no rolling your own token logic. The optional flags (`--two-factor`, `--webauthn`, `--passwordless`, `--pwned`) let you generate only what you need rather than shipping everything and disabling it. Generated tests are included, so you're not starting from zero on coverage. The sudo pattern (`require_sudo`) for re-authenticating before sensitive actions is the right call and rarely seen in starter templates.
Once generated, the code is yours to maintain forever — security fixes in the generator don't propagate to your app automatically, which is a meaningful ongoing burden most teams underestimate. The tenantable option requires significant manual wiring after generation, and the docs basically say 'more customization required', which is not confidence-inspiring. The last push was December 2024 and Rails 8 is out, so it is unclear whether the generated code is tested against it. No upgrade tooling or diff-based patching mechanism exists, so tracking upstream security improvements is a manual changelog-reading exercise.