Auth framework: need advice based on a list of prerequisites

Hey everybody! :039:
I am looking for the auth framework that can help me with a project, given these specifics:

  1. There are no public sections or pages. Non-authenticated users can only land on the home page and they cannot go anywhere else before signing in.
  2. You cannot just sign up. An admin has to invite you first and you get a link in your email inbox that allows you to then sign up. The classic sign up model is either out of the question, or as a compromise it can be implemented only if the new account has to be approved by an admin before being able to sign in.
  3. As per above: there should be admins and users and admins can approve user accounts.
  4. The framework should allow for more roles than admin and user in the future – but I am guessing I have to study how can an authorization library work with the chosen framework or homegrown solution instead.
  5. The framework should in general be extensible in a non-bloated way, meaning if I want to customize something it does I shouldn’t have to copy several files 200+ lines long and then apply 3-line diffs to them. I know this is a very tough thing to do, it’s just that I would gladly take it if it was out there.

I looked at both Coherence and Pow. Also entertained the idea of Guardian with my own code on top.


Notes about Coherence:

  • Coherence seems to carry a lot of file baggage with it and integrates very tightly with myapp_web which I don’t like and I don’t have the time to untangle properly into a separate auth app inside an umbrella. I definitely could do it in theory but I have no guarantee that it’s only an 1-2 hour job which is scaring me and thus I haven’t tried that yet.
  • I suffered a problem with it caching the user model so aggressively that a linked belongs_to object was never really invalidated and reloaded and was thus showing wrong data on the pages. I was forced to instruct Coherence to copy its controllers inside the project and to then overwrite how they load the user model. Result: no caching at all, every page incurs a reload of the user itself and its linked object. Basically defeated the really neat idea that the Coherence author had. :frowning: This is definitely my bad and not of Coherence! But in the 10 minutes I tried to find a solution, I failed.
  • It does indeed support invitations but I admit I haven’t tried to disable normal sign up and gate it behind an invitation only. So I am not sure if my desired use-case is supported out of the box, if it’s possible with a small effort, or would be a hassle to achieve (but still possible).

/CC @smpallen99, the author of Coherence.


Notes about Pow:

  • A bit smaller than Coherence but basically has the same problem of file baggage and no umbrella-friendly installer (namely no option to generate an entirely separate app inside an umbrella). I really don’t know why library/framework authors don’t make this a first-class citizen in their mix tasks, it would be very highly appreciated!
  • Didn’t seem to capture my use case about being able to invite users and not allow them to sign in before approved by an admin. I liked the author’s response when I asked him – what he proposed sounded easy enough – it’s just that in a startup scenario you really cannot get distracted with customizing frameworks when you are building an MVP. You either have to use ready-baked solutions or know exactly what you are doing when customizing (and thus still do it very quickly). Every hour counts in these conditions.

/CC @danschultzer, the author of Pow.


Admittedly I am not an expert in both of these and sadly the time is really not right for me to indulge in weeks-long toy projects to inform myself properly.

Finally, I looked into Guardian because I used it before. It’s really easy and minimastlic to start with and is currently the decision I lean to (in combination with comeonin and my own DB model for invitations). Not really sure if it wouldn’t quickly get harder than Coherence and Pow though.

Don’t get me wrong. I am not lazy. I am open to devote to one framework and then become an expert – subsequently it’s likely I would be contributing to it as well. But right now I am really pressed with time and I am looking for a practical advice before pulling the trigger.

Any advice and battle stories are appreciated. Thanks for your consideration! :023: