It works great if you don't deviate from the common use case. Otherwise, you have to do all sorts of crazy monkey patching. On top of that, it is a relatively old project that has to keep legacy code for backwards compatibility.
I decided to roll my own auth, but was very cognizant of the risks of going down this route. I used primitives provided by Rails (has_secure_password, has_secure_token) and made sure that my implementation is not susceptible to known exploits, such as a session fixation attack: https://guides.rubyonrails.org/security.html#session-fixatio...
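The session fixation defence the comment refers to (rotate the session identifier the moment a user authenticates, so an identifier planted before login is worthless afterwards) is easy to get wrong when rolling your own auth. The sketch below is an added, framework-free illustration, not the commenter's code: `User`, `SessionStore`, `login` and `logged_in?` are stand-ins for what Rails gives you with has_secure_password, the session store and `reset_session`, and the user, password and session ids are constructed for the example. Password hashing uses stdlib PBKDF2 here only because bcrypt is not in Ruby's standard library; use has_secure_password in a real app.

```ruby
require 'securerandom'
require 'openssl'

PBKDF2_ITERATIONS = 100_000 # constructed value for the example

# Stand-in for has_secure_password: salted PBKDF2-HMAC-SHA256 plus a
# constant-time comparison so the check does not leak where digests differ.
class User
  attr_reader :email

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.bytes(16)
    @password_digest = User.digest(password, @salt)
  end

  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                               OpenSSL::Digest.new('SHA256'))
  end

  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Mirrors the has_secure_password API: the user on success, false otherwise.
  def authenticate(password)
    User.secure_compare(User.digest(password, @salt), @password_digest) ? self : false
  end
end

# Minimal server-side session store keyed by the id a cookie would carry.
class SessionStore
  def initialize
    @sessions = {}
  end

  # Anonymous session handed out on first visit.
  def new_session
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    id
  end

  def data_for(id)
    @sessions[id]
  end

  # Equivalent of Rails' reset_session: drop the old id (whether or not the
  # server ever issued it) and issue a fresh one.
  def reset(old_id)
    @sessions.delete(old_id)
    new_session
  end
end

# Login rotates the session id BEFORE writing the authenticated user into it.
# Returns [session_id, success].
def login(store, session_id, user, password)
  return [session_id, false] unless user.authenticate(password)
  fresh_id = store.reset(session_id)
  store.data_for(fresh_id)[:user_id] = user.email
  [fresh_id, true]
end

def logged_in?(store, id)
  data = store.data_for(id)
  !data.nil? && !data[:user_id].nil?
end

# Scenario: an attacker has fixed `planted` in the victim's browser before the
# victim logs in. After login the planted id must not be an authenticated session.
def demo
  store = SessionStore.new
  alice = User.new('alice@example.test', 'correct horse battery staple')
  planted = store.new_session
  fresh, ok = login(store, planted, alice, 'correct horse battery staple')
  _, bad = login(store, store.new_session, alice, 'wrong password')
  {
    ok: ok,
    wrong_password_rejected: !bad,
    rotated: fresh != planted,
    planted_valid: logged_in?(store, planted),
    fresh_valid: logged_in?(store, fresh)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The important ordering is inside `login`: the old id is discarded first, then the user id is written into the new session. Writing `user_id` into the existing session and rotating later (or never) is exactly the gap session fixation exploits.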