holman / ama

Ask @holman anything!

Architecture for authorization system #748

Closed gmile closed 8 years ago

gmile commented 8 years ago

What did the auth architecture look like at GitHub? Was it loosely based off gems like pundit or cancan, or was it a purely homegrown solution? Were there authorize calls in each controller, or was it some smart isolated code that would hook into each request and check permissions? How does it work so fast?

If you can't talk about how things were at GitHub, what would a dream auth architecture look like?

In our case we have so-called "user roles" stored in MySQL, which makes each request somewhat slow, so I'm already looking forward to using Redis/Memcached on top of that.

jankeesvw commented 8 years ago

Good question!

holman commented 8 years ago

Was it loosely based off gems like pundit or cancan

pundit and cancan came out a good 4-5 years after GitHub did, so no. :) GitHub initially was built on Rick's restful-authentication, although with a lot of changes layered on it.

The gold standard view of GitHub's permissions code is @jesseplusplus' talks on refactoring with github/science (slides, video). It's not necessarily about the permissions code directly, but uses it as an example to explain the refactoring done when we went from the older architecture to the current approach. You should give it a watch if you're interested in this.

what would a dream auth architecture look like?

One without users.
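The refactoring approach holman points to (running the old and new permission checks side by side with github/science) is the one part of this thread that lends itself to code. The block below is an added example, not code from this thread, from GitHub or from the scientist gem: a deliberately minimal re-implementation of the use/try idea, with a constructed in-memory role table standing in for gmile's MySQL "user roles". All names (`PermissionExperiment`, `can_push?`, the users and repo) are invented for illustration.

```ruby
# Minimal stand-in for the use/try experiment pattern (not the scientist gem
# itself): run the legacy and refactored checks side by side, log whether they
# agree, and always return the legacy answer.
class PermissionExperiment
  Result = Struct.new(:name, :control, :candidate, :matched, :error)
  def initialize(name, log)
    @name, @log = name, log   # log: array collecting Result records for review
  end

  def use(&control);   @control   = control;   end  # legacy code path
  def try(&candidate); @candidate = candidate; end  # refactored code path
  def run
    control_value = @control.call
    candidate_value = error = nil
    begin
      candidate_value = @candidate.call
    rescue StandardError => e
      error = e               # a crashing candidate must never affect the caller
    end
    matched = error.nil? && control_value == candidate_value
    @log << Result.new(@name, control_value, candidate_value, matched, error)
    control_value             # the candidate can never grant or deny access
  end
end

# Constructed sample data standing in for a "user roles" table.
ROLES = { ["alice", "acme/api"] => "admin",
          ["bob",   "acme/api"] => "write",
          ["carol", "acme/api"] => "read" }.freeze

# Legacy check: look up the role and compare against a hard-coded list.
def legacy_can_push?(user, repo)
  %w[admin write].include?(ROLES[[user, repo]])
end

# Candidate: an isolated role-to-abilities policy. It has a deliberate gap
# ("write" is missing) so the experiment has a mismatch to catch.
CANDIDATE_ABILITIES = { "admin" => [:push, :pull], "read" => [:pull] }.freeze

def candidate_can_push?(user, repo)
  CANDIDATE_ABILITIES.fetch(ROLES[[user, repo]], []).include?(:push)
end

def can_push?(user, repo, log)
  exp = PermissionExperiment.new("repo.push", log)
  exp.use { legacy_can_push?(user, repo) }
  exp.try { candidate_can_push?(user, repo) }
  exp.run
end
```

Reviewing `log` entries whose `matched` is false is what tells you the new policy object is not yet equivalent to the old check, without any request ever having been answered by the unproven code.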

AquaGeek commented 7 years ago

For anyone who might stumble on this in the future: there are slides from Nathan Witmer from denver.rb that go into a little more detail about the new architecture.