Torii is an authentication library for Ember.js. Much of the motivation behind Torii is introduced in this blog post from last summer. Unlike the popular Devise gem for Rails, Torii attempts to do little by default. Instead, it focuses on providing useful primitives and a conventional authentication lifecycle.
Over the past year Torii has grown popular. We’ve started to learn what patterns work across many apps and which ones should be avoided.
Torii 0.6.0, with amazing help from many contributors, formalizes several of these best practices into features. These include:
- OAuth 2.0 state support, securing applications from CSRF attack
torii and the opt-in
session support as Ember services
- Adding a test helper for stubbing session state
- Introducing support for flagging routes as “authenticated” in Ember’s router DSL
Lastly we’ve worked quite hard to ensure Torii 0.6.0 is still compatible with Ember.js 1.12, and supports all versions up to the current 2.1 betas without raising deprecations. This makes Torii 0.6.x a good version to use when migrating to Ember 2.x.
In Torii 0.7.0 we’re aiming to ship two big changes: Porting Torii into a traditional Ember-CLI addon (this will likely mean the removal of Torii’s “globals” mode support), and an iframe flow the provides an alternative to the popups we use for OAuth today.
But let’s take a look at these 0.6.0 features in detail.
Continue reading →