I liked the motto of simplicity on sorcery. But in the last couple of years, I rewrote the same SessionsController multiple times.
Sorcery is a great tool, don't get me wrong. However, in terms of security, testability and community, devise seems to have an advantage. Let's analyze this claim:
The security and testability points only concern the OAuth modules. Where devise uses the great [omniauth gem], sorcery implements its own handling. This results in two things:
Testability: The omniauth gem comes with OmniAuth.config.mock_auth, which makes (JS) integration testing of apps that rely 100% on OAuth a breeze.
Security: It turns out that sorcery stores the access_tokens as class variables in the external provider used. This means that after a user logs in via Facebook, this user's access_token is available during the next user's request.
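The class-variable problem described above, as an added example that is not sorcery's own code: `SharedStateProvider` and `PerRequestProvider` are hypothetical classes, and the token string is a constructed sample. It simulates two consecutive requests in one process and shows what the second request can read under each pattern.

```ruby
# Hypothetical provider classes, constructed for illustration (not sorcery's code).

# Pattern described above: the token lives in a class variable, which is
# shared by every request the application process serves.
class SharedStateProvider
  @@access_token = nil

  # Called from the OAuth callback of whichever user just logged in.
  def self.process_callback(token)
    @@access_token = token
  end

  def self.access_token
    @@access_token
  end
end

# Safer pattern: one provider object per request, token held on the instance.
class PerRequestProvider
  attr_reader :access_token

  def process_callback(token)
    @access_token = token
    self
  end
end

# Simulate two consecutive requests handled by the same process and return
# what each pattern exposes to the second request before that user has
# authenticated.
def token_visible_to_next_request(first_users_token)
  # Request 1: user A completes the OAuth callback.
  SharedStateProvider.process_callback(first_users_token)
  PerRequestProvider.new.process_callback(first_users_token)

  # Request 2: user B arrives; nothing has been set for B yet.
  {
    shared: SharedStateProvider.access_token,         # still user A's token
    per_request: PerRequestProvider.new.access_token  # nil, nothing carried over
  }
end

# Constructed sample value, not a real token.
result = token_visible_to_next_request("token-of-user-a")
puts "class variable:    #{result[:shared].inspect}"
puts "instance variable: #{result[:per_request].inspect}"
```

On a threaded application server the class variable can also be overwritten by another user's callback in the middle of a request, so the same pattern affects concurrent requests as well as consecutive ones.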
Looking at the community, there are a couple of indicators to compare:
|last commit||2 days||20 days|