Description
Devise is an authentication library.
We are using it very lightly. Especially since we added SSO authentication, using omniauth, which can be used without devise.
It used to be almost universally used by Rails devs, but it is recently considered kind of heavyweight and not always unnecessary, and it feels like it's not getting maintained as much as it used to be. For instance, it's producing annoying deprecation warnings in Rails 8.1, which are not going to be fixed until a devise major version update, at unknown ETA. heartcombo/devise#5800
Rails now has more auth-related stuff built in -- if we even need that, for our limited auth needs that mostly use SSO. (I guess we like having a non-SSO backup for emergencies, could prob use rails built in for that).
Consider how much work it would be to swap out devise for homegrown/rails password implementation. Benefit would be one less dependency which can cause problems on upgrades etc.
https://www.bigbinary.com/blog/rails-8-introduces-a-basic-authentication-generator
https://guides.rubyonrails.org/security.html