
That's what we do. Rails mostly just a json api, with a React front end. Devise handles auth. Useful gems in models and services, sidekiq doing its thing... Happy with the setup.


As far as I know, there's no official way of using Devise over a REST API. It is designed with a server-side Rails app in mind. There's devise_token_auth and related client libraries, but I wish there was an official way for handling authentication for single-page apps. Every time I look into this issue, it seems like there isn't much going on in this space. Then again, maybe the entire authentication protocols space is like that, and it's actually Devise which is in the unusual position of being a de-facto standardized way to do auth in the Rails world.


It's true that there isn't an official way to use Devise over REST, but then again Devise isn't even the official way to manage auth in Rails apps - it just happens to be the de facto one due to community support. That being said, by using something like devise_token_auth/simple_token_authentication and devise-two-factor you can have a token based auth system with MFA ready in a matter of minutes. Personally, I don't think there are really any back-end frameworks that have an official way to handle auth as it's always based more on community consensus.


ASP.NET Identity and Spring Security to name a few.


I'd just like to say Spring Security has come a LONG way. It used to be a maze of madness and frustration but now is fairly straightforward.

Also, Spring Boot saved that whole organization from irrelevance. It took a huge amount of effort to just get hello world on the screen prior to Spring Boot.


Why not Sinatra + ORM in that case?


I have seen this many times. You start with ActiveRecord, and before you know it, you are working with a Frankenstein of gems that resembles Rails, except it isn't done well.


I've come to a different conclusion over the years.

For example, let's compare 5 legacy Rails apps (each at a different version since this is the real world) to 5 bespoke Express/Sinatra apps.

One upside of the Express apps is that all of their glue code is right there in plain sight. You can go into each code base with a blank slate and read the code to understand what it's doing with zero dependent knowledge.

Having worked on Rails apps as part of my 7 years as a contractor, you don't get that benefit in a super framework. You need so much knowledge about Rails to follow the trail through an application. And it gets hard to keep things straight once you're jumping around old versions. Even stuff like "wait, where did this variable/method come from again?" and being able to quickly ID it as something Rails itself provides vs something else (application code or gem).

Or how about figuring out how authentication works in each of your 5 Rails apps that use Devise? If you're a veteran, you know to look for some magic options in config.rb/devise.rb and you know what they translate into. Otherwise it feels like credentializing in a black box.

I think that things like React and Express are toppling the old guard idea of Ember and Rails that large applications somehow save you from work. When Rails was hitting the front page of HN every day 9 years ago, the meme of the day was how much you could do with so little code. DHH showed you how to make a blog with almost nothing but `$ rails generate`. Want a user-avatar system that uploads to S3? Just drop a few lines here and there: https://github.com/carrierwaveuploader/carrierwave#getting-s... -- this was the spice of Rails.

The benefits are almost undeniable upfront, and the downsides of the trade-offs they make usually take a long time to fruit, so they're hard to quantify. But they're there.

But I can't tell you how many times I've deep dived on a client's old Rails app with pencil and paper into the wee hours of the morning wishing it was indeed just a "microframework that half-implemented Rails" if that would mean I could follow actual code from A to B.

Don't get me wrong, there are always trade-offs and there is never a best. This isn't to lambast all Rails apps across the globe. But I see the "you're going to either use Rails or reinvent Rails" meme a lot to discourage smaller frameworks more often than I see someone point out the other side of that trade-off.

Now, which



