Context:
I have a chrome extension that pops-up when users connect to a given site (eg: https://www.site-triggering-extension.com)
This extension communicates with a Rails app (that uses Devise) deployed on Heroku (https://www.my-app.com). The basic user flow is :
Users sign-up on the Rails app to create an account
Then they can log-in on the chrome extension and use it
My Rails app has an API that allows the chrome extension to send some usage logs that I store.
To authenticate my users on the chrome extension, I set up an authentication_token exchange between the extension & the Rails app.
Problem :
Users logged-in on the chrome extension are not logged in on the Rails app.
And the Rails app allows them to access a dashboard with their logs, modify their account infos, etc.
=> Having to enter your login+password on both the chrome extension AND the Rails app seems unnecessary and adds friction to the whole experience.
How could I set up my system so that logging-in on the chrome extension also logs-in the user on my Rails app ?
What I tried :
I am probably completely in the wrong direction here but still I wanted to describe what I looked at :
My extension logs the user in by make a call to the /api/sign_in route that sends back the authentication token.
I realized that the response from Rails has a Set-Cookie header with _my_app_session cookie in it. This looks like the type of cookie Rails+Devise could use to consider the user as logged in. However, this cookie is stored (in the DevTools - Application pannel) under http://www.site-triggering-extension.com as the API call originated from this site.
When I open a tab and load my Rails app, the cookie does not seem to be used by the Rails app site (https://www.my-app.com).
I have no idea how to tackle this issue. Help would be highly appreciated !
Related
I have an app that all works fine for authentication and it uses Oauth2 (Google).
Now, I am struggling with the logout URL for this app. It works, but I am under the impression that it is possible to logout of it and remain logged into my gmail account please? Currently, ALL accounts are logged out of so the two gmail accounts need to go through login each time the app is used and log out is pressed.
I have read that this is possible but this is the URL that I am using to Log out
https://www.google.com/accounts/Logout?continue=https://appengine.google.com/_ah/logout?continue=http://news.bbc.co.uk
I am sure it can be done because I did it in a former role but do not have the code!
I am writing a Reddit client that uses OAuth to authenticate the user. One of the features I would like to implement is the ability to use multiple accounts simultaneously. This requires the user to authorize my client on each account they want to use. The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
Is there a way to force the user to re-enter their credentials? I would rather not have to put some kind of disclaimer on my Add Account screen that says "Please log out of Reddit in any open browser windows".
I tried opening the Reddit login page in a WebView so the request is sandboxed, and while that worked, it gives the user access to the entire login page (including all the links that navigate to elsewhere on the site). I don't mind that experience when I'm popping an external browser, but in an embedded WebView I really just want to present a username and password box along with the OAuth validation prompt.
Note: I do kind of prefer the embedded experience because it doesn't interfere with the users existing browser cookies, I just don't like how cluttered the login page is this way and I'm not sure how to prevent the user from navigating away from login. Also, for completeness, this is a UWP app, though this problem is largely technology independent.
The problem I'm running into is that if the user is already logged into Reddit in their browser, when I pop a browser to perform the auth, it will have them authenticate my client against their currently logged in user.
It may be caused by the authorization server. If so, we can not do anything in our client app.
But if it is not the server issue, in UWP, there is a WebAuthenticationBroker class witch can help you to authorize your app to access the user info from Resource server by getting a token. You can try to use the class to implement OAuth authorization. You don't need to use the in a WebView so that you can authorize your app with multiple users if you can manage all the user with the token properly in your code logic.
See the Web authentication broker topic and the sample to learn more details.
This Rails project uses Spree and Devise and has a separate controller to serve up JSON responses for the mobile side of things. I've just implemented Devise::Lockable to lock a user account after 5 failed logins. This automatically generates a password reset email. Things work fine on the desktop site and on the mobile site. My question comes from mixing the two together:
If you fail login 5 times through mobile API, the password link is sent to that account's email. But if you are already signed in on the desktop, and then also access the reset link from the desktop, it redirects to the home page (and signs out the user). If you click the reset link again, then the password reset form is served up.
How can I also sign out a user on from "normal" app (the desktop side of things) when the user fails logging in the maximum times on the mobile app?
EDIT: I've tried throwing Devise's "sign_out user" at almost every point in the pipeline but that doesn't do the trick, since the user for some reason isn't found to be signed in.
I've built a Rails app with a simple API. I'm using Devise for authentication. I'm trying to work out how to log a user into the rails app from my iOS app so they can retrieve and post data. I've been searching all day for the best way to do this but most info is outdated (using Devise's deprecated token_authenticable solution.
I've got my rails app. I've got my iOS app. I've written my API. How do I connect the pieces together?
Thanks
Details:
My app allows users to fill in a form and have that data sent to the server. In another section of the app the user can view the data they have previously submitted. When the app first launches the user should login to their account so that the data they post is associated with them and they can only view data they have previously posted. It's quite a simple app. How do I log them in so that I can tell the API to only return their data.
Set your server up to use SSL, then the communication to the server are secure. Post the userID and password to the server in an SSL. You can pass that information on each access to the server.
If you want to pass the UserID/Password only once then you can setup a session with a cookie but you will need server support for the session and timeouts.
What you need to define is how secure you want the authentication to be. That is who are you defending against? A friend, an enemy, a government? Define the value (in $) of a security breach. Defend to this level.
I'm making the back end for an iOS app in Rails. Users need to be able to log into the app using an app-specific username/password or via Twitter, but I'm not quite sure how to set things up for logging in via Twitter.
If I use OmniAuth, then it seems like the flow goes like this:
The iOS app directs users, in Safari, to the /auth/twitter page OmniAuth sets up for me
The /auth/twitter page sends the user to Twitter for OAuth authentication
Twitter returns the user to /auth/twitter/callback, and OmniAuth gives me an auth hash full of info
????
iOS app now has the credentials it needs to identify the user making requests when it calls my APIs
Authentication complete, app use proceeds as normal
It's step 4, getting the credentials back to the iOS app, that I don't know how to set up. All my APIs the iOS app calls are stateless; if they require an authenticated user, then user credentials are included in the API call. I don't know that much about writing iOS apps, and pretty much nothing about how apps interact with Safari.
What is a safe way of getting the user credentials back to the app? One that can't be snooped? If I have the callback page put information in cookies, or in the session, will that be accessible to the app but not anyone watching the traffic?
Alternately, if the app attaches some identifier for itself to the initial call to /auth/twitter, will Twitter & OmniAuth preserve that identifier so that it gets included in the /auth/twitter/callback, so that the app can then ask my back end for the credentials for an authentication that just finished associated with that identifier?
Alternately, if the app attaches some identifier for itself to the initial call to /auth/twitter, will Twitter & OmniAuth preserve that identifier so that it gets included in the /auth/twitter/callback, so that the app can then ask my back end for the credentials for an authentication that just finished associated with that identifier?
Did you try? Cause that's usually how your step4 goes. You keep a token or something about the user so when you get the callback you can lookup for that user again. No session or cookies, just plain db.