I currently have a productive web based Rails 6 application using devise for authentication.
I now have the requirement to implement API access to the same webapp.
Ideally:
There would be a separate auth link. (i.e. web access through http://<app_url>/users/sign_in and api login through http://<app_url>/api/v1/login
The intention is to receive user & password on the login and reply, once it's valid, a token with a certain validity (still uncertain if this should be in terms of days or weeks)
The api access with a valid token, should result in bypassing devise and granting the access.
I have implemented more than one solution available in forums, but none worked on Rails 6.
The options I have tried include using devise-jwt gem.
Any help on directions to overcome this are highly appreciated. I'm stuck in this scenario for a few days now.
Edit
I have tried some online options, but either bc I have a limited skill with rails or bc these don't work on Rails 6, I'm not getting any feasible state that I can use to move forward.
Related
I have a project where I want to develop the frontend in Next.js (requests based on fetch API from JS) and the backend in RoR and I am having a hard time to get the User authentication to work. I have researched and found four possible solutions:
Sessions and cookies
JWT
devise_token_auth
devise-jwt
I have tried to implement some of them but i always end up getting a server error on client requests at some point. I would like to know if anyone has any resources where I can get to know more about and learn more about it so I can implement such authentication in my project.
If I could take advantage of devise would be even better, since I already have it setup for ActiveAdmin (wanna use the admin dashboard)
Thanks a lot in advance.
I used to use devise, but have since moved to AWS Cognito which handles everything for you and is customizable as needed. You might look into it.
https://aws.amazon.com/cognito/
We have a monolithic Rails 3 (Ruby 1.9) server that does everything for us, including Devise session authentication.
We have recently decided to introduce a new Rails 5 server (built from scratch) which will serve as an API server and slowly replace existing capabilities in the old server.
Our problem is that session authentication happens against the old rails server and we want to include session authentication in the new Rails 5 server.
Does anyone have experience or suggestions on how to use new rails servers authenticate sessions against an existing rails server which has session information?
Needless to say, my main focus is on Front End development - server side authentication is not my forte.
You can have multiple Rails applications that share the same database and that use Device to authenticate users. But you need to ensure the same input / algorithm is used when encrypting passwords.
For Devise this has been BCrypt by default for quite some time, you also need to ensure that the config.stretches setting matches for both apps. The implementation has changed a bit over the years through and your milage may vary.
The key concept here is that you´re not authenticating against an application - you're authenticating that the result of encrypting the password provided by the user matches the digest in the database.
But you should also start by recognising that the apps might not have the same authentication requirements at all. Most API's (at least good ones) use token based authentication which is stateless.
One major issue with session based authentication is that cookies normally work on a single domain or subdomains and they are normally disabled by browser if they work cross-domain (3rd party cookies) which means that your will have issues if your api and the legacy app are not on the same subdomain. Cookies are also a feature only available in browsers while token based authentication works in any kind of client.
And while you could have your new application query the legacy application over HTTP tinkering with this might actually be a a waste of time since the new application will need its own authentication solution anyways.
There are multiple gems that provide token based authentication for Devise.
Cause i'm new to the whole angular (specific angular2) thing i wonder about something.
I want to build an "api" backend with rails 5 as they released the api mode and my frontend with angular2. Because i'm used to rails i wanted to implement a devise user authentication and because i'm new to angular2 i searched for a way to authenticate the user against my rails/devise backend.
But all i find are tutorials about angular2 and auth0, which i never heared before.
So my question is, is it "normal" to user angular2 with auth0 authentication?
And when i use auth0 my user data are not in my database right? So how do i create relationships with my rails models?
Would be great if someone can explain that to me or link me some article if they exists.
Auth0 is one of the many choices available to you. If you'd like to use Auth0 but store credentials in your own database, there is a tutorial for setting that up with Auth0.
So it can be normal to use Auth0, and you can also have your user data available in your own database-- do keep in mind you'll need to secure user credentials thoroughly when storing them yourself though!
I've also faced the same problem and considered Devise (going so far as setting up a Rails+Devise landing page that redirected users to the Angular app after successful login). After much pain I have come to the same recommendation as Kassandra, that using JWT authentication is the way to go.
However, if you plan to use Auth0 note that after 7000 users have signed up you will need to upgrade. This may not be a problem for you but since I plan to deploy something substantial it's a decision I had to think about.
Hope this is not too broad but after a lot of googling I am not sure where to start. I am looking for a introductory/noob overview to help me get started on building an authentication implementation for a rails 3 application.
Basic technical requirements:
Rails 3 application is hosted on third party service (heroku)
Need to use specific external private SSO service to authenticate users.
No local user database or model in the rails application.
Authentication is token based meaning that there is a special cookie that needs to be read passing back token to SSO server (not rails based).
I have no control over the SSO server or infrastructure.
Trust of the SSO server is implicit and do not want to maintain local database of users, passwords, or sensitive information. User info only exists during session and the SSO server is authoritative.
Session token info is cookie based and lives for the duration of the browser session.
I am looking for basic example/tutorial/strategy/explanation of how the process would work in rails with the above setup. I would like the process to be seamless for user with workflow that basically looks like this:
Navigate to rails app -->
redirect unauthenticated users to SSO server -->
login and authenticate via remote SSO server -->
callback/redirect to rails app -->
capture user info passed back from SSO server and load protected resources in rails app
Strategy is completely custom using a private SSO resource and does not use a well published auth mechanism (in other words not Facebook, Google, Twitter, OAuth, etc).
Any help on terminology, coherent tutorials, examples would be appreciated.
Edit/Update:
To be more specific I am also looking for good documentation how to create an omniauth custom developer strategy. Some tutorial that goes through the kind of code required to talk to an arbitrary SSO server, read a token out of a cookie, and complete the authentication handshake and callback/redirect.
This isn't really an answer but I'm posting this because a comment just wouldn't do. I don't know of any comprehensive guides so here's what I'd suggest you do:
Learn how Omniauth works. There's a great Railscast about authentication using Twitter. It's really simple and it will get you in the flow of the thing.
Build your own Omniauth strategy. Go to the list of Omniauth Strategies and scroll to Developer Strategies. In that table, choose the strategy you can use to connect to your SSO server.
Ideally, you'd be able to use OAuth2 and there are a couple of guides that talk about implementing your own OAuth strategy:
Custom OAuth 1.0 strategy to connect to Rdio
Custom OAuth 2.0 strategy by Intridea (the creators of Omniauth)
Custom OAuth 2.0 strategy to connect to Force.com by Heroku
But since you can't, just give a quick look at those guides. Without any specifics it's kind of hard (for me) to give any more help, but hopefully someone else will fill in the details.
So Im developing a Rails app- primarily serves API which I want to lock down behjind a nice authorization system. Ive created Rails apps which render HTML and for that I used Devise and CanCan. This time I want to serve JSON to my clients. I basically have the following requirements:
Need an authorization system thats robust
A user should be able to log in with existing apps such as facebook, twitter, linked in and google
There should be full stack authorization available
Now this is my 1st app that Im writing that serves up API so I started researching and so far Ive found the following solutions that people have used:
I've seen people use Devise with CanCan
I've seen people talk about using Oauth2
http://railscasts.com/episodes/353-oauth-with-doorkeeper?autoplay=true
I've heard... "Use Doorkeeper"
I've heard use ..." Use omniauth"
So basically my 1 day of research basically just confused me more. When di I use these and for my requirements which comnbination would I use! Im struggling to make sense of the alphabet soup, can someone help me understand this
Devise is an authentication engine for Rails apps of all types. Devise allows authentication against username/password, token authentication (good for API's), and an oauth provider (such as Google, Facebook and the like). This obviously allows you to deny access to the API unless the user is signed in through one of the services you offer.
CanCan is an authorization system that will work on top of Devise to allow users access to certain parts of your system based on their role within the system. CanCan has a very slick DSL prviding can and cannot methods for allowing or denying access to views or controller actions.
Doorkeeper is an oauth provider gem if you wanted to roll your own oauth solution on top of your API. This would be if you wanted your application to act in the same manner as Google or FAcebook in providing an oauth endpoint for users to authenticate against. From what you stated above, I don't think this is the case.
Given the requirements you provided above, I believe that Devise and CanCan would be the route that I would choose. This would allow the user to authenticate at first by username/password, or some oauth provider, then allow token authentication after that to access your API. You can then lock down access to specific actions through CanCan.