Extending Rails ThoughtBot/Clearance gem for password rotation - ruby-on-rails

I love the ThoughtBot Clearance gem (https://github.com/thoughtbot/clearance) for Rails authentication. But I'd like to expand my knowledge base in what/how I can make it more-better :)
I've used Devise (https://github.com/heartcombo/devise) in past projects, there's a great extension called "Devise Security Extension" written by Phatworx (https://github.com/phatworx/devise_security_extension) to add some additional features to Devise.
From Devise Security Extension
It is composed of 7 additional Devise modules:
:password_expirable - passwords will expire after a configured time (and will need an update). You will most likely want to use :password_expirable together with the :password_archivable module to prevent the current expired password being reused immediately as the new password.
:secure_validatable - better way to validate a model (email, stronger password validation). Don't use with Devise :validatable module!
:password_archivable - save used passwords in an old_passwords table for history checks (don't be able to use a formerly used password)
:session_limitable - ensures, that there is only one session usable per account at once
:expirable - expires a user account after x days of inactivity (default 90 days)
:security_questionable - as accessible substitution for captchas (security question with captcha fallback)
:paranoid_verification - admin can generate a verification code that the user needs to fill in, otherwise he won't be able to use the application.
I've done a quick search for this but Google didn't seem to come up with anything promising right off the bat. I'll keep digging but if I don't find anything I'll need to consider that I'd have to write something from scratch to extend some of the features like password rotation.
Does anyone know of any good extensions for clearance that have some similar features?
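Since nothing off the shelf seems to cover this for Clearance, here is an added, framework-free sketch (not Clearance's or Devise Security's code) of the two behaviours the question names, password expiry and a reject-reused-passwords history, as plain Ruby you could later wire into a Clearance user model. Clearance stores BCrypt hashes; this example uses PBKDF2 from the standard library instead so it runs without extra gems, and the 90-day and 5-entry limits are assumed policy values.

```ruby
require "openssl"

module PasswordRotation
  MAX_AGE_SECONDS = 90 * 86_400   # assumed policy: rotate every 90 days
  HISTORY_LENGTH  = 5             # assumed policy: remember the last 5 digests

  # Stand-in for Clearance's BCrypt digest: PBKDF2-HMAC-SHA256 with a per-user salt.
  def self.digest(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, "sha256").unpack1("H*")
  end
end

# Minimal in-memory user; in a Rails app these would be columns
# (encrypted_password, password_changed_at, and an old_passwords table).
class User
  attr_reader :password_changed_at, :old_digests

  def initialize(password, now: Time.now)
    @salt = OpenSSL::Random.random_bytes(16)
    @password_digest = nil
    @old_digests = []
    change_password!(password, now: now)
  end

  # True once MAX_AGE_SECONDS have elapsed since the last change.
  def password_expired?(now: Time.now)
    now - @password_changed_at >= PasswordRotation::MAX_AGE_SECONDS
  end

  # True if the candidate matches the current password or any archived one.
  # Comparison is against the digest, so only hashes are ever stored.
  def previously_used?(password)
    candidate = PasswordRotation.digest(password, @salt)
    ([@password_digest] + @old_digests).compact.include?(candidate)
  end

  # Archives the current digest, keeps only HISTORY_LENGTH entries, and
  # records the change time. Returns false when the password was recently used.
  def change_password!(password, now: Time.now)
    return false if previously_used?(password)
    @old_digests.unshift(@password_digest) if @password_digest
    @old_digests = @old_digests.first(PasswordRotation::HISTORY_LENGTH)
    @password_digest = PasswordRotation.digest(password, @salt)
    @password_changed_at = now
    true
  end
end
```

In Clearance you would hook `change_password!` into the password setter and check `password_expired?` in a `before_action` that redirects to the password-change page.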

Related

Devise + Patreon OAuth in Ruby on Rails

I have implemented the devise+patreon gem in my Rails application without issues. Now, devise requires an email/password by default when creating a User, but Patreon just uses the oauth integration.
I am wondering, what is the proper strategy to use so that I can migrate the Patreon Oauth users as Devise users, without having to set dummy passwords/emails to allow for validation to go through. I still want to eventually allow users to register via Devise natively, as well as through Patreon.
Is there maybe a known strategy/gem/addition for devise that I may have missed that can easily achieve that?
You can retrieve the user's email and a lot of other info (see here) about the user in the login call to Patreon's services, but the password will remain unknown; you can't just copy & paste a User.

Second password for a given set up pages in Rails - Not MFA

In my Rails app, we use the Devise gem for authentication and authorization. But for viewing some of the pages, clients want a second password to be entered, and those who enter it will act like super users. This is not a Multi-Factor Authentication request, but a kind of One Time Password (OTP) for a given set of pages/resources, just that the OTP will be static.
Devise does not provide this feature. Googling hasn't helped. Any idea how this could be achieved?
This sounds like a bit of an anti-pattern. Why not have an additional field on User that denotes if the user is a super user or not?
This has the benefits that:
there is no password to remember and distribute
super users have one less step to perform
you can easily remove users from this group, if needed
you don't need to build a secondary login form/page

How to validate password strength with Devise in Ruby on Rails?

I want to force a user to choose a strong password on registration.
I know there are many jQuery password strength meters out there, and I will most probably use one of them, too. But that does not really force anyone to choose a strong password. The registration form must also be usable without JS enabled, so one could still potentially register with a weak password.
Accounts must be most secure, because if you are logged in, you can see data of other accounts, which I do not want exposed under any circumstances. So I want to go for maximum security here; therefore I think it is most important to only allow strong passwords.
So,
How do I set and customize requirements for validating minimum password strength? Only thing I could find in the devise config file is password length. Is there another gem that I should use for this task?
You can use the Devise Security extension, where you can define a password regexp validation (among other things) and enforce the password strength you want.
I've recently released a devise gem which uses the zxcvbn library to reject weak passwords:
https://github.com/bitzesty/devise_zxcvbn
As of this writing (2018), I'd suggest other-folk to consider the newer Devise Security fork before settling on the previously recommended Devise Security extension gem (stale as of v0.10.0 March 2016, but still OG AF mang!)
edit: This one looks more recent, but idk.

Two different authorization schemes in a Rails 3.1 web service

I'm creating a web service with Rails 3.1 that requires authenticated user accounts for creating/managing content. It also requires an authorization scheme for transient 'users' accessing the content - they do not have accounts, but will simply provide a password furnished to them by the user who created the content in their requests.
I'm thinking the best strategy is to keep the two separate, not creating accounts for the transient users, representing them as a separate model associated with the content.
My question is whether this is something I should build from scratch, or whether I can get sufficient leverage from one of the existing authentication gems for it. And if the latter, how I would go about configuring it to manage two different strategies.
If I understand right, you will have regular account users and temporary accounts generated by users to share access to whatever.
I don't think something for this specific purpose exists.
I think using a solid and comfortable Auth Manager gem will be required to secure both user and tmp_account access.
The rest, i.e. managing the user-tmp_account relation and managing the lifetime + rights of the tmp_account, could be done without pain manually.
I personally built up something similar with the gem Devise.
Turns out I don't really need an authentication gem. While the implementation isn't finished, it appears a combination of Rails 3.1's has_secure_password and CanCan will work well for this.
Here's Ryan Bates' tutorial for using has_secure_password: http://asciicasts.com/episodes/270-authentication-in-rails-3-1
The idea is to use has_secure_password on both the User and Content models, and implement current_user such that it creates a transient User when the password is provided, setting a password property on that transient user. Then the implementation of the init method in CanCan's Ability class will verify the transient user's password against the content in a can block.

User membership pattern rails [duplicate]

In the .NET world we have the Membership provider; with this we can fully automate user registration and management. Does such a gem exist for the Ruby on Rails community?
I am looking for something that would allow a user to register, retrieve lost password, modify password and login.
See the answers given to this question recently - again, I would highly recommend Devise and the two railscasts on it, http://railscasts.com/episodes/209-introducing-devise and http://railscasts.com/episodes/210-customizing-devise. Devise handles all the things you described above - from the GitHub page:
"Confirmable: sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
Recoverable: resets the user password and sends reset instructions.
Registerable: handles signing up users through a registration process, also allowing them to edit and destroy their account."
Hope that helps!
Take a look at Devise - http://github.com/plataformatec/devise
It's a popular Rails engine for user authentication and should do what you need (and more).
Not sure that it has all of the features you want, but I really like restful-authentication.
http://agilewebdevelopment.com/plugins/restful_authentication
Features per website:
Login / logout
Secure password handling
Account activation by validating email
Account approval / disabling by admin
Rudimentary hooks for authorization and access control.
It also makes an appearance in a screencast over at http://www.buildingwebapps.com/learningrails
Episode 11 is about adding User Authentication. Watch the others if you are 100% new to Rails, but if you just want to see them use the gem, skip to that one.
Check railscasts for a number of new options, including OmniAuth, Sorcery (my choice this week), and authentication from scratch, which may be less painful than the options listed before.