Impacts of removing OAuth 2 (solution by Facebook/Google) - oauth

I have run into the situation where I have to remove the Facebook/Google authentication option from my app. So I want to know about all the pain during this process.
What about user data? Is there any possibility to link a newly created user with data from a previous Facebook-login-based user?
Any other situations which I have to fix?

Oh my God. I personally do not think that you should do that. Yes, if there are users in your application that have logged in with one of these providers, then yes, their data could possibly be deleted. I mean, if you have stored the access tokens to retrieve information about them, then you will be fine, I think. But if you remove OAuth 2.0, then your users will not be able to log in with anything else, such as local authentication, due to the fact that they have not created an account via your local authentication system, as they have not provided a password for their account. They only gave consent to read or write data about themselves, and you only know their email or username. Last but not least, a move like this will definitely harm your User Experience (UX) throughout your application and your marketing as well.
I hope that helps! Try to search for some alternatives to solve your issues.
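The question above asks how to keep the data of a user who only ever logged in through a provider, and the answer notes that such a user has an email but no password. The following is an added example (not code from the question or answer) of one migration path: keep the existing user row, issue a single-use, expiring set-password token to the email the provider verified, and let the user redeem it to set a local password on that same row. The user table, token lifetime, PBKDF2 cost and helper names are all assumptions made for the example.

```ruby
require "openssl"
require "securerandom"
require "digest"

# Constructed in-memory user table: each row was created through a provider
# login, so it has an email and provider uid but no local password.
USERS = [
  { id: 1, email: "alice@example.com", provider: "facebook", uid: "10001", password_hash: nil },
  { id: 2, email: "bob@example.com",   provider: "google",   uid: "g-22",  password_hash: nil },
]

TOKEN_TTL = 24 * 3600      # seconds a set-password link stays valid (assumed)
PBKDF2_ITERATIONS = 20_000 # kept low for the example; use a far higher cost in production

# Outstanding set-password tokens, keyed by SHA-256 of the raw token so a
# database dump does not contain usable links.
SET_PASSWORD_TOKENS = {} # digest => { user_id:, expires_at: }

def token_digest(raw)
  Digest::SHA256.hexdigest(raw)
end

def find_user_by_email(email)
  USERS.find { |u| u[:email].casecmp?(email.to_s) }
end

# Step 1: for a provider-only account, mint a single-use token to send to the
# address the provider verified. Returns nil for unknown users or for users
# who already have a local password.
def issue_set_password_token(email, now: Time.now)
  user = find_user_by_email(email)
  return nil unless user && user[:password_hash].nil?
  raw = SecureRandom.urlsafe_base64(32)
  SET_PASSWORD_TOKENS[token_digest(raw)] = { user_id: user[:id], expires_at: now + TOKEN_TTL }
  raw
end

# Step 2: redeem the token and set a password on the SAME user row, so
# everything keyed by user id stays attached; the provider link is dropped.
# Returns the user, or nil when the token is unknown, expired or already used.
def redeem_set_password_token(raw, new_password, now: Time.now)
  entry = SET_PASSWORD_TOKENS.delete(token_digest(raw.to_s)) # delete => single use
  return nil if entry.nil? || now > entry[:expires_at]
  user = USERS.find { |u| u[:id] == entry[:user_id] }
  user[:password_hash] = hash_password(new_password)
  user[:provider] = nil
  user[:uid] = nil
  user
end

# Step 3: the local login path that replaces the provider button.
def verify_local_login(email, password)
  user = find_user_by_email(email)
  return false if user.nil? || user[:password_hash].nil?
  salt, stored = user[:password_hash].split("$", 2)
  secure_compare(pbkdf2(password, salt), stored)
end

def pbkdf2(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                             OpenSSL::Digest.new("SHA256")).unpack1("H*")
end

def hash_password(password)
  salt = SecureRandom.hex(16)
  "#{salt}$#{pbkdf2(password, salt)}"
end

# Constant-time comparison so a timing oracle cannot leak the stored hash.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

The token must only ever be delivered to the address the provider confirmed; sending it to an unverified address would let anyone who controls that mailbox take over the account and its data.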

Related

Single sign-on, multiple domains on same server, ruby on rails

If I have a single server with multiple domains, what is the preferred method for implementing a single-sign-on solution on the same domain? I am currently using devise, have a few million cookies in place on separate domains, and am stuck. On top of just implementing SSO, I also need to migrate the various cookies to a central domain. Regarding the various servers, they only have one single page that requires me to show different states depending on whether or not the user is logged in.
I have tried the following:
CORS: pick one domain as the central auth hub. From all other domains, make cross-domain checks to see if the user is logged in. For migrating cookies, detect if there's a "current_user" object, send it to the client, make a CORS request, sign the user in and kill the token. Works great! BUT... after building it for 2-3 weeks, it TOTALLY FAILS in IE. Even in IE11, I'm noticing the default setting disables this behavior.
Tried tinkering with the session store at Rails.application.config.session_store with no luck.
I am currently experimenting with the following:
JSONP: I have someone right now trying to convert the above to JSONP while I try some other options:
Set up a custom OAuth provider. Like before, it will be the "central domain"; if the person is signed in, return to the requested domain with a token with which the users can make requests. https://github.com/songkick/oauth2-provider
Looking at this, but it looks outdated? https://github.com/rubycas/rubycas-client. I also get the feeling this could have been a solution if I had rolled this out from the get-go, but given how far we are into the project, it's unclear to me how I'd transfer the existing cookies. Also it's unclear if this requires two applications for me to get up and running (one for the client(s), one for the auth server).
As I go through each of these possibilities, if anyone has had any experience doing what I'm doing, please do inform me and save me a whole lot of work :)
The best way, unless this is a toy app, is probably to set up an OAuth provider.
We use Doorkeeper with Devise for this and it works great. It will be worth your time to set a little time aside to read through the documentation and watch a talk or two on YouTube if you're not already familiar with the strategy, but once you understand the core concepts it's actually pretty simple to set up with the help of this gem.
There is a quick video rundown at http://railscasts.com/episodes/353-oauth-with-doorkeeper
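The question's second option ("the central domain returns to the requested domain with a token") is the core of what Doorkeeper automates. As an added example, not code from the question, the answer or the Doorkeeper project, here is that handoff stripped to its security-relevant parts in plain Ruby: the hub mints a random, short-lived, single-use token bound to one client domain, the client domain's server redeems it over a back-channel call (so no browser cross-domain cookie is ever needed, which is what broke in IE), and then sets its own first-party session cookie. The domain names, the 60-second lifetime and the in-memory stores are assumptions for the example.

```ruby
require "securerandom"
require "digest"

# Hypothetical client domains allowed to receive a handoff; anything else is
# refused so the hub cannot be used as an open redirect.
ALLOWED_CLIENTS = %w[app1.example app2.example].freeze

HANDOFF_TTL = 60 # seconds: a browser redirect completes well within this

# Hub-side store of unredeemed handoffs, keyed by SHA-256 of the token so a
# read of the store cannot be turned into a replay.
HANDOFFS = {} # digest => { user_id:, audience:, expires_at: }

def handoff_digest(token)
  Digest::SHA256.hexdigest(token)
end

# Hub: called once the hub has verified the user's own session. Produces the
# URL the browser is redirected to. Unknown domains get nil.
def issue_handoff(user_id, client_domain, now: Time.now)
  return nil unless ALLOWED_CLIENTS.include?(client_domain)
  token = SecureRandom.urlsafe_base64(32)
  HANDOFFS[handoff_digest(token)] = {
    user_id: user_id, audience: client_domain, expires_at: now + HANDOFF_TTL
  }
  "https://#{client_domain}/sso/callback?t=#{token}"
end

# Hub: redeemed by the client's SERVER over a back-channel HTTPS request, not
# by browser JavaScript. The token is deleted on first presentation; a wrong
# audience or an expired token burns it without releasing the user id.
def redeem_handoff(token, calling_domain, now: Time.now)
  entry = HANDOFFS.delete(handoff_digest(token.to_s))
  return nil if entry.nil?
  return nil if now > entry[:expires_at]
  return nil unless entry[:audience] == calling_domain
  entry[:user_id]
end

# Client: after a successful redemption it sets its own first-party session;
# from here on it never needs the hub again for this session.
CLIENT_SESSIONS = Hash.new { |h, k| h[k] = {} } # domain => { session_id => user_id }

def establish_client_session(client_domain, user_id)
  sid = SecureRandom.hex(32)
  CLIENT_SESSIONS[client_domain][sid] = user_id
  sid
end

# End-to-end: what the callback endpoint on the client domain does with the
# token it received in the query string. Returns the new session id or nil.
def client_callback(client_domain, callback_url, now: Time.now)
  token = callback_url.split("?t=", 2)[1]
  user_id = redeem_handoff(token, client_domain, now: now)
  return nil unless user_id
  establish_client_session(client_domain, user_id)
end
```

Migrating the existing per-domain Devise cookies is the same exchange in reverse: a domain that still holds a valid current_user session asks the hub to create a central session for that user once, then drops its own cookie. Doorkeeper's authorization-code grant adds client authentication and a proper token endpoint on top of this skeleton.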

MVC4 Registration Limit

I've developed an MVC4 project and deployed it (in beta version). A visitor must log in before he can see most of the website. To log in, you are required to register. So far so good.
Now there's some weird dude who is trying to register 100 times, seemingly just to annoy me. How can I prevent this? I already have the following:
I have to manually accept registrations (as admin)
I integrated a captcha
So this dude is locked out of my application anyway, but his registration attempts are stored in my database, so it keeps expanding.
My question is: is there any way to limit registration actions? Like only once per hour or something like that?
Kind regards
You can store the IP in the database after registration for one hour, and before registration check if the IP exists in the database. Or create an application-level list of IPs instead of using the DB.
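The answer's "application-level list of IPs" is a per-IP rate limit kept in memory. Below is an added example of that limiter, written in Ruby rather than C# to stay consistent with the rest of this page (in ASP.NET the same structure fits in MemoryCache); it is not code from the question or answer. The one-per-hour limit is the figure the question suggests; the helper names and the sample addresses are assumptions.

```ruby
REGISTRATION_LIMIT  = 1    # registrations allowed per IP per window
REGISTRATION_WINDOW = 3600 # window length in seconds (one hour, as in the question)

# ip => timestamps (epoch seconds) of recent registrations. Kept in memory,
# not in the registrations table, so blocked attempts never create rows.
RECENT_REGISTRATIONS = Hash.new { |h, k| h[k] = [] }

def registration_allowed?(ip, now: Time.now.to_i)
  stamps = RECENT_REGISTRATIONS[ip]
  stamps.reject! { |t| t <= now - REGISTRATION_WINDOW } # expire old entries so the list cannot grow
  stamps.size < REGISTRATION_LIMIT
end

def record_registration(ip, now: Time.now.to_i)
  RECENT_REGISTRATIONS[ip] << now
end

# The check to run before inserting the pending registration row.
# Returns :ok or :rate_limited.
def attempt_registration(ip, now: Time.now.to_i)
  return :rate_limited unless registration_allowed?(ip, now: now)
  record_registration(ip, now: now)
  :ok
end

# Which address to key on. X-Forwarded-For is attacker-controlled unless a
# proxy you operate appended the real client address, in which case the
# rightmost entry is the one it appended. Otherwise use the socket address.
def client_ip(remote_addr, forwarded_for, behind_trusted_proxy:)
  return remote_addr unless behind_trusted_proxy && forwarded_for
  forwarded_for.split(",").map(&:strip).last
end
```

Keying on the wrong address is the usual mistake: if the app reads X-Forwarded-For without a trusted proxy in front, the "weird dude" simply sends a different header value on each attempt and is never limited, while a shared NAT address behind a real limit can lock out legitimate users for an hour.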

Disable Cookies on initial page load until user agrees to use them

I am using this answer here to log unique page views in my app: https://stackoverflow.com/a/15174466/1235816
I am using a cookie to check for unique visits. As far as I am aware, because the site will be hosted in the UK, I should have a message which asks the user to accept cookies, or if they don't, asks them to leave the site.
I want it to work like this: if a user wishes to accept cookies, then the 'app-name-visited' cookie should be set; otherwise, if they just exit the site without clicking accept, no cookies are downloaded to the client's machine.
Is this:
1/. a correct way of thinking?
2/. possible?
The cookie law has since been modified, so this is not quite necessary any more; you only need to let the user know that you will be using cookies.
The organisation that enforces this is the ICO, which doesn't ask for permission for cookies on its site:
http://www.ico.org.uk/
Suggest you follow this pragmatic approach.
If you want to comply as per your question, I did some work on this a while back for Rails projects which should be a decent starting point:
https://github.com/yule/threepwood

Managing Multiple Access to a User account in a web app using Cookie

In my Rails web application, I need to enable more control in user authentication, e.g. if a user after registration has specific credentials to log in, he/she should be able to log in from a particular system (PC) only. This can prevent other users from logging in even if they know that particular user's credentials. Can we use cookies for this purpose? Will a cookie always be unique if we access a particular web app from a particular PC? Help me to find a better solution.
Thanks in advance :)
In my opinion, use cookies with caution, only when you have no other options.
In this particular case (i.e. identifying a unique computer), I think you can identify it with 2 solutions:
A simple cookie with a value you know. The problem with a cookie is that a user can simply copy/paste the cookie value to another computer to have the same access.
A unique key computed from computer data. You can create it with some accessible information from this computer: browser, browser plugins, browser version, operating system, etc. This key can then be stored as a cookie. You have to check if this key is valid, according to your identification function. Copy/paste has no effect because the source information is not the same. The main problem with this solution is that it's 'too' secure: if the user changes their browser, adds a plugin, or changes their browser version, the function to compute the key will not work at all.
This is the second solution I use, with this information, for example: Rails Browser Detection Methods or https://github.com/josh/useragent
You can store a security token (an MD5 hash or something else) in the cookie, and check it for access.
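The two answers above describe a cookie whose value is derived from browser data (so a pasted copy fails elsewhere) and a token stored in the cookie that the server checks. Combining them, here is an added example, not code from either answer, in which the server binds the user id to a fingerprint of the request headers and MACs the pair, so the client can neither edit the user id nor reuse the cookie from a browser whose headers differ. The secret, the header set and the sample header values are assumptions for the example.

```ruby
require "openssl"
require "digest"

# Assumed server-side secret; load it from configuration, never from the code.
DEVICE_COOKIE_SECRET = "example-only-secret-change-me"

# Headers the server sees on every request. This is the "key computed from
# computer data" idea restricted to values visible server-side.
FINGERPRINT_HEADERS = %w[HTTP_USER_AGENT HTTP_ACCEPT_LANGUAGE HTTP_ACCEPT_ENCODING].freeze

def device_fingerprint(env)
  Digest::SHA256.hexdigest(FINGERPRINT_HEADERS.map { |h| env[h].to_s }.join("\n"))
end

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", DEVICE_COOKIE_SECRET, payload)
end

# On successful login: bind the user id to the fingerprint and MAC the pair so
# the client cannot rewrite either field.
def issue_device_cookie(user_id, env)
  payload = "#{user_id}|#{device_fingerprint(env)}"
  "#{payload}|#{sign(payload)}"
end

# On every request. Returns the user id, or nil when the cookie was forged,
# tampered with, or pasted into a browser whose headers differ.
def verify_device_cookie(cookie, env)
  user_id, fp, mac = cookie.to_s.split("|", 3)
  return nil unless user_id && fp && mac
  return nil unless secure_compare(sign("#{user_id}|#{fp}"), mac)   # forged or edited
  return nil unless secure_compare(fp, device_fingerprint(env))     # different browser/PC
  user_id.to_i
end

# Constant-time comparison for MACs and fingerprints.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

Two caveats the answers hint at. First, the fingerprint is built from client-controlled headers, so whoever can steal the cookie (malware, a shared machine) can usually also copy the User-Agent string, and the check becomes a speed bump rather than a lock to one PC. Second, the brittleness the first answer calls "too secure" is real: the test below shows that a routine browser upgrade changes the User-Agent and logs the legitimate user out.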

ActiveDirectoryMembershipProvider and Forms authentication

I've got a ASP.NET MVC web app which uses forms authentication.
I'm using ActiveDirectoryMembershipProvider to validate users against our domain.
if (Membership.ValidateUser(m.Username, m.Password))
{
FormsAuthentication.SetAuthCookie(m.Username, true);
....
This means the user gets validated only when they log in.
The problem with that is of course that if the user's password changes they still remain logged in. Or worse, a user leaves our company with a grudge, and they still have access.
I would have thought such a simple use case would have an obvious answer but I've been stuck on this for a while now.
I could put the user's password in the session and then validate it every time, but that doesn't feel right.
What is the suggested/correct way of handling this?
The typical solution is to force log out when the user unsubscribes from the service or, less commonly, when they change their password. Use these methods:
FormsAuthentication.SignOut();
FormsAuthentication.RedirectToLoginPage();
If the user can be deactivated outside of the app (i.e. in Active Directory), the typical practice is to rely on the session time-out and perhaps ask for the credentials once more for critical operations. If you absolutely cannot allow the deactivated user to work while the session is still active, then yes, you'll have to check the credentials on every request. Since storing the password in the app is a very bad idea, it means you'll have to ask for credentials on each request, which arguably is an even worse idea.
As for the password change, it normally doesn't modify the user's permissions, so it should be harmless to allow them to continue working.
The answer is to periodically (every 30 minutes or so) check User.IsApproved and User.LastPasswordChangedDate to make sure the user's credentials are still valid.
To do this you need to manually create the FormsAuthenticationTicket and cookie, rather than using FormsAuthentication.SetAuthCookie.
Put the date you validated the user inside UserData and compare this against LastPasswordChangedDate.
I've implemented this and it works perfectly.
More information here:
Check if Active Directory password is different from cookie
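The last answer's approach (a hand-built ticket carrying the time the credentials were last checked, compared every 30 minutes against IsApproved and LastPasswordChangedDate) is language-independent, so here it is as an added example in Ruby for consistency with the rest of this page; it is not the answerer's code and does not use the ASP.NET ticket classes. The MAC stands in for the forms-authentication ticket protection, the DIRECTORY hash stands in for the membership provider's lookup, and the secret, user names and dates are constructed for the example.

```ruby
require "openssl"
require "time"

# Assumed server-side key (the role machineKey plays for the forms ticket).
TICKET_SECRET = "example-only-secret-change-me"
REVALIDATE_EVERY = 30 * 60 # seconds between directory checks, as in the answer

# Constructed stand-in for the directory the membership provider would query.
DIRECTORY = {
  "jdoe"       => { approved: true,  last_password_change: Time.utc(2024, 1, 10, 9, 0, 0) },
  "exemployee" => { approved: false, last_password_change: Time.utc(2023, 6, 1, 0, 0, 0) },
}

def directory_lookup(username)
  DIRECTORY[username]
end

def sign(payload)
  OpenSSL::HMAC.hexdigest("SHA256", TICKET_SECRET, payload)
end

# Hand-built ticket: the user name plus the time the credentials were last
# checked (what the answer puts in UserData), MACed so the client cannot
# push the timestamp forward to dodge the next check.
def issue_ticket(username, validated_at)
  payload = "#{username}|#{validated_at.to_i}"
  "#{payload}|#{sign(payload)}"
end

def parse_ticket(ticket)
  username, ts, mac = ticket.to_s.split("|", 3)
  return nil unless username && ts && mac
  return nil unless secure_compare(sign("#{username}|#{ts}"), mac)
  [username, Time.at(ts.to_i).utc]
end

# Run on each request. Returns [:ok, refreshed_ticket_or_nil] when the user
# may continue, or [:signout, reason] when the app should call SignOut.
def check_request(ticket, now: Time.now)
  parsed = parse_ticket(ticket)
  return [:signout, :bad_ticket] unless parsed
  username, validated_at = parsed
  return [:ok, nil] if now - validated_at < REVALIDATE_EVERY # not due: no directory round trip
  record = directory_lookup(username)
  return [:signout, :unknown_user] unless record
  return [:signout, :disabled] unless record[:approved]
  return [:signout, :password_changed] if record[:last_password_change] > validated_at
  [:ok, issue_ticket(username, now)] # re-issue with a fresh validated-at
end

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
```

The 30-minute interval is the window in which a disabled account or a changed password still works; shorten it if that is too long for your threat model, at the cost of one directory query per user per interval. Deleting the account outright rather than disabling it is also covered, since the lookup then returns nothing.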
