Two Rails app with Devise - Sync Authentication (Helpy.io) - ruby-on-rails

I have a standard Rails app with Devise for authentication. I have a second app with Helpy.io installed (also Devise). I am looking for two scenarios:
1. Authenticated Users on the Main site can access the Help site
2. Sync the user databases and once you are logged into the main you are automatically logged into the Help site and can open tickets etc.
Here is what I have tried for option 1 to start:
I have set the SECRET_KEY_BASE and SESSION_STORE on both sites the same and in session_store.rb:
Rails.application.config.session_store :cookie_store, key: ENV['SESSION_STORE'], domain: 'mydomain'
On my help site I have an application controller before_action that redirects to the main site if a particular session variable is nil (this is cleared on the main site if you logout).
What Works
If I authenticate on the main site then visit the help site everything works fine. I can navigate the help site etc. and I am not logged in (which is fine for option 1 for now). My users can just browse the help site and open tickets manually. If I sign out on the main site and go to the help site my redirect kicks in and I end up back at the main app sign-in page.
What is Broken
If I navigate from the help site back to the main site I am automatically signed out. I can still access the help site. If I log back in the main site works fine again UNTIL I go back to the help site and the process starts again.
Question
Where do I start to look to find what in Devise or anywhere else (assuming it's Devise) that is getting cleared etc. to make my app think I am not authenticated anymore?

I ended up going with a static Jekyll site and this approach:
Authenticate static files with Devise?
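As an added illustration (not code from the question, and not Warden's or Devise's own source), the following models, on my understanding of Warden's session serializer and Devise's serialize_from_session, the mechanism that can sign the main site out when two Devise apps read one cookie session: Warden stores `[[id], salt]` under `warden.user.<scope>.key`, deletes that key whenever the app reading the session cannot rebuild the user from it, and Devise only rebuilds the user when a record with that id exists and the first 29 characters of its encrypted_password equal the stored salt. The User records, the two "databases" and the bcrypt-shaped hashes are constructed for the example.

```ruby
# Added model of a cookie session shared by two Devise apps. This is an
# illustration written for this page, not Warden or Devise code; all data is
# constructed.

# Devise derives the session salt from the first 29 characters of the bcrypt hash.
User = Struct.new(:id, :encrypted_password) do
  def authenticatable_salt
    encrypted_password[0, 29]
  end
end

# Models Warden::SessionSerializer: store writes [[id], salt] under
# "warden.user.<scope>.key"; fetch DELETES that key when the current app cannot
# rebuild the record. That deletion is what the other app later sees as a logout.
class WardenSessionModel
  def initialize(session, lookup)
    @session = session   # the one cookie-session hash, shared by both apps
    @lookup  = lookup    # lambda(id) -> User or nil, i.e. this app's own DB
  end

  def key_for(scope)
    "warden.user.#{scope}.key"
  end

  def store(user, scope = :user)
    @session[key_for(scope)] = [[user.id], user.authenticatable_salt]
  end

  def fetch(scope = :user)
    key = @session[key_for(scope)]
    return nil unless key
    ids, salt = key
    record = @lookup.call(ids.first)
    # Devise's serialize_from_session: record must exist AND salt must match.
    user = record if record && record.authenticatable_salt == salt
    @session.delete(key_for(scope)) unless user
    user
  end
end

# Round trip: sign in on main, load one page on help, come back to main.
def main_still_signed_in?(main_db, help_db)
  session = {}
  main = WardenSessionModel.new(session, ->(id) { main_db[id] })
  help = WardenSessionModel.new(session, ->(id) { help_db[id] })
  main.store(main_db.values.first)
  help.fetch            # help site deserialises the shared session
  !main.fetch.nil?      # does main still find its user afterwards?
end

# Constructed bcrypt-shaped strings (7-char prefix + 53 chars), not real hashes.
HASH_A = '$2a$12$' + 'a' * 53
HASH_B = '$2a$12$' + 'b' * 53

def demo
  main_db = { 1 => User.new(1, HASH_A) }
  {
    help_has_no_such_user:    main_still_signed_in?(main_db, {}),
    help_user_other_password: main_still_signed_in?(main_db, { 1 => User.new(1, HASH_B) }),
    help_user_fully_synced:   main_still_signed_in?(main_db, { 1 => User.new(1, HASH_A) }),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the fully synced case (same id and same encrypted_password on both sides) survives the round trip; a help-site user table that is missing the record, or that holds a different password hash, causes the help app to drop the Warden key and the main site to appear signed out on the next request.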

Related

Share Devise Session across Custom Domains in Rails 5 Application

I have a Rails 5 app that uses Devise for managing users and hosted on Heroku.
My site is called www.example.com but I allow my users to set up custom domains so it could be www.andyexample.com as well.
I can successfully login to www.example.com. However, when I login to www.example.com and then navigate to www.andyexample.com I'm not logged in anymore even though it's the same application.
Is there a way to keep me logged in even when I change between domains?
My understanding was that Devise uses cookies but since a cookie is stored in the browser, why does it not keep me logged in?
Not a duplicate to the suggested post since it's outdated and has 1 reply that introduces a fairly complex solution to something that should be easier to achieve.
Cheers,
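The question has no answer on the page; what follows is an added example, not the poster's code or a Devise feature. A cookie scoped to www.example.com is never sent to www.andyexample.com because they are different registrable domains, so `domain: :all` or `tld_length` in session_store.rb cannot bridge them. One approach, assumed here, is a signed, short-lived, single-use handoff token: the origin where the user is already signed in mints it and redirects to the custom domain, which verifies it, consumes the nonce and starts its own session. The module name `Handoff`, the hosts, the secret and the 60-second lifetime are assumptions; the nonce set stands in for whatever shared store the app uses.

```ruby
# Added example of a cross-domain login handoff (not from the original post).
# Assumed design: HMAC-SHA256 over a base64url JSON body; the token is bound to
# the target host, expires after TTL seconds and can be redeemed once.
require "openssl"
require "base64"
require "json"
require "securerandom"
require "set"

module Handoff
  TTL = 60 # seconds; assumption

  # Called on the origin (www.example.com) before redirecting to the custom domain.
  def self.mint(secret, user_id:, target_host:, now: Time.now.to_i, nonce: SecureRandom.hex(8))
    payload = { "uid" => user_id, "aud" => target_host, "iat" => now,
                "exp" => now + TTL, "jti" => nonce }
    body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
    "#{body}.#{sign(secret, body)}"
  end

  # Called on the custom domain. Returns the user id or nil; never raises on bad input.
  # used_nonces is a Set (or any object with include?/<<) shared by all hosts.
  def self.verify(secret, token, expected_host:, used_nonces:, now: Time.now.to_i)
    body, sig = token.to_s.split(".", 2)
    return nil if body.nil? || sig.nil?
    return nil unless constant_time_equal?(sig, sign(secret, body))   # check MAC first
    payload = begin
      JSON.parse(Base64.urlsafe_decode64(body))
    rescue ArgumentError, JSON::ParserError
      return nil
    end
    return nil unless payload["aud"] == expected_host                   # audience binding
    return nil unless payload["iat"].is_a?(Integer) && payload["exp"].is_a?(Integer)
    return nil unless payload["iat"] <= now && now < payload["exp"]     # lifetime
    jti = payload["jti"].to_s
    return nil if jti.empty? || used_nonces.include?(jti)               # single use
    used_nonces << jti
    payload["uid"]
  end

  def self.sign(secret, body)
    OpenSSL::HMAC.hexdigest("SHA256", secret, body)
  end

  # Length check plus OR-accumulated XOR so timing does not leak the prefix match.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Exercises the accept and reject paths with a fixed clock and constructed secret.
def demo
  secret = "constructed-demo-secret"
  used   = Set.new
  t0     = 1_700_000_000
  host   = "www.andyexample.com"
  token  = Handoff.mint(secret, user_id: 42, target_host: host, now: t0, nonce: "n1")
  tampered = token.sub(/[0-9a-f]\z/) { |c| c == "a" ? "b" : "a" }  # flip last hex digit of the MAC
  {
    valid:      Handoff.verify(secret, token, expected_host: host, used_nonces: used, now: t0 + 5),
    replay:     Handoff.verify(secret, token, expected_host: host, used_nonces: used, now: t0 + 6),
    wrong_host: Handoff.verify(secret, Handoff.mint(secret, user_id: 42, target_host: host, now: t0, nonce: "n2"),
                               expected_host: "www.example.com", used_nonces: used, now: t0 + 5),
    expired:    Handoff.verify(secret, Handoff.mint(secret, user_id: 42, target_host: host, now: t0, nonce: "n3"),
                               expected_host: host, used_nonces: used, now: t0 + 61),
    tampered:   Handoff.verify(secret, tampered, expected_host: host, used_nonces: used, now: t0 + 5),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a Rails app the mint side would live on www.example.com (only for a user who already has a Devise session), the verify side on a route of the custom domain that calls `sign_in` after a non-nil result and sets its own cookie; the token should travel in the query of a single redirect and be rejected thereafter, which is what the nonce set enforces.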

Rails: Signing out user from both desktop site and mobile API

This Rails project uses Spree and Devise and has a separate controller to serve up JSON responses for the mobile side of things. I've just implemented Devise::Lockable to lock a user account after 5 failed logins. This automatically generates a password reset email. Things work fine on the desktop site and on the mobile site. My question comes from mixing the two together:
If you fail login 5 times through mobile API, the password link is sent to that account's email. But if you are already signed in on the desktop, and then also access the reset link from the desktop, it redirects to the home page (and signs out the user). If you click the reset link again, then the password reset form is served up.
How can I also sign out a user from the "normal" app (the desktop side of things) when the user fails logging in the maximum number of times on the mobile app?
EDIT: I've tried throwing Devise's "sign_out user" at almost every point in the pipeline but that doesn't do the trick, since the user for some reason isn't found to be signed in.

After Deploying to Heroku, Can't Login via Devise

In my Dev environment, everything runs flawlessly. But, after deployment to Heroku, I can't log in. After filling out both the Sign in & Sign Up forms, I am redirected to the Root URL, but the UnAuthenticated page is shown and I do not have access to any of the Authenticated Routes.
A few notes:
After Signing Up, a User record is created in the db
After Signing IN, a Sign in Count is added in the db
I am 100% confident the db is set up & migrated correctly (have done this many times)
There are no errors in heroku logs. It appears that I am simply redirected when trying to access Authenticated routes.
Does anyone have any suggestions? Getting desperate with this one :\
My problem was in my session_store.rb file. I had changed it to accommodate subdomains, yet the :domain => was set to my local dev environment url (lvh.me). I changed it to :all, and the app now works as it should.
Good luck!

How to get the rubycas-server login form to display?

I have installed rubycas-server on my server. I have a ruby app that supports CAS on mysite.com. I would like to have the rubycas-server login page at login.mysite.com.
I have followed the instructions at http://code.google.com/p/rubycas-server/wiki/HowToConfigure and configured my config.yml file.
I have started the rubycas-server but I don't see a login form at login.mysite.com. There isn't anything on login.mysite.com. I have set up the uri_path to login.mysite.com. I thought that it would display the login form when I start the rubycas-server but it doesn't. I guess I am still missing something. What am I supposed to put on login.mysite.com in order for the login page to display? Is there supposed to be another ruby app?
Sorry, I am new to this.
Remember that the CAS is a single sign-on app and the CAS login page is meant to be central to all of your applications. So a typical usage would be that you have your CAS server running on one machine, and the login will be at somedomain.com/cas. Then you have a bunch of applications that want to authenticate, at mysite1.com, mysite2.com, etc. If you try to browse to a CAS-protected page in one of those applications, you'll be redirected to somedomain.com/cas, where you'll sign in, and then CAS will redirect you back to the page you wanted on, say, mysite2.com.
Out of the box, you should see the login by going to the domain that rubycas-client is installed on and going to /cas.
Basically, it sounds like you're expecting the login page to be part of your application, and with CAS, it's not.
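The redirect flow the answer describes, written out client-side as an added example (not rubycas-client code and not from the original post). It follows the CAS 2.0 protocol endpoints `/login` and `/serviceValidate` under the `somedomain.com/cas` base the answer uses; the service URL, the ticket value and the two XML replies are constructed. The security-relevant step is the last one: the ticket that comes back in the browser redirect proves nothing by itself, and the application server must ask the CAS server to validate it for exactly the service URL it sent to `/login`.

```ruby
# Added CAS 2.0 client-side flow, written for this page; not rubycas-client's code.
require "uri"
require "cgi"

module CasClient
  CAS_BASE = "https://somedomain.com/cas" # base path from the answer; assumption

  # Step 1: the application redirects an unauthenticated browser here.
  def self.login_url(service)
    "#{CAS_BASE}/login?service=#{CGI.escape(service)}"
  end

  # Step 2: CAS redirects back to the service with ?ticket=ST-...
  # Returns [ticket, service_url_without_ticket] or nil if no service ticket is present.
  def self.extract_ticket(callback_url)
    uri    = URI.parse(callback_url)
    params = URI.decode_www_form(uri.query.to_s)
    ticket = params.assoc("ticket")&.last
    return nil unless ticket&.start_with?("ST-")   # only service tickets are accepted here
    rest = params.reject { |k, _| k == "ticket" }
    uri.query = rest.empty? ? nil : URI.encode_www_form(rest)
    [ticket, uri.to_s]
  end

  # Step 3: the application SERVER (never the browser) fetches this URL from CAS.
  # The service must be the same URL that was passed to /login.
  def self.validate_url(service, ticket)
    "#{CAS_BASE}/serviceValidate?#{URI.encode_www_form(service: service, ticket: ticket)}"
  end

  # Step 4: parse the CAS 2.0 reply. Returns the username on success, nil otherwise.
  # Pattern matching is enough for the fixed cas: element shape used in the demo;
  # a real client should parse the XML properly.
  def self.parse_validation(xml)
    return nil if xml =~ /<cas:authenticationFailure/
    m = xml.match(%r{<cas:authenticationSuccess>.*?<cas:user>([^<]+)</cas:user>}m)
    m && m[1].strip
  end
end

# Constructed CAS replies, shaped like the CAS 2.0 serviceValidate responses.
SUCCESS_XML = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationSuccess>
      <cas:user>alice</cas:user>
    </cas:authenticationSuccess>
  </cas:serviceResponse>
XML

FAILURE_XML = <<~XML
  <cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
    <cas:authenticationFailure code='INVALID_TICKET'>Ticket ST-123-abc not recognized</cas:authenticationFailure>
  </cas:serviceResponse>
XML

def demo
  service  = "https://mysite.com/dashboard"
  callback = "#{service}?ticket=ST-123-abc"       # what the browser arrives with after /login
  ticket, svc = CasClient.extract_ticket(callback)
  {
    login_url:    CasClient.login_url(service),
    ticket:       ticket,
    service:      svc,
    validate_url: CasClient.validate_url(svc, ticket),
    success_user: CasClient.parse_validation(SUCCESS_XML),
    failure_user: CasClient.parse_validation(FAILURE_XML),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Nothing in the flow is served by the application at login.mysite.com itself: steps 1 and 2 are redirects to and from the CAS server, and step 3 is a back-channel request from the application server to the CAS server.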

Authlogic, logout, credential capture and security

Ok this is something weird. I got authlogic-oid installed in my rails app today. Everything works perfectly fine but for one small nuisance.
This is what I did:
I first register with my google openid. Successful login, redirection and my email, along with my correct openid, is stored in my database. I am happy that everything worked fine!
Now when I logout, my rails app as usual destroys the session and redirects me back to my root url where I can login again. Now if I try to login it still remembers my last login id. Not a big issue as I can always "Sign in as a different user" but I am wondering if there is any way to not only logout from my app but also logout from google.
I noticed the same with stack overflow's openid authentication system.
Why am I so bothered about this, you may ask. But is it not a bad idea if your web app's end user, who happens to be in a cyber cafe, thinks he has logged out from your app and hence from his google account, only to realize later that his google account had got hacked by some unworthy loser who just happened to notice that the one before him had not logged out from google and, say, changed his password!!
Should I be paranoid? Isn't this a major security lapse while implementing the openid spec? Probably today someone can give me a workaround for this issue and the question is solved for me. But what about the others who have implemented openid in their apps and not implemented a workaround?
If this is such a big issue to you, do not use OpenID, or display a DHTML popup after a successful log out reminding the users that their session is still valid on their OpenID provider.
As for Google's OpenID, what you can probably do is redirect users through the following URL after
http://www.google.com/accounts/ClearSID?continue=http%3A%2F%2Fwww.google.com%2Faccounts%2FLogout%3Fcontinue%3Dhttp%3A%2F%2Fwww.google.com%2F
Afaik, there is no way you can log the user out of their account in another system. Your app is supposed to be responsible only for its own business. As a user, I'd be very surprised if a website using openid could log me out of my google account.
Yes, there is a scenario that a user can assume that they are logged out of google because they logged out on your site but that would (and should) be their own fault.
