How can we override from_basic method of doorkeeper - ruby-on-rails

In doorkeeper gem of rails, access token get by the client by from_basic method of doorkeeper, i tried to customise this method, so that it is not easy for any outsider to get the access token.
I just add some more unique attribute with user name and email id, so that it become tough to get access token.
Here is the basic_method of doorkeeper:
def from_basic(request)
authorization = request.authorization
if authorization.present? && authorization =~ /^Basic (.*)/m
Base64.decode64(Regexp.last_match(1)).split(/:/, 2)
end
end
please provide me any suggestion how can i override this method

This is obviously security by obscurity, but it’s still easy with Module#prepend. Put this code anywhere in your initializers.
Doorkeeper::OAuth::Client.Credentials.
singleton_class.prepend(Module.new do
def from_basic(request)
original = super(request)
# my code that makes it better
end
end)

Related

Find_for_database_authentication vs Find_by in Rails Devise app?

So, I'm trying to set up a React frontend and Rails backend with devise, and the Rails side is supposed to be an internal API. It's the first time I've ever done this, so I'm struggling with authentication. Specifically, in my SessionsController, I have this code:
def create
resource = User.find_for_database_authentication(email: params[:email])
return invalid_login_attempt unless resource
if resource.valid_password?(params[:password])
sign_in :user, resource
return render nothing: true
end
invalid_login_attempt
end
This always returns 401 Unauthorized. I check the result of calling valid_password? and it is always false.
However, if I replace find_for_database_authentication with find_by, the valid_password? works with no problems. Why is this? It's okay if for now the user can only enter his email and not his password, but this really confuses me. It also bugs me that this doesn't use any token checking (different issue).
On the side, I'm also wondering about whether or not CSRF tokens are okay for internal APIs (should I use a different token-auth?), and how I'm supposed to include a CSRF token with a login form if the user isn't logged in yet, but I guess those are questions for another post. Thanks for any help.

Doorkeeper - Reject access token request if user not an admin

Using password-grant OAuth-2 flow, If a non-admin user requests an access token with scope: 'admin' I want to be able to reject that from happening - I'm using doorkeeper with devise.
Currently any old user can ask for any scope and by default it gets granted.
I don't see an obvious hook in doorkeeper to perform this sort of logic. Where/how should I configure this?
This is not currently possible with doorkeeper 3.x. You'd need to monkeypatch the OAuth::PreAuthorization class or fork the gem to add the required logic.
I had a similar need, so I made this into a config option where you can specify your own preauth class. The code is here. The doorkeeper maintainers indicated they wanted to think more about the feature.
Using Doorkeeper 4.x.x I am checking the presence of an 'admin' scope and if the current user is admin in the Doorkeeper's initializer:
resource_owner_from_credentials do
user = User.find_for_database_authentication(login: params[:login])
if user&.active_for_authentication? &&
user.valid_for_authentication? { user.valid_password? params[:password] }
admin_scope = params[:scope]&.split&.include?('admin')
user if admin_scope && user.admin? || !admin_scope
end
end
end

Subclassing Ruby Gem?

As a RoR newbie, I'm trying to understand how/where to correctly subclass a gem.
I'm using the ruby-box gem (https://github.com/KonaTeam/ruby-box) in my application, and attempting to follow the example on their github page where they subclass session.rb in order to obtain a refreshed token as follows:
class MyBoxSession < RubyBox::Session
# override call to refresh token so we can update the tokens store
def refresh_token(refresh_token)
ut = MyTokens.where(refresh_token: refresh_token, provider: 'box').first
begin
super
ut.access_token = #access_token.token
ut.refresh_token = #access_token.refresh_token
ut.save!
rescue OAuth2::Error => e
# token pair must just be bad
ut.destroy
end
end
end
I'm my box controller I use ruby-box to create the initial session, but I'm unclear on where I would add in the code above? In the box controller, or do I need to pull in session.rb?
Any and all assistance is greatly appreciated. Thanks.
If you write just a ruby script, put the code inline. If you are using rails I believe in library lib/, and when you have need just call a library methods from a controller/helper. If the connection is persisted, initialize it once on startup.

Authlogic and Single Access Token

I am having a hard time finding a simple tutorial on how to enable single access token authentication using authlogic. There is some documentation but it isn't very helpful.
I added single_access_token to my db, I added this:
single_access_allowed_request_types :any
to my Session class. but I still don't understand how a user is authenticated using the credentials param that is passed over every call. My require_authentication before filter does a standard check for current_user like this:
def current_session
return #current_session if #current_session
#current_session = Session.find
end
def current_user
#current_user = current_session && current_session.record
end
But is that enough to work? Does the Session.find method do the magic to log the user is based on my params or do I have to create separate method that actually check if the user_credentials param is there and then find the user based on it and then log that user in. I am confused if I really am "creating" a new session everytime I use a SAT or if I'm just setting current user in a before filter every time an API call is made.
Any help would be amazing! Thanks!
I implemented a single_access_token solution with authlogic and what I had to do was add single_access_allowed_request_types :all to the UserSession model.
Then I added the following to the controller where I wanted to allow single_access_token authentication.
def single_access_allowed?
["some_action_1","some_action_2","some_action_3"].include?(action_name)
end
It looks like you're missing the controller code. So if you had two actions "get_user_info" and "update_user_info" you would add.
def single_access_allowed?
["get_user_info","update_user_info"].include?(action_name)
end
The only thing I had to do make this work was
add a field called single_access_token to my users-table
add a method called single_access_allowed? to each controller where single access should be allowed.
This method would look like this:
# method for authlogic: defines for which action the single-access-token can be used
def single_access_allowed?
(action_name == "deliver") || (action_name == "delivery_status")
end
I did not have to add anything in UserSessionsController or the UserSession object. Authlogic handles that for you. With a single-access-token only one request is authenticated, so there is not a persistent session. Each request has to send the single-access-token. Hence the name: a token to get a single access :)
Hope this helps.
The source code of authlogic is the best documentation on the single access token. This is the specific section that discusses it.
You will need to add a private method called single_access_allowed? in the controller where you are trying to let users access. The Single Access Token is passed by default as a URL encoded parameter using the name user_credentials. So to hit your controller without logging in it will be /your_route/?user_credentials=xxxxxx

Rails: Accessing the username/password used for HTTP Basic Auth?

I'm building a basic API where user information can be retrieved after that user's login and password are correctly sent.
Right now I'm using something like this:
http://foo:bar#example.com/api/user.xml
So, what I need to do is access the user/password sent in the request (the foo and bar) but am not sure how to access that info in a Rails controller.
Then I'd check those variables via a quick User.find and then set those as the username and password variables for authenticate_or_request_with_http_basic.
It's possible I'm looking at this at the completely wrong way, but that's where I'm at right now. :)
The answer to your question of how to get the credentials from the request is this:
user, pass = ActionController::HttpAuthentication::Basic::user_name_and_password(request)
However authenticate_or_request_with_http_basic is all you need to do basic auth:
class BlahController < ApplicationController
before_filter :authenticate
protected
def authenticate
authenticate_or_request_with_http_basic do |username, password|
# you probably want to guard against a wrong username, and encrypt the
# password but this is the idea.
User.find_by_name(username).password == password
end
end
end
authenticate_or_request_with_http_basic will return a 401 status if credentials are not supplied, which will pop up the username/password dialog in a browser. If details are given then those are passed to the block provided. If the block returns true the request goes through. Otherwise the request processing is aborted and a 403 status is returned to the client.
You can also check out Railscast 82 (thats were the code above is from):
http://railscasts.com/episodes/82-http-basic-authentication
The rails plugin Authlogic supports this functionality (as well as much more) out of the box. You could root around in the source for it, or simply integrate it into your existing application.
Edit:
After digging around the source code for Authlogic, I found this file which uses the following piece of code to grab the username and password:
def authenticate_with_http_basic(&block)
#auth = Rack::Auth::Basic::Request.new(controller.request.env)
if #auth.provided? and #auth.basic?
block.call(*#auth.credentials)
else
false
end
end
I'd look a bit further into where it all goes, but I've got to get to bed. Hope I was of some help.

Resources