I have a Rails app using Vue.js for some front-end components. I use Devise for authentication, but since some of my Vue components make JSON requests to my backend, should I be using something like JWT authentication? I'm confused about when Devise is enough and when some type of JSON web token authentication becomes necessary.
If you are developing a Single Page Application, maybe you need a JWT. The user must login once at the beginning, after login you will have a Json Web Token, and the next requests need to use the token in order to authenticate.
You can take a look a devise-jwt gem, to implement these feature.
https://github.com/waiting-for-dev/devise-jwt
Related
I'm writing an application that will primarily be accessed via API, but will also have views for editing via web app.
I would like to create a User model with authentication and authorization across both platforms.
I'm having trouble understanding the relationship between the devise and devise_token_auth libraries, other than that the former is recommended for most rails apps and the latter is great for API-only authentication.
For my case, what is the appropriate library to use, or should I be using both? Should I be generating the User model via devise and then adding the token auth to it? Do both systems use different authentication schemes? I'm just trying to understand why devise_token_auth exists apart from devise.
I'm also just a bit confused about the added complexity of token-based authentication. What would be wrong with simply having the users be registered and managed through devise, generating an API secret key for them, and then having them sign their API requests with that. Why the need for token based auth in the API?
devise_token_auth is an advanced method of API authentication which may, or may not, be overkill for your application. Essentially, a new token is generated for each API request.
Depending on what your needs are, you may be fine with token-based authentication, or perhaps even HTTP Basic auth, which devise supports out of the box.
I want to make a JSON API with Rails 5 that will feed an angular app and possibly later mobile apps. I do not want to include any html in the rails application. I typically use devise to handle user creation and authentication in regular rails apps. I would like to implement an OAuth2 compliant flow so I found a gem called doorkeeper.
I like devise as it handles the sending of a confirmation email and password reseting, etc. I would like doorkeeper to keep my app OAuth2 compliant.
My issue is that the OAuth2 documentation says to try to not use the password grant type but I cannot find a better alternative method for a site being served by the same server the API is coming from. Should I require a CSRF token only for the OAuth route to acquire the access token to ensure the request is coming from the site? Should I use the CSRF token from within the angular app the entire time in conjunction with the access token?
Also should I have devise handle the sending of the access token? How would that work in the other flows besides password grant? I would also have to edit devise to only accommodate JSON requests and to respond in kind.
Also I would like to implement a JWT however I still think it best to have the token linked to a session ID, I know the kind of defeats the purpose of the JWT but I think its beneficial to use the JWT in order to accommodate native apps.
I am sure this is not an uncommon thing to want to set up nowadays but I have yet to find a solid walkthrough connecting devise, doorkeeper, and an API only setup. Has anyone experienced and implemented a something like this?
I am building an API and I'm stuck at the authentication part. I will try to explain what I have and what I'm trying to accomplish:
First, the API is closed to the public, it will only be used on the admin's back-end and for 3rd party devices in the company.
I have a model called Member that is being used with Devise for authentication
I'm also using STI to distinguish between 3 levels of users (using CanCan for roles)
What I thought:
I tried the Token authentication by Rails, it worked but I was afraid of expose the token in each Ajax request, I don't know if I was right.
I also tried to use a '/token' route to post my credentials and get a token, but I was facing the same problem in a more complicated approach. The link with the tutorial
I don't wanna use OAuth because it's unnecessary for that kind of application.
Is it secure to use this token authentication with ajax requests or is there a more secure way to prevent people accessing my API?
Token authentication needs to be done over a secure connection.
If for example you are using Heroku, it is possible to use
their credentials to gain a HTTPS url. With this the contents
will be encrypted and so exposing the token through JSON
over the API will be acceptable.
I am developing an ASP.NET MVC web application. The application is consuming a REST API, but authentication for REST-full application is quite unclear for me.
As REST is stateless, do I have to implement two different Authentications with two different databases, one for client, and one for the REST service?
Or, do I have to send the login/password each time, to authenticate on the server?
Please give me some advice or tutorial on this.
You can authenticate a Web API using individual user accounts that are stored in a database.
In this case client should obtain access token first. And then include it to each request, that requires authorization, header:
Authorization: Bearer boQtj0SCGz2GFGz[...]
Good tutorial can be found HERE
Also authentication methods could be extended in Startup.Auth.cs with Cookies or some external authentication methods (Google, Facebook etc)
The stateless isn't a main problem in your situation, problem is that browser can only send GET or POST request in tradition way in tag form, so to send PUT or DELETE request you should use Ajax, the easiest way is to use JQuery library and config it to send user credentials in http header(between requests it can be store in cookies) in every request and use basic-authentication if you plan use own auth logic. I recommned you to look some SPA frameworks like angularjs
or emberjs
or backbonejs
to simplify your life from hardcode JavaScript . Also in future you can easy extend your auth by OAUTH 2.0.
I'm looking to write a single-page web application using RoR for the backend and Backbone (amongst other things) for the front-end. As with most things, the app will require the user to sign in (authentication easily handled with RoR and the database), but I'm confused as to how I would go about performing tasks with Backbone that require authentication. Because everything's client-side, it seems to me that I can't pass, for example, the user's ID to the backend as that'd be easy for somebody to discover.
Basically, how do I replicate a session-based authentication mechanism with Backbone?
Maybe this post can help you User Authentication with Rails and Backbone.js
Regards
You probably want to look into token authentication: How use token authentication with Rails, Devise and Backbone.js?
Basically, you send login data and receive an authentication token that you then use in all subsequent ajax calls.
Users discovering their token isn't really an issue: they can log in and have legitimate access to the information.