Can I always require confirmation with Devise on Rails? - ruby-on-rails

I've been asked to implement 2FA with email codes, like you get from Steam (and many banks), after you haven't logged in for a while. I initially thought this would have been a flag I could turn on in the Devise config, but I can't find ANY place on the internet that talks about something like this. The desired process would be to generate and email a one-time pad to enter into a confirmation screen. Every reference I've found to 2FA with Devise refers to using things like SMS or an authenticator app.
Working within the framework of Devise, it seems like this might possibly boil down to unconfirming the user every so often, maybe like every other day. That way, the next time they log in, they get another email with a new link to "re-"confirm the login. The best I can find is Warden::Manager.after_authentication to set user.confirmed_at = nil, but this doesn't seem to be doing what I want.

Thanks to a friendly person on Github, I was directed to the Devise plugin, https://github.com/Houdini/two_factor_authentication, which does exactly what I wanted. I knew someone had to have already written it!

Related

Ruby on Rails authentication without user name?

In all of my Rails applications I have a User model with name, email and password attributes (among others).
This seems to be the standard approach when building Rails apps.
The more Rails apps I build, the more I begin to wonder why the User.name is even necessary.
Wouldn't it be easier to just omit the user name everywhere right from the start?
From a user perspective, the sign up process will become easier. Instead of filling in four fields (username, email, password, and password confirmation), the user will have to fill in only three.
According to some usability experts this might increase the number of sign ups.
In addition to that, users will also have to remember less data, i.e. only their email address (which most people have memorized anyway).
So what might be negative implications of this approach?
I couldn't think of any so far.
You might need to make emails from your app personalized, maybe with greetings such as `Dear <%= username %>`.
This doesn't mean you have to put name as one of the sign-up fields. You can put in the update form only, when the user edits their profile. Then you can make the edit_user_registration_path the after_sign_up_path_for devise.
I don't think using username is the "standard" approach with Rails apps. In fact, Devise's vanilla approach is using only email on models.
However, being able to accept username or email has many other advantages. You may have other scenarios where users do not register at all. I mean, perhaps you are also creating accounts for users without any registration and you don't know their emails, if so using email will not be an option.
In some applications, we use more than 3 authentication strategies. Some users do not have a username or email at all.
In short, I think it really depends on your scenarios. But I am sure that using both email and username is not a Rails convention.
If the main goal is a frictionless signup process then an OAUTH strategy would be the best way to go (4 fields of info down to two clicks), however you may want to collect the user info at a later time for a more personalized feel depending on what info you can capture from the callback.

Confirm multiple emails with devise

I am using Rails + Devise. I want the user to be able to confirm multiple e-mails (the app would send for each address a mail with a "confirm" link, and then the user has one or many confirmed mails). It is possible to confirm one with :confirmable (doc: http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable ).
I thought that I could play with
- (Object) resend_confirmation_instructions
by changing the address, but this is not the best solution.
Is there a solution with Devise, or do I have to implement this specific functionality?
You'll have to implement this yourself. Devise has one email per account, by default.
You'd not only need to handle multiple emails, but presumably you'd also want multiple confirmation_tokens, along with multiples of the other database fields relating to email confirmation (find them in the Devise migration file that gets generated). I don't imagine this will be a simple thing to solve with Devise.
However, this sounds like a counterintuitive thing to do. Perhaps you should update your question to include the requirements of your app, and the reason why you need to get confirmation from multiple email addresses. Someone may have a solution for how to architect your app such that it doesn't need this feature.

Devise, skip confirmation until user tries to do something meaningful

I want to let new users signup and browse my site without having to confirm their email addresses, until they try to do anything meaningful like create a new project, upload a video or leave a comment.
Does Devise have any hooks for doing this sort of thing?
Try a combination of postponing email confirmation via allow_unconfirmed_access_for and checking confirmed? for specific actions, as described in similar question1 and question2.
BTW, starting from Devise 2.2.4 allow_unconfirmed_access_for accepts nil for unlimited access without confirmation.
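The gate the answer describes, as an added example in plain Ruby (not Devise's code and not code from the original post). It models the two checks Devise's Confirmable module applies and the per-action check the answer adds on top: `active_for_authentication?` follows Devise's documented semantics for `allow_unconfirmed_access_for` (nil = unlimited unconfirmed access, 0 = none, otherwise a grace period measured from `confirmation_sent_at`), and `authorize` is the assumed `before_action` that refuses the listed "meaningful" actions until `confirmed?` is true. In a real app the first value is `config.allow_unconfirmed_access_for` in `config/initializers/devise.rb`, and the action list is your `only:` option.

```ruby
# Constructed stand-in for the Devise user row (only the two confirmable columns
# this example needs).
User = Struct.new(:confirmed_at, :confirmation_sent_at, keyword_init: true)

class ConfirmationPolicy
  attr_reader :allow_unconfirmed_access_for, :confirm_only

  # allow_unconfirmed_access_for: nil, 0, or a number of seconds.
  # confirm_only: actions that need a confirmed address even when unconfirmed
  # sessions are otherwise allowed (assumed list, e.g. %i[create_project]).
  def initialize(allow_unconfirmed_access_for:, confirm_only:)
    @allow_unconfirmed_access_for = allow_unconfirmed_access_for
    @confirm_only = confirm_only
  end

  def confirmed?(user)
    !user.confirmed_at.nil?
  end

  # Same decision order as Devise::Models::Confirmable#confirmation_period_valid?:
  # nil => always valid, 0 => never valid, else compare against confirmation_sent_at.
  def confirmation_period_valid?(user, now = Time.now)
    return true  if allow_unconfirmed_access_for.nil?
    return false if allow_unconfirmed_access_for == 0
    !user.confirmation_sent_at.nil? &&
      user.confirmation_sent_at >= now - allow_unconfirmed_access_for
  end

  # What Devise consults when deciding whether the user may hold a session.
  def active_for_authentication?(user, now = Time.now)
    confirmed?(user) || confirmation_period_valid?(user, now)
  end

  # The per-action gate: :allow, :sign_in_required (Devise would refuse the
  # session entirely) or :confirmation_required (redirect to a "please confirm"
  # page instead of performing the action).
  def authorize(user, action, now = Time.now)
    return :sign_in_required unless active_for_authentication?(user, now)
    return :confirmation_required if confirm_only.include?(action) && !confirmed?(user)
    :allow
  end
end
```

The ordering matters: the session check comes first, so an unconfirmed user past the grace period is refused everywhere rather than being allowed to browse and only blocked on the listed actions. Keep the `confirm_only` list on the server side; a client that skips the confirmation screen must still hit the same check.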

Determine if a user has ever logged in or made an account

For UX sake, I have sign in and sign up forms on the same page.
However, I'd like to show the sign in page to people who are known to have ever logged in, and the sign up page to users who have never been known to log in.
It seems like something you could do with session and cookies, but it's not clear to me where I would place this code.
(I'm using Devise, rails 3 and mongoid)
Thankfully, Devise has thought of this for you :)
user.last_sign_in_ip
This requires the use of :trackable, which is very well detailed here:
Display last logged in details using Devise in Rails 3
If the value is nil, then the user has never signed in. I think you know where to go from there.
Hope that helps!
-- Adding more detail for clarity
If you can't find the current user's IP, then they have not logged in. So a search for
User.where :last_sign_in_ip => {current IP}
Should do you. You don't even need to know which user, just that one exists.
Now, like you said, you can also use cookies, etc. The logic would work the same way, though; you just get a bit of free lunch here from Devise.

How do I implement gradual engagement using Devise and Rails 3?

I'm trying to implement a delayed-signup (aka delayed authentication aka gradual engagement) website flow using Devise + Rails.
By gradual engagement, I mean
"Don't make the user sign in until she absolutely has to, but let her play around and be remembered on the site"
I'm looking for a simple way to do this using devise. I feel like this is something many others have had to do, but I haven't found documentation on it.
The following approach sounds ok in my head, so I'm going to start with it:
Create users that are only "rememberable"
When certain pages are accessed, require that these users have more data on them, like a username and password, via something like "before_filter :authenticate_user!" in the appropriate controllers.
Does this approach make sense? Is there a better one? Do you have an implementation of a gradual engagement approach to signup/registration forms using Devise + Rails that you're willing to share?
I think the point of the article you gave us is to say:
only ask for sign up if necessary.
What does this mean?
Let's take an example. You're an e-commerce web site.
When does the customer have to sign up "at last"? During checkout. Never before. So you don't have to store, or remember anything about the user. Devise is never, never used here.
How do you manage the shopping cart of an unsigned in/up user? I'd say database, with session ID as primary key. Or you could store all the item IDs in a cookie, for later use.
In your code, if you have an action called checkout, just set in your controller a before_filter authenticate_user!, :only => [:checkout]
But maybe you have some constraints, like being able to keep your user's nickname without signing him up for example?
One alternate option is to do email-only signup, then send an email with a special link to finish registration later / bring them back to their account. There's an actively maintained tutorial on devise email-only signup at:
https://github.com/plataformatec/devise/wiki/How-To:-Email-only-sign-up
I've used this tutorial for a site I did a while back where we only asked for their email address to sign up, then later sent emails for them to complete registration / add a password.
You can keep all unsigned user's data in cookies, and transfer them to database once the user logs in, if you need to.
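The checkout-only gate and the guest-cart hand-over described in this thread, as an added example in plain Ruby (not code from any of the answers, and not Devise's). Assumptions: the cart table the first answer suggests is modelled as an in-memory Hash keyed by `session:<id>` for guests and `user:<id>` for accounts; `ACCOUNT_REQUIRED` stands in for the `before_filter authenticate_user!, :only => [:checkout]` list; and `sign_in` returns a fresh session id because the guest session id must not survive authentication (in Rails that is `reset_session`, called after the guest cart has been read, so a session id an attacker planted before login cannot be ridden into the authenticated session).

```ruby
require "securerandom"

# Actions that need an account; everything else is open to guests.
ACCOUNT_REQUIRED = %i[checkout].freeze

def requires_account?(action)
  ACCOUNT_REQUIRED.include?(action)
end

class CartStore
  def initialize
    @carts = {} # constructed in-memory stand-in for a carts table: key => [item ids]
  end

  def guest_key(session_id)
    "session:#{session_id}"
  end

  def user_key(user_id)
    "user:#{user_id}"
  end

  # Append an item to whichever cart the key names (guest or account).
  def add(key, item_id)
    (@carts[key] ||= []) << item_id unless (@carts[key] ||= []).include?(item_id)
    @carts[key]
  end

  def items(key)
    @carts.fetch(key, []).dup
  end

  # Called once authentication has succeeded. Order matters:
  # 1. read and delete the guest cart under the OLD session id,
  # 2. merge it into the account cart (account items first, no duplicates),
  # 3. rotate the session id so the pre-login id carries no state.
  # Returns the new session id the app should use from now on.
  def sign_in(session_id, user_id)
    guest_items = @carts.delete(guest_key(session_id)) || []
    key = user_key(user_id)
    @carts[key] = (items(key) + guest_items).uniq
    SecureRandom.hex(16) # in Rails: reset_session, then re-store what you need
  end

  # Decide what a request may do before touching the cart.
  # user_id is nil for guests. Returns :proceed or :sign_in_required.
  def authorize(action, user_id)
    return :sign_in_required if requires_account?(action) && user_id.nil?
    :proceed
  end
end
```

Merging into the account cart (rather than replacing it) is a product decision; the security-relevant part is that the guest cart is looked up by the server-side session id, never by a client-supplied cart id, and that the id is rotated at the trust boundary.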
