We have a monolithic Rails 3 (Ruby 1.9) server that does everything for us, including Devise session authentication.
We have recently decided to introduce a new Rails 5 server (built from scratch) which will serve as an API server and slowly replace existing capabilities in the old server.
Our problem is that session authentication happens against the old rails server and we want to include session authentication in the new Rails 5 server.
Does anyone have experience or suggestions on how to use new rails servers authenticate sessions against an existing rails server which has session information?
Needless to say, my main focus is on Front End development - server side authentication is not my forte.
You can have multiple Rails applications that share the same database and that use Device to authenticate users. But you need to ensure the same input / algorithm is used when encrypting passwords.
For Devise this has been BCrypt by default for quite some time, you also need to ensure that the config.stretches setting matches for both apps. The implementation has changed a bit over the years through and your milage may vary.
The key concept here is that you´re not authenticating against an application - you're authenticating that the result of encrypting the password provided by the user matches the digest in the database.
But you should also start by recognising that the apps might not have the same authentication requirements at all. Most API's (at least good ones) use token based authentication which is stateless.
One major issue with session based authentication is that cookies normally work on a single domain or subdomains and they are normally disabled by browser if they work cross-domain (3rd party cookies) which means that your will have issues if your api and the legacy app are not on the same subdomain. Cookies are also a feature only available in browsers while token based authentication works in any kind of client.
And while you could have your new application query the legacy application over HTTP tinkering with this might actually be a a waste of time since the new application will need its own authentication solution anyways.
There are multiple gems that provide token based authentication for Devise.
Related
I'm using devise_token_auth for a rails application with react on the frontend and rails as the backend acting as the backend.
In the readme the author states that
If you're building SPA or a mobile app, and you want authentication,
you need tokens, not cookies.`
Why? I understand the basic differences between tokens and cookies, but don't understand why you couldn't just use cookies (simply including the headers with any XHR requests)?
There are a few major reasons.
First of all most SPA's are designed as stateless and using cookie based authentication is not stateless. Using cookies also makes every request take a little bit longer because there is a lookup on every request.
Cookies are also tied to a domain. Most SPA's use multiple services across multiple domains which is a no go with cookie based authentication. This also applies to SPA's which have a web app and mobile app, using token based authentication means scaling this is much easier.
Tokens can also be used to store data and only need to be generated once, after that there is no work involved except for the server reading the token. This means you can store user permissions in there etc and the server can get this information with very little work.
the service I'm developing consists of chrome extension & web application.
For it I'm trying to create 2 server:
web application server (build by Rails)
API server(build by Django) to receive requests from chrome extension and process user data.
Those application use same database, same user information.
My question is how to authenticate users -- in Rails app, users can sign-up and sign-in via form. But in API server, how to authenticate users?
One solution might be JWT authentication, user get JWT token from Rails server and send token to Django server, and Django server authenticate by JWT authorization.
Is that best practice -- or simply sending username & password is better then this?
Thanks
I honestly believe that attempting to combine these two web platforms is not the best idea. You can read feedback from a similar question here, but basically attempting to combine rails with Django will lead you down a serious rabbit hole where both Rails and Django are going to be expecting to handle the authentication. You can potentially use a different, more simple Python framework, but I think you can potentially achieve the same overall goal with a single Rails application.
If project specifications require Django, then you can potentially try the latter option of username & password to do a database read, and then manually create a JWT functionality. I think it would be really really difficult though to use many of the built in, or even open source solutions, that Django provides, which is why Django could be overkill.
I'm writing an application that will primarily be accessed via API, but will also have views for editing via web app.
I would like to create a User model with authentication and authorization across both platforms.
I'm having trouble understanding the relationship between the devise and devise_token_auth libraries, other than that the former is recommended for most rails apps and the latter is great for API-only authentication.
For my case, what is the appropriate library to use, or should I be using both? Should I be generating the User model via devise and then adding the token auth to it? Do both systems use different authentication schemes? I'm just trying to understand why devise_token_auth exists apart from devise.
I'm also just a bit confused about the added complexity of token-based authentication. What would be wrong with simply having the users be registered and managed through devise, generating an API secret key for them, and then having them sign their API requests with that. Why the need for token based auth in the API?
devise_token_auth is an advanced method of API authentication which may, or may not, be overkill for your application. Essentially, a new token is generated for each API request.
Depending on what your needs are, you may be fine with token-based authentication, or perhaps even HTTP Basic auth, which devise supports out of the box.
I have a rails web which has been using cookie session authentication (devise) from its beginning. Now, we are developing an ionic mobile application which uses the API available from the rails application.
I have considered to use JWT or token authentication for this new application but I can't find a way to combine both authentication methods, cookie and JWT. Also, both applications have different requirements. For example, in the web a user can have concurrent sessions only if he/she has a certain role. On the opposite, in the mobile application it is possible to have concurrent session without any restriction.
I have reading a lot trying to figure how to combine both methods but I can't find the way. Maybe I should consider to use only one of the methods (JWT) or use another approach (doorkeeper).
Finally I have found a solution. According to refaelos and Zac Stewart, I have combined devise with JWT gem, using the last as a new strategy for the first. By this way, when I don't use JWT tokens, devise will choose the default strategy (database_authenticatable in my case). Otherwise, it will use JWT strategy.
However, when the user is not authenticated and make a post request to Session#create to get the credentials, the strategy chosen by devise/warden is database_authenticatable. In order to avoid this, I needed to add a new parameter to the request but only for this case because, as I said, when the token appears in the request, the new strategy is selected.
See also:
An Introduction to Using JWT Authentication in Rails
I realized from a previous question that I had been asking the wrong question...I would like to turn my application into a CAS server so that admins of the application may use this same authentication mechanism to log into other applications that we develop for the organization.
Have you done this before? Is there a plugin which adds the ability to Devise to be able to act as a CAS server? What do I need to change/add in order to turn the app into a CAS server?
Check this similar question, that explains rails 4 issues with devise_cas_authenticatable gem.
For the Server, you may use CASino for the server, it looks very clean. Check its installation guide.
OR
An Alternative solution, if both apps are on the same domain and they share the same database, you can simply modify the session cookie to be universal for all subdomains on your specified domain.