Adding JWT to current application - ruby-on-rails

I've been trying to research implementing JWT into my application and am a little confused. Currently, I'm using BCrypt in order to hash and salt. My file looks like this in the User model:
    class User < ApplicationRecord
      has_secure_password
      validates :username, :email, :password_digest, presence: true
      validates :password, length: { minimum: 6, allow_nil: true }
      attr_reader :password
      after_initialize :ensure_session_token

      # Look the user up by email and check the password against the BCrypt digest.
      def self.find_by_credentials(email, password)
        user = User.find_by(email: email)
        user && user.is_password?(password) ? user : nil
      end

      def self.generate_session_token
        SecureRandom.urlsafe_base64
      end

      # Keep the plaintext only in memory (for validation); store the BCrypt digest.
      def password=(password)
        @password = password
        self.password_digest = BCrypt::Password.create(password)
      end

      def is_password?(password)
        BCrypt::Password.new(self.password_digest).is_password?(password)
      end

      def reset_session_token!
        self.session_token = User.generate_session_token
        self.save!
        self.session_token
      end

      def ensure_session_token
        self.session_token ||= User.generate_session_token
      end
    end
What I'm trying to ask is would I need to create a new method to further encrypt the password output from using BCrypt? Like I can't find any articles where a user encrypts a user password with BCrypt then uses JWT. All I'm seeing is people mentioning adding BCrypt by adding has_secure_password to the user model and basically creating hashing methods with JWT instead.
My question is: should I replace BCrypt with JWT, or what are some recommendations in regard to securing a user password with both JWT and BCrypt? Also, any beginner-friendly articles would be appreciated.
Thanks for all your help and explanation.

JWT is quite a different way compared to the method of logging in a user and using sessions and cookies to authenticate future requests.
If you think of it like this, a user comes to your application and goes to log in (like normal, with Devise for example). You receive their username and password on the login and check against the BCrypt hash in the database. If they successfully log in, you then provide them with a JWT token. Inside this token is encoded their user id.
When they make future requests to your application (normally from an API) then they will provide the token instead of their username and password. Your server has a secret and can decrypt this token to check if it is valid and can then use the user_id inside to know that it is the correct user. This will allow them to access any resources that they have access to.
JWT is normally used for JavaScript front ends or smartphone apps that want to have long login times (rather than session or cookie). The token is also stateless, so as long as the server has the secret, it can check it's valid and decrypt it.
Here is a more detailed explanation: https://github.com/dwyl/learn-json-web-tokens
Here is a good guide for setting up JWT with devise: https://medium.com/@mazik.wyry/rails-5-api-jwt-setup-in-minutes-using-devise-71670fd4ed03
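The token half of the flow described above, as an added example that is not part of the original answer or of any gem: the BCrypt check stays in `User.find_by_credentials`, and a token is issued only after it succeeds. The names `JWT_SECRET`, `issue_token`, `verify_token` and `peek_claims` are hypothetical, and the HS256 token is built with Ruby's standard library rather than the `jwt` gem.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo secret; a real app would load it from its credentials store.
JWT_SECRET = "constructed-demo-secret"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def sign(signing_input)
  b64url(OpenSSL::HMAC.digest("SHA256", JWT_SECRET, signing_input))
end

# Call this only after User.find_by_credentials (the BCrypt check) returned a user.
def issue_token(user_id, ttl: 3600, now: Time.now.to_i)
  header  = b64url(JSON.generate({ alg: "HS256", typ: "JWT" }))
  payload = b64url(JSON.generate({ sub: user_id, exp: now + ttl }))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{sign(signing_input)}"
end

# The claims are only base64url-encoded: readable without the secret,
# so nothing secret (password, password_digest) belongs in them.
def peek_claims(token)
  JSON.parse(Base64.urlsafe_decode64(token.split(".")[1]))
end

# Returns the user id, or nil if the token is malformed, forged or expired.
def verify_token(token, now: Time.now.to_i)
  header, payload, signature, extra = token.to_s.split(".", -1)
  return nil if signature.nil? || extra
  # Always verify with HMAC-SHA256; the header never chooses the algorithm.
  expected = sign("#{header}.#{payload}")
  return nil unless OpenSSL.secure_compare(expected, signature)
  return nil unless JSON.parse(Base64.urlsafe_decode64(header))["alg"] == "HS256"
  claims = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims["sub"]
rescue JSON::ParserError, ArgumentError
  nil
end
```

BCrypt and the token do different jobs here: the digest protects the stored password, while the token proves a login already happened until `exp` passes.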

Related

Using Devise/DatabaseAuthenticatable module to check password/salt a string

I'm building an app that uses Devise to manage user state. I'm also building an API in that same app that receives a username and password from a POST request.
What I'm trying to accomplish is:
- Get the user by username from the database (done, straightforward)
- Use Devise::Models::DatabaseAuthenticatable to take the password the user passed in, encrypt it, compare it against the encrypted_password field on the User model and if they're the same, proceed with the rest of my code
The second bullet above is what I'm having trouble with. In a console, I can't seem to get an instance of the module Devise::Models::DatabaseAuthenticatable to try the various instance methods that you can find here in the docs.
Any help would be greatly appreciated!
If I understood your question correctly, you can use .valid_password? devise method. Something like that:
    # assuming you'll receive nested params like user[email], user[password]...
    user_params = params.require(:user).permit(:email, :password)
    user = User.find_by(email: user_params[:email])
    return head 403 if user.nil?
    valid = user.valid_password?(user_params[:password]) # true or false...
    return head 403 unless valid
    sign_in(user) # devise helper: if you want to sign in that user
You can also check other approaches, like the devise token auth gem.

How to match a new string with the password already encrypted

I am working on a rails 3.2.13 project. I am using devise plugin (devise gem 3.2.2, 1.4.2) for authentication. Using this plugin, how can I validate the current_password field while changing the old password to a new one? Or else, please suggest how I can achieve this by encrypting the given string and matching it with the password already saved without using the devise plugin.
E.g.: One user has encrypted_password like below:
"$2a$10$VrawKYj6zp10XUxbixVzE.7d4QgYjQn9aiuzAuP7fp3PZOLMP5wbu"
while changing the password, if I enter a current_password, it should match the string above (encrypted_password == current_password). How can I validate this?
I believe you need to break your problem down into the following steps:
1. Determine if the old_password is actually the user's current password.
To do this, you can call:
    User.find_by_id([SOME_ID]).valid_password?(old_password)
If this returns true, then you can move on to the next step to begin changing of the password. If it doesn't, then the old_password is incorrect, and you should not allow the changing of password.
The implementation of valid_password? can be found in the Devise gem's /lib/devise/models/database_authenticatable.rb file (at around Line 40). You could use this implementation to roll your own code for validating a password. But, Devise pretty much does it for you if you call valid_password?, so rolling your own seems unnecessary.
2. If old_password is valid, then verify that new_password matches confirm_new_password.
    if (new_password == confirm_new_password)
      # ...
    end
3. If these match, then set the new password by doing the following:
    u = User.find_by_id([SOME ID])
    u.password = new_password
    u.password_confirmation = confirm_new_password
    u.save
You can verify that the password has been changed by:
    u.valid_password?(new_password)
Update user with current_password validation:
    @user.update_with_password(account_update_params)
    # account_update_params - should have :current_password, :password, :password_confirmation
It is the default behaviour in Devise::RegistrationsController. If you want to update the user without a password, you should overwrite the controller's action:
    class UsersController < Devise::RegistrationsController
      def update_resource(resource, params)
        # resource.update_with_password(params)
        resource.update_attributes(params)
      end
    end
Do I understand you right that you want to allow users to log in with an encrypted and an unencrypted (usual) password?
We have:
user.valid_password?('Password2').should
code on github
So we can overwrite it inside models/user.rb
    def valid_password?(password)
      encrypted_password == password || super(password)
    end

Devise: after successful login hook

In my rails app, I am using devise for my authentication system. I have a situation in which I want to encrypt some data using a key that is based off of the user's password. The easiest way that I can think to do this is during a successful sign in, to generate the user's private key from their plain-text password (passed in from the login form) and store that in the user's session. I don't really want to ask the user to enter their password more than once.
Does devise provide a way to specify a callback function after a successful login? Or is there a better way to do this?
http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable#after_database_authentication-instance_method
In the user model where you're using devise, create an after_database_authentication instance method.
Assume you have a Devise resource User with the attribute password; then you can access the user's password after login in after_sign_in_path_for, which is called after a successful login.
    # app/controllers/application_controller.rb
    class ApplicationController < ActionController::Base
      def after_sign_in_path_for(resource)
        password = params[:user][:password]
        do_cool_stuf_with_password(password)
        #...
        return url_for_root
      end
    end

Advice on HTTP authentication scheme (using request headers)

I have a rails app hosted on Heroku that I am restricting access to by using a proxy service. The external server acts as intermediary for all requests and handles user authentication. Once a user has authenticated, the server (I think LDAP) adds the user name to the request header and redirects them to my app.
I would like to use the username from the request header to authenticate users in my app. Basically if the user doesn't exist I would create a user with that username (no password required) and if not I would just log them in. I will be storing the users in my app's database.
How should I do this? Is it possible to use Devise for this purpose?
Edit: I got it working with Devise/custom Warden strategy like this:
    # config/initializers/my_strategy.rb
    Warden::Strategies.add(:my_strategy) do
      def valid?
        true
      end

      def authenticate!
        if !request.headers["my_key"]
          fail!("You are not authorized to view this site.")
          redirect!("proxy_url")
        else
          username = request.headers["my_key"]
          user = User.find_by_username(username)
          if user.nil?
            user = User.create(:username => username)
          end
          success!(user)
        end
      end
    end

    # config/initializers/devise.rb
    config.warden do |manager|
      manager.default_strategies(:scope => :user).unshift :my_strategy
    end
I need to make this as bulletproof as possible. Are there other security measures I can take to make sure someone can't spoof the request header and access my site?
I think using Devise can be a little overkill, but you can. You just need to define a Warden strategy in Devise, or use only Warden for this purpose.

Convert Custom Auth to AuthLogic

I am trying to convert my custom simple auth system in my rails app to use AuthLogic. I have managed to get everything working fairly easily, but now when I try to login it will not properly validate my credentials. The pertinent code is below:
    # app/models/profile.rb
    class Profile < ActiveRecord::Base
      acts_as_authentic do |c|
        c.transition_from_crypto_providers = Authlogic::CryptoProviders::Sha1,
        c.crypto_provider = Authlogic::CryptoProviders::Sha512
      end
    end
I used to use this to hash my password on creation:
    # app/models/profile.rb
    def hash_password
      self.salt = ActiveSupport::SecureRandom.base64(8)
      self.hashed_password = Digest::SHA1.hexdigest(self.salt + @password)
    end
I have already converted all the necessary table columns to be compatible with AuthLogic.
Is there a way to log what AuthLogic is hashing the password as? What else could be wrong?
I solved my problem, I had to write a custom crypto_provider, looked like this for anyone who is curious:
    require "digest/sha1"

    class MyCryptoProvider
      # Turns your raw password into a Sha1 hash.
      def self.encrypt(*tokens)
        tokens = tokens.flatten
        tokens = tokens.reverse
        digest = Digest::SHA1.hexdigest([*tokens].join)
        digest
      end

      # Does the crypted password match the tokens? Uses the same tokens that were used to encrypt.
      def self.matches?(crypted, *tokens)
        encrypt(*tokens) == crypted
      end
    end
