I want to have an additional layer of authentication by asking for an access code from users who plan to sign up.
Basically, users have to input an access code prior to getting into the sign up page. I was thinking it could be something like schoology's way for students to sign up (https://app.schoology.com/register.php?type=student)
I am using Devise for authentication
I think you should not do this: Adding another layer to registration avoid users from register to your site.
But anyway, if you just want to put a general password for the whole website you could use Http Basic Authentication
Frontend Only solution:
Make a textfield and check the input via javascript. If it matches your code you hide the input field and show the registration form.
With backend:
First put just the password form on the page and in your rails app you need a action in a controller. There you check if the code matches and et a variable like #code_valid = true. In frontend you only display the registration form when the code is valid
# /controllers/pre_signup_controller.rb
.
.
def validate_code
#code_valid = params[:code] == '12345' ? true : false
if #code_valid
redirect_to ///where ever your registration page is
end
end
Related
I have a devise authentication already setup in my application.Now i want to implement second level authentication in rails. i want to hard code the email and password in coding in controllers. i want to compare this email and password with the email and password provided by the user. rather than saving in database and picking for second level authentication.,Because these 5 to 6 links are going to be used by only one person in the company at any point of time. i want to implement this for a 5 to 6 actions in my application in controller. how can i implement this? i checked a gem gem 'devise-authy' but it seems it sends a password to mobile for otp authentication. i dont want otp authentication. i want a second level authentication with the same email as devise email but the password should be different from the devise original password.(like in devise table i want to take one more column second_level_password.) is there any gem for this kind of requirement or is this manually coded. if it is manually coded then how can i do that?
You can use before_action in rails controller.
Add following line of code in your controller.
before_action :second_level_access
private
def second_level_access
#You can use your logic to get password
unless current_user.second_level_password == params[:second_level_password]
# signout to user because user is already logged in with devise.
redirect_to session_path
end
end
EDIT
You can use
attr_accessor_with_default :second_level_logged_in, false
add following line to application controller:
before_action :logged_in_with_second_level, if: 'current_user and !second_level_logged_in'
def logged_in_with_second_level
redirect_to 'second_level_logged_in_form_page'
end
in create action of second_level_logged_in
add code current_user.second_level_logged_in=true
I have an app that is using Devise, I would like that after a user signs up, they are directed to a specific page, this page calls an API and saves the value from the API, I need this page to only be accessible or available after a user completes the sign-up form and clicks submit, and is then redirected to this page.
I do not want this page or URL accessible any other way but after sign-up, as the API will send a new value if accessed again. How can I accomplish this?
Once a user signs up they will be redirected to the page calling the API:
def after_sign_up_path_for(resource)
api_call_path ##path that can only be accessed after sign_up
end
The API is called and the response from the JSON data is automatically saved to the database once the page is opened, if the page gets opened again a new JSON response will be received with new data, which is what I would like to avoid.
So in a nutshell, my question is how can I restrict access to a specific path, and only make that path accessible if a user completes the sign-up form (devise) OR is there a way that I can run the code from the controller using a callback/filter after the user is created through the User model?
I was just busy with something similar. You do not need to direct the user to a page to run the code, you can just run the code that needs to be run after the user logs in the first time.
You need to create a Session Controller, and create a conditional statement that checks if the user has logged in previously:
#config/routes.rb
devise_for :users, controllers: { sessions: "sessions" }
#app/controllers/sessions_controller.rb
class SessionsController < Devise::SessionsController
def after_sign_in_path_for(resource)
if resource.sign_in_count == 1
##Do something awesome
else
root_path
end
end
end
As Emmanuel advised you can check futher info on the Devise Controllers.
Let's call the moment between after sign_up and showing the specific page - state A. So in the specific page controller you need to know - is the user in state A. You can achieve it by
1) saving to db (server side) that user is in state A after sign up and resetting state after showing specific page (you can do resetting triggered by client side to guarantee that page is showed).
2) saving to cookies (client side) after sign up then do as above.
Second solution is more clean in my opinion, but I do not know how strict is the rule to show only once
You can customize devise users controller by issuing
rails generate devise:controllers [scope]
Then customise UsersController such that after user is saved you can call your api code there
eg
def create
#user = ....
if #user.save
#user.call_api_method()
else
......
end
end
For more information check Configuring controllers
I've got a cross-website integration to handle. Basically I'm passing a param into the rails application and if it evaluates correctly ... then I'd like to log a user in.
Can this be done without the users password?
something like simply evaluating the password as true?
This is called "token authentication" and is supported by Devise, or can be relatively easily ginned up on your own. You want to generate a non-guessable secret token (your param), and then use that in lieu of a username. The devise wiki has links to a couple of examples:
https://github.com/plataformatec/devise/wiki/How-To:-Simple-Token-Authentication-Example
If you want a lighter-weight solution, you can also simply generate an auth token (using something like bcrypt) and then do something like:
#user = User.find_by_auth_token(params[:auth_token])
if #user is nil, then return a 403.
I know how to change the password using devise but I don't know how to create a link to an action for the current admin user. For example adding a link under the email.
Change password
and that would send to an action calling:
send_reset_password_instructions
I can't really find any good documentation for ActiveAdmin, the official site expose some examples but nothing there is really explained. Its unclear where and how things works.
You'll want to look at ActiveAdmin's documentation on custom controller actions. I've accomplished this by creating a "member_action" (a custom controller action which acts upon a single record), and adding an "action_item" to perform it (those are the buttons which appear in the top right when viewing a record). Here's how I make it work:
# in app/admin/admin_users.rb
action_item do
# Link to perform the member_action, "reset_password" defined below
link_to("Reset Password", reset_password_admin_admin_user_path(admin_user))
end
member_action :reset_password do
# Find the user in question
admin_user = AdminUser.find(params[:id])
# Call the method (from Devise) which sends them a password reset email
admin_user.send_reset_password_instructions
# Redirect back to the user's page with a confirmation
redirect_to(admin_admin_user_path(admin_user),
notice: "Password reset email sent to #{admin_user.email}")
end
I have the following restful structure:
My login page uses the session/new action
My signup page the users/new action
My logout page uses the session/destroy action
My register process uses the users/create action
I need 3 more actions for:
I forgot my password page
Start forgotten password action (send email)
Reset password based on token
Where do these 3 actions fit in a restful world?
To clarify:
I know I can create whatever actions on my existing session and user controllers (eg. a reset_password get action or a start_reset_password post action) it just doesn't really sit right, it seems I am trying to make these controllers do too much work.
REST is not black magic. Figure out what your technical goals are for these pages, then pick the right verbs to go with them.
I forgot my password page: essentially a static form, right? You want this to be cachable. GET on any URL you want.
Send email: costly action which you don't want repeated and you DO want executed every time the user requests it: POST or PUT on any URL you want. Heck, you could make it the same as the above URL if you wanted to, but I don't see a particularly pressing need to.
Reset password based on token: I'd consider implementing this as a login-via-token instead, but if you're going to do it your way, then it has server-side consequences and hence should probably be a POST or PUT.
I ended up creating a new controller called forgotten_passwords, to control the process
forgotten_passwords - new : maps to I forgot my password page
forgotten_passwords - create : maps to start forgotten password action (send email with token)
forgotten_passwords - show : maps to the end of the process (a page where the user sees her new password)
I am pretty happy with this design. I think it called for a new controller.