securely storing login details to external services - ruby-on-rails

I’m making an app that performs tasks on other sites for you.
Example - my app would log in to your theguardian.com account and check if you have any replies to your comments and perform an action if you do.
I'm wondering how I should store, and read, the login details for the guardian.com in my app? Obviously I want to avoid plain text.
I'm using rails and Postgres, my app is fully SSL.
EDIT:
I'm voting to close the question as it's obviously a bad idea and it looks like people are going to tell me so many times. #jvillian has suggested a gem which will help encrypt properties on a model if I do want to avoid plain text, which may be of use to anyone who stumbles across the question.

Check out attr_encrypted. I haven't used it personally, but it looks like what you're looking for and looks to be an active project.
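What encrypting a model attribute involves, as an added example that is not part of the original thread and is not attr_encrypted's own code. It uses only Ruby's standard `openssl` library; the key, the `user:…:site:…` row label and the helper names `seal_credential` and `open_credential` are constructed for illustration.

```ruby
require "openssl"
require "base64"

# Constructed demo key. A real 32-byte key lives in the environment or a
# secrets manager, never in the same Postgres database as the ciphertext.
DEMO_KEY = OpenSSL::Digest::SHA256.digest("constructed demo key, not a secret")

# Encrypt one stored credential with AES-256-GCM. `context` (for example
# "user:42:site:theguardian.com") is authenticated but not encrypted, so a
# ciphertext copied onto another user's row will not decrypt.
def seal_credential(plaintext, key, context)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv                 # fresh 12-byte nonce every time
  cipher.auth_data = context
  ciphertext = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Returns the plaintext, or nil if the blob was altered, the key is wrong,
# or the blob belongs to a different row context.
def open_credential(blob, key, context)
  raw = Base64.strict_decode64(blob)
  return nil if raw.bytesize < 29       # 12 IV + 16 tag + at least 1 byte
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = context
  (cipher.update(raw[28..-1]) + cipher.final).force_encoding("UTF-8")
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  row = "user:42:site:theguardian.com"  # constructed row identifier
  blob = seal_credential("s3cret-pass", DEMO_KEY, row)
  puts "stored column value: #{blob}"
  puts "decrypted for row:   #{open_credential(blob, DEMO_KEY, row).inspect}"
  puts "moved to other row:  #{open_credential(blob, DEMO_KEY, 'user:43:site:theguardian.com').inspect}"
end
```

Encryption at rest only protects against a database-only leak: the app must hold the key to log in on the user's behalf, so anyone who obtains both the database and the key recovers every stored password.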

Related

Is there a 'template' for a Rails web app with user authentication?

Is it possible to use a preexisting Rails app (preferably one that only has the user authentication system already setup) as a template by changing it to do what you want it to do?
I was hoping that there is something like wordpress is for php, that I can add to to make it do what I want it to do. Wordpress already has the user authentication and other important things built in. I can then go in and make it do what I want.
This question might reveal a fundamental misunderstanding of the framework concept, but I had to ask.
p.s. - Another way to ask this question could be "Can I take a basic Rails app with user authentication and then refactor it and add my own models?"
These two solutions appear to be what I am looking for:
https://github.com/RailsApps/rails-composer/
and
http://blog.bryanbibat.net/2011/01/03/starting-a-professional-rails-app-with-haml-rspec-devise-and-web-app-theme/
I will go through the tutorials and report back.

Rails and Facebook - can I do this?

I am considering implementing a Facebook-integration to my web app. I want to be able to import friends names, their ages and their interests/likes.
A. First off, is this possible? Can I access this information?
This import will, more or less, be a one-time import.
I also want to be able to use Facebook-login and to use it parallel to my "normal" login (auth) functionality. I assume this should be quite straightforward since most websites have it this way (e.g. Fiverr.com).
B. These two things being my basic needs of my Facebook-integration, which gem would you recommend me to use?
C. I am 1 1/2 years into RoR and consider myself decent at Rails-programming but hardly know any JavaScript and very little jQuery. Will this integration be very difficult for me, you think?
Recommendations of useful blog posts etc will also be appreciated!
A. Check facebook doc on permissions. I'd say you can get a user friends list (id and names), but nothing more: the friends would have to allow your app in order for you to retrieve their data. I've stumbled upon this issue a few weeks ago, but we were retrieving albums and pictures. The data you want is less sensitive, so maybe you can do it anyway. Bottom line: check.
B. I'd suggest using devise for managing everything related to authentication. It is a well known gem, used by many and more. You can add support for facebook via omniauth; there's a wiki page on devise about how to achieve this.
C. Once you get your grasp around the OAuth concepts, you'll be good. You can use facebook connect without javascript/jQuery. Some features though, as the "like button", will require to use the js SDK. Besides these ones, you can do pretty much everything server-side. For more advanced queries, the koala gem can do that.
Hope this is enough for you.

Share session between phpBB and a rails app

This might be a nonsensical question, but I have this task to create a rails app that shares session information, specifically login/authorization info, with an installation of a phpBB that some other person has customized to be more than just a BB.
Basically I need to rely on the user's phpBB login to authorize access to the rails app. I really don't want to have the user maintain two logins to use this conceptual single app.
I read a lot of documentation on phpBB and didn't find anything like exposed services or an API, but I'm hoping I just missed something obvious.
I've been considering adding a method to expose some hash or something to link the two applications rather than try to squeeze possibly different implementations of session.
Quick context, this work needs to be done fast and cleanly and I've never developed in php and rails is super fast so I am investigating the idea of integrating the two sides.
I might be off in the weeds, so don't be afraid to say so :)
thanks!
Have you checked phpbb-auth?
https://github.com/mattfawcett/phpbb-auth

How to safely let users submit custom themes/plugins for a Rails app

In my rails app I'd like to let users submit custom "themes" to display data in various ways.
I think they can get the data in the view using API calls and I can create an authentication mechanism for this. Also an authenticated API to save data. So this is probably safe.
But I'm struggling with the best way to let users upload/submit their own code for the theme.
I want this to work sort of like Wordpress themes/plugins where people can upload the thing. But there are some security risks. For example, if I take the uploaded "theme" a user submits and put it in its own directory somewhere inside the rails app, what are the risks of this?
If the user inserts any rails executable code in their theme, even though it's the view they have full access at that point to all the models, everyone's data, etc. Even from other users. So that is not good.
I need some way to let the uploaded themes exist in a sandbox of the rails app, but I haven't seen a good way to do this. Any ideas?
You could try Liquid (http://www.liquidmarkup.org/), which was developed to allow users to create their own themes for Shopify. Liquid themes aren’t real Ruby code, so you shouldn’t have to worry about users trying to access things they shouldn’t.
Another option is Ruby’s concept of “tainted” objects, which could be used to implement secure themes/plugins while still allowing users to write actual Ruby code. You can read more about it here. I can’t vouch for how secure it is as I’ve never used it.
It looks like this might have potential:
http://flouri.sh/2007/10/27/safely-exposing-your-app-to-a-ruby-sandbox
I'm also thinking about letting users submit their own sinatra apps and then running them from within rails. It looks like with Rack routing this is possible. I haven't been able to find any data on how/if the sinatra app is sandboxed from the rails app though. If anyone has info please let me know!
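The difference between rendering an uploaded theme as Rails view code and rendering it with a non-evaluating template language, as an added example that is not part of the original thread and is not Liquid's code. `render_theme_restricted` is a minimal constructed stand-in for the idea behind Liquid, and `ALL_ACCOUNTS` and the sample themes are constructed data.

```ruby
require "erb"

# Constructed stand-in for data that belongs to other users of the app.
ALL_ACCOUNTS = { "alice" => "alice@example.test", "bob" => "bob@example.test" }.freeze

# Unsafe: an uploaded theme rendered as ERB is Ruby running inside the app,
# so it can reach every constant and model the process can.
def render_theme_as_erb(theme_source, locals)
  ERB.new(theme_source).result_with_hash(locals)
end

# Safer: the theme is plain text with {{ dotted.name }} placeholders. Each
# name is looked up in the hash the app chose to expose; nothing is evaluated,
# unknown names render as an empty string, and values are HTML-escaped.
def render_theme_restricted(theme_source, exposed)
  theme_source.gsub(/\{\{\s*([a-z_][a-z0-9_.]*)\s*\}\}/i) do
    path = Regexp.last_match(1).split(".")
    value = path.reduce(exposed) { |scope, key| scope.is_a?(Hash) ? scope[key] : nil }
    value.is_a?(Hash) ? "" : ERB::Util.html_escape(value.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed themes: the first is ERB, the second uses placeholders only.
  erb_theme = "<h1><%= title %></h1><%= ALL_ACCOUNTS.values.join(',') %>"
  safe_theme = "<h1>{{ title }}</h1><p>{{ author.name }}</p>{{ ALL_ACCOUNTS }}"
  exposed = { "title" => "My <posts>", "author" => { "name" => "alice" } }

  puts render_theme_as_erb(erb_theme, title: "Hi")     # other users' data appears
  puts render_theme_restricted(erb_theme, exposed)     # ERB tags stay inert text
  puts render_theme_restricted(safe_theme, exposed)    # only exposed values appear
end
```

The restricted renderer limits what data a theme can read; the theme's own markup is still user-supplied HTML and needs the usual output sanitisation before it is served to other users.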

Is there a bulk email plugin for Rails apps?

Does anyone know of a plugin or something that can be used to send bulk emails for a Rails app?
Specifically, I'd like to be able to pass an HTML email file to a rake task or something and have it emailed out to everyone who has signed up to my site and checked the "please send me info about XXX" box.
I wrote kind of a hacked-together version for myself, but I'd like something that throttles itself somewhat smartly and can pick up where it left off if interrupted.
Update: I eventually broke down and got out my credit card and signed up for a real bulk email service, and damn was that the right choice. The resulting emails are very professional, they have built-in analytics, also integrate with Google Analytics, and it's awesome for a ton of other reasons.
If you're looking to do bulk emails with Rails, I would suggest using the Mailchimp service (here's my affiliate link that has a bonus on signup) along with the hominid gem. This will allow you to sync all your user emails from your database to Mailchimp, then use a real bulk service instead of some crappy patched together one.
Another Update: I heard about Maktoub today, and it's pretty much exactly what I was describing. Disclaimer: I have never used it and would still probably steer clear and go with a paid service, but it's still probably better than rolling your own.
I couldn't find one so I wrote it myself. It's not pretty (at this stage), but should serve as a good starting point for anyone with similar needs.
Please send me a pull request if you make any beneficial changes and I'll make sure to give you credit.
Mailcar - Ruby on Rails mass / bulk email plugin
Update - I highly recommend using a service. Rolling your own is a real pain and it will be difficult to manage once your list becomes reasonably large at all.
I don't know that this is the kind of thing that can be covered by a plugin as there are whole sites/applications dedicated to this kind of thing. If you wanted to use one of those then there is www.campaignmonitor.com, it's pretty good and it has an api that you can hook into from your application.
You might want to take a look at postageapp.com
Not aware of any plugins for this and I don't know how rake could be used to do this, if at all.
Since you're using Rails, I assume you're using MySQL as your database so this may not be useful to you, but SQL Answers Mail for SQL Server sends bulk email directly from SQL Server. You could try searching for a tool that does something similar for the database you're using.
There's also a tutorial here and here on creating your own mailer.
Use ActionMailer (tutorial) (docs), it comes with Rails and you should be able to rig it to run from a rake task.
There's a relatively new project called Maktoub which claims to be a Rails engine for email newsletters. I haven't tried it yet, but it looks promising.
