Devise helps us to login/register users to our Rails applications. It helps us to Confirm emails, recover accounts. It is easy to implement sessions between app and user. It is easy to use Devise when user accesses to your app via Browser.
However, how to use Devise if users will be accessing to your app via Grape?
In simple Browser app when users wants to login, We can check by using user_signed_in?, or when user accesses to controller we can use before_action :authenticate_user!. Then we use current_user which is user who logged in or registered now.
Is it possible to access these helpers via Grape? Is it good solution to use Devise through Grape!?
Related
I'm developing a rails app that use devise to manage users, and I want to prevent user from signing into my app directly. (can I just prevent it by removing all the relevant routes?)
I have removed the front end logic, but I know that browser is not the only way to access a website. People can also use tools like curl to access website, so I want to know how people do that so I can better prevent it.
I have two Rails 4 sites, auth.example.com and app.example.com. Eventually there are going to be multiple app-type sites, maybe a dozen or two, but let's start with the one. Auth has devise set up so we can do basic user management (user creation and deactivation, password and SSH key management, etc.), with users logging into auth so they can do basic stuff themselves like update their address or phone number.
I want to set up app so that it uses the same authentication as auth. If a user tries to access app without being logged in, I want to redirect them to auth so they can log in, then go back to the page they were trying to access on app. Basically, I want to do devise actions on app, but with devise residing on auth. This, of course, is so that when we have multiple sites running, we can implement devise once instead of having to put it on every one of our sites individually.
I found this but it doesn't look like it's quite what I want:
http://4trabes.com/2012/10/31/remote-authentication-with-devise/
Anybody have a pointer to a resource that can walk me through how to do this?
Thanks.
What I would do is create a small API simply for user management. Then allow your other apps to make calls to that API to log a user in, create a user, etc. So keeping them on whatever site they're on, but in the background you're talking to the auth API.
a have a client with a website built on RoR by other developer, the website uses devise for user authentication and registration.
The website allows users to registrate and then send them a confirmation email, when they confirm their email, then they can login, BUT they can't see the content until they are approved to see it.
My client ask me to don't allow users to login until two things happen: They confirm their email and him(my client) approve them to see the content.
I tried this adding active_for_authentication? to the user model and returning true or false deppending if they are approved or not, but like the documentation of devise saids: the method active_for_authentication? is overriden by other modules like confirmable.
How can i perform this two validation using devise?
thanks for your help
You have to add authorization control in your application.
So I advice you to use CanCan gem it's easy to set and it allows you to define access rules based on your criteria.
Within a rails app i'm working on. I'm trying to add the ability for users to signup simply by entering their email address and then confirming their account via the confirmation email. I don't want the user to have to enter in any password. How would I go about doing this?
This example is useful, but requires for the user to enter a password: https://github.com/plataformatec/devise/wiki/How-To:-Email-only-sign-up
Should I just automatically use one password for all users?
Devise is built for authentication, which is either a password, or a quick check with a social network that this is actually the person they claim to be. The email address is used as identification.
If you just want to identify a person by their email, I suggest you create your own system for it. You can even add some of the Devise features in if you like. First, create a User model with an email attribute:
rails generate model User email:string
Once you've migrated the database, create a controller for it:
rails generate controller users
Then create a Session model and let each User create sessions by logging in. There'll be plenty of great tutorials on the web of how to create a system like this. Writing helper methods like current_user or user_signed_in? should be quite easy too.
Now for the last point, if you want people to sign in after they signed up using the email confirmation, how will you make sure that it is actually the same person signing in as the person who confirmed the email? Any malicious user could simply use an already confirmed account to sign in, unless you have to do an email confirmation every time you sign in...
So while you can do the above, I would seriously recommend to have some kind of authentication, whether it be with a password, or using OmniAuth to connect to social networks. There's a railscast for that here.
Not sure if this would help you, but based on the simplicity of the authentication process, I would suggest not to use Devise at all. You can just create an action in your SessionsController, which will compare the params[:email] (or however you are calling it in your app) against the emails listed in the UsersTable.
I am using Devise gem for web authentication in my Application.
Now i am about to write a mobile app for my Application which includes Sign in / Sign up process.
What is the correct way i should use to sign in a user and authenticate each call made by the user from the mobile app?
Which of the below strategy is correct? (i am not sure which method to follow to be more secure)
Note : You can view the above image in http://i.stack.imgur.com/I13uT.png (will be more clear)
FYI : I am using Titanium to develop mobile app and my backend server runs Rails app
Model #1 isn't secure, you aren't passing any sort of authentication on subsequent requests to validate that the user is still who they say they are.
What I'm presuming you really want to know is, what's the best way to verify the user is who they say they are, after logging in. I've answered this previously, Exposing Rails/Devise Authentication to iOS application and the same answer applies here.
Using token authentication in Devise will match model #2, and is also the most secure since you exchange the username/password for a token rather than having to store their username and password and reuse it with every request.
I'm not sure how #1 is secure at all since none of the subsequent requests are signed in any way. If someone knew the file structure of your app they could just access it that way, right?
With Devise, you can set an attribute on your User model to allow users to be authenticated via token:
class User < ActiveRecord::Base
devise :token_authenticatable
# there are other details and options on this, but this is the relevant piece
end
On each controller you can also verify that the user is authenticated by including before_filter :authenticate_user! at the beginning:
class PostsController < ActionController::Base
before_filter :authenticate_user!
end
When making requests from the mobile app, include the auth_token in the request so that the Rails app can authenticate before responding.
Beyond authentication, you may also be interested in something like CanCan to handle authorization as well.