I'm using the devise_token_auth Gem to build a public API.
To destroy a session (sign_out) i have to send : uid (mail), client_id, and access-token (associated with this client_id)
This method from devise_token_auth gem checks if token is still available, and if it is valid. Github code
def token_is_current?(token, client_id)
# ghetto HashWithIndifferentAccess
expiry = self.tokens[client_id]['expiry'] || self.tokens[client_id][:expiry]
token_hash = self.tokens[client_id]['token'] || self.tokens[client_id][:token]
return true if (
# ensure that expiry and token are set
expiry and token and
# ensure that the token has not yet expired
DateTime.strptime(expiry.to_s, '%s') > Time.now and
# ensure that the token is valid
BCrypt::Password.new(token_hash) == token
)
end
I have some issues with this line BCrypt::Password.new(token_hash) == token
What i know is :
token_hash is the token extracted from DB
token came from header of the request
the line is using bcrypt "==" method to compare, which is
def ==(secret);
super(BCrypt::Engine.hash_secret(secret, #salt));
end
Since its using this method to check equality, the check doesn't pass, unless i explicity checking strings values.
Why use Bcrypt to compare two tokens, and not simply compare two strings.
Reading this : bcrypt ruby doc i understand the point of using bcrypt for passwords but why for tokens ?
Related
I'm following the Auth0 blog for decoding a JWT and I'm trying to grab the user information from it.
Create a web token class
def self.verify(token)
decoded_token = JWT.decode(token, nil,
true, # Verify the signature of this token
algorithms: 'RS256',
iss: 'https://YOUR_DOMAIN/',
verify_iss: true,
aud: Rails.application.secrets.auth0_api_audience,
verify_aud: true) do |header|
jwks_hash[header['kid']]
end
end
But when I inspect decoded_token its nil.
Looking at the jwt gem, in decode I see:
# Set password to nil and validation to false otherwise this won't work
decoded_token = JWT.decode token, nil, false
So I changed true to false in the auth0 code and I can see the pertinent user data that I need.
(byebug) decoded_token
[{"email"=>"xxx#example.com", "iss"=>"https://example.com/", "sub"=>"auth0|123456", "aud"=>["https://example.com", "https://example.auth0.com/userinfo"], "iat"=>123456, "exp"=>123456, "azp"=>"123456abc", "scope"=>"openid profile email"}, {"alg"=>"RS256", "typ"=>"JWT", "kid"=>"abcdefg"}]
I don't fully understand the code, what is happening here. Seems like I would want to keep verification on right?
Your token is invalid. At the very least the issuer (iss) doesn't match (and you've specifically set verify_iss: true) and the expiration claim (exp) is (very far) in the past, which automatically invalidates a JWT.
If you give an invalid token to decode and specify that it should validate its input, it returns nil, per its documentation.
Seems like I would want to keep verification on right?
Yes. You certainly want to reject invalid tokens.
I awarded user229044 with the right answer because they were correct, the token was invalid, but wanted to add context for anyone who may run into something similar.
Check your env vars. The problem turned out to be the string interpolation in json_web_token.rb: iss: "https://#{Rails.application.credentials.auth0[:DOMAIN]}/", and in the domain in the env file also included the full domain (including https://), so JWT.decode was looking for https://https.//... and the issuer was invalid. This was hard to see because the env vars matched my frontend 100% so cross checking those didn't help.
I had littered my call stack with byebugs trying to figure this out which messed with the implicit returns in ruby. The decoded token should be available in your secured_controller.rb as it gets returned implicitly in authorization_service.rb and json_web_token.rb.
I want to implement Google's One tap sign-up and automatic sign-in in my website with the help of documentation https://developers.google.com/identity/one-tap/web/ but I am getting confused on how to implement in python.
def smartlock(request):
try:
CLIENT_ID='*******'
csrf_token_cookie = self.request.cookies.get('g_csrf_token')
if not csrf_token_cookie:
webapp2.abort(400, 'No CSRF token in Cookie.')
csrf_token_body = self.request.get('g_csrf_token')
if not csrf_token_body:
webapp2.abort(400, 'No CSRF token in post body.')
if csrf_token_cookie != csrf_token_body:
webapp2.abort(400, 'Failed to verify double submit cookie.')
# Specify the CLIENT_ID of the app that accesses the backend:
idinfo = id_token.verify_oauth2_token(csrf_token_cookie, requests.Request(), CLIENT_ID)
# Or, if multiple clients access the backend server:
# idinfo = id_token.verify_oauth2_token(token, requests.Request())
# if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
# raise ValueError('Could not verify audience.')
if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
raise ValueError('Wrong issuer.')
# If auth request is from a G Suite domain:
# if idinfo['hd'] != GSUITE_DOMAIN_NAME:
# raise ValueError('Wrong hosted domain.')
# ID token is valid. Get the user's Google Account ID from the decoded token.
userid = idinfo['sub']
except ValueError:
# Invalid token
pass
'''
As mentioned in the 'Key Point' section of this page: The ID token is returned in the credential field, instead of the g_csrf_token field.
So, you need to get the idinfo with the code as below:
credential = self.request.get('credential')
idinfo = id_token.verify_oauth2_token(credential, requests.Request(), CLIENT_ID)
The g_csrf_token parameter is for different purpose. It makes sure the request was submitted from a page in your own domain, so as to prevent the cross-site-request-forge attacks.
I am trying my hand ruby on rails. Mostly I have written code in Sinatra. Anyway this question may not have to do anything with framework. And this question may sound a very novice question. I am playing with Twitter 1.1 APIs and OAuth first time.
I have created an app XYZ and registered it with Twitter. I got XYZ's consumer key i.e., CONSUMER_KEY and consumer secret i.e. CONSUMER_SECRET. I also got XYZ's own access token i.e ACCESS_TOKEN and access secret i.e. ACCESS_SECRET
XYZ application type: Read, Write and Access direct messages
XYZ callback URL: http://www.mysite.com/cback
And I have checked: Allow this application to be used to Sign in with Twitter
What I am trying to do is very simple:
1) Users come to my website and click a link Link your twitter account (not signin with twitter)
2) That opens twitter popup where user grants permission to XYZ to perform actions on his/her behalf
3) Once user permits and popup gets closed, XYZ app gets user's access token and secret and save in the database.
4) Then XYZ uses that user's token and secret to perform actions in future.
I may be moron that such work flow has been implemented on several thousands sites and Twitter API documentations explain this 3-legged authentication, still I am unable to figure it out.
I have read https://dev.twitter.com/docs/auth/3-legged-authorization and https://dev.twitter.com/docs/auth/implementing-sign-twitter Unfortunately no ruby code found on internet that explains with step by step example.
What link should be used to open twitter authentication page when user clicks Link your twitter account.
Can anyone here, write some pseudo code with my pseduo credential above to achieve my goal from beging till end of this work flow? Thanks.
UPDATE:
I started with requesting request token as
require 'oauth'
consumer = OAuth::Consumer.new(CONSUMER_KEY, CONSUMER_SECRET,
{ site: "https://twitter.com"})
request_token = consumer.get_request_token oauth_callback: 'http://www.mysite.com/tauth'
redirect_to request_token.authorize_url
I'm not familiar with ROR but here is the workflow of the OAuth 'dance' that you need to follow when the user clicks your button:
Obtain an unauthorized request token from Twitter by sending a
request to
POST https://api.twitter.com/oauth/request_token
signing the request using your consumer secret. This will be done in the background and
will be transparent to the user.
You will receive am oauth_token and oauth_token_secret back from
twitter.
Redirect the user to
https://api.twitter.com/oauth/authorize?oauth_token=[token_received_from_twitter]
using the oauth token value you received from Twitter in step 2.
When the user authorizes your app they will be redirected to your
callback url with oauth_token and oauth_verifier appended to the
url. i.e.
http://www.mysite.com/cback?oauth_token=NPcudxy0yU5T3tBzho7iCotZ3cnetKwcTIRlX0iwRl0&oauth_verifer=uw7NjWHT6OJ1MpJOXsHfNxoAhPKpgI8BlYDhxEjIBY
Convert the request token into an access token by sending a signed
request along with the oauth_verifier to
POST
https://api.twitter.com/oauth/access_token
signing your request
with your consumer secret and the token secret received in step 2.
If everything goes ok, you will receive a new oauth_token and
oauth_token_secret from Twitter. This is your access token for the
user.
Using the access token and secret received in step 6 you can make
Twitter api calls on behalf the the user by sending signed requests
to the appropriate api endpoints.
Hope you solved your problem by this time, but I built this sample Sign in with Twitter ruby web app that provide all explanation you need to do this integration. Below there's a class that implements all necessary methods with comments:
require "net/https"
require "simple_oauth"
# This class implements the requests that should
# be done to Twitter to be able to authenticate
# users with Twitter credentials
class TwitterSignIn
class << self
def configure
#oauth = YAML.load_file(TWITTER)
end
# See https://dev.twitter.com/docs/auth/implementing-sign-twitter (Step 1)
def request_token
# The request to get request tokens should only
# use consumer key and consumer secret, no token
# is necessary
response = TwitterSignIn.request(
:post,
"https://api.twitter.com/oauth/request_token",
{},
#oauth
)
obj = {}
vars = response.body.split("&").each do |v|
obj[v.split("=").first] = v.split("=").last
end
# oauth_token and oauth_token_secret should
# be stored in a database and will be used
# to retrieve user access tokens in next requests
db = Daybreak::DB.new DATABASE
db.lock { db[obj["oauth_token"]] = obj }
db.close
return obj["oauth_token"]
end
# See https://dev.twitter.com/docs/auth/implementing-sign-twitter (Step 2)
def authenticate_url(query)
# The redirection need to be done with oauth_token
# obtained in request_token request
"https://api.twitter.com/oauth/authenticate?oauth_token=" + query
end
# See https://dev.twitter.com/docs/auth/implementing-sign-twitter (Step 3)
def access_token(oauth_token, oauth_verifier)
# To request access token, you need to retrieve
# oauth_token and oauth_token_secret stored in
# database
db = Daybreak::DB.new DATABASE
if dbtoken = db[oauth_token]
# now the oauth signature variables should be
# your app consumer keys and secrets and also
# token key and token secret obtained in request_token
oauth = #oauth.dup
oauth[:token] = oauth_token
oauth[:token_secret] = dbtoken["oauth_token_secret"]
# oauth_verifier got in callback must
# to be passed as body param
response = TwitterSignIn.request(
:post,
"https://api.twitter.com/oauth/access_token",
{:oauth_verifier => oauth_verifier},
oauth
)
obj = {}
vars = response.body.split("&").each do |v|
obj[v.split("=").first] = v.split("=").last
end
# now the we got the access tokens, store it safely
# in database, you're going to use it later to
# access Twitter API in behalf of logged user
dbtoken["access_token"] = obj["oauth_token"]
dbtoken["access_token_secret"] = obj["oauth_token_secret"]
db.lock { db[oauth_token] = dbtoken }
else
oauth_token = nil
end
db.close
return oauth_token
end
# This is a sample Twitter API request to
# make usage of user Access Token
# See https://dev.twitter.com/docs/api/1.1/get/account/verify_credentials
def verify_credentials(oauth_token)
db = Daybreak::DB.new DATABASE
if dbtoken = db[oauth_token]
# see that now we use the app consumer variables
# plus user access token variables to sign the request
oauth = #oauth.dup
oauth[:token] = dbtoken["access_token"]
oauth[:token_secret] = dbtoken["access_token_secret"]
response = TwitterSignIn.request(
:get,
"https://api.twitter.com/1.1/account/verify_credentials.json",
{},
oauth
)
user = JSON.parse(response.body)
# Just saving user info to database
user.merge! dbtoken
db.lock { db[user["screen_name"]] = user }
result = user
else
result = nil
end
db.close
return result
end
# Generic request method used by methods above
def request(method, uri, params, oauth)
uri = URI.parse(uri.to_s)
# always use SSL, you are dealing with other users data
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# uncomment line below for debug purposes
#http.set_debug_output($stdout)
req = (method == :post ? Net::HTTP::Post : Net::HTTP::Get).new(uri.request_uri)
req.body = params.to_a.map { |x| "#{x[0]}=#{x[1]}" }.join("&")
req["Host"] = "api.twitter.com"
# Oauth magic is done by simple_oauth gem.
# This gem is enable you to use any HTTP lib
# you want to connect in OAuth enabled APIs.
# It only creates the Authorization header value for you
# and you can assign it wherever you want
# See https://github.com/laserlemon/simple_oauth
req["Authorization"] = SimpleOAuth::Header.new(method, uri.to_s, params, oauth)
http.request(req)
end
end
end
More detailed explanation at:
https://github.com/lfcipriani/sign_in_with_twitter_sample
I wrote a Rails application. I used omniauth for authentication.
session.rb
auth = request.env["omniauth.auth"]
user = User.find_by_provider_and_uid(auth["provider"], auth["uid"]) || User.create_with_omniauth(auth)
session[:user_id] = user.id
Everything seems normal as well, but when I want to change my facebook status, fbgraph cannot do that. I wrote this code
provider = User.find_by_provider_and_name('facebook', current_user.name)
#facebook = FbGraph::User.me(provider.token)
#facebook.feed!("loanminder-test-message-#{Time.now.utc}")
And the exception is like that
FbGraph::InvalidToken in LoansController#show
OAuthException :: Error validating access token: Session does not
match current stored session. This may be because the user changed the
password since the time the session was created or Facebook has
changed the session for security reasons.
How can I solve the problem, how can I change my status via Rails?
Your stored token is no longer being accepted. You will need to prompt the user to login again and use a new access token, or use the following token
app_id|secret
where if your app ID is 942523352 and your secret is bc76876876f67676ae0 then you access token is
942523352|bc76876876f67676ae0
I currently have a system with django which I need to migrate to rails. I am using Devise for authorization in rails. The old django system has it's own set of users which I need to migrate to rails. The thing that I am concerned with, is the password of the users. It is encrypted using sha1 algorithm. So, how I can modify devise such that it is compatible with the old user's password as well.
Each user gets its own random salt, that way if the table with passwords get leaked, rainbow tables wont help to get the actual passwords.
Checkout django/contrib/auth.models.py, check_password(raw_password, enc_password) is what you need to implement in your Rails auth system:
def get_hexdigest(algorithm, salt, raw_password):
"""
Returns a string of the hexdigest of the given plaintext password and salt
using the given algorithm ('md5', 'sha1' or 'crypt').
"""
raw_password, salt = smart_str(raw_password), smart_str(salt)
if algorithm == 'crypt':
try:
import crypt
except ImportError:
raise ValueError('"crypt" password algorithm not supported in this environment')
return crypt.crypt(raw_password, salt)
if algorithm == 'md5':
return md5_constructor(salt + raw_password).hexdigest()
elif algorithm == 'sha1':
return sha_constructor(salt + raw_password).hexdigest()
raise ValueError("Got unknown password algorithm type in password.")
def check_password(raw_password, enc_password):
"""
Returns a boolean of whether the raw_password was correct. Handles
encryption formats behind the scenes.
"""
algo, salt, hsh = enc_password.split('$')
return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))
I have the following method in my user model:
def valid_password?(pwd)
begin
super(pwd)
rescue
my_pwds = self.encrypted_password.split '$'
Digest::SHA1.hexdigest( my_pwds[1] + pwd ) == my_pwds[2] rescue false
end
end
This extends the default_password? method that is used by Devise to see if a user has submitted the correct password. First the user is being checked using the normal devise logics, and if that doesn't work the Django sha1 logic is run. This way devise passwords are supported too, so you won't get compatibility issues in the future.