Rails authentication system for web and API - ruby-on-rails

I am looking for an authentication system for Ruby on Rails. However, there seems to be no gem that supports both direct web authentication (e.g. like devise does) and API authentication (like devise_token_auth). The two I mentioned seem incompatible with each other (at least I got some errors after adding devise_token_auth to a project with devise already set up). Devise used to have an API authenticatable, but it was removed (there's probably a good reason for that, however I couldn't find one online).
Is there any gem that can do both of those methods (web and api), or do I need to build some JavaScript based solution, like in the ng-token-auth Live Demo?
I won't reject a JavaScript solution as long as it doesn't dramatically increase load times or is hard to understand/customize. I just can't believe there is no solution to such a common problem.

I took a closer look at devise_token_auth and together with ng-token-auth it seems to solve my problem.
So it seems I'll need to learn to work with AngularJS for that, but that should be fine.

Related

Best authentication strategy for Ruby on Rails API only server (with ActiveAdmin)

I have a project where I want to develop the frontend in Next.js (requests based on the fetch API from JS) and the backend in RoR, and I am having a hard time getting the user authentication to work. I have researched and found four possible solutions:
Sessions and cookies
JWT
devise_token_auth
devise-jwt
I have tried to implement some of them, but I always end up getting a server error on client requests at some point. I would like to know if anyone has any resources where I can learn more about it so I can implement such authentication in my project.
If I could take advantage of devise, that would be even better, since I already have it set up for ActiveAdmin (wanna use the admin dashboard).
Thanks a lot in advance.
I used to use devise, but have since moved to AWS Cognito which handles everything for you and is customizable as needed. You might look into it.
https://aws.amazon.com/cognito/

Rails API authentication for SPA and Client App

I created a Rails API application that is currently doing its job awesomely, but I realized that it is missing the most important part: a login from the React application and, at the same time, authentication from a Python application I developed that should consume those APIs as well.
Now, looking at the various offerings, it all seems fuzzy, at least from my perspective, and I would like advice that is not from 2016 or before but is current today.
Many solutions on the net were dirtying the main ApplicationController, which didn't make sense to me.
So I thought that a 'modern' way or, let's say, 'a way' is to use doorkeeper and devise.
I thought about Doorkeeper because it allows me to have the 'Applications', so I can delegate authentication to applications in the proper way while using the JWT for the SPA application, but honestly I don't know where to start deciding :)
I wanted to share here also the link of a blog post that inspired this question: https://www.vic-l.com/jwt-with-refresh-token-using-devise-and-doorkeeper-without-authorization/
Sadly, something I found that is still without an answer at the moment is "Setting up DoorKeeper with multiple Rails/React applications?"
Now, can I use doorkeeper to manage the JWT for the SPA and the applications for the client in Python?
Thanks in advance!

Google OpenID running example of Ruby code?

I went through quite a lot of Rails/Rails examples of Google OpenID authentication, but none of them worked properly. Most of them don't work because they are out of date. Even omniauth doesn't for some other reason.
Does anyone have a working example of a Ruby Rack web application which works properly now?
I forked one a while back and popped it up on GitHub called rails3-mongoid-omniauth.
It lets you authenticate using a variety of methods. It provably runs on the Bamboo stack on Heroku with Rails 3.0.x. I haven't updated it, but it should give you some insights.
Some of the key files are:
omniauth.rb where the providers are declared. It also includes a monkeypatch to fix the LinkedIn provider, although I suspect that it has been fixed by now.
routes.rb where the route to this app is defined for each authentication provider. This is the callback URL which omniauth sends to the provider.
application_controller.rb where the current_user is defined based on the session key.
sessions_controller.rb where the session is created based on authorization from the authentication provider (e.g. Google)
_navigation.html.erb where the sign-in links take you to the authentication provider.
Now that I have done some more research, it looks like there is also a tutorial at http://railsapps.github.com/tutorial-rails-mongoid-omniauth.html.
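The session handling described in the answer above (sessions_controller.rb creating the session, application_controller.rb resolving current_user from the session key), as an added plain-Ruby example that is not part of the original answer or of the rails3-mongoid-omniauth project. UserStore, sign_in, current_user and sign_out are hypothetical names, and the auth hash is a constructed sample in the shape OmniAuth places in request.env["omniauth.auth"].

```ruby
require "securerandom"

User = Struct.new(:id, :provider, :uid, :name)

# Hypothetical in-memory stand-in for the User model.
class UserStore
  def initialize
    @users = {}
  end

  # Key identities on (provider, uid): the provider-scoped uid is stable,
  # while name and email can change or be re-used on the provider side.
  def find_or_create_from_auth(auth)
    provider = auth.fetch("provider")
    uid = auth.fetch("uid").to_s
    raise ArgumentError, "empty uid" if uid.empty?
    @users[[provider, uid]] ||=
      User.new(SecureRandom.uuid, provider, uid, auth.dig("info", "name"))
  end

  def find_by_id(id)
    @users.values.find { |u| u.id == id }
  end
end

# Role of sessions_controller#create: turn the provider's auth hash into a session.
def sign_in(session, store, auth)
  user = store.find_or_create_from_auth(auth)
  session.clear                # stand-in for Rails' reset_session: drop pre-login state
  session[:user_id] = user.id  # keep only the local id in the session, not provider data
  user
end

# Role of application_controller#current_user: resolve the session key to a user.
def current_user(session, store)
  id = session[:user_id]
  id && store.find_by_id(id)
end

# Role of sessions_controller#destroy.
def sign_out(session)
  session.clear
end

# Constructed sample auth hash (not real data).
SAMPLE_AUTH = {
  "provider" => "google", "uid" => "1234567890",
  "info" => { "name" => "Example User", "email" => "user@example.com" }
}.freeze
```

In a real Rails controller the `session.clear` call corresponds to `reset_session`, which also issues a new session id so a session id set before login cannot be carried into the authenticated session.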
I would check this Rails Cast, which should help get you up and running on OpenID and omniauth in general on Rails/Rack based Ruby apps:
http://railscasts.com/episodes/304-omniauth-identity
By the way, if you are going to be doing a lot of Rails development, Railscast is an excellent source of information.

Adding external providers to sorcery

I have an app with authentication, which has been done with devise and used omniauth to sign in from various providers (including vk.com, google, twitter and so on). Everything seemed working well, except that I needed to include a separate gem for every provider.
Now I decided to make that authentication much lighter and add some logging, so I decided to move from devise to sorcery. But now I have a problem with external providers, 'cause the gem has only a few (no vk.com or yahoo, which I do need).
I tried to understand the code of the externalproviders to add my own just alike, but it seems a little bit too complicated for me. Is there any easier way around?
Just in case someone finds this question while looking for a similar answer, Sorcery does now include External authentication for most major logins. See:
https://github.com/Sorcery/sorcery/wiki/External
In your rails app after installing the External module you'll have a file: config/initializers/sorcery.rb. In it there will be example code for most providers.
I don't think you're going to find an easy solution to this.
I ran into this problem on the last app I worked on. I ended up just going with both Sorcery and Omniauth. I integrated them together in the Users model and Sessions controller. Sorcery's external provider stuff doesn't seem to be kept up to date.
In the end though, if I had to do it again I'd probably just do the authentication from scratch. Sorcery is nice, but it doesn't seem like it provides enough to warrant an additional dependency.
If authentication from scratch is the way you end up going, you can check out these resources:
https://github.com/NoamB/sorcery/tree/master/lib
https://github.com/railscasts/250-authentication-from-scratch-revised

Which authentication gem would you use in Rails 3 to integrate with as many third party authentication providers

We need to have basic authentication in our Rails 3 app, but the requirements are to also integrate with providers such as Facebook, LinkedIn, Google Apps, Twitter, etc.
We are looking at:
Clearance
Devise
AuthLogic
... and others.
Any advice on which one to use that provides most of what we need?
OmniAuth is great for plugging in to third party authentication:
Code: https://github.com/intridea/omniauth
http://railscasts.com/episodes/235-omniauth-part-1
and
http://railscasts.com/episodes/236-omniauth-part-2
The above railscasts are great resources for a simple overview of using OmniAuth.
Devise is the current top dog, as it sets up sensible defaults, and makes it remarkably easy to override parts of the authentication system without affecting the rest.
It also has a branch and instructions to easily support OmniAuth for OAuth/OpenID authentication: https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
I'm not experienced with either of these gems but I came across this blog post that had some high level points comparing Devise and Authlogic. http://www.quora.com/Ruby-on-Rails/How-should-I-choose-an-authentication-gem
This one persuaded me to start with Authlogic:
When a user logs in I like to set a cookie that has the username so I can access it from JavaScript. I know how to do this with Authlogic: add a line of code to UserSessionsController#create. How do I do it with Devise? I can't see how. (I don't want to do it on every page request. Just when they authenticate.)
You can give the Sorcery gem a shot; it handles third-party authentication nicely.
I found it easy to learn and to implement, and it's well documented too.
I haven't tried the other gems, but this one is growing very fast right now, despite the fact that it's not a very old project.
Good luck!!!
