Implementing Security questions - ruby-on-rails

I am using Devise for the sign-in process.
Now my requirement is:
*User will enter some answers to the questions during registration.
When the user signs in with his email and password, he will be asked those security questions.
If the answers are correct, he will be directed to the dashboard, or else if he fails to answer (2 out of 3), then the account will be locked.*
Is there any easy method to implement this MFA in Rails?
Thanks in advance.

I would recommend using Devise with the security extension. It is a simple setup, and allows a ton of customization.
Follow that up with adding the questions to your sign-in page and adding a before_filter in your UserController:
before_filter :security_question_answered!
Forcing the user to answer this for every login can become tedious. I see security questions more commonly used for resetting a password when someone does not have an email.
Piggybacking off Slicedpan, this is not MFA. Look into two-factor for Devise or another gem. Happy coding.
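An added example (not from the thread and not Devise code) of what a `security_question_answered!` step could sit on top of: a plain-Ruby class that stores normalised, salted PBKDF2 hashes of the answers instead of clear text, checks them in constant time, and locks the account once 2 of the 3 answers fail, as the question describes. The class name, the `MAX_WRONG` policy and the sample answers are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical second-step check; a Rails app would persist @stored and the
# lock flag on the user record rather than in memory.
class SecurityQuestions
  ITERATIONS = 50_000   # PBKDF2 work factor (raise it for production)
  MAX_WRONG  = 2        # lock when this many answers fail in one attempt

  def initialize(questions_and_answers)
    @stored = questions_and_answers.map do |question, answer|
      salt = SecureRandom.random_bytes(16)
      [question, salt, digest(answer, salt)]
    end
    @locked = false
  end

  def locked?
    @locked
  end

  # Returns :ok, :wrong or :locked; a locked account never verifies again.
  def verify(answers)
    return :locked if @locked
    wrong = @stored.count do |question, salt, expected|
      given = answers.fetch(question, '')
      !secure_equal(digest(given, salt), expected)
    end
    if wrong >= MAX_WRONG
      @locked = true
      :locked
    elsif wrong.zero?
      :ok
    else
      :wrong
    end
  end

  private

  # Trim and case-fold so "New York " and "new york" match, then slow-hash.
  def digest(answer, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(answer.to_s.strip.downcase, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Constant-time comparison so timing does not leak how many bytes matched.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```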

Related

Devise + Patreon OAuth in Ruby on Rails

I have implemented the devise+patreon gem in my Rails application without issues. Now, devise requires an email/password by default when creating a User, but Patreon just uses the oauth integration.
I am wondering, what is the proper strategy to use so that I can migrate the Patreon Oauth users as Devise users, without having to set dummy passwords/emails to allow for validation to go through. I still want to eventually allow users to register via Devise natively, as well as through Patreon.
Is there maybe a known strategy/gem/addition for devise that I may have missed that can easily achieve that?
You can retrieve the user email and a lot of other info (see here) about the user in the login call to Patreon's services, but the password will remain unknown; you can't just copy & paste a User.

Second password for a given set up pages in Rails - Not MFA

In my Rails app, we use the Devise gem for authentication and authorization. But for viewing some of the pages, clients want a second password to be entered by those who will act as super users. This is not a Multi-Factor Authentication request, but a kind of One Time Password (OTP) for a given set of pages/resources, just that the OTP will be static.
Devise does not provide this feature. Googling hasn't helped. Any idea how could this be achieved?
This sounds like a bit of an anti-pattern. Why not have an additional field on User that denotes if the user is a super user or not?
This has the benefits that:
there is no password to remember and distribute
super users have one less step to perform
you can easily remove users from this group, if needed
you don't need to build a secondary login form/page

create a link in an email that bypasses login but still facilitates authentication

I have a Rails 3 app that is currently using Devise for authentication. I would like to send an email to users from time to time that would contain a link. When they click the link they would...
bypass the login page
go directly to the page I'm directing them to
and authenticate in the process
I tried several Google searches that would shed some light but came up empty. I am interested in the how-tos, the risks and how to make it as secure as possible.
Also, are there any other Tags that would be relevant to this question?
Thanks!
I think you're really looking for token authentication.
Take a look at this blog (deleted) which is linked to from the devise wiki here.
It's a bit of a weird example in that UI given is for a user to generate a login link for themselves. Still - it presents the correct approach to login-using-a-link.
Update: Token Authentication has been removed from Devise. This gist and this Stack Overflow post address the issue.
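An added example (not from the thread, and not the removed Devise token module) of the server side of a login-by-link scheme: single-use, expiring tokens of which only a SHA-256 digest is stored, so a leaked table row cannot be replayed as a link. The class name, the 15-minute TTL and the injectable clock are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical token store; a Rails app would keep the digest, user id and
# expiry in a table and look the digest up there instead of in a Hash.
class LoginLinkTokens
  TTL = 15 * 60   # seconds a link stays valid

  # The clock is injectable so expiry can be exercised without sleeping.
  def initialize(now: -> { Time.now.to_i })
    @now    = now
    @tokens = {}   # digest => { user_id:, expires_at: }
  end

  # Returns the raw token to embed in the emailed URL; it is never stored as-is.
  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32)
    @tokens[Digest::SHA256.hexdigest(raw)] = { user_id: user_id, expires_at: @now.call + TTL }
    raw
  end

  # Returns the user_id on success or nil. The token is consumed on first
  # presentation whether or not it was still valid, so it cannot be retried.
  def redeem(raw)
    entry = @tokens.delete(Digest::SHA256.hexdigest(raw.to_s))
    return nil if entry.nil? || entry[:expires_at] < @now.call
    entry[:user_id]
  end
end
```

On redeem the app would then sign the user in (e.g. Devise's `sign_in`) and redirect to the target page; the link itself carries no session.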

Can't login using devise, migrating from restful_authentication

I have already migrated from restful_authentication to Devise.
I followed every step. I succeeded in signing up a new user and confirming it,
and also logged in with that user. Everything is going right.
Until I found a bug: some current users who were already able to log in with restful_authentication
cannot log in. It returns "Invalid username and password".
Is it possible the reason is caused by the different password encryption systems between restful_authentication and Devise?
Or does Devise not allow some characters in passwords?
Please help me. It's already been 2 days finding ways to resolve the issue.
Thanks
Did you configure Devise to use the :restful_authentication_sha1 encryptor, the correct pepper and stretches? See https://github.com/plataformatec/devise/wiki/How-To:-Migrate-from-restful_authentication-to-Devise
I do not know restful_authentication, but I think you will have to reset the passwords of all the users that existed before. It is safe to assume that Devise uses a different algorithm to encode the password.
When resetting the password from the console, you need to specify the :password and the :password_confirmation, otherwise it will not work.
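An added example (not from the thread) that shows why the migrated users get "Invalid username and password": the legacy digest is reproduced, as I recall it from restful_authentication's site-key scheme that the `:restful_authentication_sha1` encryptor mirrors, and the same password stops matching as soon as the pepper or stretches differ. The algorithm is an assumption to confirm against the gem sources; the salt, pepper and password below are constructed.

```ruby
require 'digest/sha1'

# Assumed legacy scheme: SHA-1 over "digest--salt--password--pepper", iterated
# `stretches` times, starting from the pepper (REST_AUTH_SITE_KEY).
module RestfulAuthDigest
  def self.secure_digest(*args)
    Digest::SHA1.hexdigest(args.flatten.join('--'))
  end

  def self.digest(password, stretches, salt, pepper)
    digest = pepper
    stretches.times { digest = secure_digest(digest, salt, password, pepper) }
    digest
  end

  # Constant-time comparison of the stored hex digest with a fresh one.
  def self.match?(stored, password, stretches, salt, pepper)
    candidate = digest(password, stretches, salt, pepper)
    return false unless stored.bytesize == candidate.bytesize
    stored.bytes.zip(candidate.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed values standing in for what the old app stored.
OLD_SALT    = 'a1b2c3'
OLD_PEPPER  = 'old-site-key-placeholder'
OLD_STRETCH = 10
STORED      = RestfulAuthDigest.digest('s3cret!', OLD_STRETCH, OLD_SALT, OLD_PEPPER)
```

If the new config's pepper and stretches match the old app's, `match?` succeeds; with either value changed it fails exactly like the reported login error.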

User membership pattern rails [duplicate]

In the .NET world we have the Membership provider; with this we can fully automate user registration and management. Does such a gem exist for the Ruby on Rails community?
I am looking for something that would allow a user to register, retrieve lost password, modify password and login.
See the answers given to this question recently - again, I would highly recommend Devise and the two railscasts on it, http://railscasts.com/episodes/209-introducing-devise and http://railscasts.com/episodes/210-customizing-devise. Devise handles all the things you described above - from the GitHub page:
"Confirmable: sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
Recoverable: resets the user password and sends reset instructions.
Registerable: handles signing up users through a registration process, also allowing them to edit and destroy their account."
Hope that helps!
Take a look at Devise - http://github.com/plataformatec/devise
It's a popular Rails engine for user authentication and should do what you need (and more).
Not sure that it has all of the features you want, but I really like restful-authentication.
http://agilewebdevelopment.com/plugins/restful_authentication
Features per website:
Login / logout
Secure password handling
Account activation by validating email
Account approval / disabling by admin
Rudimentary hooks for authorization and access control.
It also makes an appearance in a screencast over at http://www.buildingwebapps.com/learningrails
Episode 11 about adding User Authentication. Watch the others if you are 100% new to Rails, but if you just want to see them use the gem, skip to that one.
Check railscasts for a number of new options, including OmniAuth, Sorcery (my choice this week), and authentication from scratch, which may be less painful than the options listed before.