Referring to: Ember authentication best practices?
We have two separate apps: a Rails backend/API and a standalone Ember app. The Ember app will speak to the Rails API.
I've found ember-auth (https://github.com/heartsentwined/ember-auth), but I don't understand why I'm going to benefit from it.
Here's what I want to do :
- When logging in, Ember sends username and password to my /accounts/login endpoint.
- If correct, Rails responds with the authentication token.
- Ember will store the authentication token locally and pass it along with each subsequent requests. I do not want my tokens to expire so users can always close the browser, come back, and still be logged in.
Is there any issues with my approach? What about security?
Take a look at these two Embercasts videos:
Client-side Authentication Part 1
http://www.embercasts.com/episodes/client-side-authentication-part-1
Client-side Authentication Part 2
http://www.embercasts.com/episodes/client-side-authentication-part-2
And this blog post:
Authentication in ember.js
http://log.simplabs.com/post/53016599611/authentication-in-ember-js
Related
I have a fully working product on Rails 5. I now wish to make a Chrome extension, using which users can create an 'Article'.
However, requests from my Chrome extension will be treated as Cross Site by my rails app. Hence, I was thinking of not doing the CSRF check at all on just my create action.
What is the biggest security risk associated with this? I understand after this, anyone will be able to make POST request to my server that creates a new article - however, this is not a damaging action like update, or worse, delete.
The Rails guide states that,
CSRF attack method works by including malicious code or a link in a
page that accesses a web application that the user is believed to have
authenticated. If the session for that web application has not timed
out, an attacker may execute unauthorized commands.
If a CSRF token is a valid one, it is a kind of assurance that the user session has not been hijacked and the request has been made with the user consent.
For more info, I recommend you to refer the Rails guide http://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf
I'm trying to get a Rails app to use an external OAuth2 provider that I set up using django-oauth-toolkit. I'm using the omniauth-oauth2 strategy as a base and set up my own local URLs for the authentication and token URLs. https://github.com/intridea/omniauth-oauth2
The redirect_uri that was sent during the authentication phase is slightly different than the one sent to get the token. It has extra parameters: state and code. django-oauth-toolkit is looking at this URL as being different than the original one because of the extra parameters. Wondering if this is a problem on the rails side, on the django side, or something to do with the way I have it set up.
I'm using ng-token-auth on Angular and with devise-token-auth on Rails for authentication which works fine but there are occasionally I need to sent in id of the user or any other resource for show function in Rails resource
When I however request for show on User resource I don't have a way to find out id of the current user before it reaches the server to be sent as part of url in the request.
What is the recommended way to deal with this Restful routes situation when used with token authentication on Rails and Angular?
I have an rails app which relies on authenticating username/password entered to an external webservice. Rails app will not have a user model. When a user enters login/password and it makes a post request to check that login/password. External application will return back a cookie or token which can be used for subsequent requests made from rails app.
There is no User model in the rails app since all the users are stored in an external application.
Is there a gem which let me strictly do session management? I'm planning on storing that token in a session.
why not just create a sessions controller that saves the token into a session? I don't see a need for a gem.
something like
sessions[:token] = token
If you are dealing with a tokens that expire like facebook you can take a look at this
http://developers.facebook.com/blog/post/2011/05/13/how-to--handle-expired-access-tokens/
hope it helps
I might look at the way Michael Hartl does user sessions in his Rails tutorial. What you want is something slightly different, but you might be able to reuse some of what he did there. http://ruby.railstutorial.org/chapters/sign-in-sign-out#sec-current_user
(It's also just a good tutorial to go through, regardless of your level of Rails experience.)
What is the best way to make authentication?
on frontend I use Angular.js
on backend: Ruby on Rails
Rails app using as API for my frontend.
UPDATE:
This is will be single page application.
Frontend wiil be developed in Angular.js, backend in Ruby on Rails.
In ideal I want to build backend as collection of resources returned in json.
I search best method of security implementation.
When user open the app I need to check if user authenticated.
If not - go to login page,
If authenticated - open that he wants and return needed resource from backend.
I think that I need to store auth token on the client side.
What is the best method to generate it, or maybe Rails already generate it for me?
I don't know Angular.JS at all but I will try to provide you general information on rails that you can use with any Javascript Framework.
For authentication, you just needs:
A model for users
a controller which handle login, this method check user login/password, create a session object with all information needed (session is stored on server side and a cookie is used on client-side to associate each request to a session)
A controller for handling logout which basically only destroy the user's session
You have a good implementation in the rails tutorial here, or you can find several plugins (authlogic seems to be the recommendation of stackoverflow usershere).
Then, there is few differences between handling authentication with static html pages or with AJAX:
A HTML request will send login and password to the controller, which will automatically redirect it to another internal page once the session create
In AJAX, the javascript on client side should send an ajax request, look for the answer by the server (success / failure) and launch adapted actions (message if failure, redirection if success)
In both cases, the important thing is to check that the user is authenticated at at each controller otherwise anybody would be allowed to launch action or access internal information.
I'm trying to do something similar and I found this example app which has been very useful to get me going in the right direction: https://github.com/karlfreeman/angular-devise
Also checkout further discussion about it here: https://github.com/karlfreeman/angular-devise/issues/1
And here's another repo which takes a slightly different approach: https://github.com/colindensem/demo-rails-angularjs
I ended up borrowing ideas from all of the above. Here's a working demo if anyone's interested: https://github.com/jesalg/RADD