Authlogic multiple passwords per resource - ruby-on-rails

I'm using Authlogic to password protect particular routes. The user is able to share certain pages, and can protect them with a password. I have this working fine for one password, but want to be able to let users have multiple passwords for the same pages.
I want to keep it simple, and not resort to a full username and password. The goal is for simple protection of content via a password.
I know I can override the login method, but it is expecting one object to be returned, and the verify password method is expecting to evaluate one value.
Any thoughts?

Related

Second password for a given set up pages in Rails - Not MFA

In my Rails app, we use Devise gem for authentication and authorization. But for viewing some of the pages clients want a second password to be entered who will act like super users. This is not an Multi-Factor authentication request, but a kind of One Time Password (OTP) for a given set of pages/resources, just that the OTP will be static.
Devise does not provide this feature. Googling hasn't helped. Any idea how could this be achieved?
This sounds like a bit of an anti-pattern. Why not have an additional field on User that denotes if the user is a super user or not?
This has the benefits that:
there is no password to remember and distribute
super users have one less step to perform
you can easily remove users from this group, if needed
you don't need to build a secondary login form/page

ASP.NET MVC 5 Identity change password as administrator without email

If you have an ASP.NET MVC 5 site configured without email confirmation, how can a password reset be performed by an administrator?
I can write a console app which resets the password in the database, but that seems inefficient. Also, the old aspnet_Membership_ResetPassword sproc has no counterpart in the new identity system.
I'm not sure I understand what you're trying to achieve. You still have to get the password to the user somehow, so will you be emailing them a generated password instead of the standard "follow a link in a email to a page that lets you pick a new password" approach?
Also, are you talking about specifically resetting one user's password or resetting all user passwords. If the latter, then a console app is the way to go. If the former, you can simply add a view to some backend that's only accessible to admins that let's them perform this function for a specific user.
As far as generating some random password goes, you're on your own there, but a simple web search should turn up plenty of methods to choose from.
Word to the wise, though, the email confirmation approach is standard for a reason. It provides a relatively secure way to allow a user to regain access to their account when they can't remember their password. It's most important feature, though, is that it forces the user to actually change their password, whereas with a provided password, random or not, users will actually use that password, rather than take the time to manually change it after logging in - especially with password managers these days. That means if you sent that password via email, or wrote it on a sticky or whatever, you now have a huge gaping security hole.

Rails and Devise: login without login/password but using a specific URL?

I would like to create URL's that, if the user clicks, log them in automatically without having to supply a username and or password.
Anyone know how to accomplish this in Devise with Rails 3?
Preferrable the URL's that are generated to login a user are as short as possible.
If you are using devise you can use token authenticatable.
Check this out for more info http://zyphmartin.com/blog/simple-auth-token-example-with-devise
Have you considered using cookies? Have a column autologin in your users table, with the contents of that field generated upon first manual login. Set the contents of this field in a cookie and you are done - simply check for the cookie upon entering any page of your application and find a user based on the value in the cookie. Instead of using a cookie, of course, you can pass it through URL. Moreover, you can set that in the session variable, so that the user stays logged in during a session, but must log in again when visiting next time.
On a side note: personally, I believe you should never pass a username and password through a URL.

Authenticate on an 'access code' using Devise in Rails 3

I am working on a rails project and it has been recommended that I use Devise for my authentication and user session management.
I have two user types who need user/password authentication and another user type which I only need to authenticate with an 'access_code'. They are different models with no inheritance.
What would be the best way of doing this in Devise? Is there a way to let all these different authentication types work side by side?
I have looked at allowing users to sign in using a username or email address but how would I go about doing it using only one field? No password involved.
Use the Token Authentication module without the Database one. There's an example in the Devise Wiki.
These tokens, unlike the ones you find on password recovery emails for example, are permanent and stored on the database. They behave by default like service API keys, which means they do not keep the user in session and need to be supplied on every request.
To make them really sign users in:
# If true, authentication through token does not store user in session and needs
# to be supplied on each request. Useful if you are using the token as API token.
config.stateless_token = false

RoR Devise: Using an unchangeable username

I'm using Devise in a Rails 3 app, and I successfully configured it so that it uses a username as its authentication method instead of an email. The problem is that in the default registrations controller for devise, it calls an "update_with_password" method on the params passed in, which effectively allows users to change their username, and password. This behaviour makes sense if you're using email as an authentication method, since it's reasonable to expect people to be able to change their email. However, with using usernames, I'd rather users not be able to change them; I only want them to be able to change their password. Would this best way to do this be to override the RegistrationsController, and prevent the mass-assignment of params so that only the password can be changed?
Hope this is clear. Thanks!
Ok, I solved it. I added attr_readonly to the username variable, so that it cannot be changed with mass assignment.

Resources