How should I log the user in based on a token? - ruby-on-rails

I have users (a model), each with authorizations (a related model) to one oauth system or another (facebook for example).
I want a user to be able to login using information passed in the query string (email & token hash). How can I do this? I am using devise and omniauth.
For instance:
http://site.com/login?email=asdfdsafas&token_hash=43879237498237492347
Rather than passing a username & password or auth token.

Check out this Railscasts episode
http://railscasts.com/episodes/274-remember-me-reset-password
You can use this functionality, with just a little bit of manipulation, to create a secure way of accomplishing what you're trying to do.

Related

Second password for a given set up pages in Rails - Not MFA

In my Rails app, we use Devise gem for authentication and authorization. But for viewing some of the pages clients want a second password to be entered who will act like super users. This is not an Multi-Factor authentication request, but a kind of One Time Password (OTP) for a given set of pages/resources, just that the OTP will be static.
Devise does not provide this feature. Googling hasn't helped. Any idea how could this be achieved?
This sounds like a bit of an anti-pattern. Why not have an additional field on User that denotes if the user is a super user or not?
This has the benefits that:
there is no password to remember and distribute
super users have one less step to perform
you can easily remove users from this group, if needed
you don't need to build a secondary login form/page

Why using an authentication_token instead of the normal authentication process?

I have a Rails web application, and I want to build a JSON API as well so I can have mobile applications bound to it.
I've been reading a lot about it, and I don't get it why so many people prefer to activate authentication_token authentication instead of the normal authentication process that Devise offers us.
So, the question is: why use authentication_token ? Any performance reason ? Any security reason ? What is the best way to authenticate through an API ?
authentication_token is basically used to authenticate user from outside
i.e. say you sent user a email containing the activation link containing the token, so when he clicks the link, he directly gets logged in.

On signup - creating a duplicate account with the same credentials on another site

I am using Devise to handle registration process.
How can I create a duplicate account via ajax on another site using the same credentials?
I can overwrite Registration controller, but don't know how to get unencrypted password.
You need to override the Devise Registration Controller.
On the create method, get the user input, send it to your other website, then call super to handle registration by devise.
You certainly want to send datas to other website through an API, because of the CSRF protection.
You can't get the unencrypted password.
Devise uses Bcrypt, which a one way encryption algorithm. The only way to get create an exact duplicate is top copy the encrypted password directly, rather than using the unencrypted version.
However I'd strongly recommend against this, what are you trying to achieve? Is there a better way to handle this problem - OAuth?

API Access with Devise Authentication - Best Practices?

I'm using Devise in a Rails app and want to expose some of the model data via an API, but access to the API should be restricted just like the app.
$ curl http://myapp.com/api/v1/sales/7.json
{"error":"You need to sign in or sign up before continuing."}
Obviously.
Is there a best practice for accessing the API in situations like this? I'd prefer to authenticate + grab the data in one step, but that's just to make the client's job easier. They'll be pulling in the data client-side with JQuery.
Thanks for any info!
Vanessa
I recommend you follow the Option 2: Using API Key section on the following post to implement API authentication in Rails.
http://www.whatcodecraves.com/articles/2008/11/25/how_to_make_an_api_for_a_rails_app/
It's lightweight and simply requires passing an api_key param with each request.
My suggestion would to generate an API "key" (hash value) and have that passed with the json request. That way you can authenticate and track API use. A lot of APIs use "keys" to track and authenticate use. Google maps for instance, they use just an API key. Where as PayPal uses a user name, password, and key. There are a number of ways to do it.
I would try creating a one-to-many table that belongs to the user, just for keys. That way a user can generate more than one hash key for different purposes. (One for reports, one for backup, one for fancy pie charts that automagically pull from Powerpoint).

Authenticate on an 'access code' using Devise in Rails 3

I am working on a rails project and it has been recommended that I use Devise for my authentication and user session management.
I have two user types who need user/password authentication and another user type which I only need to authenticate with an 'access_code'. They are different models with no inheritance.
What would be the best way of doing this in Devise? Is there a way to let all these different authentication types work side by side?
I have looked at allowing users to sign in using a username or email address but how would I go about doing it using only one field? No password involved.
Use the Token Authentication module without the Database one. There's an example in the Devise Wiki.
These tokens, unlike the ones you find on password recovery emails for example, are permanent and stored on the database. They behave by default like service API keys, which means they do not keep the user in session and need to be supplied on every request.
To make them really sign users in:
# If true, authentication through token does not store user in session and needs
# to be supplied on each request. Useful if you are using the token as API token.
config.stateless_token = false

Resources