I have an API and a Web app working with Rails and Devise gem for authentication.
With Devise and Omniauth I can make the Signup with facebook and Login with Facebook through the web site.
I have my API protected with token_authenticable and a TokensController, so when you want to interact with my API first you have to pass to the TokensController your username and password and it will give you a valid token, my problem is what happen when the user is sign up with facebook, Shall I pass to the TokensController the username and the facebook token to generate the token? are there some standard way to do this?
Thanks for the comments.
In my opinion you can pick whatever you want, as long as it fits your criteria:
it's secret
it's retrievable for you
it has a minimum security (not just '123pw')
So you have two similar options:
Use the Facebook Token as 'password'
Use the password generated by Devise
Normally you generate a password when creating a Facebook user with Devise. I guess you have code like :password => Devise.friendly_token[0,20] in your User.create-call?
The encrypted password is normally 60 characters, the Facebook token can have up to 255 characters. So I personally would pick the Devise generated password. It's long enough to be safe and you don't depend on an API to retrieve it.
Thanks for the comments; After thinking which one would be the best option, Here is what I finally did:
Note: I separate the code in client and server side(API)
Client Side:
Get the Facebook token and the Facebook user ID for a certain user.
Call the API method Create method from TokensController, with the parameters I got above.
Server side:
I receive the Facebook token and the Facebook User ID.
Using the Facebook Token I get the Facebook User ID from the API.
I validate that the receive UID from the request and the Facebook UID are the same.
If the UID are the same I generate a random token for my app and I return it in the response.
Note: All the communication is done via HTTPS.
Related
I have successfully migrated to devise_token_auth (from simple_token_authentication), however for UX reasons I'd like to allow a user to sign up for their account, use their account immediately (previously done by returning a token in the signup response), and then confirm their email to unlock certain functionality. How can one achieve this flow via this gem?
The user is by default signed in after registering.
You can grab the access-token and other information from the query string of the url that you set as the confirm_success_url i.e the url to which the user gets redirected to after signup. Use that authentication token to make a request to the server for protected resources.
I have a rails website in which I am using devise and OmniAuth for authentication (email + social authentication). Now I want to implement an api that will serve as a backend for my android app. I was wondering how can I extend my existing authentication system so that I can provide the same authentication functionality of email and social login to my android users? Also, a person should be able to login using same credentials on web and android app.
You need to add api token field in your user table.
Everytime when a android user request for login, after successfully match email and paasword an API token will create with expiration time. Then each time API token must be send with android request.
Request will be completed if the API token is valid.
To differentiate your request you can use namespace in your route like /api/v1/login
I use rails as backend for ios applications. So far i have been using devise as it looks flexible and comfortable to use with less effort . And i have read about omniauth and that too looks easy to integrate with devise. My question is, consider my ios app requires authentication and the following are the different methods that i should be able to allow user to do
Login using email and password
Login using Facebook account
Login using Twitter account
Login using email can be handled by the devise itself but how about login using Facebook and twitter? Actually in one of my project i came up with the following approach which has all three of these login process. The ios app authenticates the user from the device(not devise) itself and sends the user information like username, email etc whatever required along with auth type so i save this a separate user with username that is sent and one of the field as password. And the next time he sends me these details i allow him to login to the app. But now i realised this is not the best way to do. I read about FBgraph which can be used to verify the access token validity, so should i get the token from user and then verify it and get the profile information and save it in user model and give them the token.
Also i have another doubt which is, For login using email and password i allow user to login through email and password and then for the each requests the user sends me the username and password. Is this is alright or do i have to create a token in login request and send the token as response and then the user can send the token for all the other request he makes.
Sorry if it is confusing but to tell you shortly i need to know what should i do if i have all these three login process. Any help is greatly appreciated. Thankyou
There are couple things to consider when dealing with external applications like on other devices:
You should use an API to communicate with your Rails server
Your server should send an authentication token after the first user authentication using his email and password. It is not a good idea to send user's email and password for each requests.
Devise
Devise is great for authentication both in-app and for remote applications using the token_authenticatable hook. This will allow any registered user to have a unique secret token to use in order to be authenticated on your server.
More information here
OAuth2
OAuth2 is becoming the standard way to authenticate on remote services giving the user the possibility to use his Facebook account to login for example.
This would be the easier way to allow your users to authenticate using their Facebook or Twitter account (note that twitter will not give you the user's email address).
Devise can handle OAuth2 clients.
Finally, you could also create your own OAuth consumer to authenticate users using your service. Doorkeeper is a great gem to protect your API endpoints and to allow users to use OAuth2.
Conclusion
Devise is great for authentication. Using their token module coupled with OAuth2 integration could do the trick in your case.
Here is the OmniAuth wiki page from Devise
Here is the Simple Token Authentication wiki page from Devise
I have a rails application, and I authenticate users to the application using Devise.
The question is that I'm building an Android application and I want to understand how is the flow of authenticating users on the android "the easy way". I read about Basic and Digest Auth.
or the api I use Grape https://github.com/intridea/grape which has Basic and Digest middleware for authentication.
Am just wondering should I have store email/password of user on the android app?
and each request to the api should attach the email/password of the user?
Also, whats my benefits of the auth headers in the authenticated response?
I would highly recommend NOT storing the password anywhere, and storing the username is also most likely unnecessary. Instead, look into the token_authenticatable feature in Devise shown in this blog example. What I would recommend doing is when the Android app user enters his/her username & password combo, you call a custom token authentication sign_in controller with what the user entered and return the token to the app. Then you can store the token in your app without worrying that the username/password may be compromised.
This gives you the flexibility for how frequently you want to regenerate the token, or to invalidate a token arbitrarily.
I use Twitter oAuth to allow users to signup for my site.
I have the user's access_token, access_secret from their signup stored.
When the user wants to return to the site and login to their account, how do I authenticate them using twitter login/password?
I do not want to ask users to give access like:
- give access to example.com to read/write your stuff on twitter
The user already has signed up using their twitter credentials, how do I reuse it instead of asking them to create a separate password?
I would rather not venture towards authlogic in addition to oauth
Currently, if the user is already logged into twitter, I can authenticate him.
using the access_token, access_secret. What if he is not logged in?
How do I prompt for username/password for twitter and authenticate for my app?
Thanks for your help.
Try using them OmniAuth gem. Makes doing that pretty straight forward.
If you're not wanting another gem dependency, you could probably code up your own functionality based on what they do with their twitter strategy and abstract oauth logic.
This RailsCasts episode demonstrates how to create a simple authentication system that only requires an OAuth verification, without the need for a seperate user account maintained by your app.