I am interested in deploying a Node.js along side my Rails application server. Just as a reference, I plan on using socket.IO to create a chat server, so users will be able to chat inside of my web application.
My current application uses Authlogic to authenticate users. I would like to ensure that only a user cannot read other users' messages, so I will need to authenticate the user session somehow. My Node.js will have access to my database, and I know Rails can store the sessions inside of the database, so I would like to use this feature to authenticate chat users. The problem is, I have no idea how to go about doing that. I'm not even sure what information is present in the session, and I do not know how I can use this information to authenticate a user.
Thanks in advance!
The rails session is tricky to use from other languages: it's just a serialised ruby object and pretty much the only documentation for the marshal format is the implementation/rubyspec.
However authlogic doesn't actually store anything in the session: it has a separate cookie (user_credentials by default, assuming your model is User)
The data in that cookie is "#{user.persistence_token}::#{user.id}", so you should be able to easily verify this from your js code
Related
I'm current designing a Rails application that uses a form for user login, then persists session information in a cookie. However, I plan on a bulk of the interaction with the Rails application to be via a mobile app instead of a web browser.
What is the best way to accomplish user auth? I suppose I could save a cookie with my app. Or perhaps authenticate with every request. Perhaps there's a gem for this?
Check out the Devise gem.
It's REALLY good, supported by people that really know about Rails, and I guess I could say it's become the "industry standard" for these matters.
Devise on GitHub
I have an app that is mostly in rails but also uses nodejs for some realtime features, for example, chat. Users log in via Rails and get assigned a session, etc as usual. However, what's the best way to authenticate with nodejs as that same user? For example I would like to prevent users from impersonating one another but login is done on rails right now and messaging is done on nodejs. Rails and nodejs both have access to the same database.
I am using devise and socketio if that matters.
There's a number of ways implementation wise that you could tackle this. The one that jumps to mind is to share the session cookie that devise uses with nodejs via the database.
IIRC devise creates an encrypted session cookie during authentication; save this value temporarily to your database, and let nodejs pop it off the database for its authentication. There's likely some difficulty in accomplishing this (porting some of the devise encryption to nodejs, and the like) but if you're doing a rails/nodejs app, I'm pretty sure you're capable of handling it. :D
The benefit here is that a user can't get between the hand-off to accomplish impersonation.
You could always generate a one-time token for any user passed between rails and node. Much, much easier than re-implementing (and maintaining) the crypto strategy used by devise and rails.
That said, sharing sessions between servers creates a lot of extra work for you and effectively doubles your bug surface area (schema, validations, etc.)
Faye is an awesome project which handles this exact use case, so it's probably worth a look :) http://faye.jcoglan.com/
I want to to decouple some parts in my rather large app and delegate them to an external node app, mainly for uploads but authentication remains a problem.
On the Rails side I'm using Devise, clients and forms will point to this new subdomain where the node app resides.
The node app is using express and I can connect to the shared database through the mysql module.
The idea is to use heroku for the main app, and delegate uploads to a node app running on a EC2 instance. In order to access the app I want to pass authentication informations, given that this endpoint will used by both API clients and web forms.
Devise has support for authentication tokens passed via URL, but I'm wondering what are your solutions.
Well if your subdomains are just 1-dot apart like www.myapp.example and uploads.myapp.example, you can share both the session cookie and the session info in the DB. I would just code the node app to validate the session cookie on every request the same way devise does and you're done. Is the upload subdomain user facing, as in does it render HTML to the browser or have to display a login form? If so, than the shared session table in the DB is probably not the best idea, but if the node.js is just for uploads and can redirect to www.myapp.example when the session is not valid, all should be well. Just make sure you set the domain field of the cookie to .myapp.example.
I have been trying to figure out how to integrate a node.js app into a rails app and having them share sessions. I've so far only been able to dig up sharing sessions between sinatra and ruby on rails via rack middleware. Is it possible to to do this?
I thought of a workaround involving the ror implementing a rest service that "poops" out a guid that node.js can use to create its own session. This solution however requires having model validations ad such stored in two seperate apps.
just wondering if there was a way to integrate them.
and while using a js based webframework like geddy or express is cool, I have alot of existing rails code and 3rd party libraries such as active merchant that I would have to reinvent.
how about using something like memcached to share a validation mechanism, for example set a session in rails and for every message to the nodeJs server a token is given, nodeJs checks on memcached if the token exists and grants or denies based on that. You would of course add the record on memcached from the rails app
Isn't that the same as sharing authentication between two different domains like openid, facebook connect, twitter sign-in.
from rails site do an openid like redirect to node.js with the authentication information encrypted inside the url and vica versa?
I am wondering if it is not possible to use Custom OAuth Provider Strategy from connect-auth and vica versa because connect-auth is "Authentication middleware for connect". I haven't figured the complete details out, but this might be an option?
Im trying to allow users to login to a website by verifying if they are registered users of a sister website. Im not really sure what is the best way to implement this. The website which is referred to uses authlogic authentication, so would it be wise to have a REST method that the new website calls to obtain a session token of some sort.
Thanks in advance.
Do you want to check credentials only or sync sessions too? --i.e., if I'm logged in website A, I'm also logged in website B. If it's the second case, you need some sort of single-sign-on solution. CAS seems to be a protocol with solid Ruby implentations (see Ruby CAS Server and Ruby CAS client. Keep in mind that you'd have to rewrite both apps if you decide to go this way.
If the database is setup to accept external connections, you can access the user info directly that way.