authenticate_or_request_with_http_basic do |user, password|
user == USER && password == PASSWORD
end
The above code asks for a username and password in a regular fashion (using basic_http_auth)
My idea was to create a user login page , some how check the username & password to be valid and then authenticate him.
Now authenticate him means to create a header that would have been sent by browser if he was actually authenticated via basic_http_auth . i.e to set the simple http auth credentials
The requirement is so because there is another non ruby app that would run on the same domain internally & would check if the user is authenticated via simple_http_auth.
The over all picture would be something like this :
Rails app : authenticates user.
The second non ruby app just checks if the user is authenticated since its under the same domin it can simply access the user_name password send via http_basic auth.
The other idea is to run a rails api service that would determine if the user is logged in or not , and call it via the second app. But I don't prefer doing that.
Hi Gaurav you should try to set your default username and password values with default http setting in "config/initializers " folder inside setup_mail.rb file
Related
I've currently installed freeradius on a CentOS server so that I can use a MFA with google authenticator.
The main purpose is the user submits it's username and password(with GoogleAuth code added to password) and freeradius checks against a AD Server if its ok to access.
Well so far so good the Radius server comunicates with AD and validates the user as long as the username has the format user#domain.local
I wanted to be able to allow the user to only submit the username and not adding the #domain.local to the "textbox"
Is there anyway I can tell freeradius pam module to add the suffix to the authentication ?
I am trying to implement AWS Cognito into my application for better all round authentication. The system is a Rails application that is currently using Warden/Devise as the method for handling user accounts (Login,Registration).
My goal is to have a AWS UserPool that contains the list of users for the application. When a user is verified using Cognito I wish to then search the tables that we currently use for the role and move the user to the correct area of the system based on the role that they are assigned too.
I have started to implement the logic to handle this but have come up against a brick wall.
Please see below my code.
cognito_authenticatable.rb
Logic for handling the cognito authentication. All i want to do here is check that the user is registered and return the valid token so i can prefer internal application checks to gather the user role.
def authenticate!
if params[:login]
region_name = 'us-east-2'
user_pool_id = 'us-east-2_Qj78BNQon'
client_id = '1pv3eno72e51mll3q36cuiojmr'
client = Aws::CognitoIdentityProvider::Client.new(
region: region_name
)
resp = client.initiate_auth({
client_id: client_id,
auth_flow: "USER_PASSWORD_AUTH",
auth_parameters: {
"USERNAME" => email,
"PASSWORD" => password
}
})
end
end
divise.rb
This code is just to add the new authentication strategy to the applications warden service.
config.warden do |manager|
manager.strategies.add(:cognito,
Devise::Strategies::CognitoAuthenticatable)
manager.default_strategies(:scope => :login).unshift :cognito
manager.default_strategies(:scope => :login).pop
end
The output error within the console is
Aws::Errors::MissingCredentialsError (unable to sign request without credentials set):
config/initializers/cognito_authenticatable.rb:23:in `authenticate!'
and here is an image from the localhost application that was running.
Any help on this would be amazing.
Thanks in advance.
One solution could be to uncheck the option for generating a client secret when you create the app client in the Cognito user pool. This option is checked by default and you have to know to uncheck it (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html).
By default, user pools generate a client secret for your app. If you don't want that to happen, clear Generate client secret.
It's only possible to uncheck the client secret during the creation of a new client, so you might have to delete your client app and create a new one (not a big deal).
I also collect my learnings on Cognito, Devise, Rails and VueJS in a Medium article: https://medium.com/#morgler/beta-learnings-from-developing-vuejs-quasar-aws-amplify-and-cognito-application-dd38ec58b881
You are getting this error due to your AWS SDK for Ruby not being configured correctly. That error would likely exist not only for Cognito APIs, but it would exist for any AWS Signature V4 signed API calls. Kindly refer to this documentation to configure your SDK correctly for your application.
I am trying to use HTTP Basic Authentication over Devise for my Rails app. I have done following settings ->
config.http_authenticatable = true in the devise initializer
And
:database_authenticatable strategy in my USER model.
When I try to access a web service
mysite.com/user/list.json?email=test#mysite.com&password=test123
The username password is not recognized. A credentials box pops up where on entering the credentials I am authenticated to use the data.
How can I provide the credentials in the URL and avoid the pop up prompt?
HTTP Basic Auth, is passed through HTTP Headers, not GET or POST params.
I found a way of doing this-->
http://username:password#test.com/users/list.json?
I am porting my data from old system to a new system written in ruby on rails. To get the older users registered I am planning to transfer their old data into new system but I can't transfer their old password so I'm planning to create a random password and then a password reset link and send them a custom email inviting them to my new system.
Devise provides this:
user.send_reset_password_instructions
But this sends a "forgot password" email to user. I just want to get the forgot password url somehow so that I can use that url in my own mail and send it at some later time. I've tried looking up but everywhere they talk about "send_reset_password_instructions" function. Any idea how I can do this?
The reset password url was formed by reset_password_token in User model.
So saving the reset_password_token is enough to recover reset password url later on.
reset_password_token = 'XYZ' # Example token
reset_password_url = Rails.application.routes.url_helpers.edit_user_password_path(reset_password_token: reset_password_token)
Due to security (an attacker could read the link from the database to bypass email verification), what Devise stores in user.reset_password_token is only a digest of the token that is sent into the password reset link.
Specifically, in the set_reset_password_token method, the encoded token is saved to the database, while the raw token is returned and then sent in the password reset email.
What you can do is to reset the token yourself and save the raw token somewhere to be used later:
raw = user.send(:set_reset_password_token)
It's also worth noting that you can customize the devise mailer and provide your own templates. However, in this case, it would also affect the legitimate password reset emails.
I am creating an API for my application. On one side, there is the API server (and the main app) and on the other, the client. The sever uses DoorKeeper to secure the API using OAuth 2.0 (basically turning the main app into an OAuth 2.0 provider) and the client is using OmniAuth with a custom strategy for my app.
The main app uses multitenancy using subdomains; so every client has its own subdomain. There is also a oauth subdomain that is routed to the DoorKeeper interface.
When a user clicks on the "Log in with my app" link, he gets redireced to the oauth subdomain. If he is not logged in to the main app, he needs to get redirected to the login page under the correct subdomain. So I need to pass the client's account name to the server so that DoorKeeper knows to which subdomain to redirect to.
How can I achieve that please?
I've researched on the subject and found out how to pass to OmniAuth params that will get passed to the callback action. Will those params be available to the server?
EDIT: I am not using Devise!
EDIT 2: Here is some code.
Client app session controller create action (log in with my app)
def set_client
self.current_client = Client.find(params[:client][:name])
redirect_to "/auth/catapult?client=#{self.current_client.account_name}"
end
As you can see, I append the client param to the OmniAuth route, but this param is not passed to the server app (DoorKeeper), so I have no idea where to redirect to on the server app.
DoorKeeper config
resource_owner_authenticator do
p params
User.find_by_id(session[:user_id]) || redirect_to(log_in_path)
end
In the redirect above, I need to specify the client's account name as subdomain, but I don't have this info (client's account name) since the params hash does't contain the client's account name that I passed (the client param)
I found out how to fix my problem. I had to dig in deeper into the OmniAuth source code. what I had to do is override the request_phase method in my custom strategy as follow:
def request_phase
redirect client.auth_code.authorize_url({:redirect_uri => callback_url, :catapult_client => request.params["client"]}.merge(authorize_params))
end
Where :catapult_client is, add any extra params you want to pass and it just works!
The simplest way is to pass the place-to-redirect-to-after-authenticating-successfully as a query param when they are redirected to the login page, so it's there as part of the GET request's querystring. Store it, and on a successful auth, redirect them there. You don't need to involve this data in the OAuth process at all.
Of course, I'm assuming that they all start at their subdomain too.
Edit:
When a user clicks on the "Log in with my app" link, he gets redireced to the oauth subdomain.
Assuming the user starts at mysubdomain.yourapp.com, they click on the "Log in with my app" link.
The link also contains a query parameter with the subdomain in it, so oauth.yourapp.com?redirect=mysubdomain.yourapp.com (or just oauth.yourapp.com?redirect=mysubdomain)
The user arrives at oauth.yourapp.com. The app stores the query parameter. The user puts in their details or is redirected to a serviceā¦
The OAuth process is finished, the user has been authenticated.
Redirect the user back to the redirect parameter stored earlier.
This is how I do it, just not with Rails, but I don't see why you couldn't use this process with any framework. This, as I mentioned, depends on the user starting on the correct subdomain.