I have created a simple API for a Rails application using token-based-authentication that supports User Log In and Log Out and a couple of other actions to update a User's status. I want this API to be used by devices running iOS. I have based my code on the example found here. In addition to allowing a device to login and update a User's status I would like new users to be able to Sign Up from the device. However looking at Devise's helper class I can't see any methods that support Sign Up, only Log In and Log Out.
Has anyone managed to implement Sign Up through an API? Are there any security issues with allowing this? How should I approach this?
Sign up from an iOS device is really just a (JSON?) POST to the User resource using a different format responder.
This data is passed in the clear from an iOS device, so make sure you use https on these routes if you're worried about security.
Related
I want to open, from an iOS app, a web page that requires authentication in order to get to that page.
I googled a little bit and I believe I need to use WebKit and Javascript injection, but I am not sure and I have never done something like this, so every bit of information is welcomed or pointing me in the right direction.
I will give an example that I hope will make things more clear(I don't actually want to open facebook, it's just part of the example):
Is it possible to do the following scenario? And if yes, how?
Open a web page from an iOS app, for example: "https://www.facebook.com/profile" without having to go through the login page? I do have the user credentials(username and password), as the user is already logged in with those credentials in the iOS app, but the requirement is to not go through the login page, but to go straight to the profile page.
In general the answer is: no. Even if the user is already logged in and has a valid authentication token that token may only be valid from within your app and not from within the browser. And the login form may be protected by something like a captche preventing you from automatically logging someone in.
There certainly are situation where it is possible: For example if the tokens are not scoped to your app you can try passing them along. Or there is an actual API that you can call with the token that logs the user into the website on the website, etc. But those depend on the specific target website or wether you can control that target website and can add this functionality.
I'm developing a rails app that use devise to manage users, and I want to prevent user from signing into my app directly. (can I just prevent it by removing all the relevant routes?)
I have removed the front end logic, but I know that browser is not the only way to access a website. People can also use tools like curl to access website, so I want to know how people do that so I can better prevent it.
I'm building an iOS app with Rails on the back-end.
The Rails application uses Devise for authentication and I want to use the same service for the authentication on the iOS app. Is there any way that after authenticating, keeping the session even after the app restarts, so that it goes straight to the content of the app instead of the login screen?
I've looked around, but haven't found a clear answer.
Thanks on advance!
One solution could be to extend the existing devise models and controllers to also handle a token based authentication system. Based on the request type html or json, the app can choose to authenticate a user either by the authentication token and email or a combination of username/email and password.
The authentication token could could be saved on the client side and reset only when the user logs out.
I was recently working on the same problem and found these sources to be extremely useful.
https://gist.github.com/josevalim/fb706b1e933ef01e4fb6
http://www.soryy.com/blog/2014/apis-with-devise/
https://github.com/lynndylanhurley/devise_token_auth
I've built a Rails app with a simple API. I'm using Devise for authentication. I'm trying to work out how to log a user into the rails app from my iOS app so they can retrieve and post data. I've been searching all day for the best way to do this but most info is outdated (using Devise's deprecated token_authenticable solution.
I've got my rails app. I've got my iOS app. I've written my API. How do I connect the pieces together?
Thanks
Details:
My app allows users to fill in a form and have that data sent to the server. In another section of the app the user can view the data they have previously submitted. When the app first launches the user should login to their account so that the data they post is associated with them and they can only view data they have previously posted. It's quite a simple app. How do I log them in so that I can tell the API to only return their data.
Set your server up to use SSL, then the communication to the server are secure. Post the userID and password to the server in an SSL. You can pass that information on each access to the server.
If you want to pass the UserID/Password only once then you can setup a session with a cookie but you will need server support for the session and timeouts.
What you need to define is how secure you want the authentication to be. That is who are you defending against? A friend, an enemy, a government? Define the value (in $) of a security breach. Defend to this level.
I am currently developing an app that will use the FB SDK (for the first time) to log a user into the app. The flow is typical, I assume. User taps "log in with facebook", facebook graph authenticates, then we do a call to our api and log the user in via their facebook email (only) we have on file.
However, whats freaking me out here is, theoretically if some knew our api_token, and knew that calling a POST to a login url with only a valid existing email to log them in, isn't that a security issue since they could actually log in as someone else. Am I over thinking this? Understandably, they'd have to know every aspect of the api to do any damage. But still, I'm not feeling comfortable with this flow. Am I missing something?
This shouldn't be something you have to worry about. Facebook first protects you by having the requirement for the user to be logged into Facebook. Next, the user's UID(readily available to anyone) and your API Key isn't enough. They'd still need your API Secret Key (which if someone has is a bad thing) to sign requests as you.
What you're really using is OAuth (though Devise, through OmniAuth). I'm not an expert but you can read more here: http://hueniverse.com/oauth/guide/security/
When a user registers via OAuth, you aren't going to have a password set for them, and that's not a huge deal as they have to also first log into Facebook. It might be a good idea though to ask them to set a password if they ever edit their account, that also means they can sign in the old fashion way if they desire/delete Facebook/etc.