Authenticating Web and Mobile to Rails API - ruby-on-rails

I am reading the Service Oriented Design with Ruby book by Paul Dix and many posts here but am left with many questions surrounding authenticating users and the application.
I want to have api.site.com as a RESTful Rails app serving up JSON. Secure.site.com will be a web app (maybe Rails or maybe PHP) that will consume the service. Also a mobile app such as iPad will also consume it.
So is the first step to build in a level of auth so that only my web app and mobile app can consume the service? Then once the calling app has been authenticated, both these apps will have users who want to CRUD their data so then authenticate them as well?
I've read about Http basic, digest, tokens, oauth and many plugins but am having a difficult time narrowing down the most flexible and reusable way. For now this is simply learning so I would like to stay away from plugins so I can learn the code better.
Can my web app use normal sessions like I'm familiar with and then the mobile use their equivalent to sessions. At that point I still have no authenticated the calling app though. Http basic seemed like I could use it from both, but I didn't see a way for my web app to use a normal login form and logging out seemed like an issue.

I would suggest two solutions for you.
Use a Gem like devise for login system and inherit the devise registration and sessions controller to make it respond to JSON requests.
Create your own simple authentication and use respond to HTML and respond to JSON for separating web and mobile login
Iam not totally sure whether a mobile device maintains a session (please look around) but u can always use a token authentication system if it doesnt.

Related

How to make common authentication between 2 server - Rails & Django

the service I'm developing consists of chrome extension & web application.
For it I'm trying to create 2 server:
web application server (build by Rails)
API server(build by Django) to receive requests from chrome extension and process user data.
Those application use same database, same user information.
My question is how to authenticate users -- in Rails app, users can sign-up and sign-in via form. But in API server, how to authenticate users?
One solution might be JWT authentication, user get JWT token from Rails server and send token to Django server, and Django server authenticate by JWT authorization.
Is that best practice -- or simply sending username & password is better then this?
Thanks
I honestly believe that attempting to combine these two web platforms is not the best idea. You can read feedback from a similar question here, but basically attempting to combine rails with Django will lead you down a serious rabbit hole where both Rails and Django are going to be expecting to handle the authentication. You can potentially use a different, more simple Python framework, but I think you can potentially achieve the same overall goal with a single Rails application.
If project specifications require Django, then you can potentially try the latter option of username & password to do a database read, and then manually create a JWT functionality. I think it would be really really difficult though to use many of the built in, or even open source solutions, that Django provides, which is why Django could be overkill.

Authentication with an Existing External API

I am building a Ruby on Rails (Rails - v4.2.3 & Ruby 2.2.2) App which consumes an existing REST API.
The aforementioned API is written in PHP.
I need help regarding how to manage the authentication?
On searching through various forums I came across these two gems
https://github.com/lynndylanhurley/devise_token_auth
https://github.com/gonzalo-bulnes/simple_token_authentication
The problem I am facing with both is that they require my app to have a users model configured (using Devise).
However My app is primarily a front end for the Existing REST API, so if I do configure my own User model, I will end up with two Data Stores (One for the APP I make and the other for the existing API).
I wish to consume the external API and not have any native models for my APP.
I believe I can use ActiveResource for this (I need more reputation points to post a link to the gem, sorry I cannot do that right now, I am new to StackOverflow):
However I am not sure how to go about managing the security of the application. More specifically what measures can I take to prevent the authentication information from being viewed in plaintext while it is being transmitted to my API server for authentication?
Thank You.
Use HTTPS on your API. If your external API is using HTTPS then user info wouldn't be sent in plaintext from your rails app.
Don't forget to use HTTPS for your rails app too, as that is more important.

How to secure access to rails server which provides REST API access

How to secure access to rails server which provides REST API access.
We use Devise for authentication.
Our Rails app talks to another Rails server (Service App) and we would like the user to authenticate before accessing the Service App. Should I do it via device authentication token. Kindly advise? What should be done at the service level
https://github.com/plataformatec/devise
https://github.com/lynndylanhurley/devise_token_auth
Well, it depends of your app architecture.
You can use devise to authenticate users at REST API.
But if your Service App is for internal use only, for example it provides data only for another app, you can restrict access by ip, or Basic HTTP auth.
My opinion, that devise is good only for authorising end-users, but not services.
In my opinion, this question is highly opinion based as it stands at the moment.
What is the purpose of the Service App? Does your Rails app consumes frequently from the Service App? Or the other way around? Is it just for logging purposes, like statistics or tag-like resources or critical data like credentials?
From my rule of thumb, if an actual end-user needs to access it to modify a resource (POST, PUT, DELETE) I'd go for token based authentication. If it only needs to read, I might just go with just Basic or none at all, depending on the context.
Either way, I would consider twice if Devise is the precise tool for your own scenario. More than few times I have found myself writing more to actually modify Devise than it would be necessary if I implement my own authentication system. It's not that hard and you learn a lot!

In which cases do you need to implement these complex token authentication on devise (Rails 3.2)

I'm building a Rails app on Heroku.
I installed devise to manage user authentication on which I wanted to add "token authenticatable".
I basically used this tutorial and it works great
However, I ran across more complex tutorial about token authenticatable like these two ones:
http://matteomelani.wordpress.com/2011/10/17/authentication-for-mobile-devices/
http://mojoware.com/posts/mobile-rails-api-with-devise
I don't understand why they get much more complex than what I implemented? They seem to mention "mobile" stuff so does that mean it's a more complex way to use "token authenticatable" because it allows to authenticate in more cases of use such as on mobile?
Really in the dark so I appreciate any help.
For the most part, authentication in a (native) mobile app works pretty much the same way as authentication through a browser: the user gives his credentials, these are sent over the wire to the server/app, and the app responds by giving the user a 'token' representing an authenticated session.
The main differences: browser-based clients will generally submit said credentials using HTTP POST of an HTML form, using application/x-www-form-urlencoded. The returned token is usually given as a session cookie, which the browser presents with every subsequent HTTP request.
Native mobile clients, on the other hand, while functioning as the browser aren't restricted to the HTML way of doing things, and most of them don't use cookies.
The typical mobile client uses a Web service API. Most APIs are designed to be as stateless as possible (unlike browser/cookie-based sessions).
Most Web service APIs also need/want to be able to send & receive as much hierarchical, complex data as possible, using as little bandwidth as possible. Hence, they favor more compact representations of structured data such as JSON (or in some cases, BSON).
In most cases, as well, it is undesirable to present the authentication token as a URL query parameter (or, if you're sending over a JSON payload you might as well include the token in there).
For that reason, the stock Devise session controller and token authentication mechanism is inadequate, and hence numerous examples of how to provide alternative, REST-ful or JSON-based authentication that extends Devise.

Ruby on Rails application/REST API authentication architecture

I'm going to develop a Ruby on Rails application (basically a back-office) which at the same time will serve data for an Android mobile app via the REST interface Rails provides.
My concerns here are the following: how should I manage and structure my ROR application so that REST calls from Android are authenticated with an API Key + user ID (I was also thinking in using OAuth) and, on the other side, users can interact with via back-office.
Should I use for example different controllers for the same resources (thus, increasing complexity) for BO accesses and Mobile client accesses (so I can implement different auth logic)?
Is there any standard/common way (aka gem) to manage and implement this behavior?
Thanks in advance!

Resources