Reject guest access in a rails application - ruby-on-rails

I want to completely lock down a Rails application, such that all routes which are not explicitly authorized for a particular user role are rejected (403).
I inherited this app, so my understanding of the framework is poor, but it currently seems like I have opposite: everything's open unless I explicitly close it.
I have an authorization_rules.rb file, and I've given the guest role no permissions, yet I can still access pages without being logged in. I think I can go in page by page and make sure a page requires authorization (filter_access_to ?), but I might miss one. How can I just shut everything down, then open access only where I explicitly allow it?
This is using Rails 2.3.5.

Assuming the app uses before_filter to restrict access, you can move the before filter in application controller and skip it for particular actions in individual controllers:
#app/controllers/application_controller.rb
before_filter :filter_access
#app/controllers/your_specific_controller.rb
skip_before_filter :filter_access, :only => [:action1_accessible_by_guest, :action2_accessible_by_guest]

Related

Rails 5 Geolocation with Clearance

I'm currently using Clearance for authentication. As part of the login process I want to ensure that I have a location for the user (stored in the session).
My question is how to do this in the context of clearance? Ideally I only want to perform the lookup on login (to save network traffic / API calls). If I can't locate a user then I'll deny login.
I was thinking of using a guard but I don't seem to have access to request.ip or session which is a bit of a deal breaker. I was also trying to avoid redirecting to a URL that only does the geolocation and then redirects again.
Anybody have ideas on a nice model on how to make this work? Thanks!
Sign in guards are mostly intended for processes that will prevent or allow sign in. I don't think they are a good fit here. For this use case, I would suggest overriding sign_in, which is generally mixed in to ApplicationController
def sign_in(user, &block)
super
if signed_in?
UserGeocoder.call(current_user)
end
end

Using user sessions for the rails web application in conjunction with authorization token for the rails API for mobile apps.

I have a web application already built with its own end points. I am using devise for user registrations/login/logout, basically anything user related is using the session cookies. In the same application, I have separate endpoints for my rails API (used for its mobile application counter part). This API uses authorization tokens (and overriding some Devise methods like current_user) to allow access to the specific user model.
Is this going to give me problems down the line, if I am handling the user session cookies on our website but using authorization tokens on the mobile application? My biggest fear is security issues because we are going to be handling credit card information. The idea is to not use the user session cookies on the mobile application, but keep the web application the same.
The reason I am asking this is because I am having some trouble "logging in" on our web application if I make the web app go through our rails api end points. I am not sure how to safely carry the authorization token from one page to another so I don't make the user login every time.
I hope the way I explained it isn't too confusing.
What about disabling cookies for your Api namespace? If, for example, you're using a BaseController.rb, you can add:
class Api::V1::BaseController < ApplicationController
protect_from_forgery with: :null_session
before_action :destroy_session
def destroy_session
request.session_options[:skip] = true
end
end

In devise, how do you redirect the user back to a non-app url where they came from

Situation: I am building a Rails app that will serve as a central authentication system for a couple of in-house applications. The app will SSO into these other applications.
So, the path of the user will be https://site-a.com, which will redirect to https://site-b.com (this is the one running Rails w/ Devise and Pundit). The user will authenticate there.
I need to take that user back to https://site-a.com.
Everything I've seen with Devise is that it can redirect, but only to routes within the application.
Please be gentle.
Devise can redirect the user to anywhere after they signs in.
The straightforward way to do that is override the after_sign_in_path_for method in controllers:
class ApplicationController < ActionController::Base
def after_sign_in_path_for(resource)
"http://site-a.com/"
end
end
For more information about after_sign_in_path_for, please see How To: redirect to a specific page on successful sign in.
If you have not yet have a clear idea about how to build a SSO system with Devise, you might want to take a look on this article: Multiple Applications with Devise, Omniauth and Single Sign On.

Which actions do I configure SSL to run against in a Rails 4 app for a credit card and login use case?

I have 2 or 3 instances where I want to encrypt pages in my Rails app:
User and password creation (possibly login as well)
Credit card subscription page
The user creation part is absolutely necessary to encrypt, for the password. The credit card page is actually only necessary from a "feel good" standpoint for conversions. Since we use Stripe, their JS API is served only over SSL and that traffic is always encrypted. So we never get those credit cards. But I still need to give the user the good feeling.
What I have gathered so far from documentation is that I will need to use the force_ssl method in the appropriate controller. And I can use :except or :only just as I do with a before_filter.
I know I will need to use the :new action, but do I also need to specify :create?
Here's what I'm starting with:
force_ssl unless Rails.env.development?, only: [:new, :create]
You should use force_ssl for the :create action, this will encrypt all parameters posted to your controller action.
If you really want to make the user feel safe, you should also encrypt the login process and encrypt all pages for a logged in user.

How to show error messages in rails devise plugin for unauthorized page requests?

I am working in a Ruby on Rails project which has implemented authentication mechanism using Devise plugin. I am new to this plugin as well as Ruby. So having a difficulty in fixing a problem in authentications. The problem is, according to current implementation, if a user tries to go access a page in the application without signing in, it redirects the user to Sign In page by saying that he or she should be signed in or signed up before accessing that page. That's correct. That is the implementation that I need. But what happens is, even if a user directly go to the Login page, this error message is shown. That is not required. Because if a user directly accessing Login page, no point of giving an error message.
Any help will be appreciated.
Thank You.
You call devise authenticate_user! where you shouldn't and you do not use require_no_authentication
You must make sure this before filter is called in your sessions controller
prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
these are taken care of in devise's default controllers (e.g, Devise::SessionsController), are you using them?

Resources