This might be a nonsensical question, but I have this task to create a rails app that shares session information, specifically login/authorization info, with an installation of a phpBB that some other person has customized to be more than just a BB.
Basically I need to rely on the user's phpBB login to authorize access to the rails app. I really don't want to have the user maintain two logins to use this conceptual single app.
I read a lot of documentation on phpBB and didn't find anything like exposed services or an API, but I'm hoping I just missed something obvious.
I've been considering adding a method to expose some hash or something to link the two applications rather than try to squeeze possibly different implementations of session.
Quick context, this work needs to be done fast and cleanly and I've never developed in php and rails is super fast so I am investigating the idea of integrating the two sides.
I might be off in the weeds, so don't be afraid to say so :)
thanks!
Have you checked phpbb-auth?
https://github.com/mattfawcett/phpbb-auth
Background
I have a fairly typical Rails application, which uses Devise for authentication management. While building this app, I realized that realtime chat would be a great feature to have. Ideally, of course, this would make use of Websockets, in order to reduce the polling load on the server (as well as making it marginally easier to implement, as you don't have to manage polling).
I realized quickly that Ruby isn't really a great fit for having a large number of concurrent connections open at one time. Phoenix, however, is written in Elixir, so I can make use of the Erlang VM, which is quite good at long connections. It also seems like it could be greatly beneficial if all the chat data was stored separate from the main application database, which should also reduce load in the future.
The Problem
I want to be able to make this separation completely invisible to the user. They visit www.example.com/chat, and it loads all the relevant data in from chat.example.com and starts up the websockets, without requiring them to login to a separate service. I think using an <iframe> is probably the way to go about doing this.
My problem is sharing authentication and data between the two applications. The Rails app needs to be able to create conversations on the Phoenix app in response to certain events. The Phoenix app needs to know what user is currently authenticated into Rails, as well as general data about the user.
An OAuth flow with the Rails app as the ID provider seemed like a good fit at first, but I can't figure out a way for the Phoenix app to automatically be granted access. I also have some concerns about user records existing inside the Phoenix app—it should be aware of all users on the main application, so you can start a chat with a user even if they haven't ever opened chat.
What would be the best way to go about doing this? My intuition says that this is going to involve window.postMessage and some kind of token system, but I wanted to ask what the generally accepted way of doing this was before I accidentally created an insecure mess.
Sharing the session isn't too hard, assuming you are running at least Rails 4.1 and using JSON serialization (default for apps created with >=4.1). A quick google search finds PlugRailsCookieSessionStore, which accomplishes this.
For more information on what it takes to share a session between Rails and another language, Matt Aimonetti has an excellent blog post with detailed information.
Lastly, if you would prefer to stay entirely in Ruby, it's definitely doable. Ryan Stout discusses scalability around persistent connections in the FAQ for Volt, which uses a persistent connection for every user. The article he links is also a great read. Just mentioning it to help you weigh the trade off of building a separate app in another language.
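To make concrete what "sharing the session" with a non-Rails service involves, here is an added example (not from the answer above, and not the PlugRailsCookieSessionStore code) that mimics, in plain Ruby with no Rails dependency, the Rails 4.1-era cookie session scheme: keys derived from secret_key_base with PBKDF2, the JSON session encrypted with AES-256-CBC, and the result signed with HMAC-SHA1. Everything the other service needs is the secret and the default salts; the secret_key_base value below is constructed for the demo, and the exact key lengths are an assumption to be checked against the Rails version you actually run.

```ruby
require "openssl"
require "json"
require "base64"
# Constructed secret for the demo; a real app takes this from secrets.yml or ENV.
SECRET_KEY_BASE = "0123456789abcdef" * 8

# Rails 4.1 derives both keys from secret_key_base with PBKDF2-HMAC-SHA1 (1000 rounds) and these salts.
def derive_key(salt, bytes)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(SECRET_KEY_BASE, salt, 1000, bytes)
end

ENC_KEY  = derive_key("encrypted cookie", 32)         # AES-256-CBC key
SIGN_KEY = derive_key("signed encrypted cookie", 64)  # HMAC-SHA1 key

def hmac(data)
  OpenSSL::HMAC.hexdigest("SHA1", SIGN_KEY, data)
end

# Constant-time comparison so a forged signature cannot be guessed byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What the Rails side does when it writes the session cookie.
def seal_session(session)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = ENC_KEY
  iv = cipher.random_iv
  ciphertext = cipher.update(JSON.generate(session)) + cipher.final
  blob = Base64.strict_encode64(
    "#{Base64.strict_encode64(ciphertext)}--#{Base64.strict_encode64(iv)}")
  "#{blob}--#{hmac(blob)}"
end

# What the non-Rails side must do: verify the signature first, only then decrypt.
# Returns nil for anything tampered with or malformed.
def open_session(cookie)
  blob, sig = cookie.to_s.split("--", 2)
  return nil unless blob && sig && secure_compare(hmac(blob), sig)
  ct_b64, iv_b64 = Base64.strict_decode64(blob).split("--", 2)
  return nil unless ct_b64 && iv_b64
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = ENC_KEY
  cipher.iv = Base64.strict_decode64(iv_b64)
  JSON.parse(cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final)
rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
  nil
end
```

The important property for the Phoenix side is that verification happens before decryption, so a cookie that was edited or issued with a different secret is simply rejected.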
I’m making an app that performs tasks on other sites for you.
Example - my app would log in to your theguardian.com account and check if you have any replies to your comments and perform an action if you do.
I'm wondering how I should store, and read, the login details for the guardian.com in my app? Obviously I want to avoid plain text.
I'm using rails and Postgres, my app is fully SSL.
EDIT:
I'm voting to close the question as it's obviously a bad idea and it looks like people are going to tell me so many times. #jvillian has suggested a gem which will help encrypt properties on a model if I do want to avoid plain text, which may be of use to anyone who stumbles across the question.
Check out attr_encrypted. I haven't used it personally, but it looks like what you're looking for and looks to be an active project.
I want to create a web application in which the main application shall be built using a PHP Framework or RoR. However, there are some sections only that need real time updates (e.g., collaborative editing, real time feeds) etc. Is it possible that if a user is authenticated on the PHP/RoR app, the user session data can be passed on to the Meteor app? Can the 2 applications share the same database? Any insight on how I go about implementing this?
While it is possible to do what you've asked you should possibly ask yourself if you can't achieve your goals with one tech stack. Having multiple tech stacks like Meteor and RoR / PHP means anyone that wants to work on your codebase needs to know all of these frameworks. Additionally you might be able to achieve your requirements around collaborative editing and real time feeds using PHP or RoR.
Since you have not posted your requirements it is hard to make concrete recommendations, but maybe you should list your requirements and use the least complicated tech stack to implement them.
Are you aware that RoR 4 has built in support for streaming: http://tenderlovemaking.com/2012/07/30/is-it-live.html
You might be able to implement your collaboration requirements using a JS library like Angular or Ember JS which uses Ajax to keep the users' screens in sync with what other users are doing.
Also, this blog post on how Trello is implemented might give you some ideas. They have a great web interface for collaboration: http://blog.fogcreek.com/the-trello-tech-stack/
With regards to your questions:
Two applications implemented in two different technologies can share the same database. You will need to choose a database that is supported by both technology stacks that you want to use. After that, point both applications at the same database.
If you authenticate a user in the PHP/RoR app, you can then set a cookie for the user. Assuming your Meteor app is served from the same domain, you can then read in this cookie, which might contain some kind of identifier for the authenticated user's session. Your Meteor app could then check the db to see if this is a valid session for an authenticated user.
So, this may be a kind of dumb question, but I checked the Google and got no hits. We want to host multiple Rails apps in a way that makes them look homogeneous. We want all the apps to have the same look and feel, and all the apps to use the same sign-on database.
Theming I think we could accomplish by just putting the site theme into a gem, and requiring that gem from our github repository in each app. However, auth is trickier.
I know that I can achieve this "for free" by just not making the different portions of the site (store, chat forums, etc.) different apps. If they're all, say, Rails Engines, we can basically drop them into the same application with their own namespaced routes, and have a single plugin that does auth.
However, for various reasons we'd like to keep these separate apps, if that's technically possible. The number one reason is scalability; since this will be a hosted site, we want the flexibility to spin up more instances of, say, the store (perhaps to handle a holiday sale rush), without needing to spin up the chat forums. Also, we want to be able to completely isolate the portions of the code that AREN'T intertwined.
Ideally, the databases would be separate too (keeping us from falling back into the rut of "put everything including the kitchen sink in the db"), but I do know that one "cheap" way to do cross-app auth is just to use the same plugin (say, Devise), and just point to the same DB.
So, I'm thinking that maybe the way to do this is to auth via a web service call. Is this prior art -- does anyone have a gem for this that "just works" so that authentication can be shared across all apps? Or am I just entering into a world of pain by trying to build things this way?
Thanks in advance!
You could do a single sign on approach described at:
http://blog.joshsoftware.com/2010/12/16/multiple-applications-with-devise-omniauth-and-single-sign-on/
The single sign on approach with oauth and devise has some drawbacks. The main problem I had was I was unable to extend the timeout time across multiple apps.
In my rails app I'd like to let users submit custom "themes" to display data in various ways.
I think they can get the data in the view using API calls and I can create an authentication mechanism for this. Also an authenticated API to save data. So this is probably safe.
But i'm struggling with the best way to let users upload/submit their own code for the theme.
I want this to work sort of like Wordpress themes/plugins where people can upload the thing. But there are some security risks. For example, if I take the uploaded "theme" a user submits and put it in its own directory somewhere inside the rails app, what are the risks of this?
If the user inserts any rails executable code in their theme, even though it's the view, they have full access at that point to all the models, everyone's data, etc. Even from other users. So that is not good.
I need some way to let the uploaded themes exist in a sandbox of the rails app, but I haven't seen a good way to do this. Any ideas?
You could try Liquid (http://www.liquidmarkup.org/), which was developed to allow users to create their own themes for Shopify. Liquid themes aren’t real Ruby code, so you shouldn’t have to worry about users trying to access things they shouldn’t.
Another option is Ruby’s concept of “tainted” objects, which could be used to implement secure themes/plugins while still allowing users to write actual Ruby code. You can read more about it here. I can’t vouch for how secure it is as I’ve never used it.
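To show why a Liquid-style template language is safe where an ERB view is not, here is an added example (not Liquid itself and not from the answer above) of the core idea Liquid uses: a "drop" that exposes an explicit allowlist of readers on a model, and a renderer that only resolves `{{ a.b }}` lookups through hashes and drops, never evaluating Ruby. The Account struct, the Drop and SafeTemplate classes and render_theme are all constructed for this demo.

```ruby
require "cgi"

# A drop exposes an explicit allowlist of readers on a model; a template can
# reach nothing else on the object (no eval, no method_missing).
class Drop
  def initialize(object, allowed)
    @object = object
    @allowed = allowed.map(&:to_s)
  end

  def [](name)
    @allowed.include?(name) ? @object.public_send(name) : nil
  end
end

# Tiny Liquid-style renderer: only {{ a.b.c }} lookups, resolved by walking
# hashes and drops. Unknown paths render as empty text instead of raising.
class SafeTemplate
  TAG = /\{\{\s*([a-z_][a-z0-9_]*(?:\.[a-z_][a-z0-9_]*)*)\s*\}\}/

  def initialize(source)
    @source = source
  end

  def render(context)
    @source.gsub(TAG) do
      value = Regexp.last_match(1).split(".").reduce(context) do |node, key|
        (node.is_a?(Hash) || node.is_a?(Drop)) ? node[key] : nil
      end
      # HTML-escape so a theme cannot inject script into other users' pages either.
      value.nil? ? "" : CGI.escapeHTML(value.to_s)
    end
  end
end

# Constructed stand-in for a model with a sensitive column that themes must never see.
Account = Struct.new(:name, :email, :password_digest)

# Only :name and :email are exposed; password_digest and every method (destroy,
# upcase, ...) are unreachable from the template.
def render_theme(template_source, account)
  context = { "user" => Drop.new(account, %i[name email]) }
  SafeTemplate.new(template_source).render(context)
end
```

Compare this with `ERB.new(source).result(binding)`, which would run whatever Ruby the uploaded theme contains with the full access the question describes.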
It looks like this might have potential:
http://flouri.sh/2007/10/27/safely-exposing-your-app-to-a-ruby-sandbox
I'm also thinking about letting users submit their own sinatra apps and then running them from within rails. It looks like with Rack routing this is possible. I haven't been able to find any data on how/if the sinatra app is sandboxed from the rails app though. If anyone has info please let me know!