Authenticate on an 'access code' using Devise in Rails 3 - ruby-on-rails

I am working on a rails project and it has been recommended that I use Devise for my authentication and user session management.
I have two user types who need user/password authentication and another user type which I only need to authenticate with an 'access_code'. They are different models with no inheritance.
What would be the best way of doing this in Devise? Is there a way to let all these different authentication types work side by side?
I have looked at allowing users to sign in using a username or email address but how would I go about doing it using only one field? No password involved.

Use the Token Authentication module without the Database one. There's an example in the Devise Wiki.
These tokens, unlike the ones you find on password recovery emails for example, are permanent and stored on the database. They behave by default like service API keys, which means they do not keep the user in session and need to be supplied on every request.
To make them really sign users in:
# If true, authentication through token does not store user in session and needs
# to be supplied on each request. Useful if you are using the token as API token.
config.stateless_token = false

Related

Devise + Patreon OAuth in Ruby on Rails

I have implemented the devise+patreon gem in my Rails application without issues. Now, devise requires an email/password by default when creating a User, but Patreon just uses the oauth integration.
I am wondering, what is the proper strategy to use so that I can migrate the Patreon Oauth users as Devise users, without having to set dummy passwords/emails to allow for validation to go through. I still want to eventually allow users to register via Devise natively, as well as through Patreon.
Is there maybe a known strategy/gem/addition for devise that I may have missed that can easily achieve that?
You can retrieve the user email and a lot of other infos (see here) about the user in the login call to patreon's services, but password will remain unknown, you can't just copy & paste a User.

spring security role-based needed for full stack app?

I am implementing a basic login app. here are the features:
Upon successful login, there should be a welcome page that shows the name, username and role (manager/user).
If the user has a manager role, the welcome page will have a link to access a restricted webpage.
This restricted webpage can only be accessed by a manager role and not by other user roles.
implement logout functionality.
If the userid or password is not valid, I should remain at the login page with an error message "Invalid userid or password".
All data should be stored in a database.
The application should demonstrate MVC pattern...
my schema:
enter image description here
i am using react js for the front end. i build the backend using spring security with the role-based authorization where certain url can be accessed by certain role. i already do a testing on backend end using postman where i try to access /restricted and it responded with 401 if i use ROLE-USER instead of ROLE-MANAGER by using the mvcMatchers(). now the confusing part is the frontend
i noticed i can do all the necessary validation on the front end. i dont even need to do mvcMatcher() on the backend as i can just load the userdetails and roles and ask react to validate for me! hell, i dont even need to use role-based authorisation. i just need to add extra field in user table named "role" and use that to check for item 3 and display the role on item 1. i just need 1 table, not 3. i can even ask react to redirect to /login if user is trying to access /welcome without login, or disable /unauthorised if user role is USER.
but i dont feel right about this way. i'm confused.
a. whats the best approach?
b. is role-based only applicable to rest-api services, not full stack app? from what i see front end can do ALL validation
back end repo
front end repo
a. The Best approach is to have authorization at the back-end level because your React front-end is not the only way to access the back-end. If the back-end doesn't have authorization implemented, then even if you have validation on the front-end, a malicious user can use any other HTTP client to access the back-end without authorization.
b. Role-based authorization is applicable in all scenarios in which you want to allow access to resources based on user roles, no matter which stack is used.

How to reverse look up a user from an access_token (Rails, Devise)

My Rails app has log in / log out functions working and returning a valid access_token after logging in.
I'm using this gem
https://github.com/lynndylanhurley/devise_token_auth
But how do I use this access_token in subsequent requests? For example:
abc.com/action?access_token=123
I would imagine in my controller, and in the action method, I should be able to find the user from this access_token but I am not sure if it is possible using Devise.
If I also pass in the :client or :uid along with the :access_token, I can validate this token by doing:
user = User.find_by_uid uid
user.valid_token? access_token, client
Is it possible to look up a user by his/her access_token alone?
Thanks.
According to the Docs:
access-token This serves as the user's password for each request. A hashed version of this value is stored in the database for later comparison. This value should be changed on each request.
And it seems to be a tokenization using BCrypt and changes each time for security.
Further they do not allow you to lookup the user in the DB from the Token alone do to security vulnerabilities. You can choose to store the UID in a creative way or in the session for lookups and write a method in your application_controller.rb that then performs some logic on that data.
This is mentioned here:
uid A unique value that is used to identify the user. This is necessary because searching the DB for users by their access token will make the API susceptible to timing attacks.

On signup - creating a duplicate account with the same credentials on another site

I am using Devise to handle registration process.
How can I create a duplicate account via ajax on another site using the same credentials?
I can overwrite Registration controller, but don't know how to get unencrypted password.
You need to override the Devise Registration Controller.
On the create method, get the user input, send it to your other website, then call super to handle registration by devise.
You certainly want to send datas to other website through an API, because of the CSRF protection.
You can't get the unencrypted password.
Devise uses Bcrypt, which a one way encryption algorithm. The only way to get create an exact duplicate is top copy the encrypted password directly, rather than using the unencrypted version.
However I'd strongly recommend against this, what are you trying to achieve? Is there a better way to handle this problem - OAuth?

How should I log the user in based on a token?

I have users (a model), each with authorizations (a related model) to one oauth system or another (facebook for example).
I want a user to be able to login using information passed in the query string (email & token hash). How can I do this? I am using devise and omniauth.
For instance:
http://site.com/login?email=asdfdsafas&token_hash=43879237498237492347
Rather than passing a username & password or auth token.
Check out this Railscasts episode
http://railscasts.com/episodes/274-remember-me-reset-password
You can use this functionality, with just a little bit of manipulation, to create a secure way of accomplishing what you're trying to do.

Resources