Rails 3 user authentication with heroku - ruby-on-rails

Rolling my first heroku app and am currently working on user authentication. (As well as authentication... for example user 1 can't access user 3's stuff).
Is it easier just to roll my own scaffolded authentication? Or use something like devise? I can do the standard salted password authentication, store the user id in the session, and then pull from the database in controllers but is that secure? Would devise be better in the long run?
Thanks for the advice :)

Devise is highly recommended, I think it would save much of your time and it currently does all the magic you need involving the session with good security.

If you want to take on the challenge (which isn't really that big), I strongly suggest that you roll your own system. Having previously used both Authlogic and Devise I've come to the conclusion, that building your own has more advantages in the long run:
You thoroughly understand how the system works (which is quite important when it comes to authentication, I believe)
Devise and Authlogic are built with a specific use case in mind, and although they can be modified, my experience is that it's a pain. At some point, you will probably feel limited by both systems.
You know where to start and what to do, if you want to add features to the system
If you decide to roll your own, Ryan Bates has created an excellent screen cast on just that. Also, don't forget to test it!

Go with Devise unless you have a solid understanding of how to make a decent authentication system, AND you have a good reason to not use Devise.
And if you do roll your own, make sure you use bcrypt.

Related

When to use Devise vs. Creating my own Authentication

As stated in the title, when should devise be used and when should I, instead, implement my own authentication. In essence, I'm wondering whether the created authentications in some tutorials (such as this one) are secure and safe.
If I don't need email confirmation, recoverability, etc. (a lot of the "jazz" associated with Devise), would the account information be just as secure as if I created my own?
If you still may be confused by what answer I'm looking for – is Devise something you should use whenever possible/whenever you have accounts? Or should it really be a decision?
Note: I'm not specifically referring to Devise, any authentication gems may be replaced.
implement my own authentication
Anytime you start thinking whether you should create your own authentication, you need to stop. Take that idea, shred it, douse it with gasoline, and burn it!
Authentication is hard. There are subtleties that exist in authentication and developers that are used to CRUD style programming are going to miss them. This isn't meant to be an insult. I am one of those programmers, and I work in security. Recognize your strengths and weaknesses.
Devise (and most popular authentication frameworks) have had thousands of hours of code review, design, testing, and time in production versus the framework that you're going to roll yourself.
I wrote a blog post about a "smart" security feature that actually made a company's security worse. This is a good example of how subtle authentication and security can be!
I used to use gems like Devise until Rails added the has_secure_password to ActiveRecord. Now I always roll my own since in the end I always need some custom stuff that makes it hard to implement in an existing library.
Ryan Bates has an excellent video on just this topic here.
In my opinion you should decide it according to your project. If you are working on a small web service with minimalistic functionality you can add your own auth using the instruments provided by Rails. But if you are working on a so-called "enterprise" project, a big project with fast-growing functionality, you should definitely use devise, since with this gem you will not spend time on building existing auth features; it is very easy to maintain and secure.

How to permit only single session for a single account with restful_authentication (rails plugin)

I use the restful_authentication plugin in a Rails 2.3.5 application.
In this application, I want to allow only a single session per account to be logged in at the same time.
In other words, I don't want the users to log in with a single account using several computers.
Does the restful_authentication plugin support this function?
If not, how can I realize this function?
Please give me some advice.
Thank you very much in advance.
Out of the box, no. You could track the session ID in a table with the user ID and then check that the same session ID is being used. However, this is clunky and you're going to cause problems for the user when he forgets to log out. You'll need to implement some kind of timeout for the sessions as well, so that you don't end up with sessions locking a user out forever.
The alternative would be to switch to authlogic. It also does not support this out of the box, but it should be easier to implement. One likely solution has been posted here. I haven't tested what was written there, but the approach looks a lot like what I would attempt to do in this situation.
Having used both restful_authentication and authlogic in many apps, authlogic wins hands-down. There's also Devise, which many people have had success with. (I'm not one of them, but maybe my needs didn't align with what this gem was offering.) You should definitely explore Devise and authlogic before hacking something into your existing setup, because the more modular designs of the newer gems should yield cleaner code when it's over.
Also: Update your Rails to the latest 2.3.*. There have been many security fixes since 2.3.5.
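The "track the session ID per user, check it on each request, and add a timeout" approach from the answer above, written out as an added example in plain Ruby (not code from the answerer, restful_authentication or authlogic). The in-memory hash stands in for a sessions table; the timeout handles the "forgot to log out" case the answer warns about.

```ruby
require "securerandom"

# Added example: one live session per user, plus an idle timeout so a stale
# session cannot lock the user out forever.
class SingleSessionRegistry
  Entry = Struct.new(:session_id, :last_seen_at)

  def initialize(timeout_seconds:)
    @timeout = timeout_seconds
    @by_user = {} # user_id => Entry (a real app would use a sessions table)
  end

  # On successful login: issue a fresh session id and drop any older one.
  # Returns the new id for the caller to store in the session cookie.
  def login(user_id, now:)
    sid = SecureRandom.hex(16)
    @by_user[user_id] = Entry.new(sid, now)
    sid
  end

  # before_filter check: the presented session id must be the current one for
  # this user and must not be idle longer than the timeout. A stale entry is
  # cleared so the user can simply log in again from anywhere.
  def authorized?(user_id, session_id, now:)
    entry = @by_user[user_id]
    return false unless entry
    if now - entry.last_seen_at > @timeout
      @by_user.delete(user_id)
      return false
    end
    return false unless entry.session_id == session_id
    entry.last_seen_at = now # sliding expiry: activity keeps the session alive
    true
  end

  # Explicit logout releases the account immediately.
  def logout(user_id)
    @by_user.delete(user_id)
  end
end
```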

Using Devise to implement a front-door on a website, does Rails allow concurrent sessions?

First, my obligatory "I'm new to rails" statement: I'm new to rails.
Sorry for the following long-winded expository stuff, but I want to make sure I'm asking my question clearly. I'm building a sample manager for a small analytical lab. So far I have built the core user stuff using devise to manage sessions (Basically so I can use all of Devise's nice helper methods throughout my app). The users don't need to be securely separated, so there is no sign in form, it just automatically signs them in for whatever action the user wishes to do.
I would like to put a front door on the website for macro-security that signs in to either the user version of the site (described above) or the admin version. I understand how to implement this using Devise, however, I am unsure as to whether Rails allows this sort of double-session where there's a macro-security session on constantly while a bunch of internal sessions are created and destroyed. Again, sorry for the long-windedness and thanks for your time and help!
Decided to just give it a shot and it turns out it worked. I have to test to see if there are any kinks in the functionality, but as it stands it works well as a front-door while allowing the internal transient sessions.

Authentication in Rails, where to start?

I'm learning Rails by building apps.
I want to make my first authenticated app: users signup, login, do some changes in models they have access to and logout.
I did the Google search but it is quite confusing: many plugins, many tutorials. Don't know where to start.
Is there a state-of-the-art authentication method for Rails? What do you use in Production to authenticate your users?
Any help in this will be helpful. Thanks
I've used authlogic in the past and have been quite happy with it. Ryan has a railscast (video tutorial) for authlogic here.
+1 to Jason, -1 to NSD and sparky. An authentication system is not the thing you want to build yourself, at least if you're aiming for production use. It's like inventing your own encryption algorithm - it's a lot safer to use something extensively tested and well-developed.
I've also been using authlogic, but there are some alternatives over there - like the good old restful authentication, and devise, which I guess is more modern so to speak. BTW the two latest railscasts are devoted to devise.
If your application is simple and you just want a simple and secure user login page you might want to look into the Restful Authentication plugin. It's very easy to use and if you don't have many authentication requirements this should do fine.
script/plugin install git://github.com/technoweenie/restful-authentication.git
script/generate authenticated user sessions
rake db:migrate
You can find out more by checking out this excellent railscast.
As a beginner I would recommend Restful Authentication as it's simple to set up and will get you up and running in no time.
Following is a step-by-step guide:
http://avnetlabs.com/rails/restful-authentication-with-rails-2
and authlogic - (http://github.com/binarylogic/authlogic) is another great plugin which is more flexible but requires some work to implement user registration and stuff
cheers,
sameera
One man's state-of-the-art authentication system is another man's worthless pile of garbage. You're almost always better off rolling your own in the long run. O'Reilly's Ruby Cookbook has some extremely basic examples that will set you off in the right general direction, then you can decide whether or not other people's solutions are right for you.
I would agree with NSD. Figuring out the plugins & how they should mesh with your application took me longer than creating an auth system in my latest application.
My tips - create a user_sessions controller and use normal CRUD methods to handle creating/destroying (i.e. logging in & out). Create another model for the user - it can handle creating accounts & updating (i.e. changing passwords). Stick a :before_filter on each controller which needs protection.
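The core of the roll-your-own approach described in the tips above (a User model that stores a salted password digest and a current-user check for a before_filter), as an added example in plain Ruby that is not code from any answerer or from Rails. The answers recommend bcrypt; because the bcrypt gem is not part of Ruby's standard library, this example substitutes PBKDF2-HMAC-SHA256 from OpenSSL so it runs stand-alone, and the `Session` hash stands in for the Rails session.

```ruby
require "openssl"
require "securerandom"

# Added example: what a hand-rolled User#authenticate has to get right:
# a random per-password salt, a slow KDF, and a comparison that does not
# leak the position of the first mismatching byte. Stand-in for bcrypt.
module PasswordDigest
  ITERATIONS = 100_000
  KEY_LEN = 32

  # Stored form: "iterations$salt_hex$hash_hex".
  def self.create(password)
    salt = SecureRandom.random_bytes(16)
    [ITERATIONS, salt.unpack1("H*"), kdf(password, salt, ITERATIONS)].join("$")
  end

  def self.verify(password, stored)
    iterations, salt_hex, hash_hex = stored.split("$", 3)
    return false if hash_hex.nil?
    candidate = kdf(password, [salt_hex].pack("H*"), iterations.to_i)
    constant_time_equal?(candidate, hash_hex)
  end

  def self.kdf(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: KEY_LEN, hash: "sha256").unpack1("H*")
  end

  # XOR every byte and OR the results, so the run time does not depend on
  # where the strings first differ.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Minimal User record; #authenticate mirrors what has_secure_password gives you.
User = Struct.new(:id, :email, :password_digest) do
  def authenticate(password)
    PasswordDigest.verify(password, password_digest) ? self : false
  end
end

# The before_filter side: resolve the user id kept in the session, or nil.
# `users_by_id` stands in for User.find_by.
def current_user(session, users_by_id)
  session[:user_id] && users_by_id[session[:user_id]]
end
```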

Ruby on rails authentication guide

Does anyone know of a good guide on building your own authentication system in ruby on rails?
I want to roll my own system to use with my community I'm building :)
Thanks!
I'd recommend starting with Warden - it'll handle the very basics of sessions for you, and give you a good foundation to build your logic on top of. The Rails Warden plugin is a rather small library that helps integrate it into Rails. Both of these projects are fairly mature and well-constructed yet still under active development - they're good choices all around.
You should be aware of Devise, another authentication framework (like Authlogic or Restful Authentication) that is based on Warden. It may not be a good fit for your project (it wasn't for mine), but looking through the source might give you a few ideas on how best to use Warden.
The other thing I'll note is that, in terms of hashing passwords, you should absolutely use bcrypt.
Michael Hartl has a good book coming out soon and the first 8 chapters are available in pdf format for free here: http://www.railstutorial.org/ - they cover the entire process of creating a very solid RSpec-driven authentication system - can't recommend it highly enough
Well, it came out a while after you asked your question but the best answer if you're keen to build your own authentication system rather than use something like Devise would probably have to be Ryan Bates' Authentication from Scratch Screencast.
Since authentication is a common problem that has been solved many times already, I would start by investigating the solutions already out there.
For example, have a look at Restful Authentication which provides a good foundation for authentication in Rails. Even if you'd rather roll your own system, playing around with Restful Authentication and understanding how it works should give you a good understanding of the components needed when you start building your own system.
Check out this article:
http://www.aidanf.net/rails_user_authentication_tutorial
The author goes, step by step, through an entire authentication framework, with suggestions on further improvements. Even tests are discussed.
I agree with Ritchie... Devise has some very nice features but it doesn't play nice with others. For many use-cases, the way it hijacks the routing can make your job more difficult. In many situations you may be better off rolling your own.
Devise has caused circular references in my Rails asset pipeline, and the settings in the initializer as installed (in the latest version as of yesterday) conflicted with the defaults in the migration it generated.
I have built enterprise-level authentication systems, including email verification, password recovery, etc. And none of it required the routing shenanigans that Devise uses. If you really need all the features, it may be for you. But there are lots of reasons to not use it, too.