Rails best practice for app with only one user? - ruby-on-rails

I am building a website for a client that wants to be able to make edits to things on their website. As such I need a way to allow the client to login to the site to make their changes.
My initial thought was to make an authentication system that relies on a User table in the database that is capped at one and only one user. It seems sort of overkill however to make a database table for just one result, so I was wondering if there were any other approaches or best practices that anyone could point to for building a site with just one user.

You could simply authenticate with a static password that is received from a file(encrypted), if you do not want a db model for that.
However, setting authentication with a gem like Devise is like 10 minutes of work. In order to be more secure(it can be a matter even in single user apps), you can set it up and be fine :)

I would highly recommend you set up authentication. As SpyrosP said it does not take long when you use Devise.

Related

Combining two user databases

I have two apps. They are different code bases. One is in Rails 3.2 and the other is in Rails 4, one on Heroku, one on AWS, both use postgresql. I have users that are signing in to both apps. I would like to make it so that if you signed up for one app (a specific one) then you can use that log in information to sign into the second app.
What is the best way to go about doing this, give one omniauth functionality?
What is the simplest/fastest way to do this, seed one database with other database info?
I know best and fastest might be different approaches.
Thanks for your guidance!
On the top of my head, expose an authentication API on both applications and use one's method in another's authentication process. So if a user signs up in application A his data is in application a. When he signs in first try to authenticate on application a, then use API from application B and if both fail then you can redirect him to sign up or whatever.
This was you don't have to duplicate data from one db to the other.

Looking for good approach for two levels of authentication in Rails

I need two levels of authentication in a Rails app using the same username. One to login and a second to view more sensitive areas such as billing and credit card info. The first level is implemented with Devise. For second level can I use Devise again a different model like setting? Cancan require separate logins.
Not sure of the best approach.
Any ideas would be appreciated!
This problem is so unconventional that it seems there can not be used a ready solution. In my opinion, dual authorization is not necessary in this case (the second password is usually used to confirm some action, not for a second authorization), but sometimes we do not choose such things.
Dirty solution would be to hold another encrypted password, and when you enter to second level give the user a different role temporarily. This role will be checked at the cancan. The role resets during for a while or at the next login (so that an attacker have not at the same time access to billing). I think it's very rough, but a quick solution.
This is just my 50 cents, I doubt that this is a good solution.

Using Devise to implement a front-door on a website, does Rails allow concurrent sessions?

First, my obligatory "I'm new to rails" statement: I'm new to rails.
Sorry for the following long-winded expository stuff, but I want to make sure I'm asking my question clearly. I'm building a sample manager for a small analytical lab. So far I have built the core user stuff using devise to manage sessions (Basically so I can use all of Devise's nice helper methods throughout my app). The users don't need to be securely separated, so there is no sign in form, it just automatically signs them in for whatever action the user wishes to do.
I would like to put a front door on the website for macro-security that signs in to either the user version of the site (described above) or the admin version. I understand how to implement this using Devise, however, I am unsure as to whether Rails allows this sort of double-session where there's a macro-security session on constantly while a bunch of internal sessions are created and destroyed. Again, sorry for the long-windedness and thanks for your time and help!
Decided to just give it a shot and it turns out it worked. I have to test to see if there are any kinks in the functionality, but as it stands it works well as a front-door while allowing the internal transient sessions.

What are people's opinions vis-a-vis my choice of authorization plugins?

I'm slowly but surely putting together my first rails app (first web-app of any kind in fact - I'm not really a programmer) and it's time to set up a user registration/login system. The nature of my app is such that each user will be completely separated from each other user (except for admin roles). When users log in they will have their own unique index page looking at only their data which they and no-one else can ever see or edit. However, I may later want to add a role for a user to be able to view and edit several other user's data (e.g. a group of users may want to allow their secretary to access and edit their data but their secretary would not need any data of their own).
My plan is to use authlogic to create the login system and declarative authorization to control permissions but before I embark on this fairly major and crucial task I thought I would canvas a few opinions as to whether this combo was appropriate for the tasks I envisage or whether there would be a better/simpler/faster/cheaper/awesomer option.
What about cancan by Ryan Bates?
Here you can get a complete visual guided implementation
Take a look at this, it might help:
Basic Rails 3 engine utilizing Authlogic, CanCan and Easy Roles
What about Devise? Take a look at the railscasts.com site.

Ruby on Rails: how to use sessions to implement remote sign-out?

My goal is to allow users of a Rails web app to see all their open sessions on other computers and close/sign out of them remotely. Similar to gmail's "Account activity" page (link found at the bottom of the gmail inbox page).
I can technically achieve this by using the sessions in the database
account_sessions = CGI::Session::ActiveRecordStore::Session.find(:all)
and iterating over them to find sessions corresponding to the current user (the user ID is stored in the session data), and allowing the user to destroy these sessions.
However, this doesn't offer the usual convenience of working with Rails models. I can't easily express a has_many relationship with the user and make use of
current_user.sessions
nor can I easily put an index on user_id since it's in the data part of the session (instead of being its own column).
This approach also may become impractical if the number of sessions grows, since in the above the table is read into memory.
As a solution, I'm thinking of creating my own model which "mirrors" the relevant portions of the session and is created/updated/destroyed to maintain that correspondence.
This isn't a great way to go about it due to data replication and added complexity of code, but I didn't find another way to do it.
So the question is: is this a good way to go about it, or am I missing something?
Thanks in advance!
Fraser
Edit: I should have mentioned that I'm currently using restful-authentication, and would prefer not to switch.
Since authlogic offers a user session model and is easily extendable, you should be able to achieve exactly what you want, if you don't mind to switch to another authentication mechanism.
Edit: This Railscast should give you a pretty good overview.

Resources