Authlogic-oid with ONLY OpenID - ruby-on-rails

I am implementing an internal site, for which I want our company's OpenID server to be the only means of registering and logging in. To be more specific, I don't even want a normal email and password/salt to be stored for the users in this site.
I am using authlogic with the authlogic-oid plugin, but I am getting these errors whenever I try to make a new user:
undefined local variable or method `crypted_password_field' for #<User:0xb68b7c00>
I take this to mean that authlogic is trying to generate a password for this user even though there are no password fields in my database. Is there a workaround for this, or config options I can pass to acts_as_authentic to make this work?

Figured it out. In your User model, you must specify this config in the acts_as_authentic block:
class User < ActiveRecord::Base
acts_as_authentic do |c|
c.crypted_password_field = false
end
end

Looks like maybe you're trying access the crypted_password_field property somehow. If you look at the Authlogic example the documentation lists the optional fields (#3). I was able to get Authlogic and RPX up and running without password fields so I know it's possible.

Related

OmniAuth and Devise, how to set optional passwords

I am using OmniAuth and Devise to authenticate users. I would like users that have signed up using OmniAuth providers to be able to set an optional password (needed for API authentication) but I'm running into a wall.
If a user creates an account via OmniAuth and tries to set a password they get the following error:
BCrypt::Errors::InvalidHash in RegistrationsController#update
I believe this is because the password is blank. What's a good way around this? I've thought about generating a random password but the problem with that approach is the user needs to know the current password in order to edit settings.
Edit:
I looked at allowing the user to change settings without requiring a current password and that's what I would like to do only if the user didn't have a password initially.
An alternative is to add the following into your 'user' model class to bypass password verification if there is no password to verify, where provider is some field that is set when using external authentication.
def valid_password?(password)
!provider.nil? || super(password)
end
I assume you don't want the easy way out which would be to simply reset the password if they wanted to set it?
user.send_reset_password_instructions
This comes a bit late but it might help someone else, with Andrew's answer you can in create a password and store it in the database, but you can't login using your email and your new password, solved this by setting:
def valid_password
!provider.nil? && !encrypted_password.present? || super
end
Another alternative. You don't have to include a new field. Just catch the exception raised and return false. Here is the code.
def valid_password?(password)
begin
super(password)
rescue BCrypt::Errors::InvalidHash
return false
end
end
This should do the job.

Override authlogic's email validation

I am making a login using AuthLogic, but I would like 'email' to be optional. It seems however that authlogic out of the box makes this validated for. Anyone know a workaround?
from the authlogic example rails application:
Set up your model
Make sure you have a model that you
will be authenticating with. Since we
are using the User model it should
look something like:
class User < ActiveRecord::Base
acts_as_authentic do |c|
c.my_config_option = my_value # for available options see documentation in: Authlogic::ActsAsAuthentic
end # block optional
end
One thing to note here is that this tries
to take care of all the authentication
grunt work, including validating your
login, email, password, and token
fields. You can easily disable this
with configuration. Ex:
c.validate_email_field = false. See
the Authlogic::ActsAsAuthentic sub
modules in the documentation for more
details.
Key part to note:
You can easily disable this with configuration. Ex:
c.validate_email_field = false.
Hope that helps.
Source: https://github.com/binarylogic/authlogic_example
While searching my contents ..i found out
http://rdoc.info/github/binarylogic/authlogic/master/Authlogic/ActsAsAuthentic/Email/Config#merge_validates_format_of_email_field_options-instance_method
this will surely help..

Validate password on change of certain fields in RoR

I am building a RoR 3 app, a community. It has a User model and some fields.
So when a user is updating a certain field, like his/her birthday, I want to validate that the User typed in the password that is the same in the database. This way I know that it is the right user trying to change the birthday.
So I ask you how i can create such a validator.
Also I would like to be able to specify an array of which fields the user has to validate the password to change.
This is actually pretty easy to do once you are familiar with the Rails framework.
models/User.rb
class User < ActiveRecord::Base
validate :correct_password?, :if => :check_password?
def check_password?
[birthday_changed?, other_field_changed?].any?
end
def correct_password?
# without knowing more about how you store the password
# this probably won't work with your code directly
errors.add_to_base("Must provide password") unless password?
errors.add_to_base("Incorrect password") unless password == User.find_by_id(id).password
end
end
Even though building user authentication and authorization is not hard - I would advise to use something like "AuthLogic" or "Devise" gems/plugins which will most likely cover 90% of the functionality that you need. You alsways can customize/add new functionality if needed.
Such plugins will do most of the grunt work for you: generate MVC, create database, do proper security checks, even email password recovery and such.

Authenticate users by Customer, Login and Password with Authlogic

I've got a typical Authlogic setup that I need to enhance to require Customer ID in addition to Login and Password.
I've read a bit about using a custom find method and another about using a global variable for accessing the additional parameter and a third referring to documentation about using scopes that doesn't seem to exist.
Seems like this should be easy, but I can't seem to find the right approach.
Anyone got a solution?
In your UserSession class, add:
find_by_login_method :find_by_customer_id_or_login
In your User class, create this customer finder:
def self.find_by_customer_id_or_login(login)
User.find_by_customer_id(login) || User.find_by_login(login)
end
This is assuming a User has both a customer_id field and a login field.
Add a customer_id column through a migration and validate_presence_of :customer_id on your model. It doesn't have anything to do with authlogic. Unless there is more that you are trying to do.

authlogic auto_register feature using my options

I have auto registration working with authlogic using gaizka's version of authlogic_openid which I found on Github since pelle's original addition of the feature seemed to cause issues.
http://github.com/gaizka/authlogic_openid
using authlogic to auto create users bypassing explicit user registeration
This one works fine however when using the auto_register feature it ignores my options for authlogic such as retrieving the email from the openid provider... any ideas what I'm doing wrong?
Hhere's the example:
http://big-glow-mama.heroku.com/
http://github.com/holden/authlogic_openid_selector_example/tree/with-facebook/
You can see the difference if you register vs. login...
#user.rb
class User < ActiveRecord::Base
acts_as_authentic do |c|
c.validate_login_field = false
# optional, but if a user registers by openid, he should at least share his email-address with the app
c.validate_email_field = false
# fetch email by ax
c.openid_required_fields = [:email,"http://axschema.org/contact/email"]
#c.required_fields = ["http://axschema.org/contact/email"]
# fetch email by sreg
#c.optional_fields = ["email"]
end
#private method to deal with emails goes here
end
#UserSession.rb
class UserSession < Authlogic::Session::Base
auto_register
logout_on_timeout true
end
This one works fine however when using the auto_register feature it ignores my options for authlogic such as retrieving the email from the openid provider... any ideas what I'm doing wrong?
The code that handles auto-registration lives in the authlogic_openid's Session module. The code that handles registration (retrieving email form provider, etc), lives in ActsAsAuthentic module.
The first is handling a UserSession object, the latter is handling a User object.
I'll take a look in a couple of days, to see what can be done to merge both behaviours.
Solved! Thanks to this commit:
http://github.com/mreinsch/authlogic_openid/commit/4a1f644be36aec75ae2d35121904b5a846354233
by mreinsch.
Check out the example app here: http://github.com/shripadk/authlogic_openid_selector_example
Live example: http://testingauth.heroku.com/

Resources