How do I authenticate a Flex session with Rails? - ruby-on-rails

I have a Flex UI that will need to connect to Rails. How do I manage authentication and only authenticated user's can connect and see their own data only? UPDATE: And how would I do this if I should not want to use RubyAMF (right or wrong)?

I would say auth_logic might be a better plugin for handling authentication. If you use RubyAMF with auth_logic you will make a call to UserSession.create and pass in the username and password. You may also want to check out Weborb for communicating with Flex, it uses RTMP and depending on your needs it may be a better fit.

Check out RubyAMF, it is super easy to set up and use and enables you to call controller methods directly from flash and return actionscript objects.
homepage: http://blog.rubyamf.org/
google code: http://code.google.com/p/rubyamf/

First, for RubyAMF, check out this link: http://unitedmindset.com/jonbcampos/2009/05/30/ruby-on-rails-with-flex/
Next, for the authenticated users, just use Restful Authentication, a ruby plugin:
http://techno-weenie.net/2006/8/1/restful-authentication-plugin
If you make the smallest change to the authentication failed function in the plugin, your app with throw fault events when a user tries to access a service that they aren't authenticated to access.

Related

How to check for oAuth2 scopes in Apigility?

I am creating an apigility project where we will be hosting all of our APIs. We need to be able to use OAuth2 for authentication but we cannot figure out how to control access to certain APIs, it seems like once a client authenticates, they can use any of our APIs but we want to limit them to use only specific ones that we define. After reading about the OAuth2 library that apigility uses, I saw that there are scopes that can be defined but I have not found any documentation about how to check a user's scope to see if they have access. I want to find out if this is the best way to restrict access to certain APIs and how to set it up if it is, or is there a better way to control access?
Just implemented this functionality using the following recipe ...
https://github.com/remiq/apigility-zfc-rbac-recipe
It worked really well and only took a few hours to get it all working.
Alternatively you can just do the checking in the Controller Action (Resource method)
$identity = $this->getIdentity()->getAuthenticationIdentity();
$scope = $identity["scope"]
if (! in_array('admin', $scope)) {
return new ApiProblem(Response::STATUS_CODE_401, 'No Auth');
}
The above code is untested but should get you on the right path if you wanted to do it that way

How should I handle user validation through Rhodes (without RhoConnect/Sync)?

I have a site build on rails that provides XML version of all relevant pages. Additionally, it has HTTP authentication.
My plan to handle login for the mobile app is to post the username/password to the login page and, assuming I get a good response, I'll set global variables variables for user and password and make all requests to protected data with the validated user/pass in the header. Logout will just wipe wipe the user/password global variables.
Is the best way to handle this or am I making things more difficult than they need to be?
yes, although my advice is to use a gem like Devise or authLogic as rolling your own authentication is fraught with potential problems.
There are different ways you can include external libraries for Rhodes, including RubyGems and custom extensions. Please refer to the link below for information.
http://docs.rhomobile.com/rhodes/extensions

Security in angular.js with Ruby on Rails

What is the best way to make authentication?
on frontend I use Angular.js
on backend: Ruby on Rails
Rails app using as API for my frontend.
UPDATE:
This is will be single page application.
Frontend wiil be developed in Angular.js, backend in Ruby on Rails.
In ideal I want to build backend as collection of resources returned in json.
I search best method of security implementation.
When user open the app I need to check if user authenticated.
If not - go to login page,
If authenticated - open that he wants and return needed resource from backend.
I think that I need to store auth token on the client side.
What is the best method to generate it, or maybe Rails already generate it for me?
I don't know Angular.JS at all but I will try to provide you general information on rails that you can use with any Javascript Framework.
For authentication, you just needs:
A model for users
a controller which handle login, this method check user login/password, create a session object with all information needed (session is stored on server side and a cookie is used on client-side to associate each request to a session)
A controller for handling logout which basically only destroy the user's session
You have a good implementation in the rails tutorial here, or you can find several plugins (authlogic seems to be the recommendation of stackoverflow usershere).
Then, there is few differences between handling authentication with static html pages or with AJAX:
A HTML request will send login and password to the controller, which will automatically redirect it to another internal page once the session create
In AJAX, the javascript on client side should send an ajax request, look for the answer by the server (success / failure) and launch adapted actions (message if failure, redirection if success)
In both cases, the important thing is to check that the user is authenticated at at each controller otherwise anybody would be allowed to launch action or access internal information.
I'm trying to do something similar and I found this example app which has been very useful to get me going in the right direction: https://github.com/karlfreeman/angular-devise
Also checkout further discussion about it here: https://github.com/karlfreeman/angular-devise/issues/1
And here's another repo which takes a slightly different approach: https://github.com/colindensem/demo-rails-angularjs
I ended up borrowing ideas from all of the above. Here's a working demo if anyone's interested: https://github.com/jesalg/RADD

Building an api as a service

I am building an api for others to use. This is a simple enough Json request the user passes as some data and we pass some back.
What I would love is to secure our api and have some sort of user system where we can turn users on and off and we can log how many requests each user makes.
What would be the best way to do this in Rails? I don't want it to slow down the request. I can see ways of doing it using devise maybe but would be great to hear other people's opinions.
Thanks
Another way is to use 3scale (http://www.3scale.net) - it's free up to a traffic cap but handles all the key management, users, documentation etc. and there's a ruby library which you can drop into your code if you're using rails. (other libs are here: https://support.3scale.net/libraries).
I've done this before using the Token Authentication capabilities of devise (see https://github.com/plataformatec/devise ).
I found the following setup works:
Create a user account for each api user.
Configure devise for token authentication
Set the Token Authentication configuration to require the token to be submitted with each request.
This will allow you to enable and disable individual users as well as to track every request back to the api user that made the call.
If you're really interested in tracking usage you may want to consider also creating a database table where you track all api requests. This can be setup to belong_to the users table so that you easily find all requests from different users (e.g., #user.api_requests).
The count of all requests made by a user would be:
#user.api_requests.count
# or use a where clause to find how many of each type
#user.api_requests.where("api_request_type = ?", 'SomeAPICallType').count
One final note -- I recently used the Grape library for building out an API. I thought it was pretty well done and it worked great for our needs. I especially like the ability it provided to version APIs. Details are here: https://github.com/intridea/grape/wiki

RestKit session management

What is the correct way of making "persistent" session with RestKit?
The most simple way is to make long session at the server side, but
not sure it's safe for browser version. I prefer to implicitly re-
login if session is expired, but in this case I have to handle session
expiration, send new login request, receive response and than send
again a target request. Sources become more complicated.
Is there any features in the RestKit which allows manage that
automatically? Maybe just keep persistent session for iPhone app and
short one for web version using features of CakePHP?
Thanks,
Victor
You probably want the session in order to for authentication/authorization to work?
I'm currently working on a RestKit project on iOS. For my needs, what I did was very close to the discussionboard example by RestKit's creators.
in iOS, you can write a uniqueSecurityToken to NSUserDefaults. It can be a property model of your user model on the iOS app. On Rails (Im making an assumption), if you have a auth gem like Authlogic/Sorcery, it's very easy to either override the current_user method or assigning one based on token.
For example,
def user_access_token
request.headers["HTTP_X_USER_ACCESS_TOKEN"] || request.headers["HTTP_USER_ACCESS_TOKEN"]
end
def check_for_mobile_token
if token = user_access_token
current_user = User.find_by_remember_me_token(token) || current_user
end
end
You can call a before filter to make sure that the authentication is always checked. on the IOS side, tell RestKit to send the uniqueSecurityToken as HTTP_USER_ACCESS_TOKEN in the headers. Note that this is probably not the most secure method, you should at least have HTTPS so that the transport is encrypted.
Here's the RestKit Discussion Board Project (very useful for RestKit/IOS)
https://github.com/RestKit/RKDiscussionBoard
Here's a Rails Presentation that outlines Rails/iOS integration
http://www.slideshare.net/maximeguilbot/rails-as-ios-application-backend
If you're using another REST framework other than Rails, you can reference the JSON techniques too.
Probably what you'll want to do is develop a "RESTful" API that your app will use to talk to your server. A REST API, basically, lets the client send up all information that is needed to build state on the server. You shouldn't need to deal with sessions on the server for the iOS app.
The basic idea is that you can get some sort of auth token from the server when you log in. Then you can send that up with every request as a way of identifying the logged in user to your server.

Resources