This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
Ruby on Rails Authentication Cheatsheet
Latest revision as of 14:44, 28 February 2018
Secure user authentication in Ruby on Rails is discussed here.

Implementing authentication in a typical Rails application is made easy and secure with the Devise gem.

Devise will solve for you the problems of secure password storage, secure sessions and authenticated-only access to specified resource kinds.
Install it by adding it to your Gemfile and running bundle install:

  gem 'devise'

Then run the Devise installer and add Devise to the user model:

  rails generate devise:install
  rails generate devise User
Next, specify which resources (routes) require authenticated access in your routes file, config/routes.rb:

  Rails.application.routes.draw do
    authenticate :user do
      resources :something do # these resources require authentication
        # ...
      end
    end
    devise_for :users       # sign-up/-in/-out routes
    root to: 'static#home'  # no authentication required
  end
To make authentication secure, enforce higher password complexity and allow TLS connections only.
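To make the previous sentence concrete, here is an added example that is not part of this cheat sheet or of Devise itself: the Devise and Rails settings that raise the minimum password length and force TLS, together with a small password-policy check that a Devise User model could call from a validation. The PasswordPolicy module, its thresholds and the sample passwords are assumptions chosen for illustration.

```ruby
# Added example (not from the OWASP page or the Devise gem).
#
# Settings that back the two recommendations above (values are assumptions):
#
#   # config/initializers/devise.rb
#   config.password_length = 12..128   # Devise option: minimum and maximum length
#
#   # config/environments/production.rb
#   config.force_ssl = true            # Rails option: redirect to HTTPS, secure cookies, HSTS
#
# Devise only enforces length; complexity is left to the application. In
# app/models/user.rb the check below could be wired in as:
#
#   validate do |u|
#     reason = PasswordPolicy.violation(u.password, email: u.email)
#     errors.add(:password, reason) if reason
#   end

module PasswordPolicy
  MIN_LENGTH = 12   # assumption: matches the Devise config.password_length lower bound
  MAX_LENGTH = 128  # assumption: generous upper bound, stops pathological inputs
  CLASSES = {
    lowercase: /[a-z]/, uppercase: /[A-Z]/, digit: /\d/, symbol: /[^A-Za-z0-9]/
  }.freeze

  # Returns nil when the password is acceptable, otherwise a human-readable
  # reason suitable for an ActiveModel error message.
  def self.violation(password, email: nil, min_classes: 3)
    return "must be present" if password.nil? || password.empty?
    return "is too short (minimum is #{MIN_LENGTH} characters)" if password.length < MIN_LENGTH
    return "is too long (maximum is #{MAX_LENGTH} characters)" if password.length > MAX_LENGTH

    present = CLASSES.count { |_, re| password.match?(re) }
    if present < min_classes
      return "must contain at least #{min_classes} of: lowercase, uppercase, digits, symbols"
    end

    # Reject passwords built from the account's own identifier (email local part).
    if email && !email.empty?
      local_part = email.split("@").first.to_s.downcase
      if local_part.length >= 3 && password.downcase.include?(local_part)
        return "must not contain the local part of your email address"
      end
    end
    nil
  end

  def self.acceptable?(password, **opts)
    violation(password, **opts).nil?
  end
end
```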
You can try out this PoC to learn more about Devise.
Note that authorized access to concrete resource objects (as opposed to classes of resources) is provided by other solutions, such as CanCanCan.