
Ruby on Rails Authentication Cheatsheet

From OWASP
Revision as of 14:35, 28 February 2018 by ZaurMolotnikov (talk | contribs) (added a poc link)


Secure user authentication in Ruby on Rails is discussed here.

Implementing authentication in a typical Rails application is made easy and secure with the Devise gem.

Add it to your Gemfile:

    gem 'devise'

Then run the Devise install generator:

    rails generate devise:install

Next, specify which resources (routes) require authenticated access in your routes file, config/routes.rb:

    Rails.application.routes.draw do
      authenticate :user do
        resources :something do  # these resources require authentication
          # nested routes go here
        end
      end

      devise_for :users # sign-up/-in/out routes

      root to: 'static#home' # no authentication required
    end

To make authentication secure, enforce higher password complexity and accept TLS (HTTPS) connections only.
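As an added example (not part of the original cheatsheet), here is a plain-Ruby password-complexity check of the kind you would call from a Devise-backed User model validation; the `PasswordPolicy` module, its thresholds and the sample passwords are assumptions, while the Devise and Rails settings in the comments are real options.

```ruby
# Added example: password-complexity policy for a Devise User model.
# The thresholds and the denylist below are assumptions; tune them to your needs.
#
# Wiring (shown for reference, not executed here):
#   config/initializers/devise.rb     -> config.password_length = 12..128
#   config/environments/production.rb -> config.force_ssl = true   # TLS only
#   app/models/user.rb:
#     validate :password_complexity
#     def password_complexity
#       return if password.blank?   # Devise leaves password nil on non-password updates
#       PasswordPolicy.violations(password).each { |msg| errors.add(:password, msg) }
#     end
module PasswordPolicy
  MIN_LENGTH = 12
  MAX_LENGTH = 128 # matches Devise's default upper bound
  CLASSES = {
    'a lowercase letter' => /[a-z]/,
    'an uppercase letter' => /[A-Z]/,
    'a digit'            => /\d/,
    'a symbol'           => /[^A-Za-z0-9]/
  }.freeze
  # Constructed denylist; a real deployment would check a breached-password list.
  COMMON = %w[password123 qwerty123456 letmein2024].freeze

  # Returns human-readable violations; an empty array means the password passes.
  def self.violations(password)
    pw = password.to_s
    out = []
    out << "must be at least #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
    out << "must be at most #{MAX_LENGTH} characters" if pw.length > MAX_LENGTH
    CLASSES.each { |name, re| out << "must contain #{name}" unless pw.match?(re) }
    out << 'is too common' if COMMON.include?(pw.downcase)
    out
  end

  def self.valid?(password)
    violations(password).empty?
  end
end
```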

You can try out this PoC to learn more about it.