
Ruby on Rails Authentication Cheatsheet

From OWASP
Revision as of 14:44, 28 February 2018 by ZaurMolotnikov (talk | contribs) (Added ref to authorization)


Secure user authentication in Ruby on Rails is discussed here.

Implementing authentication in a typical Rails application is made easy and secure with the Devise gem.

Devise solves for you the problems of secure password storage, secure sessions, and authenticated-only access to specified kinds of resources.

Add it to your Gemfile:

   gem 'devise'

Then run Devise's install generator:

   rails generate devise:install

Next, specify which resources (routes) require authenticated access in your routes file, config/routes.rb:

    Rails.application.routes.draw do
      authenticate :user do
        resources :something do  # these resources require authentication
          ...
        end
      end
    
      devise_for :users # sign-up/sign-in/sign-out routes
    
      root to: 'static#home' # no authentication required
    end

To make authentication secure, enforce a stronger password policy and allow TLS connections only.
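As an added example (not code from the OWASP page or from the Devise project), the following Ruby module shows the kind of password complexity check you would hook into the Devise user model; the comments name the two real configuration options that enforce password length in Devise and TLS in Rails. The module name PasswordPolicy, its thresholds and the integration snippet in the comments are assumptions for illustration.

```ruby
# Added example; not part of the OWASP cheatsheet or of Devise itself.
#
# Two settings that belong with this check (both are real options):
#   config/initializers/devise.rb:       config.password_length = 12..128
#   config/environments/production.rb:   config.force_ssl = true
# force_ssl redirects HTTP to HTTPS, marks the session cookie Secure and
# sends an HSTS header, so credentials and session ids never travel in clear.
#
# Assumed integration into app/models/user.rb (hypothetical, shown only here):
#   validate :password_complexity
#   def password_complexity
#     return if password.blank?   # Devise already validates presence
#     PasswordPolicy.failures(password).each { |msg| errors.add(:password, msg) }
#   end

module PasswordPolicy
  MIN_LENGTH = 12
  # An upper bound keeps the hashing input bounded; bcrypt, which Devise uses,
  # only considers the first 72 bytes anyway.
  MAX_LENGTH = 128

  # Character classes the password must draw from, with the message used
  # when a class is missing.
  CLASSES = {
    'an uppercase letter' => /[A-Z]/,
    'a lowercase letter'  => /[a-z]/,
    'a digit'             => /\d/,
    'a symbol'            => /[^A-Za-z0-9]/
  }.freeze

  # Returns an array of human-readable reasons the password is rejected.
  # An empty array means the password satisfies the policy.
  def self.failures(password)
    reasons = []
    reasons << "must be at least #{MIN_LENGTH} characters" if password.length < MIN_LENGTH
    reasons << "must be at most #{MAX_LENGTH} characters" if password.length > MAX_LENGTH
    CLASSES.each do |label, pattern|
      reasons << "must contain #{label}" unless password.match?(pattern)
    end
    reasons
  end

  def self.valid?(password)
    failures(password).empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for a stand-alone run.
  ['short', 'correcthorsebatterystaple', 'Correct-Horse-42!'].each do |pw|
    puts "#{pw.inspect}: #{PasswordPolicy.valid?(pw) ? 'accepted' : PasswordPolicy.failures(pw).join('; ')}"
  end
end
```

Returning a list of reasons rather than a boolean lets the model report every unmet requirement at once, which is what Devise's errors.add expects.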

You can try out this PoC to learn more about Devise.

Note that authorization, i.e. access to concrete resource objects rather than to whole classes of resources, is provided by other solutions such as CanCanCan.