I'm weighing up whether to roll my own authentication system (a la the excellent Railscast) or using Devise.
My question is, what are the potential pitfalls when not using Devise but going for something as per the Railscast? Are their security issues I need to think about that are not already covered in the cast? Any other pitfalls you can think of?
Edit: Why am I thinking about not using Devise? Part of the reason I am shying away from Devise is because I am not keen on it's failed log-ins protection. The way Devise does it means anyone can lock anyone else's account if they just know their email address. And it seems to me that on balance, I would be better off rolling my own than getting to know Devise inside out to make these changes, especially if I am going to need to do other things my own way too at some point in the future (which seems likely).
For basic authentication (which means just having a username and a password), rolling out your own wouldn't have any serious pitfalls.
Now, if you also wanted:
Cookies for remembering a logged in user
Recover a forgotten password by sending an email with reset instructions
Require an email confirmation for signing up
Timeout user sessions without activity in a certain period of time
Now these would be quite a bit harder to implement.
So, if you just want a basic authentication system, you can happily go with your own. But if you're worried about the future of your app, then maybe you should just go with Devise. It's not that hard to understand, it provides a ton of features and later you won't have to migrate your data when you actually decide to use Devise.
Edit: So, reiterating what I said. If this is a pet project and you just want to have a basic authentication system and authorization system, where you will only allow certain users to view certain pages, then you're free to implement your own and learn as you go along.
However, if this is something more serious, then I don't see any reason why you shouldn't go with Devise. It reminds me of people creating their own hashing and encryption schemes when they could (and should!) just use something powerful and safe like bcrypt.
I was asking the same question a while back. If you're looking to really dive in and spend some time on authentication, make your own. But if you want to get something pretty standard up fast so you can focus on the features of your app, I would recommend devise.
It doesn't appear the Lockable module is even on by default, but it's easily done either way.
class User < ActiveRecord::Base
# Include default devise modules. Others available are:
# :token_authenticatable, :confirmable,
# :lockable, :timeoutable and :omniauthable
devise :database_authenticatable, :registerable,
:recoverable, :rememberable, :trackable, :validatable
...
end
Also if you did use the Lockable module, since locking is based on a number of failed authentication attempts, you can change the maximum number of attempts before triggering a lock in config/initializers/devise.rb
Devise.setup do |config|
...
# Number of authentication tries before locking an account if lock_strategy
# is failed attempts.
config.maximum_attempts = 20
...
end
Just take a quick read through https://github.com/plataformatec/devise#devise
Related
Background:
User record creation in the application I'm working on is failing with errors "Password is too short (minimum is 4 characters)" and "Password confirmation is too short (minimum is 4 characters)".
Neither the User model nor any of its included models mentions passwords. The only places in the application where I can find them mentioned is in forms within the views and in the original database migrations. There is a crypted_password column, and a password_salt column in our users table. We are NOT using devise. The only security_related gems in our gemfile are attr_encrypted and encryptor, neither of which seem to mention any special treatment of passwords in their documentation.
So, since length validations and encryption are in fact happening, and I can't seem to track it down to a model or a gem, where might these rules be coming from? Is there a way I can disable them?
It turns out our application also makes use of the AuthLogic gem, which adds its own validations on login and password by default. As per this page of the documentation, the validations can be overridden in an application-wide configuration or in per-model configuration blocks.
I'm using Rails 3.2.11 with Devise 2.2.3 for a subscription service application. I inherited the app from another developer who is no longer available. I am new to Rails and Devise.
I want to allow a single user (email) to have more than one session to the same app, running concurrently. The sessions may all have the same IP address or different IP addresses, though probably different devices -- desktop, laptop, table, smart phone.
I want to treat each session independently, so the user can sign on and off one session without affecting any work in progress on another session.
Question: Does devise support multiple concurrent sessions normally? Do I have to customize any code or config?
When I look at the User model, I see single attributes for "current_sign_in_at", "current_sign_in_ip" and "authentication_token" -- this makes me think a single User can only have one session at a time.
I've looked at this discussion and at the devise wiki but haven't found an answer.
Yes, devise allows multiple concurrent sessions for same users by default. Then, if you want restrict this behavior, you need to use some extension like: devise_security_extension
I'm using Rails 3.2.17 with Devise 3.2.2
I'm using devise on Rails 4.0. I need non-login users, that is, people who are considered part of a team but never need to log in or interact with the app, they just get emails, appear in different lists and so on (in the future, however, they can potentially become users).
Ways I'm guessing how to do it are to:
programmatically add them, then -
possibly generate the devise views so I can alter them for non-login users?
write the controller to block non-login users?
I need to know what would be the basic steps for implementing non-login users.
I'm writing a ruby on rails application using mongoid and I'm wondering about the security implications of storing users and admin users in the same document. My current implementation is using devise and kind of modeled on how activeadmin does it. The admin users are in a separate document so there isn't any chance of someone escalating their privileges. This is a public facing site and there is some financial information involved.
But i'm curious if maybe I'm just making more work for myself and this is kind of unneeded.
There shouldn't be any implications as long as you prevent users from being able to update the mechanism for privileges. If you have a boolean flag called is_admin for example, ensuring that you have attr_protected :is_admin is vital to protect against mass-updated from changing this privilege.
I'm creating a Rails app using Devise for user management (Rails 3.0.10, Devise 1.4.2). I've got the basics going - signup, login / logout - but I can't seem to find any facility (or even documentation surrounding) user management.
In other Rails apps I've created, I've had a UsersController with an index method that allows an administrator to list all the users of a system, & to subsequently modify them through edit and update actions on the same controller.
I can't see an obvious way of doing this with Devise. I've used the Rake tasks that come with Devise to generate editable views, which is great, but I can't figure out how to do the equivalent with the Controller.
I fear I'm missing something fundamental here. Could someone please point me in the right direction?
Devise doesn't come with any sort of Admin interface. If you are the only administrator and don't mind a little crudeness - there is always the console and/or scaffolding.
There are also a lot of good gems that make setting up admin interfaces a cinch: Active Admin, Rails Admin and I'm sure there are a bunch more out there.