User:Mdong3
Devise
Devise <ref>https://github.com/plataformatec/devise</ref> is a Rails gem used for authenticating and managing users.
The topic write up for this page can be found here.
Introduction
Security Background
Web applications are relatively easy to attack, as they are simple to understand and manipulate. The Gartner Group estimates that 75% of attacks are at the web application layer, and found out "that out of 300 audited sites, 97% are vulnerable to attack".Security depends on the people using the framework, and sometimes on the development method. There are several ways to ensure security: Encryption, LDAP, Rails Authentication, Rails Authorization, Rails Captcha, Security Tools and Spam Detection. And devise is for Rails Authentication.
User Authentication
how the user authentication process works. Signup: create a new user. This user is going to register with a username, password (which will be encrypted in the database), email, etc. Login: allow a user to sign in with her/his valid username and password. The authentication process happens by matching the username and password in the database, allowing the user access to the protected actions only if the given information matches the recorded values successfully. If not, the user will be redirected to the login page again. Access Restriction: create a session to hold the authenticated user ID after login, so navigation through additional protected actions can be done easily by just checking the userID in the current session. Logout: allow the user to sign out and set the authenticated userID in session file to nil.
Getting Started
Devise
Devise is a flexible authentication solution for Rails helping developers save time and effort while implementing authentication mechanisms from start. User authentication is a major component of most of the web applications, primarily to determine if the user is in fact, who it is declared to be. Devise is based on Warden<ref>https://github.com/hassox/warden/wiki</ref>. (Customized Rack middleware that provides authentication for rack applications). Rack can be considered a middleware between web server such as Mongreal, WEBrick and frameworks such as Rails, Sinatra.
Current Version: 3.4.1
First Release: 5 years ago
Methods
Example applications
Devise and Rails<ref>https://github.com/RailsApps/rails-devise/</ref>
Rails 4.2 starter app with Devise for authentication.
What is implemented
• Home page
• Navigation bar
• Sign up (create account)
• Login
• “Forgot password?” feature
• “Remember me” (stay logged in) feature
• Edit account (edit user profile)
• List of users
Setup Devise
Once you have created a Rails app using the "rails new <app name>" command we first need to add a line to the "Gemfile" using the following command:
echo "gem 'devise'" >> Gemfile
And then install the gem using:
bundle install
The Gem will be installed for your rails application. Then run the following commands:
rails generate devise:install
To create config files.
rails generate devise user
To create model(User) class and routes and to also associate the 'User' model with 'Devise'.
rake db:migrate
To run the migration and create the table with certain fields appropriate for user authentication. The result should be something like:
== 20150217043439 DeviseCreateUsers: migrating ================================ -- create_table(:users) -> 0.0178s -- add_index(:users, :email, {:unique=>true}) -> 0.0010s -- add_index(:users, :reset_password_token, {:unique=>true}) -> 0.0055s == 20150217043439 DeviseCreateUsers: migrated (0.0255s) =======================
rails generate devise:views users
To create the directory /app/views/users with all the devise views, such as login form, registration form .
Setup Devise
Installing
To build the example application, run:
rails new rails-devise -m https://raw.github.com/RailsApps/rails-composer/master/composer.rb
This will create a Rails app named rails-devise
.
Then, select “Build a RailsApps example application”. After that, select”6) rails-devise”.
As for additional preferences:
• If you plan to deploy to Heroku, select “Unicorn" as your production web server.
• Use “SQLite" for development on Mac or Linux. If you plan to deploy to Heroku, use “PostgreSQL"
• The example application uses the default “ERB” Rails template engine.
• If you are a beginner, for test framework, select “None”.
• if you choose either “Foundation" or “Bootstrap", it will automatically install Devise views with attractive styling.
• “Gmail" is for development if you have one. if your site will be heavily used, then choose “SendGrid" or “Mandrill" for production.
• The example uses "Devise with default modules".
Devise and Pundit and Rails<ref>https://github.com/RailsApps/rails-devise-pundit</ref>
It extends the rails-devise example application to add authorization with Pundit.
What is implemented
It adds authorization with Pundit, showing how to implement user roles, and limit access to pages based on user role.
• an admin can see a list of users
• an admin can change a user’s role
• an ordinary user can’t see a list of users
• an ordinary user can’t change their role
• an ordinary user can’t see (or edit) another user’s profile
• an ordinary user can see (and edit) their own user profile
Installing
To build the example application, run:
rails new rails-devise-pundit -m https://raw.github.com/RailsApps/rails-composer/master/composer.rb
This will creates a new Rails app named rails-devise-pundit
.
Then, select “Build a RailsApps example application”. After that, select ”8) rails-devise-pundit”.
The following step is the same as Devise and Rails.
other Rails Authentication
OmniAuth<ref>https://github.com/intridea/omniauth</ref>: A generalized Rack framework for multiple-provider authentication.
Authlogic<ref>https://github.com/binarylogic/authlogic</ref>: A clean, simple, and unobtrusive ruby authentication solution.
Restful-authentication<ref>https://github.com/technoweenie/restful-authentication</ref>: Generates common user authentication code for Rails/Merb, with a full test/unit and rspec suite and optional Acts as State Machine support built-in.
Conclusion
Devise is the most popular Rails Authentication tools. It provides a full gamut of features, and can be configured to meet most requirements. Devise often interacts with Warden which does not provide helper methods, controller classes, views, configuration options and log in failure handling. All of these things are what Devise supplies. So if you need to extend or augment Devise, you may need to implement a customized Strategy class for your own.
References
<references/>