  • Stars: 1,530
  • Rank: 30,597 (Top 0.7 %)
  • Language: Ruby
  • License: MIT License
  • Created almost 3 years ago
  • Updated 9 months ago

Repository Details

An authentication system generator for Rails applications.

Authentication Zero

The purpose of Authentication Zero is to generate a pre-built authentication system into a Rails application (web or API-only) that follows both security and Rails best practices. Because the code is generated into the user's application instead of shipped as a library, the user has complete freedom to modify the authentication system so it works best with their app.

Installation

$ bundle add authentication-zero

If you are using Rails < 7.1, you must use version 2.

$ bundle add authentication-zero --version "~> 2"

Usage

$ rails generate authentication

Developer responsibilities

Since Authentication Zero generates this code into your application instead of building these modules into the gem itself, you now have complete freedom to modify the authentication system, so it works best with your use case. The one caveat with using a generated authentication system is it will not be updated after it's been generated. Therefore, as improvements are made to the output of rails generate authentication, it becomes your responsibility to determine if these changes need to be ported into your application. Security-related and other important improvements will be explicitly and clearly marked in the CHANGELOG.md file and upgrade notes.

Features

Essential

  • Sign up
  • Email and password validations
  • Checks if a password has been found in any data breach (--pwned)
  • Authentication by cookie
  • Authentication by token (--api)
  • Two-factor authentication + recovery codes (--two-factor)
  • Two-factor authentication using a hardware security key (--webauthn)
  • Verify email using a link with token
  • Ask password before sensitive data changes, aka: sudo (--sudoable)
  • Reset the user password and send reset instructions
  • Reset the user password only from verified emails
  • Lock mechanism to prevent email bombing (--lockable)
  • Rate limiting for your app, 1000 reqs/minute (--ratelimit)
  • Send e-mail confirmation when your email has been changed
  • Manage multiple sessions & devices
  • Activity log (--trackable)
  • Log out

More

  • Social login with OmniAuth (--omniauthable)
  • Passwordless authentication (--passwordless)
  • Send invitations (--invitable)
  • "Sign-in as" button (--masqueradable)
  • Multi-tenant application (--tenantable)

Generated code

  • has_secure_password: Adds methods to set and authenticate against a bcrypt password.
  • authenticate_by: Given a set of attributes, finds a record using the non-password attributes, and then authenticates that record using the password attributes.
  • generates_token_for: Defines the behavior of tokens generated for a specific purpose.
  • signed cookies: Returns a jar that automatically generates a signed representation of the cookie value and verifies it when reading the cookie again.
  • httponly cookies: A cookie with the httponly attribute is inaccessible to JavaScript; this precaution helps mitigate cross-site scripting (XSS) attacks.
  • signed_id: Returns a signed id that is tamper proof, so it's safe to send in an email or otherwise share with the outside world.
  • current attributes: Abstract super class that provides a thread-isolated attributes singleton, which resets automatically before and after each request.
  • action mailer: Action Mailer allows you to send email from your application using a mailer model and views.
  • log filtering: Parameters 'token' and 'password' are marked [FILTERED] in the log.
  • functional tests: In Rails, testing the various actions of a controller is a form of writing functional tests.
  • system testing: System tests allow you to test user interactions with your application, running tests in either a real or a headless browser.
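To make the generates_token_for and signed_id items concrete, here is an added illustration in plain Ruby (not the gem's generated code and not Rails' MessageVerifier format) of a purpose-bound, expiring, HMAC-signed token; PurposeToken and its SECRET constant are constructed stand-ins, with SECRET playing the role of Rails' secret_key_base.

```ruby
require "openssl"
require "base64"
require "json"

# Hypothetical stand-in (not Rails' MessageVerifier format) for the purpose-bound,
# expiring tokens that generates_token_for / signed_id produce.
class PurposeToken
  SECRET = "constructed-demo-secret-do-not-reuse".freeze # stands in for secret_key_base

  # Mints a token that only verifies for this purpose and only until now + expires_in.
  def self.generate(user_id:, purpose:, expires_in:, now: Time.now)
    payload = { "id" => user_id, "pur" => purpose, "exp" => now.to_i + expires_in }
    body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
    "#{body}.#{sign(body)}"
  end

  # Returns the user id, or nil when the token is malformed, tampered with,
  # expired, or was minted for a different purpose.
  def self.verify(token, purpose:, now: Time.now)
    body, sig = token.to_s.split(".", 2)
    return nil if body.nil? || sig.nil?
    return nil unless secure_equal?(sig, sign(body)) # check the MAC before parsing anything
    payload = JSON.parse(Base64.urlsafe_decode64(body))
    return nil unless payload["pur"] == purpose       # a reset token must not verify an email
    return nil if now.to_i >= payload["exp"]
    payload["id"]
  rescue ArgumentError, JSON::ParserError
    nil
  end

  def self.sign(body)
    Base64.urlsafe_encode64(OpenSSL::HMAC.digest("SHA256", SECRET, body), padding: false)
  end

  # Constant-time comparison so a mismatch does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  private_class_method :sign, :secure_equal?
end
```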

Sudoable

Use before_action :require_sudo in controllers that handle sensitive information; it will ask for your password on the first access and again after 30 minutes.

Tenantable

Some artifacts are generated in the application that make it possible to implement row-level multitenancy. Current.account is set from the current user's account.

You should follow some steps to make it work:

  • Add account_id to each scoped table, e.g. rails g migration add_account_to_projects account:references.
  • Add include AccountScoped to scoped models. It sets up the account relationship and a default scope using the current account.

Optionally, set Current.account from the URL (http://myapp.com/:account_id):

  • Add require_relative "../lib/account_middleware" to config/application.rb.
  • Add config.middleware.use AccountMiddleware to your application class.
  • More customization is required...
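The pieces above, as an added framework-free illustration that is not the gem's generated code: Current, AccountMiddleware, AccountScoped and ProjectsApp are hypothetical stand-ins for the ActiveSupport::CurrentAttributes class, Rack middleware and ActiveRecord default scope that the generator produces, and ACCOUNTS / PROJECTS are constructed sample data.

```ruby
# Thread-isolated stand-in for the generated Current (ActiveSupport::CurrentAttributes).
class Current
  def self.account;       Thread.current[:current_account];       end
  def self.account=(acc); Thread.current[:current_account] = acc; end
  def self.reset;         Thread.current[:current_account] = nil;  end
end

Account = Struct.new(:id)
ACCOUNTS = { 7 => Account.new(7), 9 => Account.new(9) }.freeze # constructed sample tenants

# Rack-style middleware: reads :account_id from http://myapp.com/:account_id/...,
# sets Current.account for the downstream app, and resets it when the request ends.
class AccountMiddleware
  def initialize(app)
    @app = app
  end

  def call(env)
    if (m = env["PATH_INFO"].to_s.match(%r{\A/(\d+)(/.*)?\z}))
      Current.account = ACCOUNTS[m[1].to_i]
      return [404, { "Content-Type" => "text/plain" }, ["Account not found"]] unless Current.account
      env["SCRIPT_NAME"] = "#{env['SCRIPT_NAME']}/#{m[1]}"
      env["PATH_INFO"]   = m[2] || "/"
    end
    @app.call(env)
  ensure
    Current.reset # never let one request's tenant leak into the next request on this thread
  end
end

# Stand-in for `include AccountScoped`: every lookup is constrained to Current.account,
# and a missing tenant is an error rather than a silent "all rows" query.
module AccountScoped
  def scoped(rows)
    raise "Current.account is not set" unless Current.account
    rows.select { |row| row[:account_id] == Current.account.id }
  end
end

PROJECTS = [{ id: 1, account_id: 7 }, { id: 2, account_id: 9 }, { id: 3, account_id: 7 }].freeze

class ProjectsApp
  include AccountScoped
  # Demo body: the current tenant's project ids plus the rewritten path (real Rack bodies are strings).
  def call(env)
    [200, { "Content-Type" => "text/plain" }, [scoped(PROJECTS).map { |p| p[:id] }, env["PATH_INFO"]]]
  end
end
```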

Development

To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/lazaronixon/authentication-zero. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the AuthenticationZero project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.
