• This repository has been archived on 21/Jul/2020
  • Stars
    star
    1,573
  • Rank 29,762 (Top 0.6 %)
  • Language
    Ruby
  • License
    MIT License
  • Created almost 17 years ago
  • Updated over 9 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

inactive project

This widely-used plugin provides a foundation for securely managing user authentication:

  • Login / logout
  • Secure password handling
  • Account activation by validating email
  • Account approval / disabling by admin
  • Rudimentary hooks for authorization and access control.

Several features were updated in May, 2008.

IMPORTANT: if you upgrade your site, existing user account passwords will stop working unless you use --old-passwords


Issue Tracker

Please submit any bugs or annoyances on the lighthouse tracker at

For anything simple enough, please github message both maintainers: Rick Olson ("technoweenie":http://github.com/technoweenie) and Flip Kromer ("mrflip":http://github.com/mrflip).


Documentation

This page has notes on

  • "Installation":#INSTALL
  • "New Features":#AWESOME
  • "After installing":#POST-INSTALL

See the "wiki":http://github.com/technoweenie/restful-authentication/wikis/home (or the notes/ directory) if you want to learn more about:

  • "Extensions, Addons and Alternatives":addons such as HAML templates
  • "Security Design Patterns":security-patterns with "snazzy diagram":http://github.com/technoweenie/restful-authentication/tree/master/notes/SecurityFramework.png
  • Authentication -- Lets a visitor identify herself (and lay claim to her corresponding Roles and measure of Trust)
  • "Trust Metrics":Trustification -- Confidence we can rely on the outcomes of this visitor's actions.
  • Authorization and Policy -- Based on trust and identity, what actions may this visitor perform?
  • Access Control -- How the Authorization policy is actually enforced in your code (A: hopefully without turning it into a spaghetti of if thens)
  • Rails Plugins for Authentication, Trust, Authorization and Access Control
  • Tradeoffs -- for the paranoid or the curious, a rundown of tradeoffs made in the code
  • CHANGELOG -- Summary of changes to internals
  • TODO -- Ideas for how you can help

These best version of the release notes are in the notes/ directory in the "source code":http://github.com/technoweenie/restful-authentication/tree/master -- look there for the latest version. The wiki versions are taken (manually) from there.


Exciting new features

Stories

There are now "Cucumber":http://wiki.github.com/aslakhellesoy/cucumber/home features that allow expressive, enjoyable tests for the authentication code. The flexible code for resource testing in stories was extended from "Ben Mabey's.":http://www.benmabey.com/2008/02/04/rspec-plain-text-stories-webrat-chunky-bacon/

Modularize to match security design patterns:

  • Authentication (currently: password, browser cookie token, HTTP basic)
  • Trust metric (email validation)
  • Authorization (stateful roles)
  • Leave a flexible framework that will play nicely with other access control / policy definition / trust metric plugins

Other

  • Added a few helper methods for linking to user pages
  • Uniform handling of logout, remember_token
  • Stricter email, login field validation
  • Minor security fixes -- see CHANGELOG

Non-backwards compatible Changes

Here are a few changes in the May 2008 release that increase "Defense in Depth" but may require changes to existing accounts

  • If you have an existing site, none of these changes are compelling enough to warrant migrating your userbase.
  • If you are generating for a new site, all of these changes are low-impact. You should apply them.

Passwords

The new password encryption (using a site key salt and stretching) will break existing user accounts' passwords. We recommend you use the --old-passwords option or write a migration tool and submit it as a patch. See the [[Tradeoffs]] note for more information.

Validations

By default, email and usernames are validated against a somewhat strict pattern; your users' values may be now illegal. Adjust to suit.


Installation

This is a basic restful authentication generator for rails, taken from acts as authenticated. Currently it requires Rails 1.2.6 or above.

IMPORTANT FOR RAILS > 2.1 USERS To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an underscore and not dash in its name:

  • either use git clone git://github.com/technoweenie/restful-authentication.git restful_authentication
  • or rename the plugin's directory to be restful_authentication after fetching it.

To use the generator:

./script/generate authenticated user sessions
--include-activation
--stateful
--rspec
--skip-migration
--skip-routes
--old-passwords

  • The first parameter specifies the model that gets created in signup (typically a user or account model). A model with migration is created, as well as a basic controller with the create method. You probably want to say "User" here.

  • The second parameter specifies the session controller name. This is the controller that handles the actual login/logout function on the site. (probably: "Session").

  • --include-activation: Generates the code for a ActionMailer and its respective Activation Code through email.

  • --stateful: Builds in support for acts_as_state_machine and generates activation code. (@--stateful@ implies @--include-activation@). Based on the idea at [[http://www.vaporbase.com/postings/stateful_authentication]]. Passing @--skip-migration@ will skip the user migration, and @--skip-routes@ will skip resource generation -- both useful if you've already run this generator. (Needs the "acts_as_state_machine plugin":http://elitists.textdriven.com/svn/plugins/acts_as_state_machine/, but new installs should probably run with @--aasm@ instead.)

  • --aasm: Works the same as stateful but uses the "updated aasm gem":http://github.com/rubyist/aasm/tree/master

  • --rspec: Generate RSpec tests and Stories in place of standard rails tests. This requires the "RSpec and Rspec-on-rails plugins":http://rspec.info/ (make sure you "./script/generate rspec" after installing RSpec.) The rspec and story suite are much more thorough than the rails tests, and changes are unlikely to be backported.

  • --old-passwords: Use the older password scheme (see [[#COMPATIBILITY]], above)

  • --skip-migration: Don't generate a migration file for this model

  • --skip-routes: Don't generate a resource line in @config/routes.rb@


After installing

The below assumes a Model named 'User' and a Controller named 'Session'; please alter to suit. There are additional security minutae in @notes/README-Tradeoffs@ -- only the paranoid or the curious need bother, though.

  • Add these familiar login URLs to your @config/routes.rb@ if you like:

    
      map.signup  '/signup', :controller => 'users',   :action => 'new'
      map.login  '/login',  :controller => 'session', :action => 'new'
      map.logout '/logout', :controller => 'session', :action => 'destroy'
      
  • With @--include-activation@, also add to your @config/routes.rb@:

    
      map.activate '/activate/:activation_code', :controller => 'users', :action => 'activate', :activation_code => nil
      

    and add an observer to @config/environment.rb@:

    
      config.active_record.observers = :user_observer
      

    Pay attention, may be this is not an issue for everybody, but if you should have problems, that the sent activation_code does match with that in the database stored, reload your user object before sending its data through email something like:

    
      class UserObserver < ActiveRecord::Observer
        def after_create(user)
          user.reload
          UserMailer.deliver_signup_notification(user)
        end
        def after_save(user)
          user.reload
          UserMailer.deliver_activation(user) if user.recently_activated?
        end
      end
      
  • With @--stateful@, add an observer to config/environment.rb:

    
      config.active_record.observers = :user_observer
      

    and modify the users resource line to read

    map.resources :users, :member => { :suspend => :put, :unsuspend => :put, :purge => :delete }

  • If you use a public repository for your code (such as github, rubyforge, gitorious, etc.) make sure to NOT post your site_keys.rb (add a line like '/config/initializers/site_keys.rb' to your .gitignore or do the svn ignore dance), but make sure you DO keep it backed up somewhere safe.

More Repositories

1

attachment_fu

Treat an ActiveRecord model as a file attachment, storing its patch, size, content type, etc.
Ruby
1,026
star
2

coffee-resque

CoffeeScript
545
star
3

guillotine

URL shortening hobby kit
Ruby
485
star
4

twitter-node

Discontinued: check out nTwitter
JavaScript
445
star
5

acts_as_versioned

ActiveRecord plugin for versioning your models.
Ruby
408
star
6

permalink_fu

ActiveRecord plugin for automatically converting fields to permalinks.
Ruby
264
star
7

masochism

ActiveRecord connection proxy for master/slave connections
Ruby
248
star
8

grohl

Combination logging, exception reporting, and metrics library for Go.
Go
165
star
9

madrox

Distributed Twitter implementation in Git.
Ruby
153
star
10

nubnub

Node.js PubSubHubbub client/server implementation
CoffeeScript
144
star
11

jquery.doubletap

This jquery plugin adds custom touch-screen events to the given HTML elements.
JavaScript
137
star
12

wheres-waldo

track what users are on which pages with redis
JavaScript
119
star
13

cronwtf

silly cron => english translator
JavaScript
94
star
14

can_search

Build common named scopes automatically, and provide a simple way to merge them with a single #search call.
Ruby
93
star
15

node-scoped-http-client

Unmaintained. Free push/npm access to anyone interested.
CoffeeScript
84
star
16

node-chain-gang

CoffeeScript
81
star
17

serialized_attributes

kind of a bridge between using AR and a full blown schema-free db
Ruby
61
star
18

model_stubbing

Replacement for ActiveRecord fixtures using an extremely flexible ruby-based approach.
Ruby
55
star
19

viking

Discontinued, see https://github.com/dimelo/viking
Ruby
53
star
20

go-scientist

Go
49
star
21

faraday-zeromq

Ruby
47
star
22

relative_time_helpers

ActionView helpers for showing relative time spans like "Jan 1 - 5" or "Jan 1 - Feb 5"
Ruby
45
star
23

multipartstreamer

Go
44
star
24

sentry

Painless encryption wrapper library
Ruby
32
star
25

model_iterator

Ruby
32
star
26

twitter-server

ruby/sinatra extensions for implementing the twitter api
Ruby
31
star
27

yajl-rails

Rails plugin for using YAJL with Rails 3
Ruby
29
star
28

app_bootstrap

app:bootstrap rake task providing a command line menu to setup a rails app.
Ruby
29
star
29

emoji-css-builder

Quick Ruby rake task for generating CSS and tiled image for displaying emoji in browsers.
Ruby
29
star
30

sparkplug

Ruby Rack module for generating sparkline graphs on the fly
Ruby
26
star
31

astrotrain

email => http_post
Ruby
26
star
32

duplikate

Syncs one directory to another (example: a git project to an svn repo)
Ruby
25
star
33

running_man

Ruby
23
star
34

dealer.js

JavaScript
21
star
35

chat_gram

Barebones Instagram realtime endpoint for posting images to a chat service (Campfire).
Ruby
19
star
36

github_twitter_server

wrap github with a twitter api.
Ruby
18
star
37

islostonyet.com

no really, i need to know
Ruby
18
star
38

will_sign

Small module for creating time-based hashes based on URLs.
Ruby
17
star
39

horcrux

A Horcrux is a powerful object in which a Dark wizard or witch has hidden a fragment of his or her soul for the purpose of attaining immortality.
Ruby
16
star
40

weatherhue

Ruby
13
star
41

queue_kit

Ruby
11
star
42

zcollab

Rad ZeroMQ scripts to supercharge your cloud.
JavaScript
11
star
43

context_on_crack

experimental macros for testing rails controllers. port of rspec_on_rails_on_crack
11
star
44

ultraviolence

web service for formatting text with the ultraviolet lib. ruby 1.9 only
Ruby
10
star
45

schemagram

Generate JSON Schema files from Ruby.
Ruby
9
star
46

go-httppipe

Go
9
star
47

service-queue

experimental ZeroMQ task worker thing.
CoffeeScript
9
star
48

activesupport_notifications_backport

Ruby
9
star
49

httpretry

Go
9
star
50

flappy-atom

CoffeeScript
8
star
51

urban_api

quick and dirty urban dictionary scraper
Ruby
8
star
52

dangerroom

Go
7
star
53

git-nosql-talk

Git is a Stupid NOSQL Database - talk given at Ruby and Rails.eu 2010
Ruby
7
star
54

rack-sparklines

DISCONTINUED, SEE http://github.com/technoweenie/sparkplug
Ruby
7
star
55

markup_cloud

Render text into markup through local and zeromq endpoints
Ruby
7
star
56

coffee-sprites

simple html 5 animation/sprites system heavily inspired by http://gamesinhtml5.blogspot.com/2010/07/game-in-progress-sprites-and-animation.html
JavaScript
6
star
57

go-contentaddressable

Go
5
star
58

unique_content_set

Check for uniquely created content in a Redis set
Ruby
5
star
59

elixir-rubyports

Elixir
5
star
60

fantomex

[ALPHA] Small, per-process persistent queue.
CoffeeScript
4
star
61

camo.go

Go
4
star
62

http_token_authentication

Rails plugin for parsing http token authorization headers
Ruby
4
star
63

active_record_context

simple identity map for active record. eager loading associations FTL
Ruby
4
star
64

go-passthrough

Simple package for passing responses untouched from an internal API
Go
4
star
65

pylists

Python
4
star
66

zue

Ruby
4
star
67

pki

Ruby
4
star
68

rubysweetsixteen

i'm probably jumping the shark by posting this...
Ruby
4
star
69

lighthouse-notifier

Ruby
3
star
70

ud

Ruby
3
star
71

15

3
star
72

redis_active_set

Tracks the number of active objects during a certain time period in a Redis sorted set.
Ruby
3
star
73

guillotine-zeromq

ZeroMQ API for Guillotine
Ruby
2
star
74

hubot-zeromq

proof-of-concept zeromq adapter for Hubot
CoffeeScript
2
star
75

apub

experimental golang package for parsing ActivityPub objects
Go
2
star
76

pdxjs-twitter-node

JavaScript
2
star
77

fantomex.rb

[ALPHA] Small, per-process persistent queue.
Ruby
1
star
78

tender_sync

sync Tender FAQs to and from Tender
Ruby
1
star
79

dummy-repo

1
star
80

playground

1
star
81

go-ronn

Go
1
star