Token authenctication

[Sander Obdeijn]

Hi all, i'm building my first project in RoR. And i'm now looking into authentication. A lot of the posts online recommended devise so i'm looking into that. 

I require authentication in a html website and a json api and i'm using ruby 1.9.3 and rails 4.1.4. Now I have seen that devise has removed TokenAuthenticatable. Is devise still a good option for token authentication or are there better options?

I have seen some custom implementations of token authentication with devise. But i'm reluctant to use these, security is one of those area's I try to prevent hacking together my own code. My users trust me with their personal information, and I think I should respect that trust by using a mature solution, which has the best chance of keeping their data secure. 

Just to be clear I'm not running a bank or handling medical data, but still I don't want to implement the first snippet of code that I see and risk leaking my users data.

Could someone offer me some advise?

Regards,

Sander

  

[Matt Jones]

Some info on token_authenticatable, direct from Jose Valim:

https://gist.github.com/josevalim/fb706b1e933ef01e4fb6

A gemified version of it, recently extracted:

https://github.com/baschtl/devise-token_authenticatable

I've used the Gist version in a production app.

--Matt Jones 

[Jason Fleetwood-Boldt]

I think you can implement that yourself along with Devise. Since you get so much with devise I would do that if it were me.

last time I discussed this with business people, the need for the token auth outweighed the security considerations. We ameliorated this by  1) Making the token expire 7 days after you generate it, and 2) making it automatically expire the moment it is used. 

Also, if you send that sh*t over email then you're still transmitting it in plain-text, which is susceptible to MITM. But the limits we put in made us confident this was an acceptable middle-ground.

Then again, if you're storing celebrities' naked pictures of themselves, you might want to reconsider ;)

-Jason

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-ta...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/6911f179-05a0-4c87-bbd7-6aefcae81837%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Sander Obdeijn]

No only my own private 'au natural' pictures will be hosted. 

I'm looking a the gem, but i can't find how to request a token after you have implemented it. Is there more documention about using the token authentication?

Op donderdag 4 september 2014 17:20:05 UTC+2 schreef Jason FB:

[Emil S]

Sander, devise( https://github.com/plataformatec/devise ) + doorkeeper( https://github.com/doorkeeper-gem/doorkeeper ) may work well for your case. Doorkeeper is based on OAuth specs which is pretty solid for token based auth. A google search involving both the gems would give you enough material to get started. Good luck !

To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/13b03f67-70af-40fc-9cdc-bc7aee21dfc3%40googlegroups.com.