Implementing login in Sinatra


Cesare

May 4, 2011, 12:46:22 PM
to sinatrarb
I am developing a webapp in Sinatra and now I am working on the
implementation of the login functionality. I have seen a few examples:

https://github.com/ratbeard/sinatra-warden
https://github.com/nanodeath/SinatraHamlSignin
https://github.com/maxjustus/sinatra-authentication

but some seem pretty outdated. I did not find a decent tutorial about
the matter. Any suggestion?

ps: I plan to deploy the app on heroku, probably with an ssl
certificate installed.

k.h...@finn.de

May 4, 2011, 1:13:48 PM
to sina...@googlegroups.com
I usually do authentication on my own



-- Sent from my Palm Pre



Charlie Park

May 4, 2011, 6:46:59 PM
to sina...@googlegroups.com
I can't speak to how outdated they are, but if an OAuth solution would work for you — where users can use their Twitter / Facebook credentials to log in on your site — I wrote a very simple Sinatra implementation of OmniAuth, here: https://github.com/charliepark/omniauth-for-sinatra.

All you need are your auth keys from Twitter or whomever, and you're good to go. You can always then request your user's e-mail address or other contact info, if you need to reach them directly later on.

Sylvain Desvé

May 5, 2011, 3:15:49 AM
to sina...@googlegroups.com
I do it on my own too, it's not that difficult.

Here is a tutorial: http://railscasts.com/episodes/250-authentication-from-scratch

It's Rails oriented but it's not very difficult to adapt for Sinatra.

Cesare

May 5, 2011, 5:07:01 AM
to sinatrarb
Yes, it's easy but I am wondering, is it "safe"?
"is is safe?" = "can I sleep tight?"

-c.

On May 5, 9:15 am, Sylvain Desvé <sylvain.de...@gmail.com> wrote:
> I do on my own to, it's not that difficult.
>
> Here is a tutorial: http://railscasts.com/episodes/250-authentication-from-scratch
>
> It's Rails
> oriented but it's not very difficult to adapt for Sinatra.
>
> 2011/5/4 k.ha...@finn.de <k.ha...@finn.de>
>
>
>
> > I usually do authentication on my own
>
> > -- Sent from my Palm Pre

Cesare

May 5, 2011, 5:07:45 AM
to sinatrarb
I gave omniauth a thought/try but I'd prefer my own login system.
Thanks for the suggestion.

On May 5, 12:46 am, Charlie Park <char...@pearbudget.com> wrote:
> I can't speak to how outdated they are, but if an OAuth solution would work
> for you — where users can use their Twitter / Facebook credentials to log in
> on your site — I wrote a *very* simple Sinatra implementation of OmniAuth,

Jeremy Cowgar

May 5, 2011, 3:50:51 PM
to sina...@googlegroups.com
Just take a peek at some of the existing auth systems. I also roll my
own as each system has different requirements and I have not been able
to find a one size fits all solution. It's not hard to make them and
not hard to make them safe. It's also not hard to make them unsafe
either, so just be sure you know what you are doing.

setcookie: current_user="jdoe" is NOT safe, LOL!

Jeremy
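
To make the "current_user=jdoe cookie is NOT safe" point concrete, here is an added example (not code from the thread or from any of the projects linked above). It contrasts the naive cookie, where the browser simply tells the server who it is, with a cookie whose value is bound to a server-side secret by an HMAC, which is the same general approach Rack::Session::Cookie takes when configured with a secret. `SECRET` is a constructed placeholder; a real app would load a long random value from configuration.

```ruby
require "openssl"

# Constructed placeholder secret for the example; never hard-code a real one.
SECRET = "constructed-placeholder-secret-do-not-use".freeze

# Constant-time comparison so a wrong tag cannot be narrowed down byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The naive scheme from the thread: whatever the client sends is believed.
def naive_current_user(cookie_header)
  cookie_header[/current_user=([^;]+)/, 1]
end

# Signed cookie: "value--hexmac". The value is still readable by the client,
# so signing prevents tampering but does not hide anything.
def sign_cookie(value, secret = SECRET)
  mac = OpenSSL::HMAC.hexdigest("SHA256", secret, value)
  "#{value}--#{mac}"
end

# Returns the value only if the tag matches; nil for missing or altered tags.
def verify_cookie(cookie, secret = SECRET)
  value, mac = cookie.split("--", 2)
  return nil if value.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, value)
  secure_equal?(expected, mac) ? value : nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request header: the client edited its own cookie.
  puts naive_current_user("current_user=admin")        # accepted as-is, no check
  signed = sign_cookie("jdoe")
  puts verify_cookie(signed)                           # jdoe
  puts verify_cookie(signed.sub("jdoe", "admin")).inspect # nil: tag no longer matches
end
```

Even a signed cookie only proves the server issued the value; it does not expire or revoke anything, which is why a random session id looked up server-side (Rack's session middleware) is the usual next step.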

Cesare

May 7, 2011, 9:22:30 AM
to sinatrarb
Ended up with Rack, sessions and salted passwords.
Probably will integrate OmniAuth in the next release.

Paolo Perego

May 9, 2011, 3:53:42 AM
to sina...@googlegroups.com
On 5 May 2011 11:07, Cesare <cesare...@gmail.com> wrote:
> I gave omniauth a thought/try but I'd prefer my own login system.
> Thanks for the suggestion.
Hi Cesare, please note that re-inventing the wheel instead of using
well known and widely tested solutions for basic tasks (as auth) can
be risky from a security point of view.

Make sure to check your code with a penetration test or at least
against session fixation vulnerability.

Paolo
--
"... static analysis is fun, again!"

OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby
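
Cesare's "sessions and salted passwords" and Paolo's session-fixation check fit in one small example, added here and not taken from the thread or from any linked project. It uses only Ruby's standard library: PBKDF2-HMAC-SHA256 with a per-user random salt for password storage, and a server-side session store where login always issues a fresh session id. `USERS`, `SESSIONS`, `ITERATIONS` and the sample user are constructed stand-ins for a real database and for Rack's session middleware.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 100_000 # constructed work factor; tune to your hardware
KEY_LEN    = 32

# Constant-time comparison for the derived keys.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Salted hash: store salt and iteration count beside the hash so both can
# be rotated later without a schema change.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  key  = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LEN, "sha256")
  { salt: salt, iterations: ITERATIONS, hash: key }
end

def password_matches?(record, candidate)
  key = OpenSSL::PKCS5.pbkdf2_hmac(candidate, record[:salt], record[:iterations],
                                   KEY_LEN, "sha256")
  secure_equal?(key, record[:hash])
end

# Constructed user table: only the salted hash is kept, never the password.
USERS = { "jdoe" => hash_password("correct horse battery staple") }

# Constructed server-side store: session id -> session data. Only the random
# id travels in the cookie, so the client cannot assert who it is.
SESSIONS = {}

def new_session
  id = SecureRandom.hex(32)
  SESSIONS[id] = {}
  id
end

# Login verifies the password, then discards the pre-login session id and
# issues a fresh one. Keeping the old id is the session-fixation bug: an id
# that was planted in the browser before login would become authenticated.
def login(session_id, username, password)
  record = USERS[username]
  return nil unless record && password_matches?(record, password)
  SESSIONS.delete(session_id)
  fresh = new_session
  SESSIONS[fresh][:user] = username
  fresh
end

def current_user(session_id)
  SESSIONS.fetch(session_id, {})[:user]
end

if __FILE__ == $PROGRAM_NAME
  before = new_session                       # id the browser held before login
  after  = login(before, "jdoe", "correct horse battery staple")
  puts "old id still valid?  #{SESSIONS.key?(before)}"  # false
  puts "user on new id:      #{current_user(after)}"    # jdoe
end
```

In a Sinatra app the `session_id` handling is done by `Rack::Session` (rotating the id at login is what to check for), and a memory-hard scheme such as the bcrypt gem is preferable to PBKDF2 when you can add the dependency; the structure of the check stays the same.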

Jeremy Cowgar

May 9, 2011, 7:48:00 AM
to sina...@googlegroups.com
Implementing an existing solution can be a security risk as well.
Something as important as security should be understood in depth and
internally.

Jeremy

On Mon, May 9, 2011 at 3:53 AM, Paolo Perego <thes...@gmail.com> wrote:
> Hi Cesare, please note that re-inventing the wheel instead of using
> well known and widely tested solutions for basic tasks (as auth) can
> be risky from a security point of view.
>
> Make sure to check your code with a penetration test or at least
> against session fixation vulnerability.
>
> Paolo
> --
> "... static analysis is fun, again!"
>
> OWASP Orizon project leader, http://github.com/thesp0nge/owasp-orizon
> OWASP Esapi Ruby project leader, https://github.com/thesp0nge/owasp-esapi-ruby
>

rjjm

May 11, 2011, 5:34:23 AM
to sinatrarb
Hi Cesare,

I'd have to agree with the consensus. There is no easy answer to
authentication in the first instance, it's one of those learning
curves that I resisted for too long.

The best solution I found was to take an existing solution (like
https://github.com/maxjustus/sinatra-authentication) and alter it to
my needs.

At the same time take a look at the authentication tutorials mentioned
on railscasts and this one I found useful:
http://ididitmyway.heroku.com/past/2011/2/22/really_simple_authentication_in_sinatra/

I also found the detailed explanation in Agile Dev with Rails quite
helpful: http://pragprog.com/titles/rails2/agile-web-development-with-rails

Once you have implemented one of the 'out-of-the-box' solutions from
github you should be able to apply the lessons from the tutorials. At
least, that's how it worked for me.

HTH,
Robin



On May 4, 5:46 pm, Cesare <cesareroc...@gmail.com> wrote:
> I am developing a webapp in Sinatra and now I am working on the
> implementation of the login functionality. I have seen a few examples:
>
> https://github.com/ratbeard/sinatra-warden
> https://github.com/nanodeath/SinatraHamlSignin
> https://github.com/maxjustus/sinatra-authentication

djangst

May 11, 2011, 11:02:43 AM
to sinatrarb