
Rodauth: Clean Authentication - Valentine Ostakh

Published on: Ruby Meditation 13 - 11.02.2017, BC Incom, Kyiv, 31-33 Smolenska str.

Published in: Technology
  1. Valentyn Ostakh https://github.com/valikos https://twitter.com/valikos_ost
  2. Rodauth: Clean Authentication
  3. What is the most necessary feature for interaction with users?
  4. Authentication
  5. Authentication is the act of identifying the user who is going to interact with your product.
  6. I want authentication for my application
  7. Ruby-toolbox
  8. Awesome-ruby
  9. Authentication • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  10. What about a custom solution?
  11. Custom Solution vs Authentication Libraries

      Library    Issues    Pull Requests  First Release
      Sorcery    64/451    28/306         31 Jan 2011
      Clearance  12/374    4/369          1 Sep 2009
      Authlogic  124/221   6/186          3 Nov 2008
      Devise     39/3353   29/979         21 Oct 2009
      Warden     18/74     4/49           26 May 2009
      Rodauth    0/8       0/11           12 Aug 2015
  12. I want flexible authentication that can be used with any framework
  13. How to choose a library for my application?
  14. Dependencies
  15. • Authlogic - activerecord, activesupport
      • Devise - rails, warden
      • Clearance - rails, rack
      • Sorcery - rails
      • Warden - rack
      • Rodauth - roda, rack
  16. Clearance
  17. Features
  18. Registration • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  19. Login • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  20. Logout • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  21. It would be great to have token authentication
  22. Token Authentication • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  23. Token Authentication Articles
      • An Introduction to Using JWT Authentication in Rails
      • Authenticate Your Rails API with JWT from Scratch
      • Token-based authentication with Ruby on Rails 5 API
      • JWT Auth in Rails, From Scratch
      • Implementing JWT in Ruby on Rails-based API
      • Authenticate Your Rails API with JWT
      • Rails Api Backed With JWT
      • Rails, Devise, JWT and the forgotten Warden
  24-25. Token Authentication Gems
      • jwt_authentication (based on devise)
      • simple_token_authentication (based on devise)
      • devise_token_auth (based on devise)
  26. Token Authentication
  27. Popularity
  28. Library    Total downloads (rubygems.org)
      Devise     21,407,462
      Warden     21,018,495
      Authlogic   2,343,678
      Sorcery       527,431
      Clearance     317,409
      Rodauth         6,163
  29. Summary
  30. Library  Dependencies  Features  Token Authentication
      Devise / Warden / Authlogic / Sorcery / Clearance / Rodauth
  31-32. Rodauth
  33. Jeremy Evans, Twitter: @jeremyevans0
  34. Roda, Sequel
  35. Rodauth Goals • Security • Simplicity • Flexibility
  36. Features first
  37-62. Rodauth Features (built up one per slide)
      • Login
      • Logout
      • Change Password
      • Change Login
      • Reset Password
      • Create Account
      • Close Account
      • Verify Account
      • Confirm Password
      • Remember (autologin via token)
      • Lockout (brute-force protection)
      • OTP (two-factor authentication via TOTP)
      • Recovery Codes (two-factor authentication via backup codes)
      • SMS Codes (two-factor authentication via SMS)
      • Verify Change Login
      • Verify Account Grace Period
      • Password Grace Period
      • Password Complexity
      • Disallow Password Reuse
      • Password Expiration
      • Account Expiration
      • Session Expiration
      • Single Session
      • JWT
      • Update Password Hash
      • HTTP Basic Auth
  63. Security
  64-65. • Uses database functions to access password hashes (optional)
      • Two database accounts are used (optional)
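An added illustration of the two-role layout, written for this page rather than taken from the slides or from Rodauth: when the option is enabled, Rodauth stores password hashes in a table owned by a separate PostgreSQL role, and the application's own role reaches them only through two SECURITY DEFINER functions, rodauth_get_salt and rodauth_valid_password_hash. The model below reproduces that contract in memory so it runs offline. It substitutes PBKDF2-HMAC-SHA256 from Ruby's standard library for bcrypt, and the hash string format, the class and method names and the sample account are assumptions made for the example.

```ruby
# Added illustration of Rodauth's two-database-role password layout (not
# Rodauth's own code). The real layout: hashes live in a table owned by a
# separate "<dbname>_password" PostgreSQL role; the application role gets
# write access to that table but no SELECT, and reads only through two
# SECURITY DEFINER functions (rodauth_get_salt, rodauth_valid_password_hash).
# Assumptions here: PBKDF2-HMAC-SHA256 stands in for bcrypt, and the
# "pbkdf2$iters$salt$digest" string format is invented for this example.
require 'openssl'
require 'securerandom'
require 'base64'

PBKDF2_ITERATIONS = 50_000

# Public hashing scheme shared by both roles. In Rodauth this is bcrypt: the
# app computes BCrypt::Engine.hash_secret(password, salt) with the salt that
# the database hands back, then asks the database whether the result matches.
module PasswordKDF
  def self.hash(prefix, password)
    _scheme, iters, salt_b64 = prefix.split('$')
    raw = OpenSSL::KDF.pbkdf2_hmac(password,
                                   salt: Base64.strict_decode64(salt_b64),
                                   iterations: iters.to_i,
                                   length: 32,
                                   hash: 'sha256')
    prefix + Base64.strict_encode64(raw)
  end

  def self.new_prefix
    "pbkdf2$#{PBKDF2_ITERATIONS}$#{Base64.strict_encode64(SecureRandom.random_bytes(16))}$"
  end

  # Constant-time comparison; lengths are fixed for a given scheme.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Stands in for the hash table plus the two functions owned by the password
# role. Only these three methods are public; the hash itself never leaves.
class PasswordRole
  def initialize
    @hashes = {} # account_id => full hash string
  end

  # Write path (in Rodauth the app role INSERTs/UPDATEs the table directly).
  def set_password(account_id, password)
    @hashes[account_id] = PasswordKDF.hash(PasswordKDF.new_prefix, password)
    nil
  end

  # rodauth_get_salt: only the salt/parameter part is returned.
  def get_salt(account_id)
    stored = @hashes[account_id]
    return nil unless stored
    stored[0, stored.rindex('$') + 1]
  end

  # rodauth_valid_password_hash: a boolean, never the stored hash.
  def valid_password_hash?(account_id, candidate)
    stored = @hashes[account_id]
    return false unless stored
    PasswordKDF.constant_time_equal?(stored, candidate)
  end
end

# The application's database role: it can ask the two questions above and
# nothing more. A SQL injection in the app therefore yields an online,
# rate-limitable guessing oracle rather than a hash dump for offline cracking.
class AppRole
  def initialize(password_role)
    @get_salt   = password_role.method(:get_salt)
    @valid_hash = password_role.method(:valid_password_hash?)
  end

  def login(account_id, password)
    prefix = @get_salt.call(account_id)
    return false unless prefix
    @valid_hash.call(account_id, PasswordKDF.hash(prefix, password))
  end
end

# Builds the model with one constructed account (id 1) for demonstration.
def build_demo
  pw = PasswordRole.new
  pw.set_password(1, 'correct horse battery staple')
  AppRole.new(pw)
end

if $PROGRAM_NAME == __FILE__
  app = build_demo
  puts app.login(1, 'correct horse battery staple') # true
  puts app.login(1, 'Tr0ub4dor&3')                  # false
end
```

The security property is the shape of the interface, not the KDF: the application role never reads a hash, so a leaked application credential or an injectable query gives an attacker only guess-at-a-time access, which the Lockout feature can throttle.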
  66. Flexibility
  67. Can be used with any Rack framework
  68-69. (config.ru, shown on two consecutive slides)
      require "roda"

      class RodauthApp < Roda
        # If using Rodauth in a non-Roda application
        # plugin :middleware

        plugin :rodauth do
          enable :login, :logout, :change_password
        end

        route do |r|
          r.rodauth
          rodauth.require_authentication

          # If using Rodauth in a Roda application
          # Your app code here
        end
      end

      # If using Rodauth in a non-Roda application
      # use RodauthApp

      # If using Rodauth in a Roda application
      run RodauthApp
  70. Rodauth uses a simple configuration DSL
  71. (LDAP instead of bcrypt passwords)
      require 'simple_ldap_authenticator'

      plugin :rodauth do
        enable :login, :logout

        # Don't require the bcrypt library, since using LDAP for auth
        require_bcrypt? false

        # Treat the login itself as the account
        account_from_login{|l| l.to_s}

        # Use the login provided as the session value
        account_session_value{account}

        # Store session value in :login key, since the :account_id
        # default wouldn't make sense
        session_key :login

        password_match? do |password|
          SimpleLdapAuthenticator.valid?(account, password)
        end
      end
  72. Simplicity
  73. Rodauth allows for overriding any part of the framework
  74. module Auth
        class Rodauth < Roda
          plugin :rodauth do
            enable :login
          end

          route do |r|
            # Matched before r.rodauth, so this replaces Rodauth's login handler
            r.post 'login' do
              # Custom POST /login handling here
            end

            r.rodauth
          end
        end
      end
  75. How to start using Rodauth?
  76. • Resolve database dependencies • Define Rodauth features
  77. Database dependencies
  78. • Set up the database • Create tables
  79. Setup With PostgreSQL
      # Load extensions
      psql -U postgres -c "CREATE EXTENSION citext" ${DATABASE_NAME}

      # Create database accounts
      createuser -U postgres ${DATABASE_NAME}
      createuser -U postgres ${DATABASE_NAME}_password
  80. Setup With PostgreSQL (Sequel migration; account_statuses is assumed to be created by an earlier migration)
      Sequel.migration do
        up do
          db = self # make the Database available inside the create_table block

          create_table(:accounts) do
            primary_key :id, :type=>:Bignum
            foreign_key :status_id, :account_statuses, :null=>false, :default=>1
            if db.database_type == :postgres
              citext :email, :null=>false
              constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
              index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
            else
              String :email, :null=>false
              index :email, :unique=>true
            end
          end

          case database_type
          when :postgres
            # Let the password role reference accounts(id) from the table it owns
            user = get{Sequel.lit('current_user')} + '_password'
            run "GRANT REFERENCES ON accounts TO #{user}"
          end
        end
      end
  81. Define Rodauth Features
      plugin :rodauth, :json=>true, :csrf=>false, :flash=>false do
        enable :change_password, :close_account, :create_account, :login, :logout,
               :remember, :reset_password, :verify_account, :otp, :recovery_codes,
               :sms_codes, :password_complexity, :disallow_password_reuse,
               :password_grace_period, :account_expiration, :single_session,
               :jwt, :session_expiration

        max_invalid_logins 2
        allow_password_change_after 60
        verify_account_grace_period 300
        jwt_secret secret # `secret` is defined outside the snippet shown on the slide

        # Test stub: records the code instead of sending an SMS ("..." elided on the slide)
        sms_send do |phone_number, message|
          MUTEX.synchronize{SMS[session_value] = "..."}
        end
      end
  82. Summary
  83. Rodauth Advantages • Integration with any Rack application • Minimal dependencies • Features • Security • Simplicity
  84. Rodauth Disadvantages • No OAuth support • Route design: Rodauth's routes may not match your application's URL scheme
  85. My own experience
  86. Registration
      module Auth
        class Rodauth < Roda
          DB = Sequel.connect(ENV['DATABASE_URL'])

          plugin :middleware
          plugin :rodauth, json: :only do
            enable :login, :logout, :jwt, :create_account

            # Add an expiration claim to the session hash Rodauth signs into the JWT
            jwt_session_hash do
              super().merge(exp: SmartTaskApi::Utils.jwt_expiration)
            end

            jwt_secret ENV['JWT_SECRET']
          end

          route do |r|
            r.rodauth
            # Expose the rodauth object to the downstream application
            env['rodauth'] = rodauth
          end
        end
      end
  87. Token Authentication
      module Api
        class Rodauth < Roda
          DB = Sequel.connect(ENV['DATABASE_URL'])

          plugin :middleware
          plugin :rodauth, json: :only do
            enable :jwt
            jwt_secret ENV['JWT_SECRET']
          end

          route do |r|
            r.rodauth
            # Every request that reaches the downstream application carries a valid JWT
            rodauth.require_authentication
            env['rodauth'] = rodauth
          end
        end
      end
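An added example, not from the slides and not the jwt gem that Rodauth delegates to: a minimal HS256 issuer and verifier in plain Ruby, showing what the exp claim merged in through jwt_session_hash on slide 86 does at verification time, and the checks a verifier must make (pinned algorithm, constant-time signature comparison, expiry). The secret, the session hash, the timestamps, the claim names other than exp and all function names are constructed for this example.

```ruby
# Added example (not the talk's code, not the `jwt` gem): HS256 JWT issue and
# verify in plain Ruby, with the `exp` claim the slide adds via jwt_session_hash.
# Secret, payload, timestamps and function names are constructed for this example.
require 'openssl'
require 'json'
require 'base64'

class JwtError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
rescue ArgumentError
  raise JwtError, 'malformed base64url segment'
end

def parse_json_segment(seg)
  JSON.parse(b64url_decode(seg))
rescue JSON::ParserError
  raise JwtError, 'malformed JSON segment'
end

# Constant-time comparison so signature checking does not leak byte matches.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def jwt_encode(payload, secret)
  signing_input = "#{b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))}." \
                  "#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(OpenSSL::HMAC.digest('SHA256', secret, signing_input))}"
end

# Verifies structure, algorithm, signature and expiry. `now` is injectable
# so expiry behaviour can be exercised deterministically.
def jwt_decode(token, secret, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split('.')
  raise JwtError, 'malformed token' if sig_b64.nil? || token.count('.') != 2
  header = parse_json_segment(header_b64)
  # Pin the algorithm server-side; never let the token's own "alg" pick the
  # verifier (that is how "alg":"none" and key-confusion attacks get in).
  raise JwtError, "unsupported alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{payload_b64}")
  raise JwtError, 'bad signature' unless secure_compare(expected, b64url_decode(sig_b64))
  payload = parse_json_segment(payload_b64)
  exp = payload['exp']
  raise JwtError, 'missing exp claim' unless exp.is_a?(Integer)
  raise JwtError, 'token expired' if now >= exp # RFC 7519: now must be before exp
  payload
end

# The equivalent of the slide's jwt_session_hash override: merge an exp
# claim into the session hash before signing. ttl is in seconds.
def issue_session_token(session, secret, ttl:, now: Time.now.to_i)
  jwt_encode(session.merge('exp' => now + ttl), secret)
end

if $PROGRAM_NAME == __FILE__
  secret = 'constructed-example-secret'
  t0 = 1_700_000_000
  token = issue_session_token({ 'account_id' => 42 }, secret, ttl: 900, now: t0)
  puts jwt_decode(token, secret, now: t0 + 60).inspect # {"account_id"=>42, "exp"=>1700000900}
  begin
    jwt_decode(token, secret, now: t0 + 900)
  rescue JwtError => e
    puts "rejected: #{e.message}" # rejected: token expired
  end
end
```

Without an exp claim a stolen token is valid until the secret is rotated, which is why the slide merges one in. The header of a token is attacker-controlled, so the verifier pins HS256 rather than reading alg from the token, and compares the HMAC in constant time.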
  88. Rodauth Examples
      • https://github.com/jeremyevans/ginatra
      • https://github.com/jeremyevans/rodauth-demo-rails
      • https://github.com/davydovanton/rodauth_hanami
      • https://github.com/davydovanton/grape-rodauth
      • https://github.com/valikos/smart-task-api-hanami
  89. Rodauth: Clean Authentication
  90. Thanks!
  91. Questions?
  92. Valentyn Ostakh https://github.com/valikos https://twitter.com/valikos_ost
