Rodauth: Clean Authentication - Valentine Ostakh

Ruby Meditation 13 - 11.02.2017, BC Incom, Kyiv, 31-33 Smolenska str.

Valentyn Ostakh
https://github.com/valikos
https://twitter.com/valikos_ost

Rodauth
Clean Authentication

What is the most necessary feature for interaction with users?

Authentication

Authentication is the act of identifying the user who is going to interact with your product.

I want authentication for my application

Ruby-toolbox

Awesome-ruby

Authentication
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth

What about a custom solution?

Custom Solution vs Authentication Libraries

Library     Issues     Pull Requests   First Release
Sorcery     64/451     28/306          31 Jan 2011
Clearance   12/374     4/369           1 Sep 2009
Authlogic   124/221    6/186           3 Nov 2008
Devise      39/3353    29/979          21 Oct 2009
Warden      18/74      4/49            26 May 2009
Rodauth     0/8        0/11            12 Aug 2015

I want flexible authentication that can be used with any framework

How to choose a library for my application?

Dependencies
• Authlogic - activerecord, activesupport
• Devise - rails, warden
• Clearance - rails, rack
• Sorcery - rails
• Warden - rack
• Rodauth - roda, rack

Clearance

Features

Registration
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth

Login
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth

Logout
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth

Would be great to have token authentication

Token Authentication
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth

Token Authentication: Articles
• An Introduction to Using JWT Authentication in Rails
• Authenticate Your Rails API with JWT from Scratch
• Token-based authentication with Ruby on Rails 5 API
• JWT Auth in Rails, From Scratch
• Implementing JWT in Ruby on Rails-based API
• Authenticate Your Rails API with JWT
• Rails Api Backed With JWT
• Rails, Devise, JWT and the forgotten Warden

Token Authentication: Gems
• jwt_authentication (based on devise)
• simple_token_authentication (based on devise)
• devise_token_auth (based on devise)

Popularity

Library     Total Downloads (rubygems.org)
Devise      21,407,462
Warden      21,018,495
Authlogic   2,343,678
Sorcery     527,431
Clearance   317,409
Rodauth     6,163

Summary

Library     Dependencies   Features   Token Authentication
Devise
Warden
Authlogic
Sorcery
Clearance
Rodauth

Rodauth

Jeremy Evans
Twitter: @jeremyevans0

Roda
Sequel

Rodauth Goals
• Security
• Simplicity
• Flexibility

Features first

Rodauth Features
• Login
• Logout
• Change Password
• Change Login
• Reset Password
• Create Account
• Close Account
• Verify Account
• Confirm Password
• Remember (Autologin via token)
• Lockout (Bruteforce protection)
• OTP (2 factor authentication via TOTP)
• Recovery Codes (2 factor authentication via backup codes)
• SMS Codes (2 factor authentication via SMS)
• Verify Change Login
• Verify Account Grace Period
• Password Grace Period
• Password Complexity
• Disallow Password Reuse
• Password Expiration
• Account Expiration
• Session Expiration
• Single Session
• JWT
• Update Password Hash
• HTTP Basic Auth

Security
• Uses database functions to access password hashes (optional)
• Two database accounts are used (optional)

Flexibility

Can be used with any Rack framework

require "roda"

class RodauthApp < Roda
  # If using Rodauth in a non-Roda application
  # plugin :middleware

  plugin :rodauth do
    enable :login, :logout, :change_password
  end

  route do |r|
    r.rodauth
    rodauth.require_authentication

    # If using Rodauth in a Roda application
    # Your app code here
  end
end

# If using Rodauth in a non-Roda application
# use RodauthApp

# If using Rodauth in a Roda application
run RodauthApp

Rodauth uses a simple configuration DSL

require 'simple_ldap_authenticator'

plugin :rodauth do
  enable :login, :logout

  # Don't require the bcrypt library, since using LDAP for auth
  require_bcrypt? false

  # Treat the login itself as the account
  account_from_login{|l| l.to_s}

  # Use the login provided as the session value
  account_session_value{account}

  # Store session value in :login key, since the :account_id
  # default wouldn't make sense
  session_key :login

  password_match? do |password|
    SimpleLdapAuthenticator.valid?(account, password)
  end
end

Simplicity

Rodauth allows for overriding any part of the framework

module Auth
  class Rodauth < Roda
    plugin :rodauth do
      enable :login
    end

    route do |r|
      r.post 'login' do
        # Custom POST /login handling here
      end

      r.rodauth
    end
  end
end

How to start using Rodauth?
• Resolve database dependencies
• Define Rodauth features

Database dependencies
• Set up the database
• Create tables

Setup With PostgreSQL

# Load extensions
psql -U postgres -c "CREATE EXTENSION citext" ${DATABASE_NAME}

# Create database accounts
createuser -U postgres ${DATABASE_NAME}
createuser -U postgres ${DATABASE_NAME}_password

Setup With PostgreSQL

Sequel.migration do
  up do
    # Assumes the account_statuses table was created earlier in the migration
    create_table(:accounts) do
      primary_key :id, :type=>:Bignum
      foreign_key :status_id, :account_statuses, :null=>false, :default=>1
      if db.database_type == :postgres
        citext :email, :null=>false
        constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
        index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
      else
        String :email, :null=>false
        index :email, :unique=>true
      end
    end

    case database_type
    when :postgres
      # Let the second (password) database account create tables that
      # reference accounts.id
      user = get{Sequel.lit('current_user')} + '_password'
      run "GRANT REFERENCES ON accounts TO #{user}"
    end
  end
end

Define Rodauth Features

# secret, MUTEX and SMS are defined outside this fragment
plugin :rodauth, :json=>true, :csrf=>false, :flash=>false do
  enable :change_password, :close_account, :create_account, :login, :logout,
         :remember, :reset_password, :verify_account, :otp, :recovery_codes,
         :sms_codes, :password_complexity, :disallow_password_reuse,
         :password_grace_period, :account_expiration, :single_session, :jwt,
         :session_expiration
  max_invalid_logins 2
  allow_password_change_after 60
  verify_account_grace_period 300
  jwt_secret secret
  sms_send do |phone_number, message|
    MUTEX.synchronize{SMS[session_value] = "..."}
  end
end
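The configuration above sets max_invalid_logins 2. The following in-memory model is an added example (not Rodauth's implementation, which keeps the counters in database tables and sends the unlock key by email) that shows the lockout semantics that setting controls: the counter grows on each failed login, the account locks once the counter reaches the maximum, a locked account rejects even the correct password, and the lock clears only when the unlock key is consumed. LockoutStore, the account data and the password check are all constructed for this illustration.

```ruby
require 'securerandom'

# Added example: in-memory model of the lockout feature behind
# `max_invalid_logins`. Not Rodauth's code; LockoutStore is a made-up name.
class LockoutStore
  Account = Struct.new(:password, :invalid_logins, :unlock_key)

  def initialize(max_invalid_logins:)
    @max = max_invalid_logins
    @accounts = {}
  end

  def add_account(login, password)
    # Password kept in clear only to keep the example self-contained;
    # Rodauth stores a bcrypt hash and never the password itself.
    @accounts[login] = Account.new(password, 0, nil)
  end

  def locked_out?(login)
    acct = @accounts[login]
    !acct.nil? && !acct.unlock_key.nil?
  end

  # Returns :invalid_login, :locked_out, :invalid_password or :success.
  # A locked account rejects even the correct password, so continued
  # guessing gains nothing until the owner uses the unlock key.
  def login(login, password)
    acct = @accounts[login]
    return :invalid_login unless acct
    return :locked_out if locked_out?(login)

    if acct.password == password
      acct.invalid_logins = 0 # a successful login clears the counter
      return :success
    end

    acct.invalid_logins += 1
    if acct.invalid_logins >= @max
      acct.unlock_key = SecureRandom.hex(16) # would be emailed to the owner
      return :locked_out
    end
    :invalid_password
  end

  # What the unlock email would carry; exposed here only so the flow can be
  # exercised without a mailer.
  def unlock_key_for(login)
    @accounts.fetch(login).unlock_key
  end

  # Consuming the key clears the lock and the counter. Returns true on success.
  def unlock(login, key)
    acct = @accounts[login]
    return false unless acct && acct.unlock_key && key == acct.unlock_key
    acct.unlock_key = nil
    acct.invalid_logins = 0
    true
  end
end

if __FILE__ == $PROGRAM_NAME
  store = LockoutStore.new(max_invalid_logins: 2)
  store.add_account('alice@example.com', 'correct horse') # constructed data
  puts store.login('alice@example.com', 'guess 1')        # invalid_password
  puts store.login('alice@example.com', 'guess 2')        # locked_out
  puts store.login('alice@example.com', 'correct horse')  # locked_out
end
```

The point to take from the model is the last line of the demo: after the limit is reached the correct password is refused too, which is what turns a counter into brute-force protection.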
Summary

Rodauth Advantages
• Integration with any Rack application
• Minimum dependencies
• Features
• Security
• Simplicity

Rodauth Disadvantages
• Doesn't work with OAuth
• Routes design: can mismatch with your design

My own experience

Registration

require 'roda'
require 'sequel'

module Auth
  class Rodauth < Roda
    DB = Sequel.connect(ENV['DATABASE_URL'])

    plugin :middleware
    plugin :rodauth, json: :only do
      enable :login, :logout, :jwt, :create_account

      # Add an expiration claim to every issued token
      jwt_session_hash do
        super().merge(exp: SmartTaskApi::Utils.jwt_expiration)
      end

      jwt_secret ENV['JWT_SECRET']
    end

    route do |r|
      r.rodauth
      env['rodauth'] = rodauth
    end
  end
end

Token Authentication

require 'roda'
require 'sequel'

module Api
  class Rodauth < Roda
    DB = Sequel.connect(ENV['DATABASE_URL'])

    plugin :middleware
    plugin :rodauth, json: :only do
      enable :jwt
      jwt_secret ENV['JWT_SECRET']
    end

    route do |r|
      r.rodauth
      rodauth.require_authentication
      env['rodauth'] = rodauth
    end
  end
end
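The two apps above share a secret (jwt_secret) and stamp each token with an exp claim; the API side then accepts a request only if the token verifies. The block below is an added example, not Rodauth's :jwt feature, that shows in plain Ruby what such a verifier must do: pin the algorithm on the verifying side instead of trusting the token's own alg header, compare the HMAC in constant time, and reject tokens past exp. MiniJwt, the secret value and the claims are made up for the example; only the standard library is used.

```ruby
require 'openssl'
require 'json'

# Added example: minimal HS256 JWT issue/verify illustrating the token flow
# configured with `jwt_secret` above. Not Rodauth's code; MiniJwt is a
# made-up name.
module MiniJwt
  class Error < StandardError; end

  # URL-safe base64 without padding, as JWT requires.
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    s = str.tr('-_', '+/')
    s += '=' * ((4 - s.length % 4) % 4)
    s.unpack1('m0') # strict decoding: raises ArgumentError on garbage
  end

  # Compare two byte strings without stopping at the first mismatch, so the
  # signature check does not leak timing information.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.hmac(secret, data)
    OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), secret, data)
  end

  # Issue a token carrying `claims` plus iat/exp (ttl seconds from `now`).
  def self.sign(claims, secret, now: Time.now.to_i, ttl: 3600)
    header = { 'alg' => 'HS256', 'typ' => 'JWT' }
    body = claims.merge('iat' => now, 'exp' => now + ttl)
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(body))}"
    "#{signing_input}.#{b64url(hmac(secret, signing_input))}"
  end

  # Verify and return the claims, or raise MiniJwt::Error. The algorithm is
  # pinned here on the verifier side; the token's "alg" header never decides
  # how the token is checked.
  def self.verify(token, secret, now: Time.now.to_i)
    parts = token.to_s.split('.')
    raise Error, 'malformed token' unless parts.length == 3
    header_b64, body_b64, sig_b64 = parts

    header = JSON.parse(b64url_decode(header_b64))
    raise Error, 'unexpected alg' unless header['alg'] == 'HS256'

    expected = hmac(secret, "#{header_b64}.#{body_b64}")
    raise Error, 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)

    claims = JSON.parse(b64url_decode(body_b64))
    exp = claims['exp']
    raise Error, 'expired' unless exp.is_a?(Integer) && now < exp
    claims
  rescue ArgumentError, JSON::ParserError
    raise Error, 'malformed token'
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret' # constructed; use ENV['JWT_SECRET'] in practice
  token = MiniJwt.sign({ 'account_id' => 42 }, secret, ttl: 60)
  puts token
  puts MiniJwt.verify(token, secret).inspect
end
```

Signature and expiry are checked before any claim is acted on, and the signature check covers exactly the header and body bytes that were signed, so a token whose payload was altered after issue fails before its claims are ever parsed.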
Rodauth Examples
• https://github.com/jeremyevans/ginatra
• https://github.com/jeremyevans/rodauth-demo-rails
• https://github.com/davydovanton/rodauth_hanami
• https://github.com/davydovanton/grape-rodauth
• https://github.com/valikos/smart-task-api-hanami

Rodauth
Clean Authentication

Thanks!

Questions?

Valentyn Ostakh
https://github.com/valikos
https://twitter.com/valikos_ost
