Rails 3 and OAuth

BarCamp Tampa, September 26, 2010

Who am I?

Hello, I’m Bryce.
I snuck up here from Miami.
I make web applications with Ruby on Rails.
I tweet as @bonzoesc

Quick Disclaimer

This used to be two presentations but I combined them.
Thanks for your cooperation!
What is Rails?

Ruby on Rails® is an open-source web framework that’s optimized for programmer happiness and sustainable productivity. It lets you write beautiful code by favoring convention over configuration. - http://rubyonrails.org/

What is Rails?

Rails is a way to build web applications quickly and be able to maintain them in the future.

What is Rails?

Twitter
Scribd
Hulu
Less Accounting
Basecamp
Shopify
Groupon
Get Satisfaction
Lighthouse
Urban Dictionary
Github
Kongregate
What is Rails?

Four main parts

What is Rails?

ActiveRecord turns the database into Ruby objects

What is Rails?

ActionController turns web requests into Ruby method calls

What is Rails?

ActionView turns Ruby code into web responses

What is Rails?

Railties turns the parts into Rails
History

So What?

Rails 3 feels like Rails in the right places.

So What?

Rails 3 is as flexible as Merb.

The Specifics
ActiveRecord

Database interactions

ActiveRecord Classic

# Rails 2 style finder; the WHERE clause goes in :conditions
@published = Post.find(
  :all,
  :conditions=>{:published=>true},
  :order=>'created_at desc'
)

@unpublished = Post.find(
  :all,
  :conditions=>{:published=>false},
  :order=>'created_at desc'
)

ActiveRecord Arel

@ordered = Post.order('created_at asc')
@published = @ordered.where(:published=>true)
@unpublished = @ordered.where(:published=>false)

ActiveRecord Arel

Compositional
Chainable
Less code
Lazy
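To make "compositional" and "lazy" concrete, here is an added pure-Ruby sketch (not ActiveRecord's code, and far simpler than the real Relation) in which every where/order call returns a new immutable relation, so the shared @ordered is never changed by the callers that refine it, and SQL is only produced when to_sql is asked for. The Relation class, its methods and the arel_demo helper are names chosen for this illustration; values travel as bind parameters rather than being interpolated into the SQL.

```ruby
# Constructed illustration of an Arel-style chainable, lazy query builder.
class Relation
  attr_reader :table, :conditions, :orders

  def initialize(table, conditions = {}, orders = [])
    @table, @conditions, @orders = table, conditions.freeze, orders.freeze
  end

  # Each call returns a *new* relation; the receiver is left untouched,
  # which is what lets one base relation be shared by several callers.
  def where(extra)
    Relation.new(table, conditions.merge(extra), orders)
  end

  def order(clause)
    Relation.new(table, conditions, orders + [clause])
  end

  # Nothing is built until a result is demanded (lazy evaluation).
  def to_sql
    sql = ["SELECT * FROM #{table}"]
    unless conditions.empty?
      sql << "WHERE " + conditions.keys.sort.map { |k| "#{k} = ?" }.join(" AND ")
    end
    sql << "ORDER BY " + orders.join(", ") unless orders.empty?
    sql.join(" ")
  end

  # Bind values in the same order as the placeholders in to_sql, so the
  # driver, not string interpolation, handles quoting (no SQL injection).
  def binds
    conditions.keys.sort.map { |k| conditions[k] }
  end
end

# Mirrors the three lines on the slide and returns what each would run.
def arel_demo
  ordered     = Relation.new("posts").order("created_at asc")
  published   = ordered.where(:published => true)
  unpublished = ordered.where(:published => false)
  {
    :ordered         => ordered.to_sql,
    :published       => published.to_sql,
    :unpublished     => unpublished.to_sql,
    :published_binds => published.binds
  }
end
```

Because `published` and `unpublished` compile to the same SQL text and differ only in their bind values, a database can reuse one prepared statement for both.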
ActiveModel

Put the ActiveRecord features you love on plain, non-database objects

ActiveModel

Validations
Serialization (JSON, XML)
Callbacks (before_save)
Translations

ActionController

Handling requests

Responder

Exposed to the developer for the first time

Responder

Allows precise yet reusable control of how responses are generated

Responder

class EpisodesController < ApplicationController
  respond_to :html, :xml, :json

  def index
    @episodes = Episode.all
    respond_with @episodes
  end
end
CSRF Protection

Cross-Site Request Forgery is an attack allowing an attacker to impersonate a user.

CSRF Protection

1. User clicks link in a friend’s tweet to http://evilsite.us/

CSRF Protection

2. User clicks play on a video on http://evilsite.us/

CSRF Protection

3. User ends up tweeting link to http://evilsite.us/

CSRF Protection

Note that Twitter isn’t vulnerable to this. They use Rails’ built-in CSRF protection.

CSRF Protection

Enabled by default
Transparent
Use the built-in form builders
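As an added example (not Rails' own implementation), the synchronizer-token check behind protect_from_forgery in miniature: the form builder writes a per-session random token into every form, and a state-changing request is only accepted when it carries that token back. CsrfGuard, the request hash shape and the csrf_demo scenario are constructed for this illustration; the scenario replays the three-step story above from the server's point of view, where the POST triggered from another site arrives without the session's token.

```ruby
require 'securerandom'

# Constructed illustration of the synchronizer-token pattern behind Rails'
# protect_from_forgery; class and method names are chosen for this example.
class CsrfGuard
  # Safe methods must have no side effects, so they need no token.
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # One random secret per session, minted on first use.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # What the built-in form builders add to every form they render.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session)}" />)
  end

  # Constant-time comparison: never stop at the first differing byte.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff == 0
  end

  # True when the request may reach the controller action.
  # request is a plain hash here: { :method, :params, :headers }.
  def self.verified?(session, request)
    return true if SAFE_METHODS.include?(request[:method])
    expected  = session[:_csrf_token]
    submitted = request[:params]['authenticity_token'] || request[:headers]['X-CSRF-Token']
    !expected.nil? && secure_compare(expected, submitted.to_s)
  end
end

# The slides' story from the server's side: a page on another origin makes the
# logged-in user's browser POST to us. That page cannot read our form, so the
# request it triggers has no token (or at best a guessed one).
def csrf_demo
  session = {}
  token   = CsrfGuard.hidden_field(session)[/value="([^"]+)"/, 1]
  post    = lambda { |params| { :method => 'POST', :params => params, :headers => {} } }

  {
    :legit   => CsrfGuard.verified?(session, post.call({ 'status' => 'hi', 'authenticity_token' => token })),
    :forged  => CsrfGuard.verified?(session, post.call({ 'status' => 'spam' })),
    :guessed => CsrfGuard.verified?(session, post.call({ 'status' => 'spam', 'authenticity_token' => 'A' * 44 })),
    :read    => CsrfGuard.verified?(session, { :method => 'GET', :params => {}, :headers => {} })
  }
end
```

The protection is transparent precisely because the token lives in the session and in the form builder's output; the only way to lose it is to hand-write a form without the hidden field, which is why the slide says to use the built-in builders.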
ActionView

Producing responses

XSS Protection

Cross Site Scripting is a class of attack allowing an attacker to execute code in a user’s web browser.

XSS Protection

1. User watches video on YouTube

XSS Protection

2. Malicious code in the comments causes the user to post malicious code in videos they’ve previously watched.

XSS Protection

Rails 3 has protection for this built in and enabled by default. Think hard before using raw output in views.
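An added illustration (not ActionView's code) of what "enabled by default" means: text is escaped as it is appended to the response buffer, and only an explicit raw marker bypasses that, so a comment stored by one user reaches every other user's browser as text rather than markup. SafeBuffer, TrustedHtml, raw, render_comment and the constructed comment string are names and data made up here; the second branch of render_comment shows what "think hard before using raw" guards against.

```ruby
# Constructed illustration of escape-by-default output buffering.
class SafeBuffer
  ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;' }.freeze

  # The five characters that can change meaning inside HTML text or attributes.
  def self.escape(str)
    str.to_s.gsub(/[&<>"']/) { |c| ESCAPES[c] }
  end

  def initialize
    @out = String.new
  end

  # Untrusted strings are escaped on the way in; only values explicitly
  # marked trusted (the equivalent of raw / html_safe) are copied verbatim.
  def <<(str)
    @out << (str.is_a?(TrustedHtml) ? str.html : SafeBuffer.escape(str))
    self
  end

  def to_s
    @out
  end
end

# The explicit, deliberate opt-out. Templates' own static markup is trusted;
# anything that came from a user should not be.
TrustedHtml = Struct.new(:html)
def raw(html)
  TrustedHtml.new(html)
end

# Constructed stand-in for a stored comment containing script.
MALICIOUS_COMMENT = %(Great video! <script>alert("xss")</script>)

# use_raw = true reproduces the mistake the slide warns about.
def render_comment(comment, use_raw = false)
  buf = SafeBuffer.new
  buf << raw('<li class="comment">') << (use_raw ? raw(comment) : comment) << raw('</li>')
  buf.to_s
end
```

With the default path the browser shows the comment's text, script tags included, as literal characters; the raw path hands the stored script to every viewer of the page.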
A side note

Curious about CSRF and XSS attacks? Hack Miami had presentations about these vulnerabilities on Saturday, September 18. Hop in your DeLorean to learn more! http://hackmiami.org/

Unobtrusive JavaScript

Rails 1 & 2 injected JavaScript into pages to make AJAX features work.

Unobtrusive JavaScript

Rails 3 annotates the HTML with special properties.

Unobtrusive JavaScript

There are drivers for Prototype, jQuery, and more.

No more scripts/*

The scripts directory used to contain tools for generating and running your application.

No more scripts/*

Rails 3 does this with the rails tool.

Big Changes

ActiveRecord: Arel, ActiveModel
ActionController: CSRF protection, ActionController::Responder
ActionView: XSS Protection, Unobtrusive JavaScript
Railties: No more scripts/*
Authorization with OAuth

Authentication

Authentication is proving who you are.

Authentication

• Driver’s license
• Passport
• Fingerprint on file

Authorization

Authorization is letting something happen on your behalf.

Authorization

• Signature on a contract
• Key in your car’s ignition
• Verbal permission

Authentication and Authorization

Two security primitives that taste great together!
On the Web

The Old Stupid Way

• You want TripIt to read your address book.
• You don’t want TripIt to read all your email.

Another Bad Idea

• How do you revoke access?
• How do you revoke access to only one client?
• How do you ensure clients only do certain things?

OAuth

An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. - http://oauth.net/

OAuth

OAuth lets you limit and control client applications working on your behalf.

OAuth

Facebook
Yahoo
Twitter
Netflix
Github
Picomoney
Google
37signals
An OAuth Session

1. You find a useful website that reads your friends’ tweets about movies, and adds them to your Netflix queue.

An OAuth Session

2. You click the “Connect with Netflix” button, and are redirected to: https://api-user.netflix.com/

An OAuth Session

3. You enter your Netflix account information, and are returned to the client website.

An OAuth Session

4. You click the “Connect with Twitter” button, and are redirected to: https://api.twitter.com/

An OAuth Session

5. You enter your Twitter account information, and are returned to the client website.

An OAuth Session

The client application gets tokens for each service.

An OAuth Session

If you decide (at any time) to quit using the service, you can visit Twitter and Netflix and revoke its authorization.
An OAuth Session

The Guts

1. The consumer (client) asks the provider (server) for a new blank request token, and sends the user to the provider with that request token.

The Guts

2. The user authenticates with the provider, and accepts (or denies) the authorization the consumer wants.

The Guts

3. The user is redirected back to the consumer with a request token bound to that user.

The Guts

4. The consumer gives the request token to the server in exchange for an access token.

The Guts

5. The consumer can use the access token as authorization.
OAuth 2

OAuth 1.0a and 2 are different and incompatible.

OAuth 1 or 2?

If you’re making a consumer, the provider made that choice for you.

OAuth 1 or 2?

If you’re making a provider, OAuth 2.
Getting Started

I Didn’t Finish My Demo

Photo Credits

http://www.flickr.com/photos/lazytom/320269269/
http://www.flickr.com/photos/andrewmbutler/428388719/
http://www.flickr.com/photos/emdurso/2686817699/
http://www.flickr.com/photos/beleaveme/1871344753/
http://www.flickr.com/photos/beleaveme/4676893419/
http://www.flickr.com/photos/scottobear/186001665/ (pretty smug about Tri-Rail photos in a Rails 3 presentation)

Photo Credits

http://www.flickr.com/photos/95453014@N00/451238739/
http://www.flickr.com/photos/mattkieffer/4671197999/
http://www.flickr.com/photos/italintheheart/4018162624/
http://www.flickr.com/photos/spbutterworth/2756176408/
http://www.flickr.com/photos/gesteves/3336482837/

Look at Stuff

http://db.tt/wDfs5nd - slides (keynote & pdf)
http://bit.ly/r3oauth - half-finished source
http://twitter.com/bonzoesc

Questions

Thanks!

What I’m Using

• Ruby 1.8.7
• Rails 3
• “twitter” gem

Follow along!

The hexits at the bottom of the slide are a git commit number.
http://bit.ly/r3oauth
Build the Skeleton

> rails new oauthdemo

fbdb7051

Add Gems

Gemfile:
  gem 'oauth'

> bundle install

96919add

Start the Server

> rails s

Add a Users table

> rails g model user screen_name:string twitter_token:string twitter_secret:string

3473158b

Stub Controller

> rails g controller authorization new show

767512e2

Stub Controller

config/routes.rb:
Oauthdemo::Application.routes.draw do
  resource :authorization
end

app/controllers/authorization_controller.rb:
class AuthorizationController < ApplicationController
  …
  def create
  end

  def destroy
  end
end

2dd53ba0

OAuth Configuration

config/initializers/twitter.rb:

TWITTER_OAUTH_TOKENS = {
  :key=>'DCtwdGNS38Sr9JN…',
  :secret=>'gJ6RN7Nblq9t…'
}

bb1dd05b
  • Merb started as a smaller, simpler Rails.
    Merb didn’t force you to use some of the libraries that Rails 1 & 2 did.
    In December 2008, the Rails and Merb teams announced they were merging and collaborating on Rails 3.

  • ActiveRecord: Arel, ActiveModel
    ActionController: CSRF protection, ActionController::Responder
    ActionView: XSS Protection, Unobtrusive JavaScript
    Railties: No more scripts/*

  • Easily add XML or JSON support to a resource.
    Add pagination support for HTML views.

  • For example, visiting http://malicious.site/ could post a message as you on Twitter.

  • Unless you go through the work to disable this, you won’t have to worry.

  • On a page with 100 AJAX buttons, this could double the size of the page load.
  • The client downloads a driver once per site, instead of on every page load.

  • The most “gotcha” of the Rails changes.
    When upgrading Rails, these scripts would have to be added to or replaced.
  • When new versions are released, you won’t have to update any scripts.