Ruby on Rails Authentication Cheatsheet
This page covers secure user authentication in Ruby on Rails.
Implementing authentication in a typical Rails application is made easy and secure with the Devise gem.
Install it using:
Then install it to the user model:
rails generate devise:install
Next, specify which resources (routes) require authenticated access in your routes, config/routes.rb:
    Rails.application.routes.draw do
      authenticate :user do
        resources :something do # these resources require authentication
          ...
        end
      end

      devise_for :users # sign-up/sign-in/sign-out routes

      root to: 'static#home' # no authentication required
    end
To harden authentication, enforce higher password complexity than the Devise defaults and accept TLS connections only.
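As an added example (not part of the cheatsheet or of Devise itself), here is a password policy that goes beyond Devise's default length check and can be wired into the Devise User model as a custom validation; the module name, thresholds and the `User`/`email` attribute are assumptions:

```ruby
# Added example: stricter password complexity for a Devise-backed User model.
# Devise's default is only `config.password_length = 6..128` in the initializer.
module PasswordPolicy
  MIN_LENGTH = 12          # assumed policy threshold
  MAX_LENGTH = 128         # keeps Devise's cap; bcrypt only hashes the first 72 bytes anyway
  CLASSES = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z0-9]/].freeze

  # Returns human-readable violations; an empty array means the password passes.
  def self.violations(password, email: nil)
    pw = password.to_s
    errs = []
    errs << "must be at least #{MIN_LENGTH} characters" if pw.length < MIN_LENGTH
    errs << "must be at most #{MAX_LENGTH} characters" if pw.length > MAX_LENGTH
    present = CLASSES.count { |re| pw.match?(re) }
    errs << "must use at least three of: lowercase, uppercase, digit, symbol" if present < 3
    errs << "must not repeat one character four or more times in a row" if pw.match?(/(.)\1{3,}/)
    if email
      # Reject passwords built from the account's own e-mail local part.
      local = email.to_s.split("@").first.to_s.downcase
      errs << "must not contain your e-mail name" if local.length >= 4 && pw.downcase.include?(local)
    end
    errs
  end

  def self.valid?(password, email: nil)
    violations(password, email: email).empty?
  end
end

# Hooking it into app/models/user.rb (shown as comments so this file runs without Rails):
#   class User < ApplicationRecord
#     devise :database_authenticatable, :registerable, :validatable
#     validate :password_complexity
#     def password_complexity
#       return if password.blank?   # :validatable already enforces presence and length
#       PasswordPolicy.violations(password, email: email).each { |m| errors.add(:password, m) }
#     end
#   end
# TLS-only: set `config.force_ssl = true` in config/environments/production.rb.
```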
You can try out this PoC to learn more about Devise.
Note that authorization, i.e. access to concrete resource objects rather than to resource classes, is provided by other solutions such as CanCanCan.