#270 Authentication in Rails 3.1

Ryan, is the "force_ssl" needed if nginx setup with force ssl redirection?

If you need something like hash_secure_password on Rails 3.0.x, you can use my plugin at https://github.com/SMWEB/salt-and-pepper . As a bonus, it only uses a single column in the database and doesn't force you to call your attribute "password".

I noticed you used "flash.now.warning" = instead of "flash.now[:warning] =". I was curious about it but it doesn't work in 3.1RC4. Was this just a mistake or is there a plugin that has this functionality?

I'm probably missing something obvious here. But what is the use case for the "sign up" authentication method?

If anyone can sign up and set up a password, isn't the site just as unprotected as a site with no password?

Great screencast. I have a couple of questions though after watching it. I noticed that you are using a couple of 'old school' methods in your code which I thought were not considered the 'Rails 3' way of doing things. I'm referring to:

user = User.find_by_email(params[:email])

and

validates_presence_of :password, :on => :create

Is this still considered good practice in Rails 3 when we have the alternatives?

user = User.where(:email => params[:email]).first

and

validates :password, :on => :create

Thanks for your help!

Hello! This is certainly not the first time I am implementing authentication, but the question rises again, as I need it in a social website.. is using session[:user_id] safe by default?

arguments:
http://stackoverflow.com/questions/623379/rails-tracking-a-users-id#answer-623463
http://www.issociate.de/board/post/475749/Is_it_safe_to_store_user_id_in_Session?.html

No password salt?

Hi Ryan:

As always, a wonderful screencast.
Is CanCan compatible with the new Rails 3.1 authentication?

Thanks,
-Alex

Hi,

I have previously used devise for authentication but think it is to heavy with too many functions and too much I have to customize. This new built-in methods are really nice.

In devise you use a before_filter to authenticate certain actions, e.g.

before_filter :authenticate_user!

How can I do the same thing without using devise and instead use the new methods?

What about creating a user via the console? I can't find any methods for creating the password_digest.

Personally, I find using a 'login' method that takes a username (or email if you like) and a password is shorter and nicer than 2 lines of first finding the user in the db and then checking for the password explicitly.

See my gem https://github.com/NoamB/sorcery for an example (wiki).

Anybody know how to create a fixture (traditional YAML style) for a model using has_secure_password?

I like this but can't figure out how to override the duplicate validation errors when say the password field is left blank:

• Password digest can't be blank
• Password can't be blank

"Password digest" means NOTHING to a user. How can we suppress this first error when the validator is in Rails 3.1 source?

Anybody know a way to "un" force_ssl? I've got it set on one controller, but if a user clicks a relative link on my page, I want to revert to http. I can think of a few ways, but they're all pretty nasty. Hoping there's a simpler way.

Thanks in advance for any help!

Using this screencast, I was able to get rid of Devise in about 20 minutes. THANKS!!

I think a lot of people would benefit from a screencast that shows 'advanced' authentication options like: remember me, forgot password, session timeouts, email registrations confirmations, ...

Is this buildin solution capable to replace and be a real alternative to authetication gems/plugins like authlogic?

Hi Ryan,

You mentioned it is important to name the field password_digest when you created the model. However then the model/view/controller uses password. Does rails somehow know how to match password to password_digest?

If I use a name pass_digest, would rails match to pass?

This is a really great tutorial, especially in terms of security and understanding authorization, however, I'd just like to caution everyone about rolling their own authentication.

Pre oAuth, every site required it's own username/email and password. This results in countless accounts on multiple servers. However, now, it's easy to authenticate with Facebook, Amazon, or (like Railscasts) github.

I'd just like to encourage developers to consider using an oAuth mechanism in their next project, if deemed fit. Do we really need another account? :)

Hi Ryan

does has_secure_password works also with mongoid?
I still get "undefined local variable or method `has_secure_password' for User:Class (NameError)". This with Rails 3.1.0.rc4 and mongoid 2.0.2

As I read somewhere else "Any ActiveModel based model will get this functionality. (ActiveRecord, Mongoid)".

Thanks for the great job!

SET "password_digest = '$2a$10erAAjsAfskv...' 

appears unfiltered in the log files (Rails 3.1.rc4) Is this a security issue ?

Hey Ryan,

Thank you for this screencast! I was wondering.. is there a way to "delay" the Password validations when using has_secure_password?

I'm working on a 3-step signup wizard where the last step is the authentication (email and password), however I can't get past the first step because of validation errors (i.e. 2 errors prohibited this user from being saved: * Password digest can't be blank * Password can't be blank).

Any help would be appreciated. Thanks again for your screencasts!!!

J

(newbie alert)

I'm having a hard time understanding how the successful "signed up!" message appears as shown in the video, esp when comparing it to the downloadable episode code. There doesn't seem to be anything in a View or Layout to output flash[:notice]

when I got to the SSL portion of the screencast, everything worked fine in Safari with the same sort of message "Safari can't open page".

however when I switched to Firefox, the error message is quite diff't:

"Secure Connection Failed

An error occurred during a connection to localhost:3000.

SSL received a record that exceeded the maximum permissible length.

(Error code: ssl_error_rx_record_too_long)"

Likewise the log output from the server, which on Safari was:

Started GET "/login" for 127.0.0.1 at 2011-07-28 21:44:32 -0500
  Processing by SessionsController#new as HTML
Redirected to https://localhost:3000/login
Completed 301 Moved Permanently in 1ms
[2011-07-28 21:44:32] ERROR bad URI `?,rz?7?1\x00\x00H\x00??'.
[2011-07-28 21:44:56] ERROR bad URI `?????>]\x03????X?y?\x00\x00H\x00??'.
cache: [GET /login] miss

now, in Firefox , looks like:

Started GET "/login" for 127.0.0.1 at 2011-07-28 21:46:06 -0500
  Processing by SessionsController#new as HTML
Redirected to https://localhost:3000/login
Completed 301 Moved Permanently in 0ms
[2011-07-28 21:46:06] ERROR bad URI `|a\x00\x00F?'.
[2011-07-28 21:46:06] ERROR bad Request-Line `\x16\x03\x00\x00Q\x01\x00\x00M\x03\x00N2\x1E?][4\x01\x00??u?9^?!RY?g0??%?H?\b?\x00\x00&\x00/\x00\x05\x00\x04\x005\x00'.
[2011-07-28 21:47:06] ERROR bad Request-Line `\x16\x03\x01\x00?\x01\x00\x00?\x03\x01N2\x1F*\x10?o-k\eD?\x7F?T??u?9?\eN\x01?.???\x12\x00\x00H\x00??'.

Is this as expected? I note that both say redirected to the SSL equivalent. But the Safari message looks legit whereas the Firefox one looks like more of an error

Edit @sethvargo - fixed code formatting

As usual, excellent screencast Ryan. Have you built tests for authentication with has_secure_password? I'm encountering this error when creating a user in a functional test:

NoMethodError: undefined method `password_digest' for #<User:0x007faf810f8b00>

Hello

I'm having an issue with testing this using Rspec and capybara. I can get and post in Rspec which will set and pass session variables, but when I try and do Capybara request specs I cannot. The end result is that I cannot test any page that has before_filter authorize set on its action.

Thanks,
This is driving me crazy!

I just set this up using CanCan for authorization. Works great!

I also added a check in the session controller to make sure the user isn't already logged in when visiting the login path:

  def new
    redirect_to root_path, :notice => 'You are already logged in.' if session[:user_id]
  end 

How can i restrict use of SecureAuthentication to html requests only? I want use HTTP basic authentication for json requests. Thanks

So what's the downside? You mentioned that you prefer rolling your own authentication from scratch -- is this any less secure/effective/flexible/etc... ? Advantages/disadvantages?

Thanks

Thanks Ryan, great screencast, I am using it in my app.

I have a users model with only an email and password_digest attributes.

One question (I really need help!): Once the user is logged in, how can I require the user to enter their current password in order to change/update their email or password?

Thanks!

After reading up on Rails sessions, I added

reset_session

to SessionsController#create

"One line of code will protect you from session fixation. The most effective countermeasure is to issue a new session identifier and declare the old one invalid after a successful login. That way, an attacker cannot use the fixed session identifier. This is a good countermeasure against session hijacking, as well."

http://guides.rubyonrails.org/security.html

Got a site I'm working on and have followed the example above and got the authentication working except for the logout link, with the sessions#destroy not deleting the session and the redirect is going to the login page not the root_url.

Any help with this would be appreciated.

Thanks for a great tutorial Ryan. I've noticed this method, when using Heroku, means that login details are case sensitive. I think it's because of the way Postgres works - has anyone found a way to adapt the code to allow login details to not be case-sensitive for Heroku?

How would I make HTTP basic authentication conditional? For example, I have a staging server at work, and I only want to make people authenticate if they access the server from outside the local network.

class ApplicationController << ActionController::Base
  http_basic_authenticate_with :realm => "Staging", :name => "user", :password => "password" if :needs_authentication?

private

  def needs_authentication?
    Rails.env == "staging" && request.remote_addr !~ /^192.168.0.\d{1,3}$/
  end

end

With this, I am always prompted to authenticate—even if needs_authentication? explicitly returns false. Moving http_basic_authenticate_with inside a method doesn't seem to work, either—I get an undefined method error.

Is it possible to do a post to create a new user via json?

I've added validates_presence_of :email, :on => :create

I'm trying.

POST /users.json HTTP/1.1
Content-Type: application/json

{
"email": "myuser@useremail.com",
"password": "1234",
"password_confirmation": "1234"
}

It picks up the email field but not the others. Is it even possible to do a post like this with the password_digest system?

This is what I cam up with for the time being...

def create
            t_params = params.dup

              if params["format"] == "json"
                    t_params.delete("action")
                t_params.delete("controller")
                t_params.delete("format")
                t_params.delete("user")

                @user = User.new(t_params)
              else
                @user = User.new(t_params[:user])
              end

            respond_to do |format|
                    if @user.save
                            format.html { redirect_to root_url, :notice => "Signed up!" }
                                format.json { render json: @user, status: :created, location: @user }
                    else
                            format.html { render action: "new" }
                            format.json { render json: @user.errors, status: :unprocessable_entity }
                    end
            end
        end

Thanks for the screencast, Ryan! For a small project, this is much better than a full-blown authentication system like Devise.

I'm working on an app where I have a Customer model that should just store basic contact information and may optionally include a login with username and password. Is there any way to use has_secure_password if a password is set yet also allow for a Customer to be created without a password?

Sorry new to rails/ruby this is all that's needed...

@user = User.new(params[:user])
def create
if params["format"] == "json"
    @user.password = [params[:password]]
end
#etc..

The User.authenticate method will not exist in Rails 3.1.3. I have posted a question here: http://stackoverflow.com/questions/8585104/method-authenticate-misssing-from-user-model-using-secure-password

The workaround that I used is to call
get_logged_in_user(password)

Anybody know more about this issue?

It seems that the issue with "authenticate" is particular to ruby 1.9.3. I tried with Ruby 1.9.2, and I don't see any issues.

I would like to not have to update the password every time I modify a user. How can I leave the password field blank and just ignore the validation for the password? Does anybody know how?

Could someone post an example of what the routes file for this project would look like? Im an extreme beginner, and so far can't figure out how I would configure it correctly.

-Thanks

I was watching this and a question came to mind. Is there no need ever to put authentication to the model level, that even people using console will need to be authenticated? From what I know, at production technical person with access to app directory can access all data through console with a little know knowledge of the models. Is that right? If there is a need, is it possible?

ACTIVE MODEL CHANGES RAILS 3.1.1
http://weblog.rubyonrails.org/2011/10/7/ann-rails-3-1-1

Remove hard dependency on bcrypt-ruby to avoid make ActiveModel dependent on a binary library. You must add the gem explicitly to your Gemfile if you want use ActiveModel::SecurePassword:

gem 'bcrypt-ruby', '~> 3.0.0'

This might help others that might be staring at an Error page, wondering why that gem wasn't required. @rbates You should add it to the show notes. :)

Quick question,

I have all of this working like a charm. However is not clear how I can call the login and what parameters it takes.
For example I would like the use to be signed in when on successful signup.
How can I do it?

Thanks :)

davodesign84,

Have a look here: http://ruby.railstutorial.org/chapters/sign-in-sign-out#sec:signin_upon_signup

Hartl doesn't use has_secure_password. But I think you can use same logic when implementing that feature.

I had a problem with the users_controller as posted in the screencast. I copied it directly into my app, and on running got - undefined method `model_name' for NilClass:Class. I'm not sure if this was an issue with my routes, but rails needed a respond_to to be able to handle the "new" request. ie

def new
    @user = User.new
    respond_to do |format|
      format.html # new.html.erb
      format.json { render json: @user }
    end
end

Probably only an issue if new to rails!
(Currently running rails 3.1.3)

Any idea on how to add a restriction to the number of user sessions with this approach? What I'd like to have is one browser window per user. Opening the app in another browser window would display a warning, signing in from another browser window would also display a warning+a choice to destroy the other session.

Has anyone implemented anything like this?

I am on windows and i am getting the following error when i tried to sign up

"NoMethodError in UsersController#new

undefined method `key?' for nil:NilClass"

I am using rails 3.2.3

What is the way to test beyond login_required?

Trying this in spec/requests does not seem to help:

before do
  @user = FactoryGirl.create :user
  cookies[:auth_token] = @user.auth_token
  visit "/"
end

Results in a redirect to the signin page. Can anybody help with this?

Upon login I get the following error returned:

NoMethodError in SessionsController#create

undefined method `authenticate' for #Class:0xb69d4638

  class User < ActiveRecord::Base
  has_secure_password

  attr_accessible :email, :password_digest, :password, :password_confirmation

  validates_uniqueness_of :email
end

Any suggestions?

How do you write a functional test for the login?

Hello. Newbie here.

I cant get the http://localhost:3000/users view to show properly. I get served a:

Unknown action
The action 'index' could not be found for UsersController

Any hints to as what I am doing wrong?

greatfull for any input.

HTTPBasicAuth is still the best way IMO to add quick authentication for things that don't need a full blown login system.