rodauth: clean authentication - valentine ostakh
TRANSCRIPT
Valentyn Ostakh
https://github.com/valikos
https://twitter.com/valikos_ost
Rodauth: Clean Authentication
What is the most necessary feature for interaction with users?
Authentication
Authentication is the act of identifying the user who is going to interact with your product.
I want authentication for my application
Ruby-toolbox
Awesome-ruby
Authentication
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth
What about custom solution?
Custom Solution vs Authentication Libraries

Library     Issues     Pull Requests     First Release
Sorcery     64/451     28/306            31 Jan 2011
Clearance   12/374     4/369             1 Sep 2009
Authlogic   124/221    6/186             3 Nov 2008
Devise      39/3353    29/979            21 Oct 2009
Warden      18/74      4/49              26 May 2009
Rodauth     0/8        0/11              12 Aug 2015
I want flexible authentication that can be used with any framework
How to choose a library for my application?
Dependencies
• Authlogic - activerecord, activesupport
• Devise - rails, warden
• Clearance - rails, rack
• Sorcery - rails
• Warden - rack
• Rodauth - roda, rack
Clearance
Features
Registration
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth
Login
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth
Logout
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth
It would be great to have token authentication
Token Authentication
• Authlogic
• Devise
• Clearance
• Sorcery
• Warden
• Rodauth
Token Authentication Articles
• An Introduction to Using JWT Authentication in Rails
• Authenticate Your Rails API with JWT from Scratch
• Token-based authentication with Ruby on Rails 5 API
• JWT Auth in Rails, From Scratch
• Implementing JWT in Ruby on Rails-based API
• Authenticate Your Rails API with JWT
• Rails Api Backed With JWT
• Rails, Devise, JWT and the forgotten Warden
Token Authentication Gems
• jwt_authentication (based on devise)
• simple_token_authentication (based on devise)
• devise_token_auth (based on devise)
Token Authentication
Popularity
Library     Total Downloads (rubygems.org)
Devise      21,407,462
Warden      21,018,495
Authlogic   2,343,678
Sorcery     527,431
Clearance   317,409
Rodauth     6,163
Summary
Library     Dependencies     Features     Token Authentication
Devise
Warden
Authlogic
Sorcery
Clearance
Rodauth
Rodauth
Jeremy Evans (Twitter: @jeremyevans0)
Roda
Sequel
Rodauth Goals
• Security
• Simplicity
• Flexibility
Features first
Rodauth Features
• Login
• Logout
• Change Password
• Change Login
• Reset Password
• Create Account
• Close Account
• Verify Account
• Confirm Password
• Remember (Autologin via token)
• Lockout (Bruteforce protection)
• OTP (2 factor authentication via TOTP)
• Recovery Codes (2 factor authentication via backup codes)
• SMS Codes (2 factor authentication via SMS)
• Verify Change Login
• Verify Account Grace Period
• Password Grace Period
• Password Complexity
• Disallow Password Reuse
• Password Expiration
• Account Expiration
• Session Expiration
• Single Session
• JWT
• Update Password Hash
• HTTP Basic Auth
Security
• Uses database functions to access password hashes (optional)
• Two database accounts are used (optional)
Flexibility
Can be used with any Rack framework
```ruby
require "roda"

class RodauthApp < Roda
  # If using Rodauth in a non-Roda application
  # plugin :middleware

  plugin :rodauth do
    enable :login, :logout, :change_password
  end

  route do |r|
    r.rodauth
    rodauth.require_authentication

    # If using Rodauth in a Roda application
    # Your app code here
  end
end

# If using Rodauth in a non-Roda application
# use RodauthApp

# If using Rodauth in a Roda application
run RodauthApp
```
Rodauth uses a simple configuration DSL
```ruby
require 'simple_ldap_authenticator'

plugin :rodauth do
  enable :login, :logout

  # Don't require the bcrypt library, since using LDAP for auth
  require_bcrypt? false

  # Treat the login itself as the account
  account_from_login{|l| l.to_s}

  # Use the login provided as the session value
  account_session_value{account}

  # Store session value in :login key, since the :account_id
  # default wouldn't make sense
  session_key :login

  password_match? do |password|
    SimpleLdapAuthenticator.valid?(account, password)
  end
end
```
Simplicity
Rodauth allows for overriding any part of the framework
```ruby
module Auth
  class Rodauth < Roda
    plugin :rodauth do
      enable :login
    end

    route do |r|
      r.post 'login' do
        # Custom POST /login handling here
      end

      r.rodauth
    end
  end
end
```
How to start using Rodauth?
• Resolve database dependencies
• Define Rodauth features
Database dependencies
• Setup database
• Create tables
Setup With Postgresql
```sh
# Load extensions
psql -U postgres -c "CREATE EXTENSION citext" ${DATABASE_NAME}

# Create database accounts
createuser -U postgres ${DATABASE_NAME}
createuser -U postgres ${DATABASE_NAME}_password
```
Setup With Postgresql
```ruby
create_table(:accounts) do
  primary_key :id, :type=>:Bignum
  foreign_key :status_id, :account_statuses, :null=>false, :default=>1
  if db.database_type == :postgres
    citext :email, :null=>false
    constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
    index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
  else
    String :email, :null=>false
    index :email, :unique=>true
  end
end
```
```ruby
case database_type
when :postgres
  user = get{Sequel.lit('current_user')} + '_password'
  run "GRANT REFERENCES ON accounts TO #{user}"
end
```
Define Rodauth Features
```ruby
plugin :rodauth, :json=>true, :csrf=>false, :flash=>false do
  enable :change_password, :close_account, :create_account, :login, :logout,
         :remember, :reset_password, :verify_account, :otp, :recovery_codes,
         :sms_codes, :password_complexity, :disallow_password_reuse,
         :password_grace_period, :account_expiration, :single_session, :jwt,
         :session_expiration
  max_invalid_logins 2
  allow_password_change_after 60
  verify_account_grace_period 300
  jwt_secret secret
  sms_send do |phone_number, message|
    MUTEX.synchronize{SMS[session_value] = "..."}
  end
end
```
Summary
Rodauth Advantages
• Integration with any Rack application
• Minimum dependencies
• Features
• Security
• Simplicity
Rodauth Disadvantages
• Doesn’t work with OAuth
• Routes design: can mismatch with your design
My own experience
Registration
```ruby
module Auth
  class Rodauth < Roda
    DB = Sequel.connect(ENV['DATABASE_URL'])

    plugin :middleware

    plugin :rodauth, json: :only do
      enable :login, :logout, :jwt, :create_account

      jwt_session_hash do
        super().merge(exp: SmartTaskApi::Utils.jwt_expiration)
      end

      jwt_secret ENV['JWT_SECRET']
    end

    route do |r|
      r.rodauth
      env['rodauth'] = rodauth
    end
  end
end
```
Token Authentication
```ruby
module Api
  class Rodauth < Roda
    DB = Sequel.connect(ENV['DATABASE_URL'])

    plugin :middleware

    plugin :rodauth, json: :only do
      enable :jwt
      jwt_secret ENV['JWT_SECRET']
    end

    route do |r|
      r.rodauth
      rodauth.require_authentication
      env['rodauth'] = rodauth
    end
  end
end
```
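The two Rodauth apps above (registration issuing a JWT with an exp claim from jwt_session_hash, and the API app checking it via require_authentication) rely on the :jwt feature signing the session with jwt_secret and refusing expired tokens. The following is an added example, not Rodauth's or the talk's own code, that shows that contract in plain Ruby: an HS256 token is issued for a session hash and verified with a constant-time signature check and an exp check; the function and variable names are the example's own.

```ruby
require 'openssl'
require 'json'

# Minimal HS256 JWT issue/verify written to show what the :jwt feature
# does with jwt_secret and the exp claim added by jwt_session_hash.
# Example code, not Rodauth's own implementation.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/') + '=' * ((4 - str.length % 4) % 4)
  padded.unpack1('m0') # strict decoding raises ArgumentError on bad input
end

def hmac_sha256(secret, data)
  OpenSSL::HMAC.digest('SHA256', secret, data)
end

# Constant-time comparison so a signature check leaks no timing information.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a token for a session hash; exp is seconds since the epoch.
def issue_jwt(session_hash, secret)
  header = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  payload = b64url(JSON.generate(session_hash))
  signing_input = "#{header}.#{payload}"
  "#{signing_input}.#{b64url(hmac_sha256(secret, signing_input))}"
end

# Returns the session claims, or nil when the token is malformed, the
# algorithm is not HS256, the signature is wrong, or exp has passed.
def verify_jwt(token, secret, now: Time.now.to_i)
  header, payload, sig = token.to_s.split('.', 3)
  return nil if header.nil? || payload.nil? || sig.nil?
  hdr = JSON.parse(b64url_decode(header))
  return nil unless hdr.is_a?(Hash) && hdr['alg'] == 'HS256'
  expected = hmac_sha256(secret, "#{header}.#{payload}")
  return nil unless secure_compare(b64url_decode(sig), expected)
  claims = JSON.parse(b64url_decode(payload))
  return nil unless claims.is_a?(Hash)
  return nil if claims.key?('exp') && now >= claims['exp'].to_i
  claims
rescue ArgumentError, JSON::ParserError
  nil
end
```

Pinning the algorithm to HS256 matters: a verifier that trusts the alg header from the token is the classic JWT mistake, and Rodauth's jwt_secret setting is only as strong as the secret in ENV['JWT_SECRET'].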
Rodauth Examples
• https://github.com/jeremyevans/ginatra
• https://github.com/jeremyevans/rodauth-demo-rails
• https://github.com/davydovanton/rodauth_hanami
• https://github.com/davydovanton/grape-rodauth
• https://github.com/valikos/smart-task-api-hanami
Rodauth: Clean Authentication
Thanks!
Questions?
Valentyn Ostakh
https://github.com/valikos
https://twitter.com/valikos_ost