rodauth: clean authentication - valentine ostakh

Valentyn Ostakh

https://github.com/valikos

https://twitter.com/valikos_ost


RodauthClean Authentication

What is the most necessary feature for interaction with users?

Authentication

Authentication is the act of identification of user that going

to interact with your product

I want authentication for my application

Ruby-toolbox

Awesome-ruby

Authentication• Authlogic

• Devise

• Clearance

• Sorcery

• Warden

• Rodauth

What about custom solution?

Custom Solution vs Authentication LibrariesLibrary Issues Pull Requests First Release

Sorcery 64/451 28/306 31 Jan 2011

Clearance 12/374 4/369 1 Sep 2009

Authlogic 124/221 6/186 3 Nov 2008

Devise 39/3353 29/979 21 Oct 2009

Warden 18/74 4/49 26 May 2009

Rodauth 0/8 0/11 12 Aug 2015

I want flexible authentication that can be used with any framework

How to choose a library for my application?

Dependencies

• Authlogic - activerecord, activesupport

• Devise - rails, warden

• Clearance - rails, rack

• Sorcery - rails

• Warden - rack

• Rodauth - roda, rack

Clearance

Features

Registration• Authlogic

• Devise

• Clearance

• Sorcery

• Warden

• Rodauth

Login• Authlogic

• Devise

• Clearance

• Sorcery

• Warden

• Rodauth

Logout• Authlogic

• Devise

• Clearance

• Sorcery

• Warden

• Rodauth

Would be great to have token authentication

Token Authentication• Authlogic

• Devise

• Clearance

• Sorcery

• Warden

• Rodauth

Token Authentication Articles

• An Introduction to Using JWT Authentication in Rails

• Authenticate Your Rails API with JWT from Scratch

• Token-based authentication with Ruby on Rails 5 API

• JWT Auth in Rails, From Scratch

• Implementing JWT in Ruby on Rails-based API

• Authenticate Your Rails API with JWT

• Rails Api Backed With JWT

• Rails, Devise, JWT and the forgotten Warden

Token Authentication Gems

• jwt_authentication

• simple_token_authentication

• devise_token_auth

Token Authentication Gems

• jwt_authentication (based on devise)

• simple_token_authentication (based on devise)

• devise_token_auth (based on devise)

Token Authentication

Popularity

Library Total Downloads rubygems.org

Devise 21,407,462

Warden 21,018,495

Authlogic 2,343,678

Sorcery 527,431

Clearance 317,409

Rodauth 6,163

http://rubygems.org

Summary

Library Dependencies Features TokenAuthentication

Devise

Warden

Authlogic

Sorcery

Clearance

Rodauth

Rodauth

Jeremy EvansTwitter: @jeremyevans0

Roda

Sequel

Rodauth Goals

• Security

• Simplicity

• Flexibility

Features first

Rodauth FeaturesLogin


Logout


Logout

Change Password


Logout

Change Password

Change Login


Logout

Change Password

Change Login

Reset Password


Logout

Change Password

Change Login

Reset Password

Create Account


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password

Remember (Autologin via token)


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password


Lockout (Bruteforce protection)


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password



OTP (2 factor authentication via TOTP)


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password




Recovery Codes (2 factor authentication via backup codes)


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password





SMS Codes (2 factor authentication via SMS)


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login

Verify Account Grace Period


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login


Password Grace Period


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity

Disallow Password Reuse


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Password Expiration


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Password Expiration

Account Expiration


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Password Expiration

Account Expiration

Session Expiration


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Password Expiration

Account Expiration

Session Expiration

Single Session


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Password Expiration

Account Expiration

Session Expiration

Single Session

JWT


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Password Expiration

Account Expiration

Session Expiration

Single Session

JWT

Update Password Hash


Logout

Change Password

Change Login

Reset Password

Create Account

Close Account

Verify Account

Confirm Password






Verify Change Login



Password Complexity


Password Expiration

Account Expiration

Session Expiration

Single Session

JWT

Update Password HashHTTP Basic Auth

Security

• Uses database functions to access password hashes

• Two database accounts are used

• Uses database functions to access password hashes (optional)

• Two database accounts are used (optional)

Flexibility

Can be used with the any rack framework

require "roda"

class RodauthApp < Roda # If using Rodauth in a non-Roda application # plugin :middleware

plugin :rodauth do enable :login, :logout, :change_password end

route do |r| r.rodauth

rodauth.require_authentication

# If using Rodauth in a Roda application # Your app code here end end

# If using Rodauth in a non-Roda application # use RodauthApp

# If using Rodauth in a Roda application run RodauthApp

Rodauth uses a simple configuration DSL

require 'simple_ldap_authenticator' plugin :rodauth do enable :login, :logout

# Don't require the bcrypt library, since using LDAP for auth require_bcrypt? false

# Treat the login itself as the account account_from_login{|l| l.to_s}

# Use the login provided as the session value account_session_value{account}

# Store session value in :login key, since the :account_id # default wouldn't make sense session_key :login

password_match? do |password| SimpleLdapAuthenticator.valid?(account, password) end end

Simplicity

Rodauth allows for overriding any part of the

framework

module Auth class Rodauth < Roda plugin :rodauth do enable :login end

route do |r| r.post 'login' do # Custom POST /login handling here end

r.rodauth end end end

How to start use Rodauth?

• Resolve database dependencies

• Define Rodauth features

Database dependencies

• Setup database

• Create tables

Setup With Postgresql

# Load extentions psql -U postgres -c "CREATE EXTENSION citext" ${DATABASE_NAME}

# Create database accounts createuser -U postgres ${DATABASE_NAME} createuser -U postgres ${DATABASE_NAME}_password

Setup With Postgresqlcreate_table(:accounts) do primary_key :id, :type=>:Bignum foreign_key :status_id, :account_statuses, :null=>false, :default=>1 if db.database_type == :postgres citext :email, :null=>false constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/ index :email, :unique=>true, :where=>{:status_id=>[1, 2]} else String :email, :null=>false index :email, :unique=>true end end

case database_type when :postgres user = get{Sequel.lit('current_user')} + '_password' run "GRANT REFERENCES ON accounts TO #{user}" end

Define Rodauth Featuresplugin :rodauth, :json=>true, :csrf=>false, :flash=>false do enable :change_password, :close_account, :create_account, :login, :logout, :remember, :reset_password, :verify_account, :otp, :recovery_codes, :sms_codes, :password_complexity, :disallow_password_reuse, :password_grace_period, :account_expiration, :single_session, :jwt, :session_expiration, max_invalid_logins 2 allow_password_change_after 60 verify_account_grace_period 300 jwt_secret secret sms_send do |phone_number, message| MUTEX.synchronize{SMS[session_value] = "..."} end end

Summary

Rodauth Advantages• Integration with any rack application

• Minimun dependencies

• Features

• Security

• Simplicity

Rodauth Disadvantages

• Doesn’t work with OAuth

• Routes design: can mismatch with your design

My own experience

Registrationmodule Auth class Rodauth < Roda DB = Sequel.connect(ENV['DATABASE_URL'])

plugin :middleware

plugin :rodauth, json: :only do enable :login, :logout, :jwt, :create_account

jwt_session_hash do super().merge(exp: SmartTaskApi::Utils.jwt_expiration) end

jwt_secret ENV['JWT_SECRET'] end

route do |r| r.rodauth

env['rodauth'] = rodauth end end end

Token Authenticationmodule Api class Rodauth < Roda DB = Sequel.connect(ENV['DATABASE_URL'])

plugin :middleware

plugin :rodauth, json: :only do enable :jwt

jwt_secret ENV['JWT_SECRET'] end

route do |r| r.rodauth rodauth.require_authentication env['rodauth'] = rodauth end end end

Rodauth Examples• https://github.com/jeremyevans/ginatra

• https://github.com/jeremyevans/rodauth-demo-rails

• https://github.com/davydovanton/rodauth_hanami

• https://github.com/davydovanton/grape-rodauth

• https://github.com/valikos/smart-task-api-hanami

https://github.com/jeremyevans/ginatra

https://github.com/davydovanton/rodauth_hanami

https://github.com/davydovanton/grape-rodauth

https://github.com/valikos/smart-task-api-hanami

RodauthClean Authentication

Thanks!

Questions?

Valentyn Ostakh


https://twitter.com/valikos_ost


rodauth: clean authentication - valentine ostakh

Technology