Authentication in-rails

•Als PPTX, PDF herunterladen•

2 gefällt mir•713 views

Slides from my talk at the Eastside Incubator's Rails Chat series. With so many authentication solutions out there (Devise, OmniAuth, AuthLogic, just to name a few), this slide deck goes through various options, and guides with choosing the best authentication solution for your app. The deck covers following areas... Your Own Auth (Authentication from Scratch) Your Own Auth With Facebook Connect OmniAuth (Facebook + Twitter) OmniAuth (Facebook + Twitter + Identity) Devise (+ Omniauthable, example includes Facebook and Twitter) All source code for this talk is available on GitHub at https://github.com/mvaidya/Authentication-In-Rails

Technologie

•

–
•

•
http_basic_authenticate_with
:name => "ror",
:password => "rocks",
:except=>[:index]

•
–
–
–
•
•
•
•
–
•
• current_user, authenticate_user!
–

•
–
–
–
–

•
–
•
–
–
•
– 
–
»
• Perform all authentication in a HTML POPUP with your own handler pages before and after
Facebook OAuth calls
–
•
•
–
–
•
–
–

•
•
–
•
–
–
•
•
–
– (session[:user_id])
– (current_user, authenticate_user!)
•
•

$• • • – • – gem „omniauth-twitter‟ – gem „omniauth-facebook‟ – bundle install • – • Rails.application.config.middleware.use OmniAuth::Builder do provider :twitter, APP_CONFIG[:twitter]['consumer_key'], APP_CONFIG[:twitter]['consumer_secret'] provider :facebook, APP_CONFIG[:facebook]['app_id'], APP_CONFIG[:facebook]['app_secret'], :client_options => { :ssl => { :ca_file => "#{Rails.root}/config/ca-bundle.crt" } } End • • (/auth/:provider/callback) – request.env[“omniauth.auth”]$

•
–
•
•

•
–
OmniAuth.config.on_failure = -> env do
env[ActionDispatch::Flash::KEY] ||= ActionDispatch::Flash::FlashHash.new
env[ActionDispatch::Flash::KEY][:error] = "Authentication failed, please try again."
SessionsController.action(:new).call(env) #call whatever controller/action that displays your signup form
end

•
– '/auth/:provider/callback' => 'sessions#create'
•
–
•

–

–
•

$• – provider :identity, on_failed_registration: lambda { |env| # lambda is used so that the class IdentitiesController is not cached (important for dev environment). # That way, changes to the controller will be picked up automatically since # lamda is the rack application to handle failures and not IndentitiesController#new directly IdentitiesController.action(:new).call(env) }$

•
–
–
–

–
• password_salt = BCrypt::Engine.generate_salt
• password_hash = BCrypt::Engine.hash_secret(password, password_salt)

•

–

Weitere ähnliche Inhalte

Ähnlich wie Authentication in-rails

Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf

Lior Rotkovitch

Codeception is a PHP testing framework for Behavior Driven Development, which covers all kinds of tests: unit tests, functional tests and acceptance tests. It is fast and simple in both usage and execution. This talk will give you a introduction to the software testing basics using codeception. It will also cover some stumbling blocks when writing tests, like: - Test code stability against small changes - Data stability - Test structure Last but not least I will give you a short outlook how to make your tests also understandable for product owners.

Testing mit Codeception: Full-stack testing PHP framework

SusannSgorzaly

There have long been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user to click on the link to be successful. However, the latest variation has moved beyond simple text links to "Google-image poisoning" - placing malware in the middle of Google searches for images where users have traditionally had no reason to be wary. Our presentation will focus on How malware writers are able to infect the average website; detailed analyses of the PHP script used to infect s ites and SEO techniques to get infected images at the top of search results.

Poisoning Google images

lukash4

InSpec is an open-source testing framework for infrastructure with a human- and machine-readable language for specifying compliance, security, and policy requirements. Using a combination of command-line and remote-execution tools, InSpec can help you keep your infrastructure aligned with security and compliance guidelines on an ongoing basis, rather than waiting for and then remediating from arduous annual audits. InSpec’s flexibility makes it a key tool choice for incorporating security into a complete continuous delivery workflow, reducing the risk of new features and releases breaking established host-based security guidelines. This talk covers the basics of working with InSpec, writing tests to reflect your organization’s security guidelines, and managing InSpec as part of a high-velocity workflow.

DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...

DevOpsDays Riga

IBM Connection - customize it, #dd13

Dominopoint - Italian Lotus User Group

下吧开发总结

Night Sailer

Leadership Guide, 초보팀장을 위한 리더십 가이드

Jinho Jung

SharePoint Saturday Philly - SharePoint 2010 Administrative Blunders

Dan Usher

Have you ever inherited a SharePoint site? Are you the new “content administrator?” Do you suddenly find yourself in charge of managing the permissions for your department? Did you happen to volunteer to manage the SharePoint site for that new project without knowing just what you were getting into? Come to this highly interactive session where Scott and Dan will show you all the things that can go wrong with your newly inherited SharePoint installation from the common mistakes your users will make to the not so common mistakes we've made.

SPSPhilly - SharePoint 2010 Tips & Tricks of the Trade - Avoiding Administrat...

Scott Hoag

Getting Started With SharePoint REST API in Nintex Workflows for Office 365 I...

Prashant G Bhoyar (Microsoft MVP)

Are you working with a Web Agency? Is your company responsible for the websites of other businesses? In this webinar we covered the implications of a security breach and why security should be important to your Web Agency. After seeing this material you will be able to answer the question: “What can I do to reduce the risk to our business and our clients” by exploring a 3 tiered approach to web security: Prevention, Detection, Response

Sucuri Webinar: Website Security for Web Agencies

Sucuri

For quite a while now, there have been links on the internet that take the unwary user to a page with unexpected or malicious content. Most of these attempts rely on the user to click on the link to be successful. However, the latest variation has moved beyond simple text links to "Google-image poisoning" - placing malware in the middle of Google searches for images where users have traditionally had no reason to be wary. This presentation focuses on how malware writers are able to infect the average website; detailed analyses of the PHP script used to infect sites, and SEO techniques to get infected images at the top of search results. Presented at AVAR 2011 by Lukas Hasik, head of Quality Assurance at Avast Software, and Jan Sirmer, a Virus Analyst & Researcher at Avast’s Virus Lab.

Google-image poisoning: How hackers use images to spread malware

Avast

Code profiling gives a rich, detailed view of runtime performance. However, it's difficult to achieve in production: for even a small fraction of web requests, huge challenges in scalability, access, and ease of use appear. Despite this, Yelp profiles a nontrivial fraction of its traffic by combining Amazon EC2, Amazon EMR, and Amazon S3. Developers can search, sort, filter, and combine interesting profiles; during a site slowdown or page failure, this allows a fast diagnosis and speedy recovery. Some of our analyses run nightly, while others run in real-time via Storm topologies. This session includes our use cases for code profiling, its benefits, and the implementation of its handlers and analysis flows. We include both performance results and implementation challenges of our MapReduce and Storm jobs, including code overviews. We also touch on issues such as concurrent logging, cross-data center replication, job scheduling, and API definitions.

(BDT402) Performance Profiling in Production: Analyzing Web Requests at Scale...

Amazon Web Services

memories of tumblr gear & Tumblrowl

honishi

Chaione Ember.js Training

aortbals

SharePoint 2010 - Tips and Tricks of the Trade - Avoiding Administrative Blun...

Dan Usher

BSides São Paulo - Trabalho no exterior e segurança de aplicações

Ismael Goncalves

HTML5 History & Features

Dave Ross

Premature optimisation: The Root of All Evil

Fabio Akita

DevCommerce Conference 2016: Performance, anti-patterns e stacks pra desenvol...

iMasters

Ähnlich wie Authentication in-rails (20)

Brute Force - Lior Rotkovitch - f5 SIRT v5.pdf

Testing mit Codeception: Full-stack testing PHP framework

Poisoning Google images

DevOpsDaysRiga 2017: Mandi Walls - Building security into your workflow with ...

IBM Connection - customize it, #dd13

下吧开发总结

Leadership Guide, 초보팀장을 위한 리더십 가이드

SharePoint Saturday Philly - SharePoint 2010 Administrative Blunders

SPSPhilly - SharePoint 2010 Tips & Tricks of the Trade - Avoiding Administrat...

Getting Started With SharePoint REST API in Nintex Workflows for Office 365 I...

Sucuri Webinar: Website Security for Web Agencies

Google-image poisoning: How hackers use images to spread malware

(BDT402) Performance Profiling in Production: Analyzing Web Requests at Scale...

memories of tumblr gear & Tumblrowl

Chaione Ember.js Training

SharePoint 2010 - Tips and Tricks of the Trade - Avoiding Administrative Blun...

BSides São Paulo - Trabalho no exterior e segurança de aplicações

HTML5 History & Features

Premature optimisation: The Root of All Evil

DevCommerce Conference 2016: Performance, anti-patterns e stacks pra desenvol...

Kürzlich hochgeladen

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Exploring Multimodal Embeddings with Milvus

Zilliz

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

CNIC Information System with Pakdata Cf In Pakistan

danishmna97

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Tracing the root cause of a performance issue requires a lot of patience, experience, and focus. It’s so hard that we sometimes attempt to guess by trying out tentative fixes, but that usually results in frustration, messy code, and a considerable waste of time and money. This talk explains how to correctly zoom in on a performance bottleneck using three levels of profiling: distributed tracing, metrics, and method profiling. After we learn to read the JVM profiler output as a flame graph, we explore a series of bottlenecks typical for backend systems, like connection/thread pool starvation, invisible aspects, blocking code, hot CPU methods, lock contention, and Virtual Thread pinning, and we learn to trace them even if they occur in library code you are not familiar with. Attend this talk and prepare for the performance issues that will eventually hit any successful system. About authorWith two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Victor Rentea

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Understanding the FAA Part 107 License ..

Christopher Logan Kennedy

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Dubai, often portrayed as a shimmering oasis in the desert, faces its own set of challenges, including the occasional threat of flooding. Despite its reputation for opulence and modernity, the emirate is not immune to the forces of nature. In recent years, Dubai has experienced sporadic but significant floods, testing the resilience of its infrastructure and communities. Among the critical lifelines in this bustling metropolis is the Dubai International Airport, a bustling hub that connects the city to the world. This article explores the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

Orbitshub

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Angeliki Cooney has spent over twenty years at the forefront of the life sciences industry, working out of Wynantskill, NY. She is highly regarded for her dedication to advancing the development and accessibility of innovative treatments for chronic diseases, rare disorders, and cancer. Her professional journey has centered on strategic consulting for biopharmaceutical companies, facilitating digital transformation, enhancing omnichannel engagement, and refining strategic commercial practices. Angeliki's innovative contributions include pioneering several software-as-a-service (SaaS) products for the life sciences sector, earning her three patents. As the Senior Vice President of Life Sciences at Avenga, Angeliki orchestrated the firm's strategic entry into the U.S. market. Avenga, a renowned digital engineering and consulting firm, partners with significant entities in the pharmaceutical and biotechnology fields. Her leadership was instrumental in expanding Avenga's client base and establishing its presence in the competitive U.S. market.

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Angeliki Cooney

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

presentation ICT roal in 21st century education

jfdjdjcjdnsjd

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Juan lago vázquez

Kürzlich hochgeladen (20)

[BuildWithAI] Introduction to Gemini.pdf

Exploring Multimodal Embeddings with Milvus

Strategies for Landing an Oracle DBA Job as a Fresher

CNIC Information System with Pakdata Cf In Pakistan

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Finding Java's Hidden Performance Traps @ DevoxxUK 2024

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Understanding the FAA Part 107 License ..

Boost Fertility New Invention Ups Success Rates.pdf

Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...

How to Troubleshoot Apps for the Modern Connected Worker

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

presentation ICT roal in 21st century education

Corporate and higher education May webinar.pptx

Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood

Authentication in-rails

2. Experience Technologies V.P. Engineering Dec 2011 - now Software Engineer August 2010 – Dec 2011 Software Engineer Mihir A. Vaidya Feb 2006 – August 2010 Co-Founder and V.P. Engineering ReadyPulse Software Engineer https://www.linkedin.com/in/vaidyamihir May 2004 – Feb 2006 https://twitter.com/mihirvaidya Researcher May 2003 – May 2004

3. • • •

4. • – –

5. • – – • – – – – – – – •

6. • • – • • •

7. • – • • http_basic_authenticate_with :name => "ror", :password => "rocks", :except=>[:index]

8. • – – – • • • • – • • current_user, authenticate_user! – • – – – –

9. • –

10. • – – • • – • – • – • – • – – • • • • •

11. • • • • •

12. • • • – – – • – • – –

13. • – • – – • –  – » • Perform all authentication in a HTML POPUP with your own handler pages before and after Facebook OAuth calls – • • – – • – –

14. •

15. • • – Sessions#fb_auth •

16. • – • •

17. • • – • – – • • – – (session[:user_id]) – (current_user, authenticate_user!) • •

18. • • • – • – gem „omniauth-twitter‟ – gem „omniauth-facebook‟ – bundle install • – • Rails.application.config.middleware.use OmniAuth::Builder do provider :twitter, APP_CONFIG[:twitter]['consumer_key'], APP_CONFIG[:twitter]['consumer_secret'] provider :facebook, APP_CONFIG[:facebook]['app_id'], APP_CONFIG[:facebook]['app_secret'], :client_options => { :ssl => { :ca_file => "#{Rails.root}/config/ca-bundle.crt" } } End • • (/auth/:provider/callback) – request.env[“omniauth.auth”]

19. • – • • • – OmniAuth.config.on_failure = -> env do env[ActionDispatch::Flash::KEY] ||= ActionDispatch::Flash::FlashHash.new env[ActionDispatch::Flash::KEY][:error] = "Authentication failed, please try again." SessionsController.action(:new).call(env) #call whatever controller/action that displays your signup form end

20. • – – – – • – –

21. • – • •

22. • – '/auth/:provider/callback' => 'sessions#create' • – • – – •

23. • – provider :identity, on_failed_registration: lambda { |env| # lambda is used so that the class IdentitiesController is not cached (important for dev environment). # That way, changes to the controller will be picked up automatically since # lamda is the rack application to handle failures and not IndentitiesController#new directly IdentitiesController.action(:new).call(env) }

24. • – • – –

25. • • – • • – • • – • – • • • –

26. • – – • – • • – – • – • • – –

27. • – • • • • • –

28.  • • – • –

29. • – • – – – • – –

30. • • • – – • • • – –

31. • • –

32. • – – • – • • – • – – • • •

33. • • • • – – – – • –

34. • • –  • – – • – – –  • – •

35. • • •

36. • •

37.

38.

39.

40. • – • • • – • • – • – – – – • – – – • • – current_user – authenticate_user!

41. • – – – – • password_salt = BCrypt::Engine.generate_salt • password_hash = BCrypt::Engine.hash_secret(password, password_salt) • –

42. • – • – • –

Authentication in-rails

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Authentication in-rails

Ähnlich wie Authentication in-rails (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Authentication in-rails