Rodauth: Clean Authentication

Transcript

1. Valentyn Ostakh https://github.com/valikos https://twitter.com/valikos_ost

2. Rodauth Clean Authentication

3. What is the most necessary feature for interaction with users?

4. Authentication

5. Authentication is the act of identification of user that going

   to interact with your product

6. I want authentication for my application

7. None

8. Ruby-toolbox

9. Awesome-ruby

10. Authentication • Authlogic • Devise • Clearance • Sorcery •

    Warden • Rodauth

11. What about custom solution?

12. None
13. None

14. Custom Solution vs Authentication Libraries Library Issues Pull Requests First

    Release Sorcery 64/451 28/306 31 Jan 2011 Clearance 12/374 4/369 1 Sep 2009 Authlogic 124/221 6/186 3 Nov 2008 Devise 39/3353 29/979 21 Oct 2009 Warden 18/74 4/49 26 May 2009 Rodauth 0/8 0/11 12 Aug 2015

15. I want flexible authentication that can be used with any

    framework
16. None
17. None
18. None

19. How to choose a library for my application?

20. Dependencies

21. • Authlogic - activerecord, activesupport • Devise - rails, warden

    • Clearance - rails, rack • Sorcery - rails • Warden - rack • Rodauth - roda, rack

22. Clearance

23. Features

24. Registration • Authlogic • Devise • Clearance • Sorcery •

    Warden • Rodauth

25. Login • Authlogic • Devise • Clearance • Sorcery •

    Warden • Rodauth

26. Logout • Authlogic • Devise • Clearance • Sorcery •

    Warden • Rodauth

27. Would be great to have token authentication

28. Token Authentication • Authlogic • Devise • Clearance • Sorcery

    • Warden • Rodauth

29. Token Authentication Articles • An Introduction to Using JWT Authentication

    in Rails • Authenticate Your Rails API with JWT from Scratch • Token-based authentication with Ruby on Rails 5 API • JWT Auth in Rails, From Scratch • Implementing JWT in Ruby on Rails-based API • Authenticate Your Rails API with JWT • Rails Api Backed With JWT • Rails, Devise, JWT and the forgotten Warden

30. Token Authentication
 Gems • jwt_authentication • simple_token_authentication • devise_token_auth

31. Token Authentication
 Gems • jwt_authentication (based on devise) • simple_token_authentication

    (based on devise) • devise_token_auth (based on devise)

32. Token Authentication

33. Popularity

34. Library Total Downloads rubygems.org Devise 21,407,462 Warden 21,018,495 Authlogic 2,343,678

    Sorcery 527,431 Clearance 317,409 Rodauth 6,163

35. Summary

36. Library Dependencies Features Token
 Authentication Devise Warden Authlogic Sorcery Clearance

    Rodauth

37. Rodauth

38. Rodauth

39. Jeremy Evans Twitter: @jeremyevans0

40. Roda Sequel

41. Rodauth Goals • Security • Simplicity • Flexibility

42. Features first

43. Rodauth Features Login

44. Rodauth Features Login Logout

45. Rodauth Features Login Logout Change Password

46. Rodauth Features Login Logout Change Password Change Login

47. Rodauth Features Login Logout Change Password Change Login Reset Password

48. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account

49. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account

50. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account

51. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password

52. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token)

53. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection)

54. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP)

55. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes)

56. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS)

57. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login

58. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period

59. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period

60. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity

61. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse

62. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse Password Expiration

63. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse Password Expiration Account Expiration

64. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse Password Expiration Account Expiration Session Expiration

65. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse Password Expiration Account Expiration Session Expiration Single Session

66. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse Password Expiration Account Expiration Session Expiration Single Session JWT

67. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse Password Expiration Account Expiration Session Expiration Single Session JWT Update Password Hash

68. Rodauth Features Login Logout Change Password Change Login Reset Password

    Create Account Close Account Verify Account Confirm Password Remember (Autologin via token) Lockout (Bruteforce protection) OTP (2 factor authentication via TOTP) Recovery Codes (2 factor authentication via backup codes) SMS Codes (2 factor authentication via SMS) Verify Change Login Verify Account Grace Period Password Grace Period Password Complexity Disallow Password Reuse Password Expiration Account Expiration Session Expiration Single Session JWT Update Password Hash HTTP Basic Auth
69. None

70. Security

71. • Uses database functions to access password hashes • Two

    database accounts are used

72. • Uses database functions to access password hashes (optional) •

    Two database accounts are used (optional)

73. Flexibility

74. Can be used with the any rack framework

75. require "roda" class RodauthApp < Roda # If using Rodauth

    in a non-Roda application # plugin :middleware plugin :rodauth do enable :login, :logout, :change_password end route do |r| r.rodauth rodauth.require_authentication # If using Rodauth in a Roda application # Your app code here end end # If using Rodauth in a non-Roda application # use RodauthApp # If using Rodauth in a Roda application run RodauthApp

76. require "roda" class RodauthApp < Roda # If using Rodauth

    in a non-Roda application # plugin :middleware plugin :rodauth do enable :login, :logout, :change_password end route do |r| r.rodauth rodauth.require_authentication # If using Rodauth in a Roda application # Your app code here end end # If using Rodauth in a non-Roda application # use RodauthApp # If using Rodauth in a Roda application run RodauthApp

77. Rodauth uses a simple configuration DSL

78. require 'simple_ldap_authenticator' plugin :rodauth do enable :login, :logout # Don't

    require the bcrypt library, since using LDAP for auth require_bcrypt? false # Treat the login itself as the account account_from_login{|l| l.to_s} # Use the login provided as the session value account_session_value{account} # Store session value in :login key, since the :account_id # default wouldn't make sense session_key :login password_match? do |password| SimpleLdapAuthenticator.valid?(account, password) end end

79. Simplicity

80. Rodauth allows for overriding any part of the framework

81. module Auth class Rodauth < Roda plugin :rodauth do enable

    :login end route do |r| r.post 'login' do # Custom POST /login handling here end r.rodauth end end end

82. How to start use Rodauth?

83. • Resolve database dependencies • Define Rodauth features

84. Database dependencies

85. • Setup database • Create tables

86. Setup With Postgresql # Load extentions psql -U postgres -c

    "CREATE EXTENSION citext" ${DATABASE_NAME} # Create database accounts createuser -U postgres ${DATABASE_NAME} createuser -U postgres ${DATABASE_NAME}_password

87. Setup With Postgresql create_table(:accounts) do primary_key :id, :type=>:Bignum foreign_key :status_id,

    :account_statuses, :null=>false, :default=>1 if db.database_type == :postgres citext :email, :null=>false constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/ index :email, :unique=>true, :where=>{:status_id=>[1, 2]} else String :email, :null=>false index :email, :unique=>true end end case database_type when :postgres user = get{Sequel.lit('current_user')} + '_password' run "GRANT REFERENCES ON accounts TO #{user}" end

88. Define Rodauth Features plugin :rodauth, :json=>true, :csrf=>false, :flash=>false do enable

    :change_password, :close_account, :create_account, :login, :logout, :remember, :reset_password, :verify_account, :otp, :recovery_codes, :sms_codes, :password_complexity, :disallow_password_reuse, :password_grace_period, :account_expiration, :single_session, :jwt, :session_expiration, max_invalid_logins 2 allow_password_change_after 60 verify_account_grace_period 300 jwt_secret secret sms_send do |phone_number, message| MUTEX.synchronize{SMS[session_value] = "..."} end end

89. Summary

90. Rodauth Advantages • Integration with any rack application • Minimun

    dependencies • Features • Security • Simplicity

91. Rodauth Disadvantages • Doesn’t work with OAuth • Routes design:

    can mismatch with your design

92. My own experience

93. Registration module Auth class Rodauth < Roda DB = Sequel.connect(ENV['DATABASE_URL'])

    plugin :middleware plugin :rodauth, json: :only do enable :login, :logout, :jwt, :create_account jwt_session_hash do super().merge(exp: SmartTaskApi::Utils.jwt_expiration) end jwt_secret ENV['JWT_SECRET'] end route do |r| r.rodauth env['rodauth'] = rodauth end end end

94. Token Authentication module Api class Rodauth < Roda DB =

    Sequel.connect(ENV['DATABASE_URL']) plugin :middleware plugin :rodauth, json: :only do enable :jwt jwt_secret ENV['JWT_SECRET'] end route do |r| r.rodauth rodauth.require_authentication env['rodauth'] = rodauth end end end

95. Rodauth Examples • https://github.com/jeremyevans/ginatra • https://github.com/jeremyevans/rodauth-demo-rails • https://github.com/davydovanton/rodauth_hanami • https://github.com/davydovanton/grape-rodauth

    • https://github.com/valikos/smart-task-api-hanami

96. Rodauth Clean Authentication

97. Thanks!

98. Questions?

99. Valentyn Ostakh https://github.com/valikos https://twitter.com/valikos_ost