What Devise is doing when you are not looking

@lucasmazza

EQPUWNVKPIaCPFaUQHVYCTGaGPIKPGGTKPI

No content

“[…]Everything is deterministic and known, there is nothing magical. […]“ Xavier Noria (@fxn)

October, ‘09 8m+ downloads Rails 3.2+

Full stack Rails Authentication

Models Controllers Views

Models Controllers Rack Views

Models Controllers Middlewares Views

Models Controllers Router Views

Models Controllers Engines Views

hassox/warden

warden is awesome

Authentication infrastructure, like rack is HTTP infrastructure

User session management Failure handling Lifecycle callbacks

SessionStore … Rails & Devise … … Warden

So, what is inside Devise?

Models

Models Router

Models Router Controllers & Views

Models Router Controllers & Views Warden Callbacks & Failure App

Models Router Controllers & Views Warden Callbacks & Failure App and a ton of configurations

Everything starts with the models

class User < ActiveRecord::Base devise :database_authenticatable, :trackable, :confirmable end Which modules to pick up Can load routes and controllers on the app

database_authenticatable => Devise::Models::DatabaseAuthenticatable confirmable => Devise::Models::Confirmable lockable => Devise::Models::Lockable omniauthable => Devise::Models::Omniauthable recoverable => Devise::Models::Recoverable registerable => Devise::Models::Registerable rememberable => Devise::Models::Rememberable timeoutable => Devise::Models::Timeoutable trackable => Devise::Models::Trackable validatable => Devise::Models::Validatable Everything is opt in

Thingy::Application.routes.draw do devise_for :users end The router macro get things started

Thingy::Application.routes.draw do devise_for :users, controllers: { registrations: 'users/registrations' } end Custom flows → custom controllers

$ bin/rake routes Prefix Verb URI Pattern Controller#Action new_user_session GET /users/sign_in(.:format) devise/sessions#new user_session POST /users/sign_in(.:format) devise/sessions#create destroy_user_session DELETE /users/sign_out(.:format) devise/sessions#destroy user_password POST /users/password(.:format) devise/passwords#create new_user_password GET /users/password/new(.:format) devise/passwords#new edit_user_password GET /users/password/edit(.:format) devise/passwords#edit PATCH /users/password(.:format) devise/passwords#update PUT /users/password(.:format) devise/passwords#update cancel_user_registration GET /users/cancel(.:format) devise/registrations#cancel user_registration POST /users(.:format) devise/registrations#create new_user_registration GET /users/sign_up(.:format) devise/registrations#new edit_user_registration GET /users/edit(.:format) devise/registrations#edit PATCH /users(.:format) devise/registrations#update PUT /users(.:format) devise/registrations#update DELETE /users(.:format) devise/registrations#destroy

Thing::Application.routes.draw do authenticate :user, -> { |user| user.admin? } do mount Resque::Server.new, at: 'resque' end ! devise_scope :user do get 'sign_in', to: 'devise/sessions#new' end end

Devise::SessionsController Devise::PasswordsController Devise::RegistrationsController Devise::ConfirmationsController Devise::UnlocksController Builtin controllers: workflow & redirects

app/views/devise/ "## confirmations $ # new.html.erb "## mailer $ "## confirmation_instructions.html.erb $ "## reset_password_instructions.html.erb $ # unlock_instructions.html.erb "## passwords $ "## edit.html.erb $ # new.html.erb "## registrations $ "## edit.html.erb $ # new.html.erb "## sessions $ # new.html.erb "## shared $ # _links.html.erb # unlocks # new.html.erb rails g devise:views [-v registrations confirmations]

unauthenticated?

unauthenticated? (›°□°ʣ›ớ ᵲᴸᵲ

unauthenticated? (›°□°ʣ›ớ ᵲᴸᵲ FailureApp

Nothing but a Rack endpoint

Authentication lifecycle

Session expiration Unconfirmed accounts Account locking Track user requests Cleanup cookies/tokens/etc

❤ warden ❤

Security

Everything should be secure by default

I don’t want to worry (so much) about security while working on my app.

Bcrypt by default Encrypted tokens Timing attacks

Friendly Reminder ! If you found a security bug, please do not open an Issue on GitHub. Report to opensource@plataformatec.com.br instead.

Extending it

Model API (it could use some extra documentation)

class User < ActiveRecord::Base # Deliver notifications using Rails 4.2 ‘deliver_later'. def send_devise_notification(email, *args) devise_mailer.send(email, self, *args).deliver_later end end

class User < ActiveRecord::Base # Delivers a welcome notification when the user confirms # its email. def after_confirmation send_devise_notification(:welcome) end end

class User < ActiveRecord::Base devise :database_authenticatable, :trackable, :confirmable # Unconfirmed users can still log in. def confirmation_required? false end end

Devise.timeout_in = 30.minutes ! class User < ActiveRecord::Base devise :database_authenticatable, :timeoutable def timeout_in staff? ? 10.minutes : 2.hours end end Instance based configuration

class User < ActiveRecord::Base devise :database_authenticatable, :timeoutable, timeout_in: 2.hours end ! class Admin < ActiveRecord::Base devise :database_authenticatable, :timeoutable, timeout_in: 10.minutes end Scope based configuration

Custom controllers

class SessionsController < Devise::SessionsController def after_sign_out_path_for(resource) 'goodbye' end end Custom redirections

after_resending_confirmation_instructions_path_for after_confirmation_path_for after_omniauth_failure_path_for after_resetting_password_path_for after_sending_reset_password_instructions_path_for after_sign_up_path_for after_inactive_sign_up_path_for after_update_path_for after_sending_unlock_instructions_path_for after_unlock_path_for after_sign_in_path_for after_sign_out_path_for

class RegistrationsController < Devise::RegistrationsController # Track down registration origins through a param def build_resource(hash = nil) super self.resource.origin = params['_origin'] self.resource end end

class ApplicationController < ActionController::Base # Include the subdomain in the i18n interpolation options. def devise_i18n_options(options) options.merge(subdomain: current_account.subdomain) end end

❤ I18n ❤

en: devise: confirmations: confirmed: "Your email address has been successfully confirmed." send_instructions: "You will receive an email with instructions for how to confirm your email address in a few minutes." send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions for how to confirm your email address in a few minutes." failure: already_authenticated: "You are already signed in." inactive: "Your account is not activated yet." invalid: "Invalid email or password." locked: "Your account is locked." last_attempt: "You have one more attempt before your account is locked." not_found_in_database: "Invalid email address or password." # ...

❤ I18n ❤ https://github.com/plataformatec/devise/wiki/I18n

Extending the Warden integration

config.warden do |manager| manager.failure_app = MyFailureApp end ! class MyFailureApp < Devise::FailureApp def redirect_url warden_options[:checkout] ? checkout_sign_in_path : super end end Custom Failure

class RemoteAuthenticable < Devise::Strategies::Authenticatable # ... end ! Warden::Strategies.add :remote_authenticable, RemoteAuthenticable Devise.add_module :remote_authenticable, strategy: true ! class User < ActiveRecord::Base devise :remote_authenticable end Alternative Strategies

And a boatload of configurations

Devise.email_regexp Devise.password_length Devise.remember_for Devise.scoped_views Devise.parent_controller # ... Check your config/initializers/devise.rb and https://github.com/plataformatec/devise/blob/v3.3.0/lib/devise.rb

Extensions in the wild

scambra/devise_invitable

mhfs/devise-async

tinfoil/devise-two-factor

phatworx/devise_security_extension

Other ORMs Bundled i18ns And more stuff that I don’t know

The Future

Keep it stable Keep it tidy

No new modules Pluggable APIs when required

Rails 4.0/4.1+ only ! Remove our TokenGenerator StrongParameters by default Compatibility hacks are boring

More docs for the public/private API

Thanks! https://twitter.com/lucasmazza https://speakerdeck.com/lucas