Warden - The building block behind Devise (Português)

Transcript

generate devise User › rails db:migrate › rails server

e-mail confirmation password recovery account registration Devise account locking account

tracking session timeout

authentication logout session management Warden e-mail confirmation password recovery account

registration Devise account locking account tracking session timeout

“Warden is a Rack-based middleware, designed to provide a mechanism

for authentication in Ruby web applications” - Warden’s GitHub Wiki

None

Uma interface Ruby para servidores web

GET https://github.com/plataformatec/devise

class MyApp def call(env) status = 200 headers = {

"Content-Type" => "application/json" } body = ['{ "text": "Olar, Guru-SP!" }'] [status, headers, body] end end run MyApp.new Aplicação Rack

class MyApp def call(env) status = 200 headers = {

"Content-Type" => "application/json" } body = ['{ "text": "Olar, Guru-SP!" }'] [status, headers, body] end end run MyApp.new { "rack.version"=>[1, 3], "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"puma 3.11.0 Love Song", "GATEWAY_INTERFACE"=>"CGI/1.2", "REQUEST_METHOD"=>"GET", "REQUEST_PATH"=>"/", "HTTP_VERSION"=>"HTTP/1.1", "HTTP_HOST"=>"localhost:9292", "HTTP_USER_AGENT"=>"curl/7.54.0", "HTTP_ACCEPT"=>"*/*", "SERVER_NAME"=>"localhost", "SERVER_PORT"=>"9292" } Aplicação Rack

Middleware class MyMiddleware def initialize(app) @app = app end def

call(env) # do something with env @app.call(env) end end

Middleware class MyMiddleware def initialize(app) @app = app end def

call(env) # do something with env @app.call(env) end end #<MyApp:0x007fb8972a39e0>

GET https://github.com/plataformatec/devise

Rails::Rack::Logger GET https://github.com/plataformatec/devise

Rails::Rack::Logger ActionDispatch::Cookies GET https://github.com/plataformatec/devise

Rails::Rack::Logger ActionDispatch::Cookies ActionDispatch::Flash GET https://github.com/plataformatec/devise

Um middleware pode interromper uma requisição

GET https://github.com/plataformatec/devise

Rails::Rack::Logger GET https://github.com/plataformatec/devise

Rails::Rack::Logger Warden::Manager GET https://github.com/plataformatec/devise

Rails::Rack::Logger Warden::Manager GET https://github.com/plataformatec/devise 401 unauthorized

Aplicação de exemplo # config.ru class MyApp def call(env) status

= 200 headers = { "Content-Type" => "application/json" } body = ['{ "text": "Olar, Guru-SP!" }'] [status, headers, body] end end run MyApp.new

› curl -i localhost:9292 HTTP/1.1 200 OK Content-Type: application/json Transfer-Encoding:

chunked { "text": "Olar, Guru-SP!" } › rackup

Warden não lida com armazenamento de sessão

GET https://github.com/plataformatec/devise

GET https://github.com/plataformatec/devise Rack::Session::Cookie

GET https://github.com/plataformatec/devise Rack::Session::Cookie env["rack.session"]

GET https://github.com/plataformatec/devise Rack::Session::Cookie Warden::Manager env["rack.session"]

GET https://github.com/plataformatec/devise Rack::Session::Cookie Warden::Manager env["rack.session"] env["warden"]

use Rack::Session::Cookie, secret: "warden" use Warden::Manager do |manager| manager.default_strategies :password

manager.failure_app = FailureApp.new end run MyApp.new Configuração do Warden

Serialização de sessão Warden::Manager.serialize_into_session do |user| user[:id] end Warden::Manager.serialize_from_session do

|id| USERS.find { |user| user[:id] == id } end

Serialização de sessão Warden::Manager.serialize_into_session do |user| user[:id] end Warden::Manager.serialize_from_session do

|id| USERS.find { |user| user[:id] == id } end USERS = [ { id: 1, email: "[email protected]", password: "123", name: "Bruce Wayne" }, { id: 2, email: "[email protected]", password: "321", name: "James Gordon" } ]

use Rack::Session::Cookie, secret: "warden" use Warden::Manager do |manager| manager.default_strategies :password

Strategies

None

email & senha Warden::Strategies.add(:password) do def valid? params["email"] && params["password"]

end def authenticate! user = USERS.find do |user| user[:email] == params["email"] && user[:password] == params["password"] end if user.nil? fail!("Invalid email or password") else success!(user) end end end

email & senha Warden::Strategies.add(:password) do def valid? params["email"] && params["password"]

Métodos disponíveis dentro de strategies • params – Parâmetros da

requisição • request – Objeto da requisição (Rack::Request) • session – Sessão da requisição • env – Hash do Rack contendo os dados da requisição

• success! – Indica que a autenticação deu certo (resulta

em halt!) • fail! – Indica que a autenticação falhou (resulta em halt!) • halt! – Interrompe a execução • redirect! – Redireciona para outra URL (resulta em halt!) • custom! – Aceita um array no formato do Rack (resulta em halt!) • pass – Ignora a strategy (padrão) Métodos disponíveis dentro de strategies

Utilizando uma strategy # authenticates with the default strategy env["warden"].authenticate

# authenticates with the `password` strategy env["warden"].authenticate(:password) # try to authenticate with the `password` strategy. # If it fails, authenticate with the `api_token` strategy env["warden"].authenticate(:password, :api_token)

# devise/lib/devise/strategies/rememberable.rb def valid? @remember_cookie = nil remember_cookie.present? end def

authenticate! resource = mapping.to.serialize_from_cookie(*remember_cookie) unless resource cookies.delete(remember_key) return pass end if validate(resource) remember_me(resource) if extend_remember_me?(resource) resource.after_remembered success!(resource) end end devise sample

# devise/lib/devise/strategies/rememberable.rb def valid? @remember_cookie = nil remember_cookie.present? end def

# devise/lib/devise/strategies/database_authenticatable.rb def authenticate! resource = password.present? && mapping.to.find_for_database_authentication(authentication_hash) hashed

= false if validate(resource){ hashed = true; resource.valid_password?(password) } remember_me(resource) resource.after_database_authentication success!(resource) end mapping.to.new.password = password if !hashed && Devise.paranoid fail(:not_found_in_database) unless resource end devise sample

# devise/lib/devise/strategies/database_authenticatable.rb def authenticate! resource = password.present? && mapping.to.find_for_database_authentication(authentication_hash) hashed

use Rack::Session::Cookie, secret: "warden" use Warden::Manager do |manager| manager.default_strategies :password

Failure applications

class FailureApp def call(env) status = 401 headers = {

"Content-Type" => "application/json" } body = ["Deu ruim”] [status, headers, body] end end

require "warden" class MyApp def call(env) env["warden"].authenticate! user = env["warden"].user

status = 200 headers = { "Content-Type" => "application/json" } body = ["{ \"user\": \"#{user[:name]}\" }"] [status, headers, body] end end

require "warden" class MyApp def call(env) env["warden"].authenticate! user = env["warden"].user

› curl -i "localhost:[email protected]&password=123" HTTP/1.1 200 OK Content-Type: application/json Set-Cookie:

rack.session=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRWE3ZjA3MTkzNTY2MG U1ZmE1MzZh%0AZWY5M2QzZmNjNTg1MTVhNmYwZmNmNDQyMzFiZWExNzNkOGZkND RiNmU2NTcG%0AOwBGSSIcd2FyZGVuLnVzZXIuZGVmYXVsdC5rZXkGOwBUaQY%3D %0A--ac7c6d8d93aba354ad6cff80c59ef0d1730f8938; path=/; HttpOnly Transfer-Encoding: chunked { "user": "Bruce Wayne" }

› curl -i "localhost:9292? [email protected]&password=abc" HTTP/1.1 401 Unauthorized Content-Type: application/json

Transfer-Encoding: chunked Deu ruim

email & senha Warden::Strategies.add(:password) do def valid? params["email"] && params["password"]

end def authenticate! user = USERS.find do |user| user[:email] == params["email"] && user[:password] == params["password"] end if user.nil? fail!("Invalid email or password") else success!(user) end end end env["warden"].message

class FailureApp def call(env) error_message = env["warden"].message status = 401

headers = { "Content-Type" => "application/json" } body = ["Deu ruim: #{error_message}"] [status, headers, body] end end

class FailureApp def call(env) error_message = env["warden"].message status = 401

› curl -i "localhost:9292? [email protected]&password=abc" HTTP/1.1 401 Unauthorized Content-Type: application/json

Transfer-Encoding: chunked Deu ruim: Invalid email or password

bcrypt-ruby https://github.com/codahale/bcrypt-ruby

Criptografando uma senha > BCrypt::Password.create("123") => "$2a$10$eyNdqvloKRe0hlzSz5Q7VOSKTMQq9PpmegqgYNMBb e0.fRxVskP76"

USERS = [ { id: 1, email: '[email protected]', password: '$2a$10$eyNdqvloKRe0hlzSz5Q7VOSKTMQq9PpmegqgYNMBbe0.fRxVskP76',

name: 'Bruce Wayne' }, { id: 2, email: '[email protected]', password: '$2a$10$alIdvOG32Z11Brn9XuX.FuDmoCyEQDLUQEWc/PdoaHvaGDjghp6ZO', name: 'James Gordon' } ]

def authenticate! user = USERS.find { |user| user[:email] == params["email"]

} return fail!("Invalid email or password") if user.nil? if BCrypt::Password.new(user[:password]).is_password?(params["password"]) success!(user) else fail!("Invalid email or password") end end

def authenticate! user = USERS.find { |user| user[:email] == params["email"]

› curl -i "localhost:[email protected]&password=123" HTTP/1.1 200 OK Content-Type: application/json Set-Cookie:

rack.session=BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRWRkZGY1NzBkMDM1 YTE5OTI0OGI5%0AMWU5NWM2NTdlZjAxN2QwZjE2NmNjZWU2YTNkOWFiZmI0Zj c5Y2E5MmI4OTAG%0AOwBGSSIcd2FyZGVuLnVzZXIuZGVmYXVsdC5rZXkGOwBU aQY%3D%0A--49fb8a3f9f887658cff35ee6c48d93618b044be3; path=/; HttpOnly Transfer-Encoding: chunked { "user": "Bruce Wayne" }

Scopes

e-commerce

e-commerce search wishlist purchases customers

e-commerce search wishlist purchases customers manage items promotions refunds editors

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles def search_items(query)

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles def search_items(query) def add_to_wishlist(item)

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles def search_items(query) def add_to_wishlist(item) def purchase!(item)

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles def search_items(query) def add_to_wishlist(item) def purchase!(item) def create_item(attributes)

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles def search_items(query) def add_to_wishlist(item) def purchase!(item) def create_item(attributes) def promote_item(item)

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles def search_items(query) def add_to_wishlist(item) def purchase!(item) def create_item(attributes) def promote_item(item) def refund_purchase(order)

Modelo User com muitas roles class User < ApplicationRecord has_many

:roles def search_items(query) def add_to_wishlist(item) def purchase!(item) def create_item(attributes) def promote_item(item) def refund_purchase(order) end

Vários modelos com devise /editors/sign_in current_editor class Editor < ApplicationRecord

devise :editors def create_item(attributes) def promote_item(item) def refund_purchase(order) end /customers/sign_in current_customer class Customer < ApplicationRecord devise :customers def search_items(query) def add_to_wishlist(item) def purchase!(item) end

Vários modelos com devise /editors/sign_in current_editor class Editor < ApplicationRecord

devise :editors def create_item(attributes) def promote_item(item) def refund_purchase(order) end /customers/sign_in current_customer class Customer < ApplicationRecord devise :customers def search_items(query) def add_to_wishlist(item) def purchase!(item) end env["rack.session"] => {"warden.user.editor.key"=>1}

Vários modelos com devise /editors/sign_in current_editor class Editor < ApplicationRecord

devise :editors def create_item(attributes) def promote_item(item) def refund_purchase(order) end /customers/sign_in current_customer class Customer < ApplicationRecord devise :customers def search_items(query) def add_to_wishlist(item) def purchase!(item) end

Vários modelos com devise /editors/sign_in current_editor class Editor < ApplicationRecord

devise :editors def create_item(attributes) def promote_item(item) def refund_purchase(order) end /customers/sign_in current_customer class Customer < ApplicationRecord devise :customers def search_items(query) def add_to_wishlist(item) def purchase!(item) end env["rack.session"] => {"warden.user.editor.key"=>1, "warden.user.customer.key"=>2}

# authenticate the :customer scope with the :api_token strategy env["warden"].authenticate(:api_token,

scope: :customer) # if no scope is passed, :default is used env["warden"].authenticated? # check the :customer scope env["warden"].authenticated?(:customer) # fetch the customer env[“warden"].user(:customer) Utilizando scopes

# logs everyone out env["warden"].logout # logs :default scope out

env["warden"].logout(:default) # logs :customer out env[“warden"].logout(:customer) Utilizando scopes

Configuração de Scopes use Warden::Manager do |config| config.default_scope = :customer

config.scope_defaults(:customer, strategies: [:password]) config.scope_defaults( :editor, store: false, strategies: [:editor, :account_owner] ) end

Callbacks

after_set_user Warden::Manager.after_set_user do |user, warden, opts| # do something end

Causas env["warden"].user env["warden"].authenticate env["warden"].set_user(user)

after_set_user Warden::Manager.after_set_user do |user, warden, opts| # do something end

Causas env["warden"].user env["warden"].authenticate env["warden"].set_user(user) {:id=>1, :email=>"[email protected]", :password=>"$2a$10$eyNdqvloKRe0hlzS z5Q7VOSKTMQq9PpmegqgYNMBbe0.fRxVskP 76", :name=>"Bruce Wayne"}

after_set_user Warden::Manager.after_set_user do |user, warden, opts| # do something end

Causas env["warden"].user env["warden"].authenticate env["warden"].set_user(user) Warden::Proxy:70215393660020 @config={:default_scope=>:default, :scope_defaults=> {}, :default_strategies=>{:_all=>[:password]}, :inte rcept_401=>true, :failure_app=>#<FailureApp: 0x007fb8972a39e0>}

after_set_user Warden::Manager.after_set_user do |user, warden, opts| # do something end

Causas env["warden"].user env["warden"].authenticate env["warden"].set_user(user) {:store=>true, :event=>:authentication, :scope=>:default}

# fetch env["warden"].user # authentication env["warden"].authenticate # set_user env["warden"].set_user(user) Warden::Manager.after_set_user

except: :fetch Warden::Manager.after_set_user only: :authentication Warden::Manager.after_authentication Warden::Manager.after_set_user only: :fetch Warden::Manager.after_fetch Warden::Manager.after_set_user scope: :admin

# devise/lib/devise/hooks/activatable.rb Warden::Manager.after_set_user do |record, warden, options| if record &&

record.respond_to?(:active_for_authentication?) && ! record.active_for_authentication? scope = options[:scope] warden.logout(scope) throw :warden, scope: scope, message: record.inactive_message end end devise sample

# devise/lib/devise/hooks/activatable.rb Warden::Manager.after_set_user do |record, warden, options| if record &&

# devise/lib/devise/hooks/rememberable.rb Warden::Manager.after_set_user except: :fetch do |record, warden, options| scope

= options[:scope] if record.respond_to?(:remember_me) && options[:store] != false && record.remember_me && warden.authenticated?(scope) Devise::Hooks::Proxy.new(warden).remember_me(record) end end devise sample

# devise/lib/devise/hooks/rememberable.rb Warden::Manager.after_set_user except: :fetch do |record, warden, options| scope

= options[:scope] if record.respond_to?(:remember_me) && options[:store] != false && record.remember_me && warden.authenticated?(scope) Devise::Hooks::Proxy.new(warden).remember_me(record) end end devise sample

# devise/lib/devise/hooks/trackable.rb Warden::Manager.after_set_user except: :fetch do |record, warden, options| if

record.respond_to?(:update_tracked_fields!) && warden.authenticated? (options[:scope]) && !warden.request.env['devise.skip_trackable'] record.update_tracked_fields!(warden.request) end end devise sample

# devise/lib/devise/hooks/trackable.rb Warden::Manager.after_set_user except: :fetch do |record, warden, options| if

record.respond_to?(:update_tracked_fields!) && warden.authenticated? (options[:scope]) && !warden.request.env['devise.skip_trackable'] record.update_tracked_fields!(warden.request) end end devise sample

after_failed_fetch Warden::Manager.after_failed_fetch do |user, warden, opts| Warden::Manager.after_failed_fetch scope: :admin do

|user, warden, opts| Causas # fails because the user isn't authenticated env["warden"].user env["warden"].user(:admin)

on_request Warden::Manager.on_request do |warden| # do something end

on_request Warden::Manager.on_request do |warden| # do something end Warden::Proxy:70215393660020 @config={:default_scope=>:default,

:scope_defaults=> {}, :default_strategies=>{:_all=>[:password]}, :inte rcept_401=>true, :failure_app=>#<FailureApp: 0x007fb8972a39e0>}

before_failure Warden::Manager.before_failure do |env, opts| # do something end

before_failure Warden::Manager.before_failure do |env, opts| # do something end {

"rack.version"=>[1, 3], "QUERY_STRING"=>"[email protected]&password=1234", "REQUEST_METHOD"=>"GET", "REQUEST_PATH"=>"/", "REQUEST_URI"=>"/[email protected]&password=1234", "SERVER_NAME"=>"localhost", "SERVER_PORT"=>"9292", "PATH_INFO"=>"/unauthenticated", "warden.options"=> { :action=>"unauthenticated", :message=>"Invalid email or password", :attempted_path=>"/[email protected]&password=1234" } }

before_failure Warden::Manager.before_failure do |env, opts| # do something end

before_failure Warden::Manager.before_failure do |env, opts| # do something end {:action=>"unauthenticated",

:message=>"Invalid email or password", :attempted_path=>"/? [email protected]&password=1234"}

before_logout Causas env["warden"].logout env["warden"].logout(:admin) Warden::Manager.before_logout do |user, warden, opts| Warden::Manager.before_logout

scope: :admin do |user, warden, opts|

# devise/lib/devise/hooks/forgetable.rb Warden::Manager.before_logout do |record, warden, options| if record.respond_to?(:forget_me!) Devise::Hooks::Proxy.new(warden).forget_me(record)

end end devise sample

# devise/lib/devise/hooks/forgetable.rb Warden::Manager.before_logout do |record, warden, options| if record.respond_to?(:forget_me!) Devise::Hooks::Proxy.new(warden).forget_me(record)

end end devise sample

Callbacks com prioridade Warden::Manager.prepend_before_logout do |user, warden, opts| # do

something end

Revisão

Revisão • Warden é middleware de autenticação baseado em Rack

• Uma strategy define a lógica para autenticar uma requisição

Revisão • Warden é middleware de autenticação baseado em Rack

• Uma strategy define a lógica para autenticar uma requisição • É possível configurar uma aplicação Rack para lidar com falhas de autenticação

Revisão • Warden é middleware de autenticação baseado em Rack

• Uma strategy define a lógica para autenticar uma requisição • É possível configurar uma aplicação Rack para lidar com falhas de autenticação • Scopes permitem que vários tipos de usuários estejam autenticados ao mesmo tempo

Revisão • Warden é middleware de autenticação baseado em Rack

• Uma strategy define a lógica para autenticar uma requisição • É possível configurar uma aplicação Rack para lidar com falhas de autenticação • Scopes permitem que vários tipos de usuários estejam autenticados ao mesmo tempo • Callbacks são executados em eventos de autenticação

Revisão • Warden é middleware de autenticação baseado em Rack

• Uma strategy define a lógica para autenticar uma requisição • É possível configurar uma aplicação Rack para lidar com falhas de autenticação • Scopes permitem que vários tipos de usuários estejam autenticados ao mesmo tempo • Callbacks são executados em eventos de autenticação • Exemplos do Devise

Warden - The building block behind Devise (Português)

Warden - The building block behind Devise (Português)

More Decks by Leonardo Tegon

Other Decks in Programming

Featured

Transcript