The State of Auth - Boulder Ruby Oct. 2011

Transcript

1. THE STATE OF AUTH Boulder Ruby Group, October 2011 tyler

   montgomery @ubermajestix Wednesday, October 19, 2011

2. Hi, I’m Tyler Ruby and Rails ~ 5 Years Everlater

   formerly of CollectiveIntellect Wednesday, October 19, 2011

3. Warning: this will be about Rails Wednesday, October 19, 2011

4. What’s up with auth these days? Wednesday, October 19, 2011

5. Why do you care? Wednesday, October 19, 2011

6. Should you roll your own? Wednesday, October 19, 2011

7. Let’s discuss. Wednesday, October 19, 2011

8. The goal: secure maintainable easy to use Wednesday, October 19,

   2011

9. Some stats: “75% of attacks are at the web application

   layer” - The Gartner Group Wednesday, October 19, 2011

10. Some more stats: “300 audited sites 97% are vulnerable to

    attack” - The Gartner Group Wednesday, October 19, 2011

11. Informal Survey 3rd party vs. rolled own? Wednesday, October 19,

    2011

12. Predicted Results: Wednesday, October 19, 2011

13. Frameworks Survey Wednesday, October 19, 2011

14. Auth is kinda a lot to deal with. Wednesday, October

    19, 2011

15. Sounds easy. signup login logout profit Wednesday, October 19, 2011

16. There’s a few things to think about Wednesday, October 19,

    2011

17. UI Wednesday, October 19, 2011

18. hashing passwords Wednesday, October 19, 2011

19. reseting passwords Wednesday, October 19, 2011

20. sending emails Wednesday, October 19, 2011

21. sudoing Wednesday, October 19, 2011

22. token based login Wednesday, October 19, 2011

23. sso Wednesday, October 19, 2011

24. oauth with friends Wednesday, October 19, 2011

25. oauth with yourself Wednesday, October 19, 2011

26. api access Wednesday, October 19, 2011

27. not getting hacked Wednesday, October 19, 2011

28. sql injection Wednesday, October 19, 2011

29. cleartext passwords Wednesday, October 19, 2011

30. session fixation Wednesday, October 19, 2011

31. russians Wednesday, October 19, 2011

32. What’s out there? (Fill in pros and cons if I

    miss any) Wednesday, October 19, 2011

33. Warden :) Rack Middleware to manage the session. Scopes! oooh

    neat. Easy to extend. Wednesday, October 19, 2011

34. Warden :( Setup, in my experience, was a little difficult.

    Sinatra-Warden project is dead. No helpers. You're going to hack it anyway. Wednesday, October 19, 2011

35. Devise :) “a complete MVC solution based on Rails engines”

    Wednesday, October 19, 2011

36. Devise :( “a complete MVC solution based on Rails engines”

    You're going to hack it anyway. Wednesday, October 19, 2011

37. Authlogic :) Wednesday, October 19, 2011

38. Authlogic :( Lots of options to cover every use case

    you don’t have You're going to hack it anyway. Wednesday, October 19, 2011

39. Sorcery :) Modular Config in one place You do the

    MVC Lots of docs Wednesday, October 19, 2011

40. Sorcery :( Only at 0.7.0 You're going to hack it

    anyway. Wednesday, October 19, 2011

41. Wednesday, October 19, 2011

42. Should you roll your own? Wednesday, October 19, 2011

43. Probably. Wednesday, October 19, 2011

44. Using a gem to help is great, but you're at

    someone else's mercy. Wednesday, October 19, 2011

45. Your system is weird. Wednesday, October 19, 2011

46. A 3rd party lib will not meet your requirements nor

    cover all of your edge cases... rails generate scaffold... done. Wednesday, October 19, 2011

47. ...without a lot of hacking. Wednesday, October 19, 2011

48. Sorcery wouldn’t handle login via username OR email Wednesday, October

    19, 2011

49. I thought Authlogic couldn’t but there was some weird dsl

    to handle it Wednesday, October 19, 2011

50. The whole point is to have a secure, maintainable and

    easy to use system. Wednesday, October 19, 2011

51. If you’re going to have to maintain something, why not

    maintain your own code? Wednesday, October 19, 2011

52. Mostly, auth is set it and forget it. Wednesday, October

    19, 2011

53. Wednesday, October 19, 2011

54. but your requirements are going to change Wednesday, October 19,

    2011

55. They will. That's the nature of requirements. Wednesday, October 19,

    2011

56. Writing your own auth system FORCES YOU to understand the

    problem. Wednesday, October 19, 2011

57. Examples Wednesday, October 19, 2011

58. Basic roll your own Wednesday, October 19, 2011

59. Signup vs. User Signups are mostly baked users Wednesday, October

    19, 2011

60. Auth controller - everything's at /auth signup, activation, login, logout,

    forgot_password, reset_password sudo, unsudo Wednesday, October 19, 2011

61. Auth helper logged_in? current_user auto_login(current_user=) require_login, require_admin, etc... not_authenticated Wednesday,

    October 19, 2011

62. Use BCrypt. End of line Wednesday, October 19, 2011

63. OMG OMG Wednesday, October 19, 2011

64. Rails 3.1 has_secure_password Wednesday, October 19, 2011

65. Provides BCrypt! password= and authenticate(unencrypted_password) Wednesday, October 19, 2011

66. Wednesday, October 19, 2011

67. Roll Your Own SSO Wednesday, October 19, 2011

68. several small internal apps (instead of the monolithic app) Wednesday,

    October 19, 2011

69. each one needs auth Wednesday, October 19, 2011

70. One login app. Wednesday, October 19, 2011

71. All apps get middleware to deal with the session and

    redirection. like Warden Wednesday, October 19, 2011

72. Middleware provides auth helpers Wednesday, October 19, 2011

73. Wins: each app has almost no setup login happens in

    one place Wednesday, October 19, 2011

74. Not wins: users randomly getting logged in as each other.

    doesn’t conform to a standard (like oauth) Wednesday, October 19, 2011

75. True story passenger forks hilarity does not ensue Wednesday, October

    19, 2011

76. Github implemented oauth You can use it. “Sign in with

    github” Wednesday, October 19, 2011

77. They use it to authenticate internal apps sso done. Wednesday,

    October 19, 2011

78. In conclusion Wednesday, October 19, 2011

79. Something like sorcery will get you going. Wednesday, October 19,

    2011

80. Rolling your own may lead to more maintainable and flexible

    code Wednesday, October 19, 2011

81. Resources: http://guides.rubyonrails.org/security.html http://railscasts.com/episodes/283-authentication-with-sorcery http://railscasts.com/episodes/270-authentication-in-rails-3-1 Wednesday, October 19, 2011