Rodauth: Clean Authentication

Have you had any concerns about choosing a tool for authentication? This talk is about Rodauth, an awesome authentication framework. We will see how Rodauth compares with existing libraries and what advantages and disadvantages each of them has.

Valentine Ostakh

February 14, 2017

Transcript

  1. Valentyn Ostakh https://github.com/valikos https://twitter.com/valikos_ost

  2. Rodauth Clean Authentication

  3. What is the most necessary feature for interaction with users?

  4. Authentication

  5. Authentication is the act of identifying the user who is going to interact with your product
  6. I want authentication for my application

  7. None
  8. Ruby-toolbox

  9. Awesome-ruby

  10. Authentication • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  11. What about custom solution?

  12. None
  13. None
  14. Custom Solution vs Authentication Libraries

    | Library   | Issues (open/total) | Pull Requests (open/total) | First Release |
    |-----------|---------------------|----------------------------|---------------|
    | Sorcery   | 64/451              | 28/306                     | 31 Jan 2011   |
    | Clearance | 12/374              | 4/369                      | 1 Sep 2009    |
    | Authlogic | 124/221             | 6/186                      | 3 Nov 2008    |
    | Devise    | 39/3353             | 29/979                     | 21 Oct 2009   |
    | Warden    | 18/74               | 4/49                       | 26 May 2009   |
    | Rodauth   | 0/8                 | 0/11                       | 12 Aug 2015   |
  15. I want flexible authentication that can be used with any framework
  16. None
  17. None
  18. None
  19. How to choose a library for my application?

  20. Dependencies

  21. • Authlogic - activerecord, activesupport
    • Devise - rails, warden
    • Clearance - rails, rack
    • Sorcery - rails
    • Warden - rack
    • Rodauth - roda, rack
  22. Clearance

  23. Features

  24. Registration • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  25. Login • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  26. Logout • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  27. It would be great to have token authentication

  28. Token Authentication • Authlogic • Devise • Clearance • Sorcery • Warden • Rodauth
  29. Token Authentication Articles
    • An Introduction to Using JWT Authentication in Rails
    • Authenticate Your Rails API with JWT from Scratch
    • Token-based authentication with Ruby on Rails 5 API
    • JWT Auth in Rails, From Scratch
    • Implementing JWT in Ruby on Rails-based API
    • Authenticate Your Rails API with JWT
    • Rails Api Backed With JWT
    • Rails, Devise, JWT and the forgotten Warden
  30. Token Authentication Gems • jwt_authentication • simple_token_authentication • devise_token_auth

  31. Token Authentication Gems • jwt_authentication (based on devise) • simple_token_authentication (based on devise) • devise_token_auth (based on devise)
  32. Token Authentication

  33. Popularity

  34. Total downloads on rubygems.org

    | Library   | Total Downloads |
    |-----------|-----------------|
    | Devise    | 21,407,462      |
    | Warden    | 21,018,495      |
    | Authlogic | 2,343,678       |
    | Sorcery   | 527,431         |
    | Clearance | 317,409         |
    | Rodauth   | 6,163           |
  35. Summary

  36. Summary table with columns Library, Dependencies, Features and Token Authentication, comparing Devise, Warden, Authlogic, Sorcery, Clearance and Rodauth (the cell marks are not recoverable from the transcript)
  37. Rodauth

  38. Rodauth

  39. Jeremy Evans Twitter: @jeremyevans0

  40. Roda Sequel

  41. Rodauth Goals • Security • Simplicity • Flexibility

  42. Features first

  43-68. Rodauth Features (the slides add one feature at a time)
    • Login
    • Logout
    • Change Password
    • Change Login
    • Reset Password
    • Create Account
    • Close Account
    • Verify Account
    • Confirm Password
    • Remember (Autologin via token)
    • Lockout (Bruteforce protection)
    • OTP (2 factor authentication via TOTP)
    • Recovery Codes (2 factor authentication via backup codes)
    • SMS Codes (2 factor authentication via SMS)
    • Verify Change Login
    • Verify Account Grace Period
    • Password Grace Period
    • Password Complexity
    • Disallow Password Reuse
    • Password Expiration
    • Account Expiration
    • Session Expiration
    • Single Session
    • JWT
    • Update Password Hash
    • HTTP Basic Auth
  69. None
  70. Security

  71. • Uses database functions to access password hashes • Two database accounts are used
  72. • Uses database functions to access password hashes (optional) • Two database accounts are used (optional)
  73. Flexibility

  74. Can be used with any Rack framework

  75.

```ruby
require "roda"

class RodauthApp < Roda
  # If using Rodauth in a non-Roda application
  # plugin :middleware

  plugin :rodauth do
    enable :login, :logout, :change_password
  end

  route do |r|
    r.rodauth
    rodauth.require_authentication

    # If using Rodauth in a Roda application
    # Your app code here
  end
end

# If using Rodauth in a non-Roda application
# use RodauthApp

# If using Rodauth in a Roda application
run RodauthApp
```
  77. Rodauth uses a simple configuration DSL

  78.

```ruby
require 'simple_ldap_authenticator'

plugin :rodauth do
  enable :login, :logout

  # Don't require the bcrypt library, since using LDAP for auth
  require_bcrypt? false

  # Treat the login itself as the account
  account_from_login { |l| l.to_s }

  # Use the login provided as the session value
  account_session_value { account }

  # Store session value in :login key, since the :account_id
  # default wouldn't make sense
  session_key :login

  password_match? do |password|
    SimpleLdapAuthenticator.valid?(account, password)
  end
end
```
  79. Simplicity

  80. Rodauth allows for overriding any part of the framework

  81.

```ruby
module Auth
  class Rodauth < Roda
    plugin :rodauth do
      enable :login
    end

    route do |r|
      r.post 'login' do
        # Custom POST /login handling here
      end

      r.rodauth
    end
  end
end
```
  82. How to start using Rodauth?

  83. • Resolve database dependencies • Define Rodauth features

  84. Database dependencies

  85. • Setup database • Create tables

  86. Setup With Postgresql

```sh
# Load extensions
psql -U postgres -c "CREATE EXTENSION citext" ${DATABASE_NAME}

# Create database accounts
createuser -U postgres ${DATABASE_NAME}
createuser -U postgres ${DATABASE_NAME}_password
```
  87. Setup With Postgresql

```ruby
# Inside a Sequel migration's up block
create_table(:accounts) do
  primary_key :id, :type=>:Bignum
  foreign_key :status_id, :account_statuses, :null=>false, :default=>1

  if db.database_type == :postgres
    citext :email, :null=>false
    constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
    index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
  else
    String :email, :null=>false
    index :email, :unique=>true
  end
end

case database_type
when :postgres
  # The <db>_password account only needs to reference accounts, not read them
  user = get{Sequel.lit('current_user')} + '_password'
  run "GRANT REFERENCES ON accounts TO #{user}"
end
```
  88. Define Rodauth Features

```ruby
plugin :rodauth, :json=>true, :csrf=>false, :flash=>false do
  enable :change_password, :close_account, :create_account, :login, :logout,
         :remember, :reset_password, :verify_account, :otp, :recovery_codes,
         :sms_codes, :password_complexity, :disallow_password_reuse,
         :password_grace_period, :account_expiration, :single_session, :jwt,
         :session_expiration

  max_invalid_logins 2
  allow_password_change_after 60
  verify_account_grace_period 300
  jwt_secret secret

  sms_send do |phone_number, message|
    MUTEX.synchronize { SMS[session_value] = "..." }
  end
end
```
  89. Summary

  90. Rodauth Advantages • Integration with any Rack application • Minimum dependencies • Features • Security • Simplicity
  91. Rodauth Disadvantages • Doesn't work with OAuth • Routes design: can mismatch with your design
  92. My own experience

  93. Registration

```ruby
module Auth
  class Rodauth < Roda
    DB = Sequel.connect(ENV['DATABASE_URL'])

    plugin :middleware
    plugin :rodauth, json: :only do
      enable :login, :logout, :jwt, :create_account

      # Add an expiry claim to the session hash that gets signed into the JWT
      jwt_session_hash do
        super().merge(exp: SmartTaskApi::Utils.jwt_expiration)
      end

      jwt_secret ENV['JWT_SECRET']
    end

    route do |r|
      r.rodauth
      env['rodauth'] = rodauth
    end
  end
end
```
  94. Token Authentication

```ruby
module Api
  class Rodauth < Roda
    DB = Sequel.connect(ENV['DATABASE_URL'])

    plugin :middleware
    plugin :rodauth, json: :only do
      enable :jwt
      jwt_secret ENV['JWT_SECRET']
    end

    route do |r|
      r.rodauth
      # Reject any request that does not carry a valid JWT
      rodauth.require_authentication
      env['rodauth'] = rodauth
    end
  end
end
```
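The two apps above form one token flow: the Auth app signs a session hash carrying an `exp` claim with JWT_SECRET, and the Api app accepts only tokens that verify against the same secret and have not expired. The following is an added, stdlib-only Ruby example of that issue-and-verify logic, not Rodauth's own implementation; the `SessionToken` module, its method names and the sample secret and timestamps are constructed for illustration.

```ruby
require 'openssl'
require 'json'

# Added example (Ruby stdlib only, not Rodauth's own code): an HS256 session
# token with an `exp` claim, the shape the Auth app above produces via
# jwt_session_hash and the Api app checks on every request.
module SessionToken
  module_function
  # URL-safe base64 without padding, as used in JWT segments.
  def b64(data)
    [data].pack('m0').tr('+/', '-_').delete('=')
  end

  def unb64(str)
    padded = str.tr('-_', '+/')
    (padded + '=' * ((4 - padded.length % 4) % 4)).unpack1('m')
  end
  def sign(secret, signing_input)
    OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  end

  # Issue a token for a session hash, merging an expiry `ttl` seconds ahead,
  # the same idea as `jwt_session_hash { super().merge(exp: ...) }` above.
  def issue(session_hash, secret, ttl: 900, now: Time.now.to_i)
    header  = b64(JSON.generate({ typ: 'JWT', alg: 'HS256' }))
    payload = b64(JSON.generate(session_hash.merge(exp: now + ttl)))
    signing_input = "#{header}.#{payload}"
    "#{signing_input}.#{b64(sign(secret, signing_input))}"
  end

  # Verify the signature first, then the expiry; returns the claims or nil.
  # Without the `exp` check a leaked token would stay valid forever.
  def verify(token, secret, now: Time.now.to_i)
    header, payload, sig = token.split('.', 3)
    return nil unless header && payload && sig
    expected = b64(sign(secret, "#{header}.#{payload}"))
    return nil unless constant_time_equal?(expected, sig)
    claims = JSON.parse(unb64(payload))
    return nil unless claims['exp'].is_a?(Integer) && now < claims['exp']
    claims
  rescue ArgumentError, TypeError, JSON::ParserError
    nil
  end

  # Compare without short-circuiting on the first differing byte.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Rodauth's jwt feature performs the equivalent checks through the jwt gem; the point here is that the signature is verified before any claim is read and that an expired token is rejected even when its signature is valid.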
  95. Rodauth Examples
    • https://github.com/jeremyevans/ginatra
    • https://github.com/jeremyevans/rodauth-demo-rails
    • https://github.com/davydovanton/rodauth_hanami
    • https://github.com/davydovanton/grape-rodauth
    • https://github.com/valikos/smart-task-api-hanami
  96. Rodauth Clean Authentication

  97. Thanks!

  98. Questions?

  99. Valentyn Ostakh https://github.com/valikos https://twitter.com/valikos_ost