Rodauth: Clean Authentication

Have you ever struggled to choose a tool for authentication? This talk is about Rodauth, an excellent authentication framework. We will see how Rodauth compares with existing libraries and what advantages and disadvantages each of them has.

Valentine Ostakh

February 14, 2017

Transcript

  1. 7.
  2. 12.
  3. 13.
  4. 14.

    Custom Solution vs Authentication Libraries

    Library     Issues     Pull Requests   First Release
    Sorcery     64/451     28/306          31 Jan 2011
    Clearance   12/374     4/369           1 Sep 2009
    Authlogic   124/221    6/186           3 Nov 2008
    Devise      39/3353    29/979          21 Oct 2009
    Warden      18/74      4/49            26 May 2009
    Rodauth     0/8        0/11            12 Aug 2015
  5. 16.
  6. 17.
  7. 18.
  8. 21.

    • Authlogic - activerecord, activesupport
    • Devise - rails, warden
    • Clearance - rails, rack
    • Sorcery - rails
    • Warden - rack
    • Rodauth - roda, rack
  9. 22.
  10. 23.
  11. 29.

    Token Authentication Articles
    • An Introduction to Using JWT Authentication in Rails
    • Authenticate Your Rails API with JWT from Scratch
    • Token-based authentication with Ruby on Rails 5 API
    • JWT Auth in Rails, From Scratch
    • Implementing JWT in Ruby on Rails-based API
    • Authenticate Your Rails API with JWT
    • Rails Api Backed With JWT
    • Rails, Devise, JWT and the forgotten Warden
  12. 35.
  13. 37.
  14. 38.
  15. 50.
  16. 51-68.

    Rodauth Features (the slides build this list up one feature at a time)
    • Login
    • Logout
    • Change Password
    • Change Login
    • Reset Password
    • Create Account
    • Close Account
    • Verify Account
    • Confirm Password
    • Remember (Autologin via token)
    • Lockout (Bruteforce protection)
    • OTP (2 factor authentication via TOTP)
    • Recovery Codes (2 factor authentication via backup codes)
    • SMS Codes (2 factor authentication via SMS)
    • Verify Change Login
    • Verify Account Grace Period
    • Password Grace Period
    • Password Complexity
    • Disallow Password Reuse
    • Password Expiration
    • Account Expiration
    • Session Expiration
    • Single Session
    • JWT
    • Update Password Hash
    • HTTP Basic Auth
  34. 69.
  35. 70.
  36. 72.
  37. 75.

    require "roda"

    class RodauthApp < Roda
      # If using Rodauth in a non-Roda application
      # plugin :middleware

      plugin :rodauth do
        enable :login, :logout, :change_password
      end

      route do |r|
        r.rodauth
        rodauth.require_authentication

        # If using Rodauth in a Roda application
        # Your app code here
      end
    end

    # If using Rodauth in a non-Roda application
    # use RodauthApp

    # If using Rodauth in a Roda application
    run RodauthApp
  38. 76.

  39. 78.

    require 'simple_ldap_authenticator'

    plugin :rodauth do
      enable :login, :logout

      # Don't require the bcrypt library, since using LDAP for auth
      require_bcrypt? false

      # Treat the login itself as the account
      account_from_login{|l| l.to_s}

      # Use the login provided as the session value
      account_session_value{account}

      # Store session value in :login key, since the :account_id
      # default wouldn't make sense
      session_key :login

      password_match? do |password|
        SimpleLdapAuthenticator.valid?(account, password)
      end
    end
  40. 81.

    module Auth
      class Rodauth < Roda
        plugin :rodauth do
          enable :login
        end

        route do |r|
          r.post 'login' do
            # Custom POST /login handling here
          end

          r.rodauth
        end
      end
    end
  41. 86.

    Setup With PostgreSQL

    # Load extensions
    psql -U postgres -c "CREATE EXTENSION citext" ${DATABASE_NAME}

    # Create database accounts: the application role, and a separate
    # role for the password hash table
    createuser -U postgres ${DATABASE_NAME}
    createuser -U postgres ${DATABASE_NAME}_password
  42. 87.

    Setup With PostgreSQL

    create_table(:accounts) do
      primary_key :id, :type=>:Bignum
      foreign_key :status_id, :account_statuses, :null=>false, :default=>1
      if db.database_type == :postgres
        citext :email, :null=>false
        constraint :valid_email, :email=>/^[^,;@ \r\n]+@[^,@; \r\n]+\.[^,@; \r\n]+$/
        index :email, :unique=>true, :where=>{:status_id=>[1, 2]}
      else
        String :email, :null=>false
        index :email, :unique=>true
      end
    end

    case database_type
    when :postgres
      # The separate password role only needs to reference accounts
      # (foreign key from the password hash table), not read them
      user = get{Sequel.lit('current_user')} + '_password'
      run "GRANT REFERENCES ON accounts TO #{user}"
    end
  43. 88.

    Define Rodauth Features

    plugin :rodauth, :json=>true, :csrf=>false, :flash=>false do
      enable :change_password, :close_account, :create_account, :login, :logout,
             :remember, :reset_password, :verify_account, :otp, :recovery_codes,
             :sms_codes, :password_complexity, :disallow_password_reuse,
             :password_grace_period, :account_expiration, :single_session, :jwt,
             :session_expiration

      max_invalid_logins 2
      allow_password_change_after 60
      verify_account_grace_period 300
      jwt_secret secret

      sms_send do |phone_number, message|
        MUTEX.synchronize{SMS[session_value] = "..."}
      end
    end
  44. 89.
  45. 90.

    Rodauth Advantages
    • Integration with any rack application
    • Minimum dependencies
    • Features
    • Security
    • Simplicity
  46. 93.

    Registration

    module Auth
      class Rodauth < Roda
        DB = Sequel.connect(ENV['DATABASE_URL'])

        plugin :middleware
        plugin :rodauth, json: :only do
          enable :login, :logout, :jwt, :create_account

          jwt_session_hash do
            super().merge(exp: SmartTaskApi::Utils.jwt_expiration)
          end

          jwt_secret ENV['JWT_SECRET']
        end

        route do |r|
          r.rodauth
          env['rodauth'] = rodauth
        end
      end
    end
  47. 94.

    Token Authentication

    module Api
      class Rodauth < Roda
        DB = Sequel.connect(ENV['DATABASE_URL'])

        plugin :middleware
        plugin :rodauth, json: :only do
          enable :jwt
          jwt_secret ENV['JWT_SECRET']
        end

        route do |r|
          r.rodauth
          rodauth.require_authentication
          env['rodauth'] = rodauth
        end
      end
    end
  48. 97.