Using rails secret to salt authentication keys in devise -


i creating ember app has devise worked in authentication. i'm getting stuck how these different tokens come play.

i'm reimplementing deprecated :token_authenticatable devise "strategy" using method described here. i'd add token authentication api , sign requests user's token.

what i'm wondering is, though it's using devise.secure_compare thwart timing attacks, it's still storing authentication_token in plain text, if gain access database, tokens potentially used steal session, no?

devise seems use 2 different types of "tokens" in modules:

  1. creating token devise.friendly_token , storing plain text. doing token (as used in :rememberable).
  2. creating salted token devise.token_generator (as seem in :confirmable).

the second method looks me token salted using devise.secret_key derived rails secret in config/secrets.yml. way token encrypted , if database exposed reason, tokens couldn't used, right? equivalent of having private key (rails secret) , public key (authentication_token).

i have quite few concerns:

  • should use devise.token_generator create authentication_tokens?
  • what word on security these type of tokens?
  • how csrf token factor devise?

devise lot of things, , not things particular application needs or in way applications needs. found wasn't fit application. lack of support/removal of api token authentication provided enough motivation move on , implement needed. able implement token auth scratch easily. gained full flexibility managing user signup/workflows/invitations , on without constraints , contortions required of devise. still use warden devise uses rack middleware integration.

i've provided example of implementing token authentication/authorisation on another stackoverflow question. should able use code starting point token authentication, , implement additional token protection require. i'm using oauth token approach ember.js.

also consider if encrypting tokens hand-waving because depending on deployment environment , how manage master key/secret, may giving false sense of security. remember encryption says nothing integrity/validity of token or related authentication/authorisation information, unless have mac/signature encompasses used in access decision. whilst may go trouble of protecting tokens attackers whom have access database, may trivial same attackers inject bogus tokens or elevate privileges existing users in database, or steal or modify real data may want achieve!

i've made large comments in respect of providing integrity , confidentiality controls authentication/authorisation information (which tokens part of) on doorkeeper gem. suggest reading full issue idea of scope of problem , things consider because none of gems should done. i've provided overview on how avoid storing tokens on server altogether , i've provided sample token generation , authentication code in gist deals timing based attacks.


Comments

Post a Comment

Popular posts from this blog

java - How to specify maven bin in eclipse maven plugin? -

i have eclipse maven plugin coming on centos. how can execute maven command on linx like: mvn clean package [abigail@localhost ~]$ mvn bash: mvn: command not found how should specify path executable of maven plugin in eclipse? or have install maven seperately? thanks. eclipse (m2e) have bundled central parts of maven inside eclipse plugin, why not detected, , not usable. investigation find correct way bootstrap it, have create launcher file manually. if want run maven outside of eclipse, far better off standalone version of maven. mvn command bootstrap maven runtime system correctly, , secondly, able use advice concerning use of maven. maven binaries quite stable, wouldn't need upgrade upgrade eclipse. you can subsequently switch eclipse use external installation if prefer.
Read more

single sign on - Logging into Plone site with credentials passed through HTTP -

i using plone 4.3.3 , new plone development. here trying achieve: i have site going redirect plone site. in http url line redirects plone site pass username whereas plone site should automatically log user username in without asking credentials password. not care safety or encryption @ point. how achieve that? (i guess need somehow modify existing login view, how do that?) thanks. i had same problem , @ end i've developed own pas plugin. i've followed next steps: create pas plugin implement extractcredentials method following this example implement authenticatecredentials method following this example add plugin develop section in build.conf. start plone , open zope console. go acl_users folder , add plugin pas system there examples here can use templates.
Read more

php - Why does AJAX not process login form? -

i writing simple login script in php form. can't work. there wrong ajax. when click submit button doesn't anything. this login html form: <form id="login_form"> <input type="text" class="input_field" name="username" id="username" value="gebruikersnaam" onclick="if(value=='gebruikersnaam'){ this.value='' }"/> <input type="password" class="input_field" name="password" id="password"/> <input type="submit" class="login_button" id="login_button" value="ga door"/> </form> this ajax: $(document).ready(function(){ $("#login_form").submit(function() { $.ajax({ type: "post", url: 'php/login_check.php', data: $("#login_form").serialize(), // serializes form...
Read more