OWASP / railsgoat

A vulnerable version of Rails that follows the OWASP Top 10
railsgoat.cktricky.com
MIT License

Adding Devise to Railsgoat #207

Open cktricky opened 8 years ago

cktricky commented 8 years ago

See https://github.com/OWASP/railsgoat/issues/140 for reference but the basic gist is we want to change Railsgoat's current auth to use Devise and demonstrate weaknesses in configuration when using Devise. Ideally though, we figure out a way to discuss the "strengthening" aspects in our tutorials. Maybe a recommended guide or something.

Thanks to @jasnow for keeping an eye on this.

cktricky commented 8 years ago

Working on this in the devise branch.

jasnow commented 8 years ago

4 random references I found in my notes:

cktricky commented 8 years ago

Thank you, @jasnow

diegorv commented 6 years ago

May I help? 😄

What's the idea?

cktricky commented 6 years ago

Hi @diegorv 👋,

My apologies. I saw this message and meant to reply but somehow forgot to!

We would of course love any help you would be willing to provide 🙇

In the current version of Railsgoat, we use our own custom authentication, for example, you can see a terrible password hashing mechanism here. At the time, this was fine from a tutorial standpoint because it was common to see developers rolling their own custom authentication (this was back between 2010-2013). However, Devise went ahead and fixed that problem (thank you ❤️) - meaning, more people are relying on devise rather than custom authentication.

My thinking was to switch to using devise but build railsgoat with the "less than secure" defaults of Devise and write the wiki pages on how to use devise in the most secure fashion. Almost a hardening guide.

I started the work in the devise branch but this was 2 years ago and not only is it woefully out of date but honestly I don't even remember how far I got.

So the three major tasks at hand are:

I'd be happy to do any of these but could definitely use your input and any of these tasks you'd like to pick up, please do!
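The "less than secure defaults" plus hardening-guide idea described above, as an added example that is not part of this thread, of RailsGoat, or of Devise: a plain-Ruby audit over a Hash that mirrors Devise initializer option names. The keys (`stretches`, `pepper`, `password_length`, `paranoid`, `lock_strategy`, `maximum_attempts`, `timeout_in`, `reset_password_within`, `expire_all_remember_me_on_sign_out`) are real Devise settings; the two sample configurations, the thresholds and the audit functions are constructed assumptions for illustration, not a description of what the devise branch actually contains. Durations are plain seconds so the file runs without Rails or the devise gem.

```ruby
# Added example: a small audit of Devise settings, not code from RailsGoat or
# from the Devise project. Setting names are real Devise initializer options;
# the values, thresholds and sample configs are constructed for this example.

# Constructed sample: the weaker configuration an intentionally vulnerable
# training app might ship with. Times are seconds (no ActiveSupport helpers).
WEAK_DEVISE_CONFIG = {
  stretches: 1,                           # bcrypt cost; Devise's test-env value
  pepper: nil,                            # no app-wide secret mixed into hashes
  password_length: 4..128,                # short minimum
  paranoid: false,                        # reset/confirm flows reveal whether an email exists
  lock_strategy: :none,                   # Lockable effectively off
  maximum_attempts: nil,
  timeout_in: nil,                        # Timeoutable off: idle sessions never expire
  reset_password_within: 7 * 24 * 3600,   # reset tokens valid for a week
  expire_all_remember_me_on_sign_out: false
}.freeze

# Constructed sample: the same keys with values a hardening guide would recommend.
HARDENED_DEVISE_CONFIG = WEAK_DEVISE_CONFIG.merge(
  stretches: 12,
  pepper: "CONSTRUCTED-PLACEHOLDER-use-a-long-random-secret",
  password_length: 12..128,
  paranoid: true,
  lock_strategy: :failed_attempts,
  maximum_attempts: 10,
  timeout_in: 30 * 60,
  reset_password_within: 6 * 3600,
  expire_all_remember_me_on_sign_out: true
).freeze

# Each check returns a finding string for a weak value, or nil when it passes.
# Thresholds are this example's own choices, not Devise's.
DEVISE_CHECKS = {
  stretches: lambda { |v|
    "stretches=#{v.inspect}: bcrypt cost below 10 makes offline cracking cheap" if v.nil? || v < 10
  },
  pepper: lambda { |v|
    "pepper unset: add an application-wide secret to the hash input" if v.nil? || v.to_s.empty?
  },
  password_length: lambda { |v|
    "password_length=#{v.inspect}: minimum below 8" if v.nil? || v.min < 8
  },
  paranoid: lambda { |v|
    "paranoid=false: reset and confirmation responses disclose account existence" unless v
  },
  lock_strategy: lambda { |v|
    "lock_strategy=#{v.inspect}: enable Lockable with :failed_attempts" unless v == :failed_attempts
  },
  maximum_attempts: lambda { |v|
    "maximum_attempts=#{v.inspect}: set a finite limit (example allows <= 20)" if v.nil? || v > 20
  },
  timeout_in: lambda { |v|
    "timeout_in=#{v.inspect}: enable Timeoutable so idle sessions expire" if v.nil? || v > 60 * 60
  },
  reset_password_within: lambda { |v|
    "reset_password_within=#{v.inspect}s: reset tokens should expire within hours" if v.nil? || v > 24 * 3600
  },
  expire_all_remember_me_on_sign_out: lambda { |v|
    "expire_all_remember_me_on_sign_out=false: sign-out leaves other remember-me cookies valid" unless v
  }
}.freeze

# Returns the list of findings for a config hash; an empty array means clean.
def audit_devise_config(config)
  DEVISE_CHECKS.map { |key, check| check.call(config[key]) }.compact
end

# True when every check passes.
def devise_config_hardened?(config)
  audit_devise_config(config).empty?
end

if __FILE__ == $PROGRAM_NAME
  puts "Weak config findings:"
  audit_devise_config(WEAK_DEVISE_CONFIG).each { |f| puts "  - #{f}" }
  puts "Hardened config findings: #{audit_devise_config(HARDENED_DEVISE_CONFIG).size}"
end
```

Run with `ruby devise_audit.rb`: the weak sample produces one finding per key, the hardened sample none. The same checks could be pointed at a parsed `config/initializers/devise.rb`, but the point here is that each weak default maps to a concrete wiki page topic for the hardening guide.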

cktricky commented 6 years ago

Also, I was just in São Paulo back in May! Had a great time at BSides and You Sh0t The Sheriff.

lawrence-berry commented 4 years ago

Just wondering if this is still on the roadmap for this project? Was keen to start using this in our org but think it would be more valuable if based on Devise, and I think others would too as it seems to be the most common auth lib for Rails projects these days.