kandanapp / kandan

Kandan is an Open Source Alternative to HipChat
GNU Affero General Public License v3.0

Added ability to authenticate by authenticity token, needed for compatibility with hubot. #346

Closed JangoSteve closed 10 years ago

JangoSteve commented 10 years ago

Hubot couldn't actually create activities in Kandan due to the removal of authenticity-token based validation from Devise in the Kandan app. This isn't ideal, but it works and will allow the Kandan Hubot to post activities in response to commands.

scouttyg commented 10 years ago

Looks good! Is there something we can fix with https://github.com/kandanapp/hubot-kandan-app so that it can authenticate via other methods, or is there another strategy we can use?

In the meantime let's pull this in so it's fixed.

JangoSteve commented 10 years ago

To be fair, there's a reason authentication tokens were removed from core Devise. Authenticating via static authenticity tokens has some vulnerabilities. This is the writeup from when it was removed and why:

http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/

To do this sort of thing securely, we'd need to build dynamic authentication tokens that expire and get regenerated after each use, using some sort of handshake method for the bot to get and use the authentication method.

I'm guessing this will have to do for now.
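
The scheme sketched in the comment above (a bot token that expires and is rotated after every use, handed back to the bot as part of the response) can be shown in a few dozen lines of plain Ruby. The following is an added example for this thread, not Kandan's, Devise's or hubot-kandan-app's code; the class name `RotatingBotToken`, the 300-second lifetime and the in-memory store are assumptions. The server keeps only a SHA-256 digest of the token and compares in constant time, so a replayed token, a stale token, or a leaked database row does not yield a working credential:

```ruby
require 'securerandom'
require 'digest'

# Hypothetical single-use, expiring bot token store (illustration only,
# not Kandan's code). Each successful request consumes the token and
# issues a replacement, so the bot never reuses a static credential.
class RotatingBotToken
  TTL_SECONDS = 300 # assumed lifetime; not a value from the thread

  Record = Struct.new(:digest, :expires_at)

  # clock is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @clock = clock
    @records = {} # bot_name => Record (only the digest is stored)
  end

  # Issue a fresh token for a bot. The plaintext is returned exactly once;
  # the store retains only its SHA-256 digest.
  def issue(bot_name)
    token = SecureRandom.hex(32)
    @records[bot_name] = Record.new(digest_of(token), @clock.call + TTL_SECONDS)
    token
  end

  # Authenticate one request. Returns [ok, next_token]. On success the
  # presented token is invalidated and next_token is the replacement the
  # bot must use for its following request (the "handshake"). On failure
  # next_token is nil and an expired record is dropped.
  def authenticate(bot_name, presented)
    rec = @records[bot_name]
    return [false, nil] if rec.nil? || presented.nil?

    if @clock.call > rec.expires_at
      @records.delete(bot_name) # expired: force the bot to re-enrol
      return [false, nil]
    end

    return [false, nil] unless secure_equal?(rec.digest, digest_of(presented))

    # Valid: rotate immediately so a captured copy cannot be replayed.
    [true, issue(bot_name)]
  end

  private

  def digest_of(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison of two equal-length strings, so timing does
  # not leak how many leading digest bytes matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a real deployment the records would live in the database next to the bot's user row and the replacement token would be returned in the response to the bot's API call; the bot then stores it for the next request. The important properties are the ones the test below checks: a token works once, a replay of it fails, and an expired token fails even if it was never used.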

scouttyg commented 10 years ago

Alright we'll pull this in for now and make sure we note it somewhere so we know to come back to it at a later time.