technoweenie / restful-authentication

inactive project
MIT License
1.57k stars 280 forks source link

"Restful Authentication Generator":http://github.com/technoweenie/restful-authentication

This widely-used plugin provides a foundation for securely managing user authentication:

Several features were updated in May, 2008.

IMPORTANT: if you upgrade your site, existing user account passwords will stop working unless you use --old-passwords


Issue Tracker

Please submit any bugs or annoyances on the lighthouse tracker at

For anything simple enough, please github message both maintainers: Rick Olson ("technoweenie":http://github.com/technoweenie) and Flip Kromer ("mrflip":http://github.com/mrflip).


Documentation

This page has notes on

See the "wiki":http://github.com/technoweenie/restful-authentication/wikis/home (or the notes/ directory) if you want to learn more about:

These best version of the release notes are in the notes/ directory in the "source code":http://github.com/technoweenie/restful-authentication/tree/master -- look there for the latest version. The wiki versions are taken (manually) from there.


Exciting new features

Stories

There are now "Cucumber":http://wiki.github.com/aslakhellesoy/cucumber/home features that allow expressive, enjoyable tests for the authentication code. The flexible code for resource testing in stories was extended from "Ben Mabey's.":http://www.benmabey.com/2008/02/04/rspec-plain-text-stories-webrat-chunky-bacon/

Modularize to match security design patterns:

Other


Non-backwards compatible Changes

Here are a few changes in the May 2008 release that increase "Defense in Depth" but may require changes to existing accounts

Passwords

The new password encryption (using a site key salt and stretching) will break existing user accounts' passwords. We recommend you use the --old-passwords option or write a migration tool and submit it as a patch. See the [[Tradeoffs]] note for more information.

Validations

By default, email and usernames are validated against a somewhat strict pattern; your users' values may be now illegal. Adjust to suit.


Installation

This is a basic restful authentication generator for rails, taken from acts as authenticated. Currently it requires Rails 1.2.6 or above.

IMPORTANT FOR RAILS > 2.1 USERS To avoid a @NameError@ exception ("lighthouse tracker ticket":http://rails_security.lighthouseapp.com/projects/15332-restful_authentication/tickets/2-not-a-valid-constant-name-errors#ticket-2-2), check out the code to have an underscore and not dash in its name:

To use the generator:

./script/generate authenticated user sessions \ --include-activation \ --stateful \ --rspec \ --skip-migration \ --skip-routes \ --old-passwords


After installing

The below assumes a Model named 'User' and a Controller named 'Session'; please alter to suit. There are additional security minutae in @notes/README-Tradeoffs@ -- only the paranoid or the curious need bother, though.