This thread was for our Q&A session with [Ilya Bodrov][1], which took place on September 3rd, 2015.
Ilya is a long time [SitePoint author][2] and recently a [SitePoint Premium teacher][3] with the release of his latest course [Getting Started with Backbone.JS][4]. Ilya loves all things web and regularly contributes to many open source projects [amongst other things][5], but he is most passionate about building web components and authentication in Rails. Just have a read of some of his articles:
[Messaging with Rails and Mailboxer][6]
[Steam-Powered DOTA on Rails][7]
[Rails Authentication with Authlogic][8]
[CanCanCan: The Rails Authorization Dance][9]
It’s clear to see that Ilya knows his Rails!
Original message:
If you have been itching to ask him a question, or have a Rails question you’d like answered, then please come along and join us. He will be answering all of your Rails authentication questions for 30 minutes on this very page.
To ensure your question is answered, we’re accepting early submissions. Please feel free to pop in your question through this thread, Twitter (#askilyaSP) or [this form][10].
Want to join but are unsure about when it takes place in your timezone? [This link][11] will be able to assist. Not familiar with SitePoint? Really?! [Go have a look][12]. Not familiar with SitePoint Premium? [This][13] will bring you up to speed.
Hi Ilya and Angela! Thanks for organizing the Live Q&A on Rails Authentication this Thursday!
My question for Ilya is whether there are any leading practices he would recommend with respect to implementing SSO (Single Sign-On) with Rails with LDAP/Active Directory (e.g. a typical internal corporate user database, in a Windows environment), or, alternately, “gotchas” to be aware of.
Thanks in advance for any insights, experiences or wisdom he can share on the subject!
I’m working on a PR to make rubygems.org an OAuth2 provider for authenticating users on other rubygems.org properties.
Would love some feedback on setting up Doorkeeper, whether rg users should each own an Application or not, and how you’d test this. We’re using the authenticated_client flow (not password) and use SSL, and also appreciate any thoughts on security.
Users must be signed in to rg to create or view Applications.
Have you used Doorkeeper, opro, or other provider libraries? Looked at Mozilla macaroons?
Welcome to today’s Q&A with @bodrovis, a SitePoint author and SitePoint Premium teacher.
Today Ilya will be answering all your Rails authentication questions, in fact any question relating to Rails and Ruby (his favourite topics). Feel free to ask him all of your questions on the forums. If you’re on Twitter, you can tweet questions using #askIlyaSP and we’ll bring them into the discussion.
Thank you for the question. I’d really love to help, however I haven’t used Doorkeeper that extensively. The only thing that you are discussing and I did use is Clearance (and my article on it is coming soon). Still, you’ve given me a lot to think of and research, so hopefully in a couple of weeks I’ll write about Doorkeeper and opro as well, so that other folks have some place to set off.
Also, thanks to everyone working on rubygems for all the hard work!
Hi @bodrovis,
We had a couple of questions come through social. This one is from @James_Hibbard:
Scenario 1: I have a Rails app with reasonable test coverage. I then decide to add user authentication with Devise. In itself, this is successful, however requiring users to be authenticated before accessing certain resources, causes many of my existing tests to fail.
Do you have any tips or resources you can point towards for handling this scenario?
@bodrovis Thanks for your reply. Do you have any experience with authentication providers (as opposed to clients)? RubyGems.org already uses Clearance as you noted, but it, like Devise, AuthLogic, etc. are to OAuth was having a password-based login on my personal site to having a “Log in with GitHub” button, no?
Unfortunately, I don’t quite get the idea. Why can’t you just set some fake session for the tests and pretend that a user is authenticated? As long as Devise uses Warden, it is totally possible. Sorry if I misunderstood you.
```ruby
module RequestHelpers
  include Warden::Test::Helpers

  # Request specs do not have Devise's sign_in helper,
  # so polyfill it with login_as from Warden::Test::Helpers
  def sign_in(user)
    login_as(user)
  end
end
```
and then in our spec file
```ruby
require 'spec_helper'

describe SomeRequest do
  let(:user) { create(:user) }

  describe "#index" do
    before do
      sign_in user
    end

    # tests etc
  end
end
```
@James_Hibbard Devise has test helpers for login_in(@user) etc. that you’d often put in a before/setup block. I’ll update this comment when I find a good example.
Here’s another question from @James_Hibbard:
Scenario 2: I’m planning on building a Rails app from scratch using TDD. I know in advance that the users will have to log in to use the app. I’m using Devise for authentication and the cancancan gem for authorization.
Do you have any tips or resources you can point towards for handling this scenario? (i.e. where to start and the best order to do what)