0

I'm trying figure out a way to secure the login URL using Devise. I want to change the default route for users/sign_in. I don't want someone to stumble across the URL and gain access to the app.

Changing the following in the routes.rb file should give me the solution I'm looking for. However, I'm not sure if this is the best path to follow. 

devise_scope :user do
  get "/login" => "devise/sessions#new"
end

or

as :user do
  get "/login" => "devise/sessions#new"
end

Using the following may be easier

devise_for :users, :path => '', :path_names => {:sign_in => 'login', :sign_out => 'logout'}

"But I haven't gotten it to work"

I'm using a simple install of devise without pundit or any other type of authorization. The other thought I had was to implement a role and add the current users to that role. Therefore, blocking access to the app by default. But that would require me to add every new legitimate user to that role as they sign up. Don't really want to do that.

M.T Davis
  • 1,078
  • 2
  • 10
  • 31

3 Answers3

4

I would question your logic here - using a different url is simply security by obscurity. Even if you had your users login with /gobeligook its pretty trivial for any dedicated attacker to figure that out by sniffing traffic for example.

However you might want to change the path for various reasons - but don't fool yourself that you are adding any real security benefits by doing so.

Also you need to separate the concerns of authentication - which what Devise does and authorization. Authentication is verifying that the users is who he/she claims to be. Authorization is who gets to do what.

If you want to lock down your site to users that are vetted that is a authorization concern and there are a few ways to solve it based on your requirements:

Disable signups

The most basic way to do this would be to disable signups and only allow users to be created by admins. Its relatively secure but really tedious for admins and pretty draconian. In this case your authentication would simply be to lock down everything save for the sign in unless the user is authenticated.

Thats where before_action :authenticate_user! comes in.

Invitation only

You can use something like the DeviseInvitable module to invite users by email and then override the sign up method to require an invitation token.

Walled garden approach

What you may want is users to be able to sign up - but they are really only allowed to access anything when they have been vetted by an admin or a peer.

This is a basic sketch of how something like this could be setup:

class Approval
  belongs_to :user, 
  belongs_to :vetting_user, class_name: 'User'
end

class User
  # ...
  has_many :approvals, dependent: :destroy
  has_many :granted_approvals, 
    class_name: 'Approval', 
    source: :vetting_user, 
    dependent: :destroy

  def approved?
    approvals.any?
  end
end

class ApplicationController
  before_action :authenticate_user!
  before_action :authorize_user!, unless: :devise_controller?
  def authorize_user!
    redirect_to user_signup_path, unless current_user.approved?
  end
end

For breivity this does not include stuff like the controller where peers or admins vet users - but thats the simple part.

Although I would seriously consider using a purpose built authentication library like Pundit instead of rolling your own.

max
  • 96,212
  • 14
  • 104
  • 165
  • I’m glad you quested my logic. That is exactly what I was looking for because I wasn’t sure if my methods were sound. I believe using the ”Invitation” only approach would be the preferred method for my app. I will also look into the “Walled Garden” approach as well. That may be a better selection for another project that I’m working on. I appreciate your feedback. – M.T Davis Jan 21 '16 at 14:58
3

Adding before_filter :authenticate_user! to controllers should force anyone to go through the login process if the session is not authenticated. That's the whole purpose of using Devise and/or any other gem of that type.

Oscar Valdez Esquea
  • 890
  • 1
  • 11
  • 26
2

Its all up to you, the ways you listed are correct, please refer the devise-wiki : How-To:-Change-the-default-sign_in-and-sign_out-routes

And if you want user's authentication for most of your application then use

# application controller

before_action :authenticate_user!

# And then you can skip this before_action filter in your other controllers something like this

skip_before_action :require_login, only: [:new, :create]

And these are two things don't be confused in this.

  1. authentication

Devise is a flexible authentication solution for Rails based on Warden

  1. authorization

Pundit provides a set of helpers which guide you in leveraging regular Ruby classes and object oriented design patterns to build a simple, robust and scaleable authorization system.

Devise will help you in user authentication and if you want to authorization users based on some criteria then you should use Pundit

Raghvendra Parashar
  • 3,883
  • 1
  • 23
  • 36