adamcooke / authie
Improve user session security in Ruby on Rails applications with database session storage
License: MIT License
I have implemented the "user impersonation" feature as described in the readme and while the first step (impersonating as a user) works great, returning to the parent session does not.
After calling auth_session.revert_to_parent! I am completely logged out instead.
When logging in in a second browser window (incognito) and looking at all sessions for the admin user, I can see that the session from which the impersonation is started is marked inactive once the impersonation starts and also marked active again when it ends, but in the browser where I end the impersonation I have no active session anymore.
Here's the code (in a controller), which is pretty much exactly as it is in the readme:

```ruby
def impersonate_user
  auth_session.impersonate!(User.find(params[:user_id]))
  redirect_to root_path
end

def revert_impersonation
  auth_session.revert_to_parent!
  redirect_to root_path
end
```
I hope that makes sense. Is there anything I'm missing?
Update: I can get it to work by grabbing the user off the parent session, destroying the parent session, and then starting a new session for the user. Seems a bit unnecessary though, I'd prefer to just properly activate the parent again.

```ruby
def revert_impersonation
  parent_session = auth_session.revert_to_parent!
  parent_session.destroy!
  create_auth_session(parent_session.user)
  redirect_to root_path
end
```
This commit, which changed auto-loading behaviour, bumped the version to 3.3.0, but that hasn't been released to RubyGems yet (the latest is 3.2.0).
I assume that that change also closes #17, as it completely removes the line in question. That would be great because I could install authie regularly instead of pointing to master when upgrading to Rails 6.
So: 3.3.0 to RubyGems. Thank you!
After upgrading to Rails 6 and enabling the new autoloader, it seems Rails is no longer able to find the authie session properly, throwing this error: uninitialized constant Authie::Session (NameError). The error is specifically being thrown because of this line: rescue_from Authie::Session::ValidityError, with: :auth_session_error. If I turn back on the classic autoloader then no errors are thrown.
Let me know if you need any more info from me about this.
We have some controllers for a public API that we would like to turn off authie for. Is it possible to do this cleanly? I tried doing a skip_before_action with set_browser_id and touch_auth_session but it still runs some of the code. We would like to be able to disable it completely for all but 1 or 2 of the endpoints as they don't need any kind of session checking (some of the endpoints still rely on cookie authentication).
If I try to run the migrations task, I get the following error (Rails 6.0.3.4, Ruby 2.7.2):

```text
rake aborted!
NoMethodError: undefined method `helper_method' for ActionController::API:Class
/home/mkrs/pdms/config/environment.rb:5:in `<main>'
Tasks: TOP => railties:install:migrations => db:load_config => environment
```
EDIT
The problem seems to occur in this piece of code:

```ruby
module Authie
  module ControllerExtension
    def self.included(base)
      base.helper_method :logged_in?, :current_user, :auth_session
      before_action_method = base.respond_to?(:before_action) ? :before_action : :before_filter
      base.public_send(before_action_method, :set_browser_id, :touch_auth_session)
    end
  end
end
```

It happens the second time this function is called, when base is equal to ActionController::API. Seems to be an incompatibility issue with some inheritance.
Can I fix this on my side or does it have to be fixed on the gem side?
Hi @adamcooke, thanks for this great gem!
In an existing project I would like to upgrade from authie version 2 to 3.
Can you provide some advice/instructions on how to do so?
The errors I get have to do with undefined method `token_hash='. Is the solution to simply add a migration?
Thanks for your efforts!
This is good, but it would be better to bypass ActiveRecord and use SQL directly. I've found the following, but I don't know how up-to-date or secure or reliable they are. Rails would benefit from an up-to-date fast cookie/sql session store with the features you have here. Also I would like to see more adoption to convince me it's secure before I bet the business on it.
http://apidock.com/rails/v3.2.8/ActiveRecord/SessionStore/SqlBypass included in Rails 3.2
http://archive.railsforum.com/viewtopic.php?id=42802
http://kovyrin.net/2008/02/06/fastsessions-rails-plugin-released/
https://code.google.com/p/rails-fast-sessions/
http://railsexpress.de/blog/articles/2005/12/19/roll-your-own-sql-session-store/
https://gist.github.com/robertsosinski/3869435
https://github.com/nateware/sql_session_store
https://github.com/skaes/sql_session_store
Hi, how do I make it work with uuid? It gives the error "Operand type clash: int is incompatible with uniqueidentifier".
Hi @adamcooke. I think d315875 is incomplete. I use version 1.2.4 of this gem on a project at work (thanks so much for your work on this) and required this fix after hitting the same issue that you undoubtedly did but I'm not quite ready to upgrade to the next major version.
The before_create above, where it assigns AuthieSession#user_agent in a controller context, is still able to throw the same error.
Locally, I've implemented a fix for this by overriding AuthieSession#user_agent= like so:
```ruby
module Authie
  class Session < ActiveRecord::Base
    def user_agent=(value)
      super value[0, 255]
    rescue
      super
    end
  end
end
```
This seems to take care of the issue and allows me to save Authie::Session instances again.
I couldn't override the before_create as it's implemented with an anonymous block and wasn't sure I could guarantee the callback order if I'd added another before_create. before_create is the last callback in the stack before a record is persisted so I couldn't add another (different) one.
Just wanted to bring this to your attention. Hope this is helpful.
I notice this gem doesn't act as a drop in replacement, i.e. ActiveRecord Session Store alternative. What do we do with existing Rails session management? For instance, the default Rails project will have:
```ruby
# config/initializers/session_store.rb
Rails.application.config.session_store :cookie_store, key: '_my_app_session'
```

Would you remove the ActionDispatch::Session::CookieStore Rack middleware?
Nice work btw.
Hi there,
I've got a question regarding using the current_user in a route constraint of Rails. I've got a route constraint in which I check the role of the authenticated user (if any) and adjust the root_path according to their role.
The code looks something like this:

```ruby
class UserTypeConstraint
  def initialize(user_type)
    @user_type = user_type
  end

  def matches?(request)
    controller = Authie::RackController.new(request.env)
    current_user = controller.current_user
    current_user && current_user.send("#{@user_type}?".to_sym)
  end
end
```

But it seems the Authie::RackController can't be loaded. Any ideas why this happens, whether it's intended, or am I just doing something wrong?
Cheers
Currently id type columns are created as integers. Since Rails 5.1 the default has been bigint, so it would make sense to update the Authie migrations to use bigint as well.
Thanks for writing this gem.
Under Sudo functions I think the configuration setting Authie.config.sudo_timeout = 30.minutes should be Authie.config.sudo_session_timeout = 30.minutes.