Skip to content
Newer
Older
100644 276 lines (190 sloc) 20.6 KB
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
1 = Authlogic
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
2
605162d @binarylogic Release v2.0 RC1
authored Mar 20, 2009
3 Authlogic is a clean, simple, and unobtrusive ruby authentication solution.
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
4
ee1f49b @binarylogic * Use MockCookieJar in tests instead of a Hash.
authored Apr 5, 2009
5 What inspired me to create Authlogic was the messiness of the current authentication solutions. Put simply, they just didn't feel right, because the logic was not organized properly. As you may know, a common misconception with the MVC design pattern is that the model "M" is only for data access logic, which is wrong. A model is a place for domain logic. This is why the RESTful design pattern and the current authentication solutions don't play nice. Authlogic solves this by placing the session maintenance logic into its own domain (aka "model"). Moving session maintenance into its own domain has its benefits:
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
6
ee1f49b @binarylogic * Use MockCookieJar in tests instead of a Hash.
authored Apr 5, 2009
7 1. It's easier to update and stay current with the latest security practices. Since authlogic sits in between you and your session it can assist in keeping your security up to date. For example: upgrading your hashing algorithm, helping you transition to a new algorithm, etc. Since all of this logic is in the Authlogic library, staying up to date is as easy as updating the library.
91f86dd @binarylogic Session method definitions now check for already defined methods, all…
authored Jan 2, 2009
8 2. It ties everything together on the domain level. Take a new user registration for example, no reason to manually log the user in, authlogic handles this for you via callbacks. The same applies to a user changing their password. Authlogic handles maintaining the session for you.
ee1f49b @binarylogic * Use MockCookieJar in tests instead of a Hash.
authored Apr 5, 2009
9 3. Your application can stay clean, focused, and free of redundant authentication code from app to app. Meaning generators are *NOT* necessary. Not any more neccessary than any other control
91f86dd @binarylogic Session method definitions now check for already defined methods, all…
authored Jan 2, 2009
10 4. A byproduct of #3 is that you don't have to test the same code over and over in each of your apps. You don't test the internals of ActiveRecord in each of your apps, so why would you test the internals of Authlogic? It's already been thoroughly tested for you. Focus on your application, and get rid of the noise by testing your application specific code and not generated code that you didn't write.
af4f7e0 @binarylogic Documentation fix for using AES as an encryption method.
authored Jan 1, 2009
11 5. You get to write your own code, just like you do for any other model. Meaning the code you write is specific to your application, the way you want it, and more importantly you understand it.
12 6. You are not restricted to a single session. Think about Apple's me.com, where they need you to authenticate a second time before changing your billing information. Why not just create a second session for this? It works just like your initial session. Then your billing controller can require an "ultra secure" session.
13
91f86dd @binarylogic Session method definitions now check for already defined methods, all…
authored Jan 2, 2009
14 Authlogic can do all of this and much more, keep reading to see...
9bca67d @binarylogic Reorganized ORM code and tests
authored Nov 9, 2008
15
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
16 == Helpful links
17
18 * <b>Documentation:</b> http://authlogic.rubyforge.org
98f01be @binarylogic Add authlogic_openid link in README
authored Mar 30, 2009
19 * <b>Live example with OpenID & source code:</b> http://authlogicexample.binarylogic.com
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
20 * <b>Tutorial: Authlogic basic setup:</b> http://www.binarylogic.com/2008/11/3/tutorial-authlogic-basic-setup
21 * <b>Tutorial: Reset passwords with Authlogic the RESTful way:</b> http://www.binarylogic.com/2008/11/16/tutorial-reset-passwords-with-authlogic
22 * <b>Tutorial: Easily migrate from restful_authentication:</b> http://www.binarylogic.com/2008/11/23/tutorial-easily-migrate-from-restful_authentication-to-authlogic
23 * <b>Tutorial: Upgrade passwords easily with Authlogic:</b> http://www.binarylogic.com/2008/11/23/tutorial-upgrade-passwords-easily-with-authlogic
24 * <b>Bugs / feature suggestions:</b> http://binarylogic.lighthouseapp.com/projects/18752-authlogic
25 * <b>Google group:</b> http://groups.google.com/group/authlogic
26
27 **Before contacting me, please read:**
ee1f49b @binarylogic * Use MockCookieJar in tests instead of a Hash.
authored Apr 5, 2009
28 If you find a bug or a problem please post it on lighthouse. If you need help with something, please use google groups. I check both regularly and get emails when anything happens, so that is the best place to get help. Please do not email me directly with issues regarding Authlogic.
29
5c0ac4f @binarylogic * Make password and login fields optional. This allows you to have an…
authored Apr 8, 2009
30 == Authlogic "add ons"
ee1f49b @binarylogic * Use MockCookieJar in tests instead of a Hash.
authored Apr 5, 2009
31
32 * <b>Authlogic OpenID addon:</b> http://github.com/binarylogic/authlogic_openid
33
34 If you create one of your own, please let me know about it so I can add it to this list.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
35
36 == Documentation
37
38 You can find anything you want about Authlogic in the documentation, all that you need to do is understand the basic design behind it.
39
40 That being said, Authlogic is split into 2 main parts:
41
42 1. Authlogic::Session, which manages sessions.
43 2. Authlogic::ActsAsAuthentic, which adds in functionality to your ActiveRecord model.
44
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
45 Each of the above has its various sub modules that contain common logic. The sub modules are responsible for including everything related to it: configuration, class methods, instance methods, etc.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
46
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
47 For example, if you want to timeout users after a certain period of inactivity, you would look in Authlogic::Session::Timeout. To help you out, I listed the following "publicly relevant" modules with short descriptions. For the sake of brevity, there are more modules than listed here, the ones not listed are more for internal use, but you can easily read up on them in the documentation.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
48
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
49 === Authlogic::ActsAsAuthentic sub modules
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
50
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
51 These modules are for the acts_as_authentic method you call in your model. It contains all code for the "model side" of the authentication.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
52
53 * Authlogic::ActsAsAuthentic::Base - Provides the acts_as_authentic class method and includes all of the submodules.
54 * Authlogic::ActsAsAuthentic::Email - Handles everything related to the email field.
55 * Authlogic::ActsAsAuthentic::LoggedInStatus - Provides handy named scopes and methods for determining if the user is logged in or out.
56 * Authlogic::ActsAsAuthentic::Login - Handles everything related to the login field.
57 * Authlogic::ActsAsAuthentic::MagicColumns - Handles everything related to the "magic" fields: login_count, failed_login_count, etc.
b3fb9bb @binarylogic Added MD5 crypto provider and made password salt field optional, for …
authored Mar 22, 2009
58 * Authlogic::ActsAsAuthentic::Password - This one is important. It handles encrypting your password, salting it, etc. It also has support for transitioning password algorithms.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
59 * Authlogic::ActsAsAuthentic::PerishableToken - Handles maintaining the perishable token field, also provides a class level method for finding record using the token.
60 * Authlogic::ActsAsAuthentic::PersistenceToken - Handles maintaining the persistence token. This is the token stored in cookies and sessions to persist the users session.
61 * Authlogic::ActsAsAuthentic::RestfulAuthentication - Provides configuration options to easily migrate from the restful_authentication plugin.
62 * Authlogic::ActsAsAuthentic::SessionMaintenance - Handles automatically logging the user in. EX: a new user registers, automatically log them in.
63 * Authlogic::ActsAsAuthentic::SingleAccessToken - Handles maintaining the single access token.
9078901 @binarylogic Dont save sessions with a ! during automatic session maintenance
authored Mar 23, 2009
64 * Authlogic::ActsAsAuthentic::ValidationsScope - Allows you to scope validations, etc. Just like the :scope option for validates_uniqueness_of
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
65
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
66 === Authlogic::Session sub modules
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
67
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
68 These modules are for the "session side" of authentication. They create a new domain for session logic, allowing you to create, destroy, and ultimately manage your sessions.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
69
26e57e6 @binarylogic Completely rewrote Authlogic::Testing, it's now called Authlogic::Tes…
authored Mar 26, 2009
70 * Authlogic::Session::BruteForceProtection - Disables accounts after a certain number of consecutive failed logins attempted.
281ec5c @binarylogic Release v2.0.4
authored Mar 28, 2009
71 * Authlogic::Session::Callbacks - Your tools to extend, change, or add onto Authlogic. Lets you hook in and do just about anything you want. Start here if you want to write a plugin or add on for Authlogic
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
72 * Authlogic::Session::Cookies - Authentication via cookies.
73 * Authlogic::Session::Existence - Creating, saving, and destroying objects.
74 * Authlogic::Session::HttpAuth - Authentication via basic HTTP authentication.
b3fb9bb @binarylogic Added MD5 crypto provider and made password salt field optional, for …
authored Mar 22, 2009
75 * Authlogic::Session::Id - Allows sessions to be separated by an id, letting you have multiple sessions for a single user.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
76 * Authlogic::Session::MagicColumns - Maintains "magic" database columns, similar to created_at and updated_at for ActiveRecord.
26e57e6 @binarylogic Completely rewrote Authlogic::Testing, it's now called Authlogic::Tes…
authored Mar 26, 2009
77 * Authlogic::Session::MagicStates - Automatically validates based on the records states: active?, approved?, and confirmed?. If those methods exist for the record.
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
78 * Authlogic::Session::Params - Authentication via params, aka single access token.
79 * Authlogic::Session::Password - Authentication via a traditional username and password.
80 * Authlogic::Session::Persistence - Persisting sessions / finding sessions.
26e57e6 @binarylogic Completely rewrote Authlogic::Testing, it's now called Authlogic::Tes…
authored Mar 26, 2009
81 * Authlogic::Session::Session - Authentication via the session, the controller session that is.
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
82 * Authlogic::Session::Timeout - Automatically logging out after a certain period of inactivity.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
83 * Authlogic::Session::UnauthorizedRecord - Handles authentication by passing an ActiveRecord object.
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
84 * Authlogic::Session::Validation - Validation / errors.
2155477 @binarylogic Updated readme
authored Oct 28, 2008
85
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
86 === Miscellaneous modules
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
87
78f5bef @binarylogic Restructure configuration for acts_as_authentic
authored Mar 23, 2009
88 Miscellaneous modules that don't really belong solely to either the session or model aspect.
89
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
90 * Authlogic::AuthenticatesMany - Responsible for allowing you to scope sessions to a parent record. Similar to a has_many and belongs_to relationship. This lets you do the same thing with sessions.
91 * Authlogic::CryptoProviders - Contains various encryption algorithms that Authlogic uses, allowing you to choose your encryption method.
92 * Authlogic::I18n - Acts JUST LIKE the rails I18n library, and provides internationalization to Authlogic.
9be1f26 @binarylogic Added validates_uniqueness_of_login_field_options and validates_uniqu…
authored Mar 26, 2009
93 * Authlogic::Random - A simple class to generate random tokens.
94 * Authlogic::TestCase - Various helper methods for testing frameworks to help you test your code.
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
95 * Authlogic::Version - A handy class for determine the version of Authlogic in a number of ways.
96
97 == Quick example
98
99 What if creating sessions worked like an ORM library on the surface...
e77ca8a @binarylogic Updated readme
authored Oct 25, 2008
100
4b1f8fa @binarylogic User column_names instead of colums when determining if a column exists
authored Oct 28, 2008
101 UserSession.create(params[:user_session])
e77ca8a @binarylogic Updated readme
authored Oct 25, 2008
102
34b225c @binarylogic Updated readme
authored Oct 25, 2008
103 What if your user sessions controller could look just like your other controllers...
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
104
105 class UserSessionsController < ApplicationController
106 def new
107 @user_session = UserSession.new
108 end
109
110 def create
111 @user_session = UserSession.new(params[:user_session])
35f14ba @binarylogic Released v0.10.0
authored Oct 27, 2008
112 if @user_session.save
c93bec2 @binarylogic Changed scope to id
authored Oct 24, 2008
113 redirect_to account_url
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
114 else
115 render :action => :new
116 end
117 end
118
119 def destroy
ebdebfa @binarylogic Released v1.1.1
authored Nov 13, 2008
120 current_user_session.destroy
4caccd0 @binarylogic Released 1.2.1
authored Nov 19, 2008
121 redirect_to new_user_session_url
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
122 end
123 end
124
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
125 As you can see, this fits nicely into the RESTful development pattern. What about the view...
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
126
127 <% form_for @user_session do |f| %>
791f700 @binarylogic Released v1.0.0 (see changelog)
authored Nov 5, 2008
128 <%= f.error_messages %>
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
129 <%= f.label :login %><br />
130 <%= f.text_field :login %><br />
131 <br />
132 <%= f.label :password %><br />
133 <%= f.password_field :password %><br />
134 <br />
135 <%= f.submit "Login" %>
136 <% end %>
137
34b225c @binarylogic Updated readme
authored Oct 25, 2008
138 Or how about persisting the session...
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
139
140 class ApplicationController
ebdebfa @binarylogic Released v1.1.1
authored Nov 14, 2008
141 helper_method :current_user_session, :current_user
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
142
dbd8b8f @binarylogic Release v1.2.0
authored Nov 16, 2008
143 private
ebdebfa @binarylogic Released v1.1.1
authored Nov 14, 2008
144 def current_user_session
145 return @current_user_session if defined?(@current_user_session)
146 @current_user_session = UserSession.find
147 end
148
69f2c2b @binarylogic Add a logout_on_timeout configuration option for Session::Base
authored Jan 9, 2009
149 def current_user
ebdebfa @binarylogic Released v1.1.1
authored Nov 14, 2008
150 return @current_user if defined?(@current_user)
151 @current_user = current_user_session && current_user_session.user
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
152 end
153 end
154
155 == Install and use
156
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
157 === 1. Install the gem
158
93a4787 @binarylogic Added Sha1 crypto provider to help with the restful_authentication tr…
authored Nov 9, 2008
159 Install the gem / plugin (recommended)
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
160
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
161 $ sudo gem install authlogic
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
162
62ac95a @binarylogic Added should_be_authentic shoulda macro
authored Nov 10, 2008
163 Now add the gem dependency in your config:
1d38644 @binarylogic Added last_request_at_threshold cconfig option
authored Nov 10, 2008
164
93a4787 @binarylogic Added Sha1 crypto provider to help with the restful_authentication tr…
authored Nov 10, 2008
165 # config/environment.rb
ebdebfa @binarylogic Released v1.1.1
authored Nov 14, 2008
166 config.gem "authlogic"
93a4787 @binarylogic Added Sha1 crypto provider to help with the restful_authentication tr…
authored Nov 10, 2008
167
62ac95a @binarylogic Added should_be_authentic shoulda macro
authored Nov 11, 2008
168 Or you install this as a plugin (for older versions of rails)
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
169
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
170 script/plugin install git://github.com/binarylogic/authlogic.git
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
171
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
172 === 2. Create your session
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
173
174 Lets assume you are setting up a session for your User model.
175
176 Create your user_session.rb file:
177
6306af3 @binarylogic Added option to modify options for validates_presence_of for the pass…
authored Dec 2, 2008
178 $ script/generate session user_session
179
180 This will create a file that looks similar to:
181
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
182 # app/models/user_session.rb
1d38644 @binarylogic Added last_request_at_threshold cconfig option
authored Nov 10, 2008
183 class UserSession < Authlogic::Session::Base
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
184 # configuration here, see sub modules of Authlogic::Session
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
185 end
186
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
187 === 3. Ensure proper database fields
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
188
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
189 The user model should have the following columns. The names of these columns can be changed with configuration. Better yet, Authlogic tries to guess these names by checking for the existence of common names. See the sub modules of Authlogic::Session for more details, but chances are you won't have to specify any configuration for your field names, even if they aren't the same names as below.
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
190
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
191 t.string :login, :null => false # optional, you can use email instead, or both
5c0ac4f @binarylogic * Make password and login fields optional. This allows you to have an…
authored Apr 8, 2009
192 t.string :crypted_password, :null => false # optional, see below
b3fb9bb @binarylogic Added MD5 crypto provider and made password salt field optional, for …
authored Mar 22, 2009
193 t.string :password_salt, :null => false # optional, but highly recommended
281ec5c @binarylogic Release v2.0.4
authored Mar 28, 2009
194 t.string :persistence_token, :null => false # required
605162d @binarylogic Release v2.0 RC1
authored Mar 21, 2009
195 t.string :single_access_token, :null => false # optional, see Authlogic::Session::Params
196 t.string :perishable_token, :null => false # optional, see Authlogic::Session::Perishability
197 t.integer :login_count, :null => false, :default => 0 # optional, see Authlogic::Session::MagicColumns
198 t.integer :failed_login_count, :null => false, :default => 0 # optional, see Authlogic::Session::MagicColumns
199 t.datetime :last_request_at # optional, see Authlogic::Session::MagicColumns
200 t.datetime :current_login_at # optional, see Authlogic::Session::MagicColumns
201 t.datetime :last_login_at # optional, see Authlogic::Session::MagicColumns
202 t.string :current_login_ip # optional, see Authlogic::Session::MagicColumns
203 t.string :last_login_ip # optional, see Authlogic::Session::MagicColumns
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
204
5c0ac4f @binarylogic * Make password and login fields optional. This allows you to have an…
authored Apr 8, 2009
205 Notice the login and crypted_password fields are optional. If you prefer, you could use OpenID, LDAP, or whatever you want as your main authentication source and not even provide your own authentication system. I recommend providing your own as an option though. Your interface, such as the registration form, can dictate which method is the default. Lastly, adding 3rd party authentication methods should be as easy as installing an Authlogic "add on" gem. See "Authligic add ons" above.
206
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
207 === 4. Set up your model
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
208
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
209 Make sure you have a model that you will be authenticating with. Since we are using the User model it should look something like:
6af9b61 @binarylogic Updated readme
authored Nov 3, 2008
210
211 class User < ActiveRecord::Base
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
212 acts_as_authentic do |c|
213 c.my_config_option = my_value # for available options see documentation in: Authlogic::ActsAsAuthentic
214 end # block optional
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
215 end
216
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
217 You are all set.
35f14ba @binarylogic Released v0.10.0
authored Oct 27, 2008
218
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
219 === 5. Next Steps
791f700 @binarylogic Released v1.0.0 (see changelog)
authored Nov 6, 2008
220
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
221 Here are some common next steps. They might or might not apply to you. For a complete list of everything Authlogic can do please read the documentation or see the sub module list above.
791f700 @binarylogic Released v1.0.0 (see changelog)
authored Nov 6, 2008
222
c355cdd @binarylogic Some documentation clean up
authored Mar 22, 2009
223 1. Want to use another encryption algorithm, such as BCrypt? See Authlogic::ActsAsAuthentic::Password::Config
224 2. Migrating from restful_authentication? See Authlogic::ActsAsAuthentic::RestfulAuthentication::Config
225 3. Want to timeout sessions after a period if inactivity? See Authlogic::Session::Timeout
226 4. Need to scope your sessions to an account or parent model? See Authlogic::AuthenticatesMany
227 5. Need multiple session types in your app? Check out Authlogic::Session::Id
228 6. Need to reset passwords or activate accounts? Use the perishable token. See Authlogic::ActsAsAuthentic::PerishableToken
229 7. Need to give API access or access to a private feed? Use basic HTTP auth or authentication by params. See Authlogic::Session::HttpAuth or Authlogic::Session::Params
230 8. Need to internationalize your app? See Authlogic::I18n
281ec5c @binarylogic Release v2.0.4
authored Mar 28, 2009
231 9. Need help testing? See the Authlogic::TestCase
35f14ba @binarylogic Released v0.10.0
authored Oct 27, 2008
232
9078901 @binarylogic Dont save sessions with a ! during automatic session maintenance
authored Mar 23, 2009
233 == Interested in how it works?
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
234
72f3a21 @binarylogic Added AES256 as an option for crypto_providers
authored Nov 26, 2008
235 Interested in how all of this all works? Basically a before filter is automatically set in your controller which lets Authlogic know about the current controller object. This "activates" Authlogic and allows Authlogic to set sessions, cookies, login via basic http auth, etc. If you are using your framework in a multiple thread environment, don't worry. I kept that in mind and made this thread safe.
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
236
77798f2 @binarylogic Updated installation guide
authored Oct 25, 2008
237 From there it is pretty simple. When you try to create a new session the record is authenticated and then all of the session / cookie magic is done for you. The sky is the limit.
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
238
b49258f @binarylogic Updated readme
authored Oct 28, 2008
239 == What's wrong with the current solutions?
2155477 @binarylogic Updated readme
authored Oct 28, 2008
240
6ddadfb @binarylogic Release v1.3.5
authored Nov 30, 2008
241 You probably don't care, but I think releasing the millionth ruby authentication solution requires a little explanation.
2155477 @binarylogic Updated readme
authored Oct 28, 2008
242
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
243 I don't necessarily think the current solutions are "wrong", nor am I saying Authlogic is the answer to your prayers. But, to me, the current solutions were lacking something. Here's what I came up with...
2155477 @binarylogic Updated readme
authored Oct 28, 2008
244
ec0eb78 @binarylogic Updated readme
authored Oct 31, 2008
245 === Generators are messy
2155477 @binarylogic Updated readme
authored Oct 28, 2008
246
791f700 @binarylogic Released v1.0.0 (see changelog)
authored Nov 6, 2008
247 Generators have their place, and it is not to add authentication to an app. It doesn't make sense. Generators are meant to be a starting point for repetitive tasks that have no sustainable pattern. Take controllers, the set up is the same thing over and over, but they eventually evolve to a point where there is no clear cut pattern. Trying to extract a pattern out into a library would be extremely hard, messy, and overly complicated. As a result, generators make sense here.
2155477 @binarylogic Updated readme
authored Oct 28, 2008
248
a03f931 @binarylogic Fix readme errors
authored Oct 31, 2008
249 Authentication is a one time set up process for your app. It's the same thing over and over and the pattern never really changes. The only time it changes is to conform with newer / stricter security techniques. This is exactly why generators should not be an authentication solution. Generators add code to your application, once code crosses that line, you are responsible for maintaining it. You get to make sure it stays up with the latest and greatest security techniques. And when the plugin you used releases some major update, you can't just re-run the generator, you get to sift through the code to see what changed. You don't really have a choice either, because you can't ignore security updates.
2155477 @binarylogic Updated readme
authored Oct 28, 2008
250
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
251 Using a library that hundreds of other people use has it advantages. Probably one of the biggest advantages if that you get to benefit from other people using the same code. When Bob in California figures out a new awesome security technique and adds it into Authlogic, you get to benefit from that with a single update. The catch is that this benefit is limited to code that is not "generated" or added into your app. As I said above, once code is "generated" and added into your app, it's your responsibility.
832b7f0 @binarylogic Cleaned up readme
authored Oct 29, 2008
252
ec0eb78 @binarylogic Updated readme
authored Oct 31, 2008
253 Lastly, there is a pattern here, why clutter up all of your applications with the same code over and over?
2155477 @binarylogic Updated readme
authored Oct 28, 2008
254
6ddadfb @binarylogic Release v1.3.5
authored Nov 30, 2008
255 === Security gets outdated
256
257 Just as I stated in the above section, you can't stay up to date with your security since the code is generated and updating the plugin does nothing. If there is one thing you should stay up to date with, it's security. But it's not just the fact that there is no reasonable method for receiving updates. It's the fact that they tie you down to an encryption algorithm *AND* they use a bad one at that. Every single solution I've seen uses Sha1, which is joining the party with MD5. Sha1 is not as secure as it used to be. But that's the nature of algorithms, they eventually get phased out, which is fine. Everyone knows this, why not accommodate for this? Authlogic does this with the :transition_from_crypto_provider option. It takes care of transitioning all of your users to a new algorithm. Even better, it provides BCrypt as an option which should, in theory, never require you to switch since you can adjust the cost and make the encryption stronger. At the same time, still compatible with older passwords using the lower cost.
258
dbd8b8f @binarylogic Release v1.2.0
authored Nov 16, 2008
259 === Why test the same code over and over?
c190c77 @binarylogic Forced logged_in and logged_out named scopes to use seconds for the l…
authored Nov 14, 2008
260
261 I've noticed my apps get cluttered with authentication tests, and they are the same exact tests! This irritates me. When you have identical tests across your apps thats a red flag that code can be extracted into a library. What's great about Authlogic is that I tested it for you. You don't write tests that test the internals of ActiveRecord do you? The same applies for Authlogic. Only test code that you've written. Essentially testing authentication is similar to testing any another RESTful controller. This makes your tests focused and easier to understand.
262
2155477 @binarylogic Updated readme
authored Oct 28, 2008
263 === Limited to a single authentication
264
43e849c @binarylogic Released v0.10.4
authored Nov 3, 2008
265 I recently had an app where you could log in as a user and also log in as an employee. I won't go into the specifics of the app, but it made the most sense to do it this way. So I had two sessions in one app. None of the current solutions I found easily supported this. They all assumed a single session. One session was messy enough, adding another just put me over the edge and eventually forced me to write Authlogic. Authlogic can support 100 different sessions easily and in a clean format. Just like an app can support 100 different models and 100 different records of each model.
2155477 @binarylogic Updated readme
authored Oct 28, 2008
266
832b7f0 @binarylogic Cleaned up readme
authored Oct 29, 2008
267 === Too presumptuous
268
4d42802 @binarylogic Ignore invalid credential fields, dont raise an exception
authored Oct 29, 2008
269 A lot of them forced me to name my password column as "this", or the key of my cookie had to be "this". They were a little too presumptuous. I am probably overly picky, but little details like that should be configurable. This also made it very hard to implement into an existing app.
832b7f0 @binarylogic Cleaned up readme
authored Oct 29, 2008
270
ec0eb78 @binarylogic Updated readme
authored Oct 31, 2008
271 === Disclaimer
272
72f3a21 @binarylogic Added AES256 as an option for crypto_providers
authored Nov 26, 2008
273 I am not trying to "bash" any other authentication solutions. These are just my opinions, formulate your own opinion. I released Authlogic because I was "scratching my own itch". It has made my life easier and I enjoy using it, hopefully it does the same for you.
ec0eb78 @binarylogic Updated readme
authored Oct 31, 2008
274
1b98335 @binarylogic Initial commit
authored Oct 24, 2008
275
283e38b @binarylogic * Update shoulda macro for 2.0
authored Apr 3, 2009
276 Copyright (c) 2009 {Ben Johnson of Binary Logic}(http://www.binarylogic.com), released under the MIT license
Something went wrong with that request. Please try again.