Added ability to authenticate by authenticity token, needed for compatibility with hubot. #346
Conversation
…tibility with hubot. Conflicts: app/controllers/application_controller.rb
|
Looks good! Is there something we can fix with https://github.com/kandanapp/hubot-kandan-app so that it can authenticate via other methods, or is there another strategy we can use? In the mean time let's pull this in so its fixed. |
|
To be fair, there's a reason authentication tokens were removed from core Devise. Authenticating via static authenticity tokens has some vulnerabilities. This is the writeup from when it was removed and why: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/ To do this sort of thing securely, we'd need to build dynamic authentication tokens that expire and get regenerated after each use, using some sort of handshake method for the bot to get and use the authentication method. I'm guessing this will have to do for now. |
|
Alright we'll pull this in for now and make sure we note it somewhere so we know to come back to it at a later time. |
Added ability to authenticate by authenticity token, needed for compatibility with hubot.
Hubot couldn't actually create activities in Kandan due to the removal of authenticity-token based validation from Devise in the Kandan app. This isn't ideal, but it works and will allow the Kandan Hubot to post activities in response to commands.