Description
The purpose of authentication zero is to generate a pre-built authentication system into a rails application (web or api-only) that follows both security and rails best practices. By generating code into the user's application instead of using a library, the user has complete freedom to modify the authentication system so it works best with their app.
Authentication Zero alternatives and similar gems
Based on the "Authentication and OAuth" category.
- Devise: Flexible authentication solution for Rails with Warden.
- OmniAuth: OmniAuth is a flexible authentication system utilizing Rack middleware.
- Doorkeeper: Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape.
- Devise Token Auth: Token based authentication for Rails JSON APIs. Designed to work with jToker and ng-token-auth.
- JWT: A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard.
- passwordless: Authentication for your Rails app without the icky-ness of passwords.
- Monban: Oath is rails authentication made simple. Previously known as Monban.
- Shield: Authentication protocol for use in your routing and model context.
- warden-github-rails: Use GitHub as authorization and more. Use organizations and teams as means of authorization by simply wrapping your rails routes in a block. Also useful to get a user's details through OAuth.
- Rails MVP Authentication: An authentication generator for Rails 7. Generate all the files needed to create a feature rich authentication system that you control. No configuration needed.
- OmniAuth Instagram Graph: OmniAuth strategy for Instagram Graph API.
- genkan: Genkan is an authentication engine for Rails.
README
Authentication Zero
Features
- Simplest code ever (~200 lines of code)
- Inspired by hey.com
- Sign up
- Email and password validations
- Checks if a password has been found in any data breach (--pwned)
- Authentication by cookie
- Authentication by token (--api)
- Two factor authentication (--two-factor)
- Social Login with OmniAuth (--omniauthable)
- Verify email using a link with token
- Verify email using a six random digits code for api (--code-verifiable)
- Ask password before sensitive data changes, aka: sudo (--sudoable)
- Reset the user password and send reset instructions
- Reset the user password only from verified emails
- Lock sending reset password email after many attempts (--lockable)
- Rate limiting for your app, 1000 reqs/hour (--ratelimit)
- Send e-mail confirmation when your email has been changed
- Send e-mail notification when someone has logged into your account
- Manage multiple sessions & devices
- Activity log (--trackable)
- Log out
- API documentation
Security and best practices
- has_secure_password: Adds methods to set and authenticate against a BCrypt password.
- signed cookies: Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from the cookie again.
- httponly cookies: A cookie with the httponly attribute is inaccessible to JavaScript; this precaution helps mitigate cross-site scripting (XSS) attacks.
- signed_id: Returns a signed id that is tamper proof, so it's safe to send in an email or otherwise share with the outside world.
- Current attributes: Abstract super class that provides a thread-isolated attributes singleton, which resets automatically before and after each request.
- Action mailer: Action Mailer allows you to send email from your application using a mailer model and views.
- Log filtering: Parameters 'token' and 'password' are marked [FILTERED] in the log.
- Functional Tests: In Rails, testing the various actions of a controller is a form of writing functional tests.
- System Testing: System tests allow you to test user interactions with your application, running tests in either a real or a headless browser.
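The signed, tamper-proof value that signed cookies and signed_id rely on, shown in plain Ruby as an added example (not the gem's code; Rails' real implementation is ActiveSupport::MessageVerifier). It also binds the token to a purpose and an expiry, which is what makes a reset-password or email-verification link safe to send by e-mail.

```ruby
require "openssl"
require "json"

# Added illustration of the signed, tamper-proof value used by Rails' signed
# cookies and signed_id. Rails' real implementation is
# ActiveSupport::MessageVerifier; this stand-in exists only to show the checks
# a verifier must perform: HMAC over the payload, purpose binding and expiry.
class SignedValue
  def initialize(secret)
    @secret = secret
  end

  # Token format: base64(JSON payload) "." hex(HMAC-SHA256 over that base64).
  # `purpose` (e.g. :password_reset) binds the token to one flow so it cannot
  # be replayed as, say, an email-verification token.
  def generate(value, purpose:, expires_in:, now: Time.now)
    payload = JSON.generate(
      "val" => value, "pur" => purpose.to_s, "exp" => (now + expires_in).to_i
    )
    data = [payload].pack("m0") # strict base64, no newlines
    "#{data}.#{hmac(data)}"
  end

  # Returns the original value, or nil when the signature, purpose or expiry
  # does not check out. Never raises on attacker-controlled input.
  def verify(token, purpose:, now: Time.now)
    data, sig = token.to_s.split(".", 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(hmac(data), sig)
    payload = JSON.parse(data.unpack1("m0"))
    return nil unless payload["pur"] == purpose.to_s
    return nil if payload["exp"] < now.to_i
    payload["val"]
  rescue ArgumentError, JSON::ParserError, TypeError
    nil
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end

  # Constant-time comparison: a plain == returns early at the first differing
  # byte and leaks how much of a forged signature was correct.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In the generated app the secret would come from Rails' secret_key_base; the constructed secret and timestamps here exist only so the example runs offline.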
Installation
Add this line to your application's Gemfile:
gem "authentication-zero"
Then run bundle install
You'll need to set the root path in your routes.rb; for this example let's use the following:
root "home#index"
Then generate the matching controller and view:
rails generate controller home index
Add these lines to your app/views/home/index.html.erb:
<p style="color: green"><%= notice %></p>
<p>Signed as <%= Current.user.email %></p>
<div>
<%= link_to "Change email address", edit_identity_email_path %>
</div>
<div>
<%= link_to "Change password", edit_password_path %>
</div>
<div>
<%= link_to "Devices & Sessions", sessions_path %>
</div>
<div>
<%# link_to "Activity Log", authentications_events_path %>
</div>
<div>
<%# link_to "Two-Factor Authentication", new_two_factor_authentication_totp_path %>
</div>
<br>
<%= button_to "Log out", Current.session, method: :delete %>
And you'll need to set up the default URL options for the mailer in each environment. Here is a possible configuration for config/environments/development.rb:
config.action_mailer.default_url_options = { host: 'localhost', port: 3000 }
Usage
rails generate authentication
Then run bundle install again!
Development
To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.
Contributing
Bug reports and pull requests are welcome on GitHub at https://github.com/lazaronixon/authentication-zero. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.
License
The gem is available as open source under the terms of the MIT License.
Code of Conduct
Everyone interacting in the AuthenticationZero project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.