
Devise authentication without password, using just username

Is it possible to set up Devise to authenticate without a password?

This is an intranet app. In order to connect to it, you would have to be on the VPN in the first place, plus the app only allows users to see the status of orders & history, not submit any information. I guess it is similar to the FedEx or UPS tracking website, but allows the user to see the whole account, with the added security of a VPN box the client gets from us.

Now I would still require a password, but this is a non-negotiable requirement on the project. Clients are used to this scheme and are not computer savvy enough to adjust to a change quickly.

konung asked Jan 11 '11 21:01



2 Answers

This can definitely be done using sign_in by including Devise::Controllers::Helpers if you're not already inheriting from a DeviseController or a controller that inherits from DeviseController (such as Devise::SessionsController). Then just call sign_in(user):

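class SignInWithoutPasswordsController < ApplicationController
  # Only needed when this controller does not already inherit from DeviseController
  include Devise::Controllers::Helpers

  def sign_a_user_in_without_password
    # Look up the account named in the request and start a Devise session for it;
    # no password is checked at any point.
    user = User.find(params[:user_id])
    sign_in(user)
  end
end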
Travis answered Sep 19 '22 17:09
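Because `sign_in(user)` as used in the answer above trusts whatever identifier the request carries, the only remaining control is the VPN the question describes. The following is an added example, not part of the original answer or of Devise: a plain-Ruby gate that a controller could call before `sign_in`, assuming a constructed VPN client range of `10.8.0.0/24`, a hypothetical `username` lookup, and the hypothetical names `passwordless_decision` and `Decision`.

```ruby
require "ipaddr"

# Assumption: the VPN boxes hand out addresses from this pool (constructed value).
VPN_RANGES = [IPAddr.new("10.8.0.0/24")].freeze

# Outcome of a username-only sign-in attempt; reason is suitable for logging.
Decision = Struct.new(:user, :reason) do
  def allowed?
    !user.nil?
  end
end

# Decides whether a username-only sign-in may proceed.
#   username  - raw value from the sign-in form
#   remote_ip - peer address as a string (request.remote_ip in a Rails controller)
#   finder    - callable returning a user record, or nil, for a normalized username
def passwordless_decision(username, remote_ip, finder, ranges: VPN_RANGES)
  begin
    ip = IPAddr.new(remote_ip.to_s)
  rescue IPAddr::Error
    return Decision.new(nil, :bad_ip)
  end
  # native turns ::ffff:10.8.0.5 into 10.8.0.5 so dual-stack listeners still match
  ip = ip.native
  return Decision.new(nil, :outside_vpn) unless ranges.any? { |r| r.include?(ip) }

  name = username.to_s.strip.downcase
  return Decision.new(nil, :blank_username) if name.empty?

  user = finder.call(name)
  user ? Decision.new(user, :ok) : Decision.new(nil, :unknown_user)
end

# Hypothetical use inside the controller action (assumes a username column):
#   decision = passwordless_decision(params[:username], request.remote_ip,
#                                    ->(n) { User.find_by(username: n) })
#   if decision.allowed?
#     sign_in(decision.user)
#   else
#     Rails.logger.warn("passwordless sign-in refused: #{decision.reason}")
#     head :forbidden
#   end
```

Unlike `User.find`, which raises when the record is missing, the lookup here returns a refusal reason that can be logged and alerted on.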


In this instance, I prefer to monkey-patch Devise::Strategies::Authenticatable instead of forking the whole devise repository to make a one line change.

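Devise::Strategies::Authenticatable.class_eval do
  private
    # Normally returns password.present?; returning true lets a request
    # that carries no password pass this initial check.
    def valid_password?
      true
    end
end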

Just place it in an initializer file or at the end of the devise.rb initializer (I prefer this because it seems a bit like an additional devise configuration).

To explain, the valid_password? patched here usually just returns password.present? and is used by Devise::Strategies::DatabaseAuthenticatable as an initial validation of the password before actually checking it against the database. Therefore this will only change the behaviour when the password is not provided.

DISCLAIMER: This works so far for me, but is not fully tested so use at your own risk.

zelanix answered Sep 19 '22 17:09