Rails: Is the devise gem secure?

I have my authentication on my web app running on the devise gem. I was wondering if it was secure. Yes, it stores the passwords as hashes in the database, uses encrypted tokens after logging in, etc. But how about in the initial login phase? Does it send the user's password unencrypted over the air (I don't have SSL)? Could it have the client encrypt it with a certain public key that only the server could decrypt? Or is SSL the only way to encrypt the user's password?

Thanks!

Karan asked May 03 '12 09:05


People also ask

How does devise gem work?

Devise is the cornerstone gem for Ruby on Rails authentication. With Devise, creating a User that can log in and out of your application is so simple because Devise takes care of all the controllers necessary for user creation (users_controller) and for user sessions (users_sessions_controller).

Does devise salt passwords?

The new version of devise uses characters 0 to 29 of the encrypted password field as the salt and the remaining characters in that database field for the encrypted password. So your passwords are actually still salted with BCrypt.
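To make the storage layout above concrete, here is an added example (not code from the original page or from Devise itself) that parses the modular-crypt string Devise keeps in the `encrypted_password` column: `$<version>$<cost>$<22-char salt><31-char digest>`, where the 29-character prefix is what bcrypt-ruby's `BCrypt::Password#salt` returns and what Devise feeds back into bcrypt when checking a login. The audit helper and the sample rows are constructed for the example.

```ruby
# Added example: parse the bcrypt string Devise stores, and audit a set of rows.
# Format: "$2a$10$" + 22 salt chars + 31 digest chars (60 characters in total).
BCRYPT_FORMAT = /\A\$(2[abxy]?)\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})\z/

# Returns the parts of a stored bcrypt string, or nil when the value is not a
# well-formed bcrypt hash (e.g. a legacy plaintext or unsalted MD5 column).
def parse_devise_password(encrypted_password)
  m = BCRYPT_FORMAT.match(encrypted_password.to_s)
  return nil unless m
  {
    version: m[1],                      # "2a" on most Devise installs
    cost:    m[2].to_i,                 # work factor (Devise's config.stretches)
    salt:    encrypted_password[0, 29], # prefix bcrypt reuses when re-hashing a login
    digest:  m[4]
  }
end

# Audit helper (constructed for this example): every encrypted_password should
# parse and carry a cost factor at or above the minimum you configure.
def audit_passwords(rows, min_cost: 10)
  rows.each_with_object({ ok: 0, malformed: [], weak_cost: [] }) do |(email, stored), report|
    parsed = parse_devise_password(stored)
    if parsed.nil?
      report[:malformed] << email
    elsif parsed[:cost] < min_cost
      report[:weak_cost] << email
    else
      report[:ok] += 1
    end
  end
end

# Constructed sample rows; the strings only need to have the right shape here.
SAMPLE_ROWS = [
  ["alice@example.com", "$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"],
  ["bob@example.com",   "$2a$04$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"], # cost too low
  ["carol@example.com", "5f4dcc3b5aa765d61d8327deb882cf99"]                             # MD5, not bcrypt
].freeze

if __FILE__ == $PROGRAM_NAME
  p parse_devise_password(SAMPLE_ROWS[0][1])
  p audit_passwords(SAMPLE_ROWS)
end
```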

What is devise warden?

The devise gem is basically based on the warden gem, which gives an opportunity to build authorization directly on a Ruby Rack stack. This gem is pretty straightforward and well documented. Warden fetches request data and checks if the request includes valid credentials, according to a defined strategy.

Does devise work with rails 7?

Our out-of-the box Devise setup is now working with Rails 7. Once again, if you'd like to refer to any of the code for this setup, or use the template wholesale for a new app, the code is available on GitHub, and you may also use it as a template repo to kick off your own Rails 7 devise projects.


1 Answer

It is secure; remember Rails uses authenticity_token. I haven't heard of issues yet.

Benjamin answered Oct 18 '22 05:10