I have an app that is mostly in rails but also uses nodejs for some realtime features, for example, chat. Users log in via Rails and get assigned a session, etc as usual. However, what's the best way to authenticate with nodejs as that same user? For example I would like to prevent users from impersonating one another but login is done on rails right now and messaging is done on nodejs. Rails and nodejs both have access to the same database.
I am using devise and socketio if that matters.
There's a number of ways implementation wise that you could tackle this. The one that jumps to mind is to share the session cookie that devise uses with nodejs via the database.
IIRC devise creates an encrypted session cookie during authentication; save this value temporarily to your database, and let nodejs pop it off the database for its authentication. There's likely some difficulty in accomplishing this (porting some of the devise encryption to nodejs, and the like) but if you're doing a rails/nodejs app, I'm pretty sure you're capable of handling it. :D
The benefit here is that a user can't get between the hand-off to accomplish impersonation.
You could always generate a one-time token for any user passed between rails and node. Much, much easier than re-implementing (and maintaining) the crypto strategy used by devise and rails.
That said, sharing sessions between servers creates a lot of extra work for you and effectively doubles your bug surface area (schema, validations, etc.)
Faye is an awesome project which handles this exact use case, so it's probably worth a look :) http://faye.jcoglan.com/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With