 

Security between rails and nodejs

I have an app that is mostly in Rails but also uses Node.js for some realtime features, for example chat. Users log in via Rails and get assigned a session, etc. as usual. However, what's the best way to authenticate with Node.js as that same user? For example, I would like to prevent users from impersonating one another, but login is done on Rails right now and messaging is done on Node.js. Rails and Node.js both have access to the same database.

I am using devise and socketio if that matters.

jhchen asked Oct 01 '11 23:10


2 Answers

There are a number of ways, implementation-wise, that you could tackle this. The one that jumps to mind is to share the session cookie that Devise uses with Node.js via the database.

IIRC devise creates an encrypted session cookie during authentication; save this value temporarily to your database, and let nodejs pop it off the database for its authentication. There's likely some difficulty in accomplishing this (porting some of the devise encryption to nodejs, and the like) but if you're doing a rails/nodejs app, I'm pretty sure you're capable of handling it. :D

The benefit here is that a user can't get between the hand-off to accomplish impersonation.

Gavin Miller answered Oct 21 '22 22:10


You could always generate a one-time token for any user passed between rails and node. Much, much easier than re-implementing (and maintaining) the crypto strategy used by devise and rails.

That said, sharing sessions between servers creates a lot of extra work for you and effectively doubles your bug surface area (schema, validations, etc.)

Faye is an awesome project which handles this exact use case, so it's probably worth a look :) http://faye.jcoglan.com/

Ed McManus answered Oct 21 '22 23:10