tags:

views:

1326

answers:

5
+7  Q: 

What is the best way to extend restful_authentication/AuthLogic to support lazy logins by an anonymous iPhone?

I'm building an iPhone application that talks to a Ruby on Rails backend. The Ruby on Rails application will also service web users. The restful_authentication plugin is an excellent way to provide quick and customizable user authentication. However, I would like users of the iPhone application to have an account created automatically by the phone's unique identifier ([[UIDevice device] uniqueIdentifier]) stored in a new column. Later, when users are ready to create a username/password, the account will be updated to contain the username and password, leaving the iPhone unique identifier intact. Users should not be able to access the website until they've setup their username/password. They can however, use the iPhone application, since the application can authenticate itself using it's identifier.

What is the best way to modify restful_authentication to do this? Create a plugin? Or modify the generated code?

What about alternative frameworks, such as AuthLogic. What is the best way to allow iPhones to get a generated auth token locked to their UUID's, but then let the user create a username/password later?

A: 

Have you tried to use another auth scheme like Authlogic? I've found restful_authentication rather intrusive (although I cheated by using bort).

Keltia  2008-12-09 14:36:44
Yes, restful_authentication seems fairly intrusive. I'll take a look at Authlogic, although, I've come up with a temporary alternative by modifying restful_authentication directly (but this does not future proof upgrades of it).
Kevin Elliott  2008-12-28 05:03:10
+5  A: 

I think you shouldn't use the phone identifier alone to authenticate as it is not a secret and it is probably also guessable/predictable. Don't forget that if someone wanted to hack your web app they don't have to use your code - they can just guess device IDs and try to mess with your users data using any web client.

You should treat the device ID similar to a username - it is for identification and not authentication. I suggest you get the user to pick a password, or even better generate a random code automatically, to go with it - then send the device ID + this password/code to register the device firstly, and then subsequently to authenticate the device.

You can also bet that some users will have more than one device - either they will replace one eventually, or you will get somebody like Stephen Fry who goes around with 4 iphones. To deal with this I would suggest that you look for a way to instantiate restful_authentication twice, once for authenticating users, and a second time for authenticating devices. I haven't used this plugin but I expect you just need to use different table parameters to make this happen. Then in your application logic allow users to associate more than one device with their account.

To do that securely either do it from the device, or have the device display a random code which they then enter into the web app to prove they own the device (this sounds more painful than it is - it is the same process that apple use in itunes, apple TV, and the remote app - look at how they do it - so it won't be that surprising for users).

(Also make sure that when generating any random passwords you use a cryptographic random number generator as the basis - there is probably an iPhone API for this - otherwise your passwords may be predictable).

frankodwyer  2008-12-14 01:27:53
Thanks Franks. That is all great advice about a security scheme for authorizing devices. It does not quite answer my question about a technique for modifying restful_authentication. I think you bring up some excellent points though!
Kevin Elliott  2008-12-28 05:01:47
well really I'm suggesting you don't modify restful_authentication - rethink your scheme so you can use two different instances of it - one to authenticate devices and another to identify users. Plus application logic to allow binding N devices to a user.
frankodwyer  2009-01-08 00:21:51
Do you have any suggestions on how to do that?
Kevin Elliott  2009-01-21 17:42:02
frankodwyer: Is the device UUID less secure than, say, any other API key out there? API keys are usually 40 characters long or longer, how long is the device UUID?
August Lilleaas  2009-08-15 07:48:59
I don't recall the length offhand, but it is of that order. However it is not really a secret. It is available to any application running on the phone, for example. It is also visible in itunes when the phone is connected. People hand it out to developers when they are participating in betas. And there are probably apps sending it in the clear over wifi. Last but not least, it cannot be changed - thus disclosure is a catastrophe and there is no way to recover.
frankodwyer  2009-08-15 20:18:34
Frank: How do you suggest I use AuthLogic to authenticate both User and Device? Does it make sense to allow Devices to authenticate directly?
Kevin Elliott  2010-01-09 23:20:59
A: 

Generate random password in Rails link text I am using Restful_authentication plugin for one of my projects. As part of my user creation workflow, system should to generate a random password for the new user.

 2009-01-06 17:07:29
+1  A: 

Did you ever figure out a solution to this?

Nick Treffiletti  2010-01-21 04:04:41
No. I'm still looking for a good solution. Right now it looks like I need both User and Device to be authenticatable. I'm considering creating a base class that they both extend, and have all the objects owned by the base class. Not sure if that will really work well yet.
Kevin Elliott  2010-01-21 09:09:01
A: 

What do you think on using the UDID and a random password generated using the UDID + a sitewide defined salt?

Something like: 

salt = 'afG553Dvbf3'

udid = '1234567890'
pass = Digest::MD5.hexdigest(udid + salt)

And send that password to the iPhone for the next time it connects.

Leandro Ardissone  2010-04-03 02:47:20

related questions

Best place to get Ruby on Vista up and running as dev environment
How can I encode xml files to xfdl (base64-gzip)?
What is the best way to learn Ruby?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a Class using the Singleton Design Pattern in Ruby?
How do I update Ruby Gems from behind a Proxy (ISA-NTLM)
Why Should I Learn Ruby?
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
How do I rake tasks within a ruby script?
Ruby On Rails with Windows Vista - Best Setup?
Mapping values from two array in Ruby
Reverse DNS in Ruby?
Text Editor For Linux (Besides Vi)?
What is good forum software to add to an existing Rails application?
Calling Bash Commands From Ruby
How can I modify .xfdl files? (Update #1)
How do I use (n)curses in Ruby?
Open Source Ruby Projects
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
When to use lambda, when to use Proc.new?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.
.NET Migrations Engine
How do I add existing comments to RDoc in Ruby?