tags:

views:

84

answers:

0
+1  Q: 

Google Apps and Open ID Authentication in Rails - Security

I'm moving an app to use only Google Federated Login (OpenID) for an application (we use google apps for everything and feel it would be easier to combine user management there). While I can successfully login and create users, my thoughts are now on security...

When a user logs in I only have a "Log In" button - nothing else. The site domain is hard coded in (where SITE_DOMAIN appears below) and the user is redirected to the typical google login page.

Here is the code:

    def create
    open_id_authentication
  end

  protected

  def open_id_authentication
    openid_url = 'https://www.google.com/accounts/o8/site-xrds?hd=SITE_DOMAIN'
    authenticate_with_open_id(openid_url, 
                              :required => ['http://axschema.org/contact/email',
                                            'http://axschema.org/namePerson/first',
                                            'http://axschema.org/namePerson/last']) do |result, identity_url, registration|
      case result.status
      when :missing
        failed_login "Sorry, the OpenID server couldn't be found"
      when :invalid
        failed_login "Sorry, but this does not appear to be a valid OpenID"
      when :canceled
        failed_login "OpenID verification was canceled"
      when :failed
        failed_login "Sorry, the OpenID verification failed"
      when :successful
        if @current_user = User.find_by_id_url(identity_url)
          if @current_user.login_from(request.env['REMOTE_ADDR'])
            successful_login
          else
            failed_login "Your OpenID profile registration failed: " + @current_user.errors.full_messages.to_sentence
          end
        else
          ax_response = OpenID::AX::FetchResponse.from_success_response(request.env[Rack::OpenID::RESPONSE])
          @current_user = User.login_create(ax_response, identity_url, request.env['REMOTE_ADDR'])
          successful_login
        end
      end
    end
  end

Upon successful login I simply save the user into a session...

session[:current_user] = @current_user

...and use a simple current_user method in the Application controller...

  def current_user
    return session[:current_user] if defined?(session[:current_user])
  end

My main concern is regarding security. OpenIDAuthentication is using the in-memory store and overall this seemed a bit too easy to implement (after reading thru tons of documentation). Basic tests show this works fine, but I'm nervous. :)

Any thoughts?

I am using the open_id_authentication plugin and the basic ruby openid gem (with ruby-openid-apps-discovery gem for google apps)

related questions

Best place to get Ruby on Vista up and running as dev environment
How can I encode xml files to xfdl (base64-gzip)?
What is the best way to learn Ruby?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a Class using the Singleton Design Pattern in Ruby?
How do I update Ruby Gems from behind a Proxy (ISA-NTLM)
Why Should I Learn Ruby?
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
How do I rake tasks within a ruby script?
Ruby On Rails with Windows Vista - Best Setup?
Mapping values from two array in Ruby
Reverse DNS in Ruby?
Text Editor For Linux (Besides Vi)?
What is good forum software to add to an existing Rails application?
Calling Bash Commands From Ruby
How can I modify .xfdl files? (Update #1)
How do I use (n)curses in Ruby?
Open Source Ruby Projects
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
When to use lambda, when to use Proc.new?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.
.NET Migrations Engine
How do I add existing comments to RDoc in Ruby?