authentication-zero

authentication-zero

Rails应用的自动化认证系统生成器

Authentication Zero是一个Rails插件,为Web和API应用自动生成认证系统代码。它遵循安全和Rails最佳实践,支持注册、登录、密码重置、双因素认证等功能。通过生成代码而非使用库,该插件允许开发者自由修改认证系统,以适应特定需求。Authentication Zero简化了认证系统的实现,同时保持了高度的可定制性。

Authentication ZeroRails身份验证安全代码生成Github开源项目

Authentication Zero

The purpose of authentication zero is to generate a pre-built authentication system into a rails application (web or api-only) that follows both security and rails best practices. By generating code into the user's application instead of using a library, the user has complete freedom to modify the authentication system so it works best with their app.

Installation

$ bundle add authentication-zero

If you are using Rails < 7.1, you must use version 2.

$ bundle add authentication-zero --version "~> 2"

Usage

$ rails generate authentication

Developer responsibilities

Since Authentication Zero generates this code into your application instead of building these modules into the gem itself, you now have complete freedom to modify the authentication system, so it works best with your use case. The one caveat with using a generated authentication system is it will not be updated after it's been generated. Therefore, as improvements are made to the output of rails generate authentication, it becomes your responsibility to determine if these changes need to be ported into your application. Security-related and other important improvements will be explicitly and clearly marked in the CHANGELOG.md file and upgrade notes.

Features

Essential

  • Sign up
  • Email and password validations
  • Checks if a password has been found in any data breach (--pwned)
  • Authentication by cookie
  • Authentication by token (--api)
  • Two factor authentication + recovery codes (--two-factor)
  • Two factor authentication using a hardware security key (--webauthn)
  • Verify email using a link with token
  • Ask password before sensitive data changes, aka: sudo (--sudoable)
  • Reset the user password and send reset instructions
  • Reset the user password only from verified emails
  • Lock mechanism to prevent email bombing (--lockable)
  • Rate limiting for your app, 1000 reqs/minute (--ratelimit)
  • Send e-mail confirmation when your email has been changed
  • Manage multiple sessions & devices
  • Activity log (--trackable)
  • Log out

More

  • Social login with omni auth (--omniauthable)
  • Passwordless authentication (--passwordless)
  • Send invitations (--invitable)
  • "Sign-in as" button (--masqueradable)
  • Multi-tentant application (--tenantable)

Generated code

  • has_secure_password: Adds methods to set and authenticate against a bcrypt password.
  • authenticate_by: Given a set of attributes, finds a record using the non-password attributes, and then authenticates that record using the password attributes.
  • generates_token_for: Defines the behavior of tokens generated for a specific purpose.
  • signed cookies: Returns a jar that'll automatically generate a signed representation of cookie value and verify it when reading from the cookie again.
  • httponly cookies: A cookie with the httponly attribute is inaccessible to the JavaScript, this precaution helps mitigate cross-site scripting (XSS) attacks.
  • signed_id: Returns a signed id that is tamper proof, so it's safe to send in an email or otherwise share with the outside world.
  • current attributes: Abstract super class that provides a thread-isolated attributes singleton, which resets automatically before and after each request.
  • action mailer: Action Mailer allows you to send email from your application using a mailer model and views.
  • log filtering: Parameters 'token' and 'password' are marked [FILTERED] in the log.
  • functional tests: In Rails, testing the various actions of a controller is a form of writing functional tests.
  • system testing: System tests allow you to test user interactions with your application, running tests in either a real or a headless browser.

Sudoable

Use before_action :require_sudo in controllers with sensitive information, it will ask for your password on the first access or after 30 minutes.

Tenantable

Some artifacts are generated in the application, which makes it possible to implement row-level multitenancy applications. The Current.account is set using the current user account.

You should follow some steps to make it work:

  • Add account_id to each scoped table. ex: rails g migration add_account_to_projects account:references.
  • Add include AccountScoped to scoped models. It set up the account relationship and default scope using the current account.

Set Current.account through the URL. http://myapp.com/:account_id. (optional)

  • Add require_relative "../lib/account_middleware" to config/application.rb.
  • Add config.middleware.use AccountMiddleware to your application class.
  • More customization is required...

Development

To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/lazaronixon/authentication-zero. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.

License

The gem is available as open source under the terms of the MIT License.

Code of Conduct

Everyone interacting in the AuthenticationZero project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.

编辑推荐精选

讯飞智文

讯飞智文

一键生成PPT和Word,让学习生活更轻松

讯飞智文是一个利用 AI 技术的项目,能够帮助用户生成 PPT 以及各类文档。无论是商业领域的市场分析报告、年度目标制定,还是学生群体的职业生涯规划、实习避坑指南,亦或是活动策划、旅游攻略等内容,它都能提供支持,帮助用户精准表达,轻松呈现各种信息。

AI办公办公工具AI工具讯飞智文AI在线生成PPTAI撰写助手多语种文档生成AI自动配图热门
讯飞星火

讯飞星火

深度推理能力全新升级,全面对标OpenAI o1

科大讯飞的星火大模型,支持语言理解、知识问答和文本创作等多功能,适用于多种文件和业务场景,提升办公和日常生活的效率。讯飞星火是一个提供丰富智能服务的平台,涵盖科技资讯、图像创作、写作辅助、编程解答、科研文献解读等功能,能为不同需求的用户提供便捷高效的帮助,助力用户轻松获取信息、解决问题,满足多样化使用场景。

热门AI开发模型训练AI工具讯飞星火大模型智能问答内容创作多语种支持智慧生活
Spark-TTS

Spark-TTS

一种基于大语言模型的高效单流解耦语音令牌文本到语音合成模型

Spark-TTS 是一个基于 PyTorch 的开源文本到语音合成项目,由多个知名机构联合参与。该项目提供了高效的 LLM(大语言模型)驱动的语音合成方案,支持语音克隆和语音创建功能,可通过命令行界面(CLI)和 Web UI 两种方式使用。用户可以根据需求调整语音的性别、音高、速度等参数,生成高质量的语音。该项目适用于多种场景,如有声读物制作、智能语音助手开发等。

Trae

Trae

字节跳动发布的AI编程神器IDE

Trae是一种自适应的集成开发环境(IDE),通过自动化和多元协作改变开发流程。利用Trae,团队能够更快速、精确地编写和部署代码,从而提高编程效率和项目交付速度。Trae具备上下文感知和代码自动完成功能,是提升开发效率的理想工具。

AI工具TraeAI IDE协作生产力转型热门
咔片PPT

咔片PPT

AI助力,做PPT更简单!

咔片是一款轻量化在线演示设计工具,借助 AI 技术,实现从内容生成到智能设计的一站式 PPT 制作服务。支持多种文档格式导入生成 PPT,提供海量模板、智能美化、素材替换等功能,适用于销售、教师、学生等各类人群,能高效制作出高品质 PPT,满足不同场景演示需求。

讯飞绘文

讯飞绘文

选题、配图、成文,一站式创作,让内容运营更高效

讯飞绘文,一个AI集成平台,支持写作、选题、配图、排版和发布。高效生成适用于各类媒体的定制内容,加速品牌传播,提升内容营销效果。

热门AI辅助写作AI工具讯飞绘文内容运营AI创作个性化文章多平台分发AI助手
材料星

材料星

专业的AI公文写作平台,公文写作神器

AI 材料星,专业的 AI 公文写作辅助平台,为体制内工作人员提供高效的公文写作解决方案。拥有海量公文文库、9 大核心 AI 功能,支持 30 + 文稿类型生成,助力快速完成领导讲话、工作总结、述职报告等材料,提升办公效率,是体制打工人的得力写作神器。

openai-agents-python

openai-agents-python

OpenAI Agents SDK,助力开发者便捷使用 OpenAI 相关功能。

openai-agents-python 是 OpenAI 推出的一款强大 Python SDK,它为开发者提供了与 OpenAI 模型交互的高效工具,支持工具调用、结果处理、追踪等功能,涵盖多种应用场景,如研究助手、财务研究等,能显著提升开发效率,让开发者更轻松地利用 OpenAI 的技术优势。

Hunyuan3D-2

Hunyuan3D-2

高分辨率纹理 3D 资产生成

Hunyuan3D-2 是腾讯开发的用于 3D 资产生成的强大工具,支持从文本描述、单张图片或多视角图片生成 3D 模型,具备快速形状生成能力,可生成带纹理的高质量 3D 模型,适用于多个领域,为 3D 创作提供了高效解决方案。

3FS

3FS

一个具备存储、管理和客户端操作等多种功能的分布式文件系统相关项目。

3FS 是一个功能强大的分布式文件系统项目,涵盖了存储引擎、元数据管理、客户端工具等多个模块。它支持多种文件操作,如创建文件和目录、设置布局等,同时具备高效的事件循环、节点选择和协程池管理等特性。适用于需要大规模数据存储和管理的场景,能够提高系统的性能和可靠性,是分布式存储领域的优质解决方案。

下拉加载更多