scottburton11 / acts_as_secure_url Goto Github PK
View Code? Open in Web Editor NEWattaches security generation and route-based authentication to Rails models
Home Page: http://github.com/scottburton11/acts_as_secure_url
License: MIT License
attaches security generation and route-based authentication to Rails models
Home Page: http://github.com/scottburton11/acts_as_secure_url
License: MIT License
ActsAsSecureUrl =============== ActsAsSecureUrl provides self-authentication for your Rails models from URL parameters. Basic Setup =========== Include the plugin somewhere in your application: include SecureUrl and in your models, declare: acts_as_secure_url Models gain a #authenticate method that takes an id and public_key, and returns your object if authentication is successful. Set some site key constants somewhere: SecureUrl::SITE_KEY = "some-long-secure-string" SecureUrl::HASH_ITERATIONS = 3 Both of these values should be persisted across your deployment, and kept safe. If either of these values change, all of your old database rows will be inaccessible. Generators ========== script/generate acts_as_secure_url [options] Model Controller Generates a basic model and controller for your secure class, plus a named route for secure URLs. Suported options: --skip-migration Skips the migration file, be sure to include access_key and salt fields in your database table --persist-public-key Adds a public_key column to the database migration. This makes setup easy, but degrades security; if your database is ever compromised, it can be used to recreate public URLs. Security ======== ActsAsSecureUrl generates a secret access_key value for each resource based on a SHA1 hash of a provided public_key and a pre-configured site key. ActsAsSecureUrl uses a public key provided by the user in URL parameters to authenticate a resource by id. This is secure only as far as the public_key parameter is secure, so links such as http://hostname.com/:public_key/:id while difficult to guess, can persist in caches and logs and be reused. It is probably safer to post the public_key parameter through SSL/TLS. Additional layers of security, such as link expiry, limited link usages, and location requirements are strongly urged. It's also suggested that you use complex, unique, non-deterministic primary keys to reduce the effectiveness of brute-force attacks. The #public_key_data method, which is a random SHA1 hash by default, can be overridden by user-verifiable data, making client-side public key calculations or user-provided keys possible. To maximize security, ensure that your database and site key parameters are secured separately. Copyright (c) 2009 [Scott Burton], all rights reserved
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.