Securing Rails, Part II - Authentication and Authorization

Authentication (identifying users) and Authorization (restricting which actions a user performs) create the foundation of every system's security infrastructure.

A system must not only authenticate its users, but provide a session management infrastructure that prevents a user from changing (faking) who they are as well as prevents others from hijacking a legitimate session. The security literature is rife with examples of users being able to flip a bit to upgrade authority (admin=true) or simple asserting they are a different user (current_user="mary"). To hijack session, we find all sorts of attacks, mostly through the theft of browser cookies.

For authentication infrastructure, your best bet is to use a gem that has already been well-tested and reviewed by others rather than rolling your own. The Rails Authentication sub-category has plenty of gems for this area. We are going to try Devise + OmniAuth. I hope to report in a later post our experience with these two gems.

A good authorization framework presents a much larger challenge. There are many reasons for this. First, developers are very creative people. We devise complex code, data and functional models. We devise complex authority hierarchies, roles, permissions. The right to touch a page, a function or a member on an object may be easily determined or based upon a SQL query. There's really no good way to build a gem, DSL or class add-on that presents a one size fits all approach. At least, I've yet to see one. 

Nonetheless, a lot of developers have tried. Check out the Rails Security, Authorization page to see some gems that may suit your needs. In my search, I found the following authorization discussions helpful.

1. Ryan Bates (of Rails Casts fame) discusses his gem CanCan.
2. Tim Morgan tried CanCan and argues for the Authority gem, written by Nathan Long and Adam Hunter.
3. Elabs also tried CanCan and argues for a roll-your-own approach, then supplies Pundit.

No matter the approach, a proper Authorization framework must be implemented for good security. Don't rely on users not being able to boost their authority because they cannot "see" a function. We'll touch on two ways this can happen in the next post on this topic.