Using rails secret for salt authentication keys in development
I am building an Ember app that uses Devise for authentication. I really get stuck on how all these different tokens come into play.
I am overriding the recently deprecated Devise strategy :token_authenticatable using the method outlined here. I would like to add token authentication to my API and sign requests with a user token.
I'm wondering, though: even when using Devise.secure_compare to prevent timing attacks, it still stores authentication_token in plain text, so if someone gains access to the database, these tokens could potentially be used to steal the session, no?
In its modules, Devise seems to use two different types of "tokens":
- Create a token with Devise.friendly_token and save it as plain text, then look up this token (as used in :rememberable).
- Create a salted token with Devise.token_generator (as used in :confirmable).
In the second method it looks like the token is salted using Devise.secret_key, which is derived from the Rails secret in config/secrets.yml. So the token is encrypted, and if the database were leaked for some reason, the tokens could not be used, right? It would be the equivalent of having a private key (rails secret) and a public key (authentication_token).
I have quite a few questions:
- Should I use Devise.token_generator to generate my authentication_tokens?
- What is the security term for these tokens?
- How does the CSRF token work in Devise?
Devise does a lot of things, not necessarily what your particular application needs or how your application needs it. I found it was not suitable for my application. The lack of support for / removal of API token authentication provided enough motivation to move forward and implement what I needed. I was able to easily implement tokens from scratch. I also got full flexibility to manage user subscription / workflows / invitations, etc. No constraints and contortions required by Devise. I am still using Warden, which Devise also uses, to integrate with the Rack middleware.
I have provided an example token authentication / authorization implementation on another question about jump_stack. You should be able to use this code as a starting point for token authentication and apply any additional token security you require. I am also using my token auth approach with Ember.js.
Also consider whether encrypted tokens really buy you anything, because depending on your deployment environment and how you manage your master key / secret, this could give a false sense of security. Also remember that encryption says NOTHING about the integrity / validity of the token or the associated authentication / authorization information unless you also have a MAC / signature that covers everything used in your access decision. Therefore, while you may be focused on protecting tokens from attackers who have access to your database, it may be trivial for the same attackers to introduce fake tokens or elevate privileges for existing users in your database, or simply steal or change the real data, which may be what they really want to achieve!
I made a few comments about enforcing integrity and confidentiality controls for ALL authentication / authorization information (which these tokens are part of) on the Doorkeeper gem. I would suggest reading the full issue to get an idea of the scope of the problem and the things to consider, since none of the gems currently do what they are supposed to. I have provided an overview of how to avoid storing tokens on the server altogether, and I have provided some sample token creation and authentication code in a gist that also deals with timing attacks.
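An added example, not code from the question, the answer, Devise or the linked gist, of the two points the answer makes: store only a keyed digest of a random token and compare it in constant time, and sign the claims the access decision depends on so that a database edit alone cannot forge a token or elevate a user. The SECRET constant, the module and method names and the claim layout are all assumptions.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Constructed example secret; in Rails this would come from secret_key_base.
SECRET = 'constructed-example-secret-not-for-production'

module TokenAuth
  # Random bearer token: the raw value goes to the client once; only its keyed digest is stored.
  def self.issue_token
    raw = SecureRandom.urlsafe_base64(32)
    [raw, digest_for(raw)]
  end

  # HMAC-SHA256 keyed with the app secret, so a DB dump yields neither the raw
  # token nor the ability to forge digests without the secret.
  def self.digest_for(raw)
    OpenSSL::HMAC.hexdigest('SHA256', SECRET, raw)
  end

  # Constant-time comparison (as Devise.secure_compare) so response timing does
  # not reveal how many leading bytes of a guess were correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    expected = a.unpack('C*')
    diff = 0
    b.each_byte { |byte| diff |= byte ^ expected.shift }
    diff.zero?
  end

  # Authenticate a presented token against the digest stored for the user.
  def self.authenticate(presented, stored_digest)
    secure_compare(digest_for(presented), stored_digest)
  end

  # Stateless alternative: sign the claims used in the access decision, so nothing
  # is stored server-side and a DB edit cannot elevate privileges.
  def self.sign_claims(user_id, role, expires_at)
    payload = Base64.urlsafe_encode64("#{user_id}:#{role}:#{expires_at}", padding: false)
    "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
  end

  # Returns the claims on a valid, unexpired token; nil otherwise (MAC is checked before decoding).
  def self.verify_claims(token, now = Time.now.to_i)
    payload, mac = token.split('.', 2)
    return nil if payload.nil? || mac.nil?
    return nil unless secure_compare(OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload), mac)
    user_id, role, expires_at = Base64.urlsafe_decode64(payload).split(':', 3)
    return nil if expires_at.nil? || expires_at.to_i < now
    { user_id: user_id.to_i, role: role, expires_at: expires_at.to_i }
  end
end
```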