Nick, Thanks for posting!

If I understand your proposed scheme correctly, part of the protection it gives is against replay attacks. I have read in other places that TLS itself prevents replay attacks, like mentioned here: https://security.stackexchange.com/questions/20105/are-ssl-encrypted-requests-vulnerable-to-replay-attacks which links to the actual TLS 1.1 spec: https://tools.ietf.org/html/rfc4346#appendix-F.2

Is it fair to say then that if we only accept TLS connections we would be safe from replay attacks?

Thanks,
--
Ylan Segal

On Monday, May 25, 2015 at 10:29:02 AM UTC-7, Nick Zadrozny wrote:
>
> Old thread, but it piqued my interest. Here's a pattern that I end up using quite a bit in my internal admin APIs. Once you build it a few times, it's not really any more work than basic auth, and it has very nice security characteristics.
>
> http://git.io/vTNxj
>
> If I were going to build a public facing version of this, I'd borrow heavily from Joyent's node-http-signature scheme: https://github.com/joyent/node-http-signature/blob/master/http_signing.md
>
> On Thu, Apr 23, 2015 at 1:42 PM, Ian Young <[email protected]> wrote:
>
>> I'm wondering if anyone has recommendations for gems for serving simple token-based authentication in Rails. You know, when you need to provide safe API access but you don't need the overhead of OAuth2. Just have the client send some credentials, get a token, use the token to make requests.
>>
>> Providing this in Rails is just complicated enough that I don't want to reinvent it myself, but there's a strange dearth of good solutions out there. There are a couple <https://github.com/gonzalo-bulnes/simple_token_authentication> simple ones <https://github.com/baschtl/devise-token_authenticatable> that are tightly coupled to Devise and don't do quite enough (for example, only one token per user), and there's this one <https://github.com/lynndylanhurley/devise_token_auth> which does a bit too much, is still tightly coupled to Devise, and I'm liking less the more I use it.
>>
>> Am I missing any good ones? It's strange to see such a lack of activity around a very common need, and it makes me think that everyone is just shamefully reimplementing this anew for each project.
>>
>> --
>> --
>> SD Ruby mailing list
>> [email protected]
>> http://groups.google.com/group/sdruby
>> ---
>> You received this message because you are subscribed to the Google Groups "SD Ruby" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
>>
> --
> Nick Zadrozny
>
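The thread contrasts two layers of replay protection. The TLS record layer binds a sequence number into each record's MAC, so a network attacker cannot re-inject captured ciphertext into a live connection; it does nothing about an application-level replay, where a request that was already accepted is presented again over a fresh connection (for example after being read out of a proxy or application log past the point where TLS terminated). A signed-request scheme of the kind Nick describes closes that gap by binding a timestamp and a nonce into the signature and having the server remember which nonces it has accepted. The following is an added Ruby example written for this thread; it is not Nick's git.io pattern nor Joyent's http-signature scheme, and the header names, the shared secret, the 300-second skew window and the fixed clock used in the walkthrough are all assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Added example for this thread, not code from the original post or the projects it
# links. Constructed per-client shared secret; in a real deployment this is stored
# server side alongside the client identifier that the request would also carry.
SECRET = 'constructed-shared-secret-for-demo'.freeze

# Both sides sign the same canonical string. Method, path, a digest of the body,
# the timestamp and the nonce are all bound into it, so changing any one of them
# invalidates the signature.
def signing_string(method, path, body, timestamp, nonce)
  body_digest = OpenSSL::Digest::SHA256.hexdigest(body)
  [method.upcase, path, body_digest, timestamp.to_s, nonce].join("\n")
end

# Client side: produce the headers that accompany the request (header names assumed).
def sign_request(secret, method, path, body, timestamp:, nonce: SecureRandom.hex(16))
  sig = OpenSSL::HMAC.hexdigest('SHA256', secret,
                                signing_string(method, path, body, timestamp, nonce))
  { 'X-Timestamp' => timestamp.to_s, 'X-Nonce' => nonce, 'X-Signature' => sig }
end

# Constant-time comparison so the check does not leak how many leading bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side. Remembers accepted nonces for as long as their timestamp is inside
# the skew window, so an identical copy of an already-accepted request is refused
# even though its signature still verifies.
class RequestVerifier
  WINDOW = 300 # seconds of clock skew tolerated in either direction (assumption)

  def initialize(secret, clock: -> { Time.now.to_i })
    @secret = secret
    @clock = clock
    @seen = {} # nonce => timestamp it was presented with
  end

  # Returns :ok, :bad_signature, :stale or :replayed.
  def verify(method, path, body, headers)
    ts_header, nonce, sig = headers.values_at('X-Timestamp', 'X-Nonce', 'X-Signature')
    return :bad_signature if ts_header.nil? || nonce.nil? || sig.nil?

    # Verify the signature before anything else, so unauthenticated traffic can
    # never fill the nonce cache. The header value is signed exactly as received.
    expected = OpenSSL::HMAC.hexdigest('SHA256', @secret,
                                       signing_string(method, path, body, ts_header, nonce))
    return :bad_signature unless secure_equal?(expected, sig)

    ts = begin
      Integer(ts_header, 10)
    rescue ArgumentError, TypeError
      return :bad_signature
    end

    now = @clock.call
    prune(now)
    return :stale if (now - ts).abs > WINDOW
    return :replayed if @seen.key?(nonce)

    @seen[nonce] = ts
    :ok
  end

  private

  # Nonces older than the window can no longer pass the staleness check, so they
  # need not be remembered; this keeps the cache bounded.
  def prune(now)
    @seen.delete_if { |_nonce, ts| now - ts > WINDOW }
  end
end

# Walk through the cases the thread is about, with a fixed clock so the run is repeatable.
def demo
  clock_now = 1_432_575_000 # constructed epoch seconds
  verifier = RequestVerifier.new(SECRET, clock: -> { clock_now })
  body = '{"user_id":42,"role":"admin"}'
  headers = sign_request(SECRET, 'POST', '/admin/roles', body, timestamp: clock_now - 5)

  first  = verifier.verify('POST', '/admin/roles', body, headers)                    # :ok
  replay = verifier.verify('POST', '/admin/roles', body, headers)                    # :replayed
  forged = verifier.verify('POST', '/admin/roles', body.sub('42', '43'), headers)    # :bad_signature
  old    = sign_request(SECRET, 'GET', '/admin/users', '', timestamp: clock_now - 3600)
  stale  = verifier.verify('GET', '/admin/users', '', old)                           # :stale
  [first, replay, forged, stale]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The order of checks matters: signature first, then timestamp, then nonce, so that only a holder of the secret can cause the server to remember anything, and the window bounds how long each nonce has to be kept. In a multi-process Rails deployment the `@seen` hash would have to live in a shared store such as Redis (with an expiry equal to the window) rather than in process memory, otherwise a replay routed to a different worker would be accepted.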
