Rails 3 and OAuth for Barcamp Tampa
Download as key, pdf1 like1,021 views
This document summarizes a presentation about Rails 3 and OAuth. It discusses: 1. The history and key components of Rails, including ActiveRecord, ActionController, ActionView, and Railties. 2. New features in Rails 3, such as ActiveModel, ActionController::Responder, CSRF protection, unobtrusive JavaScript, and removing scripts/*. 3. What OAuth is and how it allows secure authorization for API access while limiting client applications' access. 4. The basic flow of an OAuth authorization, including requesting tokens from providers and exchanging them for access tokens.
Rails 3 and OAuth for Barcamp Tampa
- 1. Rails 3 and OAuth BarCamp Tampa, September 26, 2010
- 2. Who am I? Hello, Im Bryce. I snuck up here from Miami. I make web applications with Ruby on Rails. I tweet as @bonzoesc
- 3. Quick Disclaimer This used to be two presentations but I combined them. Thanks for your cooperation!
- 4. What is Rails? Ruby on Rails速 is an open-source web framework thats optimized for programmer happiness and sustainable productivity. It lets you write beautiful code by favoring convention over con guration. - http://rubyonrails.org/
- 5. What is Rails? Rails is a way to build web applications quickly and be able to maintain them in the future.
- 6. What is Rails? Twitter Scribd Hulu Less Accounting Basecamp Shopify Groupon Get Satisfaction Lighthouse Urban Dictionary Github Kongregate
- 7. What is Rails? Four main parts
- 8. What is Rails? ActiveRecord turns database into Ruby objects
- 9. What is Rails? ActionController turns web requests into Ruby method calls
- 10. What is Rails? ActionView turns Ruby code into web responses
- 11. What is Rails? Railties turns the parts into Rails
- 12. History
- 13. So What? Rails 3 feels like Rails in the right places.
- 14. So What? Rails 3 is as exible as Merb.
- 15. The Speci cs
- 17. ActiveRecord Classic @published = Post.鍖nd( :all, :where=>{:published=>true}, :order=>'created_at desc' ) @unpublished = Post.鍖nd( :all, :where=>:published=>false}, :order=>'created_at desc' )
- 18. ActiveRecord Arel @ordered = Post.order('created_at asc') @published = @ordered.where(:published=>true) @unpublished = @ordered.where(:published=>false)
- 20. ActiveModel Put the ActiveRecord features you love on plain, non-database objects
- 21. ActiveModel Validations Serialization (JSON, XML) Callbacks (before_save) Translations
- 22. ActionController Handling requests
- 23. Responder Exposed to the developer for the rst time
- 24. Responder Allows precise yet reusable control of how responses are generated
- 25. Responder class EpisodesController < ApplicationController 油油respond_to :html, :xml, :json 油油def index 油油油油@episodes = Episode.all 油油油油respond_with @episodes 油油end end
- 26. CSRF Protection Cross-Site Request Forgery is an attack allowing an attacker to impersonate a user.
- 27. CSRF Protection 1. User clicks link in a friends tweet to http://evilsite.us/
- 28. CSRF Protection 2. User clicks play on a video on http://evilsite.us/
- 29. CSRF Protection 3. User ends up tweeting link to http://evilsite.us/
- 30. CSRF Protection Note that Twitter isnt vulnerable to this.
- 31. CSRF Protection Note that Twitter isnt vulnerable to this. They use Rails built-in CSRF protection.
- 32. CSRF Protection Enabled by default Transparent Use the built-in form builders
- 34. XSS Protection Cross Site Scripting is a class of attack allowing an attacker to execute code on a users web browser.
- 35. XSS Protection 1. User watches video on YouTube
- 36. XSS Protection 2. Malicious code in the comments cause the user to post malicious code in videos theyre previously watched.
- 37. XSS Protection Rails 3 has protection for this built in and enabled by default. Think hard before using raw output in views.
- 38. A side note Curious about CSRF and XSS attacks? Hack Miami had presentations about these vulnerabilities on Saturday, September 18. Hop in your DeLorean to learn more! http://hackmiami.org/
- 39. Unobtrusive JavaScript Rails 1 & 2 injected JavaScript into pages to make AJAX features work.
- 40. Unobtrusive JavaScript Rails 3 annotates the HTML with special properties.
- 41. Unobtrusive JavaScript There are drivers for Prototype, jQuery, and more.
- 42. No more scripts/* The scripts directory used to contain tools for generating and running your application.
- 43. No more scripts/* Rails 3 does this with the rails tool.
- 44. Big Changes ActiveRecord: Arel, ActiveModel ActionController: CSRF protection, ActionController::Responder ActionView: XSS Protection, Unobtrusive JavaScript Railties: No more scripts/*
- 46. Authentication Authentication is proving who you are.
- 48. Authorization Authorization is letting something happen on your behalf.
- 49. Authorization Signature on a contract Key in your cars ignition Verbal permission
- 50. Authentication and Authorization Two security primitives that taste great together!
- 51. On the Web
- 52. The Old Stupid Way
- 53. The Old Stupid Way You want TripIt to read your address book. You dont want TripIt to read all your email.
- 54. Another Bad Idea
- 55. Another Bad Idea How do you revoke access? How do you revoke access to only one client? How do you ensure clients only do certain things?
- 56. OAuth
- 57. OAuth An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications. - http://oauth.net/
- 58. OAuth OAuth lets you limit and control client applications working on your behalf.
- 59. OAuth Facebook Yahoo Twitter Net ix Github Picomoney Google 37signals
- 60. An OAuth Session 1.You nd a useful website that reads your friends tweets about movies, and adds them to your Net ix queue.
- 61. An OAuth Session 2.You click the Connect with Net ix button, and are redirected to: https://api-user.net ix.com/
- 62. An OAuth Session 3.You enter your Net ix account information, and are returned to the client website.
- 63. An OAuth Session 4.You click the Connect with Twitter button, and are redirected to: https://api.twitter.com/
- 64. An OAuth Session 5.You enter your Twitter account information, and are returned to the client website.
- 65. An OAuth Session The client application gets tokens for each service.
- 66. An OAuth Session If you decide (at any time) to quit using the service, you can visit Twitter and Net ix and revoke its authorization.
- 67. An OAuth Session
- 68. The Guts 1. The consumer (client) asks the provider (server) for a new blank request token, and sends the user to the provider with that request token.
- 69. The Guts 2. The user authenticates with the provider, and accepts (or denies) the authorization the consumer wants.
- 70. The Guts 3. The user is redirected back to the consumer with a request token bound to that user.
- 71. The Guts 4. The consumer gives the request token to the server in exchange for an access token.
- 72. The Guts 5. The consumer can use the access token as authorization.
- 73. OAuth 2 OAuth 1.0a and 2 are different and incompatible.
- 74. OAuth 1 or 2? If youre making a consumer, the provider made that choice for you.
- 75. OAuth 1 or 2? If youre making a provider, OAuth 2.
- 76. Getting Started
- 77. I Didnt Finish My Demo
- 78. Photo Credits http://www. ickr.com/photos/lazytom/320269269/ http://www. ickr.com/photos/andrewmbutler/428388719/ http://www. ickr.com/photos/emdurso/2686817699/ http://www. ickr.com/photos/beleaveme/1871344753/ http://www. ickr.com/photos/beleaveme/4676893419/ http://www. ickr.com/photos/scottobear/186001665/ (pretty smug about Tri-Rail photos in a Rails 3 presentation)
- 79. Photo Credits http://www. ickr.com/photos/95453014@N00/451238739/ http://www. ickr.com/photos/mattkieffer/4671197999/ http://www. ickr.com/photos/italintheheart/4018162624/ http://www. ickr.com/photos/spbutterworth/2756176408/ http://www. ickr.com/photos/gesteves/3336482837/
- 80. Look at Stuff http://db.tt/wDfs5nd - slides (keynote & pdf) http://bit.ly/r3oauth - half- nished source http://twitter.com/bonzoesc
- 81. Questions
- 82. Thanks!
- 83. What Im Using Ruby 1.8.7 Rails 3 twitter gem
- 84. Follow along! The hexits at the bottom of the slide are a git commit number. http://bit.ly/r3oauth
- 85. Build the Skeleton > rails new oauthdemo fbdb7051
- 86. Add Gems Gem le: gem油'oauth' > bundle install 96919add
- 87. Start the Server > rails s
- 89. Add a Users table > rails g model user screen_name:string twitter_token:string twitter_secret:string 3473158b
- 90. Stub Controller > rails g controller authorization new show 767512e2
- 91. Stub Controller con g/routes.rb: Oauthdemo::Application.routes.draw do 油油resource :authorization app/controllers/authorization_controller.rb: class AuthorizationController < ApplicationController 油油def create 油油end 油油def destroy 油油end 2dd53ba0
- 92. OAuth Con guration con g/initializers/twitter.rb: TWITTER_OAUTH_TOKENS = { 油油:key=>'DCtwdGNS38Sr9JN', 油油:secret=>'gJ6RN7Nblq9t' } bb1dd05b
Editor's Notes
- #13: Merb started as a smaller, simpler Rails. Merb didn&#x2019;t force you to use some of the libraries that Rails 1 & 2 did. In December 2008, the Rails and Merb teams announced they were merging and collaborating on Rails 3.
- #16: ActiveRecord: Arel, ActiveModel ActionController: CSRF protection, ActionController::Responder ActionView: XSS Protection, Unobtrusive JavaScript Railties: No more scripts/*
- #25: Easily add XML or JSON support to a resource. Add pagination support for HTML views.
- #27: For example, visiting http://malicious.site/ could post a message as you on Twitter.
- #33: Unless you go through the work to disable this, you won&#x2019;t have to worry
- #40: On a page with 100 AJAX buttons, this could double the size of the page load.
- #41: The client downloads a driver once per site, instead of on every page load.
- #43: The most &#x201C;gotcha&#x201D; of the rails changes. When upgrading Rails, these scripts would have to be added to or replaced.
- #44: When new versions are released, you won&#x2019;t have to update any scripts.