⚡ Inactivity Notice |
---|
Thanks for your interest. I no longer have the bandwidth to maintain this package.
Drop in authorization and authentication suite for Rails APIs.
ApiGuardian includes the following features out of the box:
- User registration (email/pass)
- Password reset workflow
- Roles
- Permissions
- Stateless authentication using OAuth2 (via Doorkeeper and Doorkeeper::JWT)
- Policy enforcement (via Pundit)
- Serialization to JSON API (via AMS)
- Two-factor auth
- External Login (TODO)
What doesn't it include?
- Stateful session support (Cookies)
- HTML/CSS/JS or views of any kind.
- Ruby >= 2.2.2
- PostgreSQL >= 9.3 (JSON and uuid-ossp support)
- Rails >= 5.0
Note: For now, your app must use a PostgreSQL database. This is because ApiGuardian is using UUID primary keys for all records.
Put this in your Gemfile:
# Include ApiGuardian from edge
gem 'api_guardian', git: 'https://github.com/lookitsatravis/api_guardian'
Run the following command. It will:
- Add an initializer
- Mount ApiGuardian in your routes file
- Copy migration files
- Add seed data
rails generate api_guardian:install
You will need to follow this with:
rake db:migrate
Take a moment here to review your seed file and make any changes. And then:
rake db:seed
Make all of your API controllers extend ApiGuardian::ApiController
and your
policies extend ApiGuardian::Policies::ApplicationPolicy
. What is a policy, you ask,
and why should you care? Well, I'm glad you asked!
See our Documentation for way more information on setup and usage, or take a look at the RDoc formatted docs here:
http://www.rubydoc.info/github/lookitsatravis/api_guardian/master
- controller actions:
- Assign permissions to role by name
- Multi-tenancy
- Invite users by email to organization
- Users can belong to multiple organizations?
- Different roles based on organization? Or permissions?
- Configuring allowed CORS domains (to better protect insecure clients)
- omniauth
- Account lockout (failed login attempts)
- https://github.com/kickstarter/rack-attack
- 2FA
- review support for https://www.authy.com/product/
- review support for U2F
- Generate URL for Google Authenticator import
- Backup codes for when device is unavailable
- 16 one time use codes
- Ability to regenerate a new batch of codes
- Activity/Events (User signed in, User authenticated at...)
- Sessions/Devices (attach to tokens, but how?)
- Fix for JWT storage: https://github.com/doorkeeper-gem/doorkeeper/wiki/How-to-fix-PostgreSQL-error-on-index-row-size
- Cache
- SSO
- Review Auth0 feature set
- Documentation
- Microservice usage
- Request logging
- Remove dependency on PostgreSQL
- Use serialize for attributes in models
- https://github.com/jashmenn/activeuuid
- Ability to swap AMS adapter
- Error rendering needs to match this setting
- Toggle custom logger off
- Add test for custom logger
- Soft deleting and cascade deleting
- A role can't be destroyed if users still belong to it
- Remove dependencies on gems
- What could be moved to core?
- pundit
- doorkeeper
- otp
- acts_as_tenant
- Phony
- What could feasibly be added as an "addon" package
- Paranoia
- zxcvbn-js
- twilio-ruby
- What could be moved to core?
If you find a bug, please report an Issue.
If you have a question, please post to Stack Overflow.
Thanks!
See CONTRIBUTING.md
ApiGuardian is copyright © 2015-2017 Travis Vignon. It is free software, and may be
redistributed under the terms specified in the MIT-LICENSE
file.