Authentication - YaleSTC/reservations GitHub Wiki
Reservations Authentication
TL;DR
- We're using the Devise gem for password authentication by default.
- The CAS_AUTH environment variable can be used to switch to CAS authentication (see here for more details).
- You can switch between authentication methods, but you can only use CAS if all users in your database have a cas_login.
Password Authentication
By default, Reservations uses the Devise gem for password authentication with the DatabaseAuthenticatable, Recoverable, and Rememberable modules enabled. The users' e-mail addresses are used as their login credentials and are copied over to the username attribute in the database, if necessary, when Rails is started (see below for more details). Devise configuration is defined in config/initializers/00_devise.rb with the actual parameters set in config/secrets.yml, including defaults for the development and test environments and environment variables used for production (see here for more details).
If you'd like to modify how Devise is configured, you should read the documentation and edit the initializer accordingly. Adding modules to app/models/user.rb is not recommended, as it will likely require database migrations and make maintaining your instance much more difficult in the future.
CAS Authentication
CAS authentication can be enabled by setting the CAS_AUTH environment variable to a value and setting the CAS_BASE_URL environment variable to the appropriate value (see here for more information). Reservations uses the devise_cas_authenticatable gem to integrate CAS authentication with Devise. Users are identified by their cas_login attribute, which is copied over to the username column in the database when Rails is initialized, if necessary (see below for more details).
Switching Authentication Methods
Reservations does support switching between authentication methods, with a few caveats. The necessary setup is performed in config/initializers/authentication.rb, and basically copies either the email or cas_login column of the users table into the username column to match the configured authentication method.
It is always possible to use password authentication, even if users don't already have passwords, since they can simply use the Recoverable Devise module to reset their passwords. However, if you want to use CAS authentication (i.e. the CAS_AUTH environment variable is set) and there is at least one user in the database without a cas_login defined, the initializer will raise an exception and Rails will not start at all, preventing you from running a server as well as opening the console or running any rake commands. If you need to bypass the authentication initializer to perform tasks with the CAS_AUTH environment variable set, even if the database is not properly configured for CAS authentication, you may do so by setting the SKIP_AUTH_INIT environment variable to any value (e.g. rake db:reset SKIP_AUTH_INIT=true).
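The switching rules described above, modelled as an added Ruby example that is not the code in config/initializers/authentication.rb. It works on plain hashes with constructed sample data, so the pre-flight check can show which users would stop Rails from booting under CAS. The names sync_usernames, users_missing_cas_login and AuthInitError are hypothetical, and treating a blank cas_login as undefined is an assumption.

```ruby
# Added illustration; not the contents of config/initializers/authentication.rb.
# Users are plain hashes (constructed sample data), not ActiveRecord models.
class AuthInitError < StandardError; end

# Assumption: a nil, empty or whitespace-only cas_login counts as "not defined".
def users_missing_cas_login(users)
  users.select { |u| u[:cas_login].to_s.strip.empty? }
end

# Mirrors the behaviour described above and returns what would be done.
def sync_usernames(users, env)
  # SKIP_AUTH_INIT set to any value bypasses the step entirely.
  return { mode: :skipped, users: users } if env.key?('SKIP_AUTH_INIT')

  source = :email
  if env.key?('CAS_AUTH')
    missing = users_missing_cas_login(users)
    unless missing.empty?
      raise AuthInitError, "no cas_login for user ids: #{missing.map { |u| u[:id] }.join(', ')}"
    end
    source = :cas_login
  end

  # Copy the chosen column into username only where it differs ("if necessary").
  synced = users.map { |u| u[:username] == u[source] ? u : u.merge(username: u[source]) }
  { mode: source, users: synced }
end

# Constructed sample rows: user 3 has no usable cas_login.
SAMPLE_USERS = [
  { id: 1, email: 'ada@example.edu', cas_login: 'al123', username: 'ada@example.edu' },
  { id: 2, email: 'bob@example.edu', cas_login: 'bk456', username: 'bob@example.edu' },
  { id: 3, email: 'cy@example.edu',  cas_login: '  ',    username: 'cy@example.edu' }
].freeze

if __FILE__ == $PROGRAM_NAME
  ids = users_missing_cas_login(SAMPLE_USERS).map { |u| u[:id] }
  puts "Pre-flight: ids lacking cas_login = #{ids}"
  begin
    sync_usernames(SAMPLE_USERS, { 'CAS_AUTH' => '1' })
  rescue AuthInitError => e
    puts "CAS boot would fail: #{e.message}"
  end
  skipped = sync_usernames(SAMPLE_USERS, { 'CAS_AUTH' => '1', 'SKIP_AUTH_INIT' => 'true' })
  puts "With SKIP_AUTH_INIT: #{skipped[:mode]}"
end
```

Running the equivalent of users_missing_cas_login against the real users table before setting CAS_AUTH avoids discovering the problem only when the server, console and rake all refuse to start.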