简体繁体 English

从头开始的 Rails 完整身份验证

[英]Rails Full Authentication from scratch

原文 2011-07-07 18:07:38 1 3 ruby-on-rails/ authentication

I know that there are lot of gems available to implement full authentication in Ruby on Rails.我知道有很多 gem 可用于在 Ruby on Rails 中实现完全身份验证。

But in my case, I will need to implement one from scratch.但就我而言，我需要从头开始实施一个。 There are lots of tutorials that show how to implement authentication in Rails but none of them cover a lot of other important parts like:有很多教程展示了如何在 Rails 中实现身份验证，但没有一个涵盖很多其他重要部分，例如：

1] Tracking last login and current login timestamp. 1] 跟踪上次登录和当前登录时间戳。

2] Keeping a running count of all the successful logins for a user. 2]保持用户所有成功登录的运行计数。

3] Tracking failed login attempts and locking out the user after certain number of failed attempts. 3]跟踪失败的登录尝试并在一定次数的失败尝试后锁定用户。 (we won't be sending out emails to unlock the account. This is because the user will call in, verify their identity and then the person on the phone will unlock the account by resetting a flag. Please suggest if there is another better alternative.) （我们不会发送电子邮件来解锁帐户。这是因为用户会打电话，验证他们的身份，然后手机上的人会通过重置标志来解锁帐户。请建议是否有其他更好的选择.)

4] Remember me functionality. 4]记住我的功能。

Thanks in advance for help!提前感谢您的帮助！

3 个解决方案

I think the pitfall for all self-proclaimed "newbies" are that they always want to build everything from scratch!我认为所有自称“新手”的陷阱是他们总是想从头开始构建一切！ =P =P

You are right, there are many authentication gems out there.你是对的，那里有很多认证宝石。 And I would highly recommend digging a bit deeper into them before trying to roll your own as there are many sticky spots to make sure your authentication system is functional and secure.我强烈建议您在尝试推出自己的产品之前对它们进行更深入的研究，因为有很多难点可以确保您的身份验证系统正常运行且安全。

I would recommend checking out Devise (https://github.com/plataformatec/devise), it's the one I use on my projects.我建议查看 Devise (https://github.com/plataformatec/devise)，这是我在项目中使用的。 If it doesn't provide you with most of your functionality out of the box, it's nearly trivial to add it by modifying the registrations controller.如果它没有为您提供开箱即用的大部分功能，那么通过修改注册 controller 添加它几乎是微不足道的。 Again, if it's not available out of the box, the general approach will be - Add last_login, current_login, login_count, failed_attempts to your user model.同样，如果它不是开箱即用的，一般方法是 - 将 last_login、current_login、login_count、failed_attempts 添加到您的用户 model。 - Override the devise registrations controller and make sure all those values are updated when you want. - 覆盖 devise 注册 controller 并确保在需要时更新所有这些值。

Anther notes, Devise does provide functionality to recover passwords via email, but you can easily disable that to force your users through the call-in/verify.花药笔记，Devise 确实提供了通过 email 恢复密码的功能，但您可以轻松禁用它以强制您的用户通过呼入/验证。

Another entry point for you to consider would be the new Rails 3.1 (not officially released yet).您需要考虑的另一个切入点是新的 Rails 3.1（尚未正式发布）。 But a lot of updates were included to help you build better authentication systems.但其中包含许多更新以帮助您构建更好的身份验证系统。 Check out this railscast for more info: http://railscasts.com/episodes/270-authentication-in-rails-3-1查看此 railscast 了解更多信息： http://railscasts.com/episodes/270-authentication-in-rails-3-1

1] Add two timestamp fields to you table to track those params: last_login_time and current_login_time . 1] 向您的表添加两个时间戳字段以跟踪这些参数： last_login_time和current_login_time 。 When user login last_login_time = current_login_time and current_login_time = Time.now当用户登录时last_login_time = current_login_time和current_login_time = Time.now

2] Add logins_count field to you table and increase it on every login 2] 将logins_count字段添加到您的表中，并在每次登录时增加它

3] 3.1 Add field fails_count and increase it each time when login unsuccessful and reset at success login 3.2 add boolean field 'blocked' and set it to true if fails_count equal some number 3] 3.1 添加字段fails_count并在每次登录不成功时增加它并在成功登录时重置 3.2 添加boolean 字段'blocked' 并将其设置为true 如果fails_count等于某个数字

You may want to check my example Rails application that has authentication built from scratch.您可能想查看我的示例 Rails 应用程序，该应用程序具有从头构建的身份验证。