Users and Authentication

Posted by Denny at 01:05 on Thu, 17 Oct 2019

I just merged "Progress on user features", which builds on "Add Devise" from a day or two ago.

As well as my apparently limitless need to fiddle with default URLs until I find them more pleasing, I've also added some odds and ends to improve the security of sites hosted on the CMS, including a check at account creation and on every login against the Pwned Passwords database, as well as some config to restrict logging of passwords and other security tokens.

This stuff is all powered by features of Devise and other gems (the password check uses the pwned gem, for example). My plan is to write as little as possible of the authentication and authorisation code myself, on the grounds that a widely-used community-tested library is far more likely to have had its flaws discovered and fixed. Security is hard to get right in every detail, and you only need to get one tiny detail wrong...
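To show what the Pwned Passwords check described above actually does on the client side, here is an added example (not the pwned gem's code, and not from the CMS): the password is SHA-1 hashed, only the first five hex characters are sent to the range endpoint, and the remaining 35-character suffix is compared locally against the returned list, so the full hash never leaves the server running the check. The range responses, the breach counts and the `fetch_range`/`password_acceptable?` helper names are constructed for this example.

```ruby
require "digest"

# Constructed stand-in for the Pwned Passwords range API
# (GET https://api.pwnedpasswords.com/range/<five-hex-char prefix>).
# The real service returns every known SHA-1 suffix sharing that prefix,
# each with its breach count; the suffixes and counts below are made up,
# except that the second line is the genuine suffix of SHA-1("password").
SAMPLE_RANGES = {
  "5BAA6" => <<~BODY,
    003D68EB55068C33ACE09247EE4C639306B:3
    1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
    0A59B7A7F5E2C1E9F1D4B7C8E0A2F3D5B1C:12
  BODY
}.freeze

# Hypothetical transport: in production this would be an HTTPS request
# carrying only the prefix. An unknown prefix yields an empty body.
def fetch_range(prefix)
  SAMPLE_RANGES.fetch(prefix, "")
end

# Returns how many times the password appeared in known breaches (0 = not found).
# The k-anonymity property comes from splitting the digest: the prefix goes
# over the wire, the suffix match happens here.
def pwned_count(password, fetcher = method(:fetch_range))
  digest = Digest::SHA1.hexdigest(password).upcase
  prefix = digest[0, 5]
  suffix = digest[5..-1]
  fetcher.call(prefix).each_line do |line|
    candidate, count = line.strip.split(":", 2)
    return count.to_i if candidate == suffix
  end
  0
end

# The policy the post applies at sign-up and login: any breach hit is a reject.
def password_acceptable?(password)
  pwned_count(password).zero?
end

if __FILE__ == $PROGRAM_NAME
  ["password", "correct horse battery staple"].each do |pw|
    puts "#{pw.inspect}: seen #{pwned_count(pw)} times, acceptable=#{password_acceptable?(pw)}"
  end
end
```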

Tags: features authentication pwned devise users security gems
