-
Notifications
You must be signed in to change notification settings - Fork 261
[v4.0] Devise Integration
Devise is now the standard authentication mechanism for BrowserCMS. This adds some new (and improved) authentication features including:
- Reset Password - Admin users have a link to reset passwords.
- Strong Password storage - Passwords are now encrypted using bcrypt which is a safer method (http://codahale.com/how-to-safely-store-a-password/)
- Remember Me - Allows users to stay logged in for up to two weeks.
- Devise/Warden APIs - Developers can use Devise and/or Warden's APIs to customize how authenication works. The previous RESTful Authentication based solution was not really pluggable.
Upgrading to 4.0 means all user passwords will need to be reset. This doesn't apply where external user databases are used (i.e. CAS) for authentication. Just user accounts stored in the CMS itself.
This reset is a side effect of using a more secure password encryption algorithm (bcrypt). When users try to log in, they will have to request a password reset. This feature is provided on /cms/login as a standard feature. Users will need to provide an email, and a link for reseting their password will be sent to them. Alternatively, developers may choose to change passwords via the admin interface (or rails console) before turning over sites to the site maintainers.
For most sites, the number of admin users is likely limited and part of a cohesive team. So forcing a reset shouldn't be an issue. In the case of sites that have large user databases, a migration strategy to mass update or possibly creating a new Warden/Devise strategy based on the 3.5.x encryption strategy. These two are coding exercises left to the developers working on the project.
For sites that need to keep a record of the old encrypted passwords, remove/comment out the following line from the browsercms400 migration which will preserve the old encrypted passwords.
t.remove :crypted_password
Note that preserving the old password data is just the first step. The new encryption strategy will still be used unless modifications are made to the project.
Users can reset their password via the admin UI. On /cms/login, a link to 'Forgot Password' is available. Users can enter an email and have the reset link mailed to them.
Configuration: For Forgot Password to work, need to ensure the following is present for mailer in BrowserCMS setups. * config.action_mailer.default_url_options = { :host => "yourhost" }
The core 'ForgotPassword' portlet has been reworked and is probably 100% unnecessary on most sites. It is now blacklisted by default. The portlet now just renders the stock /forgot-password view and isn't editable. Use /forgot-password instead.
There is now a core API for handling users that are authenticated/authorized against external data sources. There is a new class (Cms::ExternalUser) which represents a user which has been authenticated using some source other than the Core CMS. This user can have extra information retained as attribute and can be authorized to be part of a specific group(s).
A sample implementation of an authentication strategy can be found in lib/cms/authentication/test_password_strategy. Strategies are implemented as Devise Strategies and should either login or pass to the next strategy.
Don't forget to enable your new strategy in config/initializers/devise.rb
# Add test_password strategy BEFORE other CMS authentication strategies
config.warden do |manager|
manager.default_strategies(:scope => :cms_user).unshift :my_custom_strategy
end