| ⚡ Inactivity Notice |
|---|
Thanks for your interest. I no longer have the bandwidth to maintain this package.
Drop in authorization and authentication suite for Rails APIs.
Special thanks to Anton Visser for his work and support on this project.
ApiGuardian includes the following features out of the box:
- User registration (email/pass)
- Stateless authentication using OAuth2 (via Doorkeeper and Doorkeeper::JWT)
- Roles and Permissions
- Password reset workflow
- Guest access
- Policy enforcement (via Pundit)
- Serialization to JSON API (via fast_jsonapi)
- Two-factor support
- Extensable to support any auth or registration strategies
What doesn't it include?
- Stateful session support (Cookies)
- HTML/CSS/JS or views of any kind.
- Ruby >= 2.5
- PostgreSQL >= 9.3 (JSON and uuid-ossp support)
- Rails >= 6.0
Note: For now, your app must use a PostgreSQL database. This is because ApiGuardian is using UUID primary keys for all records.
Put this in your Gemfile:
# Include ApiGuardian from edge
gem 'api_guardian', git: 'https://github.com/lookitsatravis/api_guardian'Run the following command. It will:
- Add an initializer
- Mount ApiGuardian in your routes file
- Copy migration files
- Add seed data
rails generate api_guardian:installYou will need to follow this with:
rake db:migrateTake a moment here to review your seed file and make any changes. And then:
rake db:seedMake all of your API controllers extend ApiGuardian::ApiController and your
policies extend ApiGuardian::Policies::ApplicationPolicy. What is a policy, you ask,
and why should you care? Well, I'm glad you asked!
See our Documentation for way more information on setup and usage, or take a look at the RDoc formatted docs here:
http://www.rubydoc.info/github/lookitsatravis/api_guardian/master
- controller actions:
- Assign permissions to role by name
- Multi-tenancy
- Invite users by email to organization
- Users can belong to multiple organizations?
- Different roles based on organization? Or permissions?
- Configuring allowed CORS domains (to better protect insecure clients)
- Account lockout (failed login attempts)
- https://github.com/kickstarter/rack-attack
- 2FA
- review support for https://www.authy.com/product/
- review support for U2F
- Generate URL for Google Authenticator import
- Backup codes for when device is unavailable
- 16 one time use codes
- Ability to regenerate a new batch of codes
- Activity/Events (User signed in, User authenticated at...)
- Sessions/Devices (attach to tokens, but how?)
- Fix for JWT storage: https://github.com/doorkeeper-gem/doorkeeper/wiki/How-to-fix-PostgreSQL-error-on-index-row-size
- Cache
- SSO
- Documentation
- Microservice usage
- Request logging
- Remove dependency on PostgreSQL
- Use serialize for attributes in models
- https://github.com/jashmenn/activeuuid
- Ability to swap AMS adapter
- Error rendering needs to match this setting
- Toggle custom logger off
- Add test for custom logger
- A role can't be destroyed if users still belong to it
If you find a bug, please report an Issue.
If you have a question, please post to Stack Overflow.
Thanks!
See CONTRIBUTING.md
ApiGuardian is copyright © 2015-2020 Travis Vignon. It is free software, and may be
redistributed under the terms specified in the MIT-LICENSE file.