Token-based registration/invitations in a nutshell (Ruby on Rails)

This post is about the registration methods used by various sites, mainly secure (token-based) registration. For the most part I will be collecting links to related resources and solutions, and summarizing the scenarios that apply to apps built on Ruby on Rails.

First, you might want to read Token Based Authentication in Rails, published by Envy Labs. It describes the simplest way for an app to implement a "token" system. It stores the tokens in the database, but the same approach can be combined with cryptographic functions so that nothing needs to be stored (more on that below). The HTTP Token Access Authentication scheme, linked from the same page, defines the exact terminology and protocol. It takes a few pages to get through, but it is well worth it. If you prefer short descriptions, a web search for the same questions will turn up plenty of help.

If your app is widely distributed or hosted on several platforms, your web app will need to serve several API clients, or even Android applications. This blog describes an exact solution for that. It applies to people using the Devise gem for user registration and authentication.

There are situations where you want to hand out tokens through an invitation model. For instance, if your app is in a beta phase and you want only a limited number of people to use it, you can implement a beta invitation model. With a little brainstorming, the same approach works when you want your users to invite other people.

Many websites have a tedious registration process. It wears the user out before he or she can enjoy what are often fairly modest features. If you don't want users leaving your site for that reason, lazy registration can be quite useful: the user gets to try the features without registering, perhaps to a limited extent.

Coming back to the "token" system, the devise_invitable gem is a good source of inspiration.

But what if we don't want to store the tokens in the database at all? Then we need to construct and sign the token in such a way that, when a user presents it, we are sure of two things:

  1. The token is the same one that was issued to that particular user.
  2. The token is not a fake, i.e. it was not generated by an unauthorized person or by some other illegitimate means.

These two properties can be achieved as follows (respectively):

  1. Encrypt the token together with user-specific data (for example the invited e-mail address), which is checked again when the token is redeemed.
  2. Attach a signature or MAC to the token, so that you can verify where it came from.

So by encrypting and signing we can address both problems. But which should be done first, encryption or signing? Simply combining the two in an arbitrary order is not enough: naive sign-then-encrypt and encrypt-then-sign constructions have known weaknesses, and the established advice is encrypt-then-MAC, or better, an authenticated encryption mode (such as AES-GCM) that does both in one step. In Rails, ActiveSupport::MessageEncryptor and ActiveSupport::MessageVerifier wrap exactly this kind of construction.
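To make the two requirements above concrete, here is an added example (my own illustration, not code from any of the linked posts or gems) of a stateless invitation token built on Ruby's standard OpenSSL library. It uses AES-256-GCM, an authenticated encryption mode, so encryption and integrity protection happen together and the "which comes first" question does not arise. The invited e-mail address is passed as additional authenticated data, which binds the token to that recipient without even storing the address inside the ciphertext: if anyone else presents the token, the tag check fails. The key, TTL and payload fields are assumptions for the example; in a Rails app the key would typically be derived from `secret_key_base`.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Stateless invitation tokens: nothing is stored server side.
# The server only needs the 32-byte key to issue and verify them.
class InvitationToken
  ALGO    = 'aes-256-gcm'
  IV_LEN  = 12   # default GCM nonce length in OpenSSL
  TAG_LEN = 16

  def initialize(key)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    @key = key
  end

  # Issue a token for `email`, valid for `ttl` seconds from `now`.
  # `now` is injectable so the expiry logic can be tested deterministically.
  def generate(email:, inviter_id:, ttl: 7 * 24 * 3600, now: Time.now.to_i)
    payload = JSON.generate(
      'email' => email,                  # assumed payload fields
      'inviter_id' => inviter_id,
      'nonce' => SecureRandom.hex(8),    # makes every token unique
      'exp' => now + ttl
    )
    cipher = OpenSSL::Cipher.new(ALGO).encrypt
    cipher.key = @key
    iv = cipher.random_iv              # fresh 12-byte nonce per token
    cipher.auth_data = email           # binds the token to this recipient
    ciphertext = cipher.update(payload) + cipher.final
    Base64.urlsafe_encode64(iv + cipher.auth_tag + ciphertext, padding: false)
  end

  # Returns the decoded payload hash, or nil if the token was tampered with,
  # was issued for a different e-mail address, or has expired.
  def verify(token, email:, now: Time.now.to_i)
    raw = Base64.urlsafe_decode64(token)
    return nil if raw.bytesize < IV_LEN + TAG_LEN
    iv  = raw[0, IV_LEN]
    tag = raw[IV_LEN, TAG_LEN]
    ct  = raw[(IV_LEN + TAG_LEN)..-1]

    cipher = OpenSSL::Cipher.new(ALGO).decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = email           # must match what was used at issue time
    plaintext = (cipher.update(ct) + cipher.final).force_encoding('UTF-8')
    payload = JSON.parse(plaintext)
    return nil unless payload['exp'].is_a?(Integer) && payload['exp'] >= now
    payload
  rescue OpenSSL::Cipher::CipherError, ArgumentError, JSON::ParserError
    nil                                # bad tag, bad base64, or garbage
  end
end

if __FILE__ == $PROGRAM_NAME
  key = SecureRandom.random_bytes(32)  # in Rails: derive from secret_key_base
  tokens = InvitationToken.new(key)
  t = tokens.generate(email: 'alice@example.com', inviter_id: 7)
  puts "token: #{t}"
  p tokens.verify(t, email: 'alice@example.com')    # payload hash
  p tokens.verify(t, email: 'mallory@example.com')  # nil: wrong recipient
end
```

The `verify` method deliberately returns `nil` for every failure mode rather than distinguishing them, so a caller cannot accidentally leak whether a guessed token had a valid structure. Expiry is carried inside the authenticated payload, so an attacker cannot extend a token's lifetime without invalidating the tag.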

Many gems and scripts are available for encryption and decryption. This list is focused on ActiveRecord, but it can still point you in the right direction.

I am assuming you have at least a little knowledge of Public Key Infrastructure (PKI). Doing the encryption by hand may mean using the RSA algorithm directly (or a gem for it) or the broader PGP format (or its gem). Confused? It is worth resolving the difference: RSA is an algorithm, PGP is a message format and program that uses such algorithms, and OpenSSL is a library and toolkit you can use to generate public and private keys, among other things. Recently I found two blog posts, Encrypting Sensitive Data With Ruby (on Rails) and its follow-up; both are well written and guide you step by step. A third post by the same author describes generating RSA key pairs in Ruby. If you are not a cryptographer, the distinction between PGP and OpenSSL, and where each applies, is an easy place to get lost.
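As an added example for this paragraph (again my own illustration, not code from the linked posts), here is the asymmetric "signing" half on its own, using `OpenSSL::PKey::RSA` from the Ruby standard library: the issuer keeps the private key and signs the invitation payload, while any number of other services (the API hosts or mobile back ends mentioned earlier) can verify it with only the public key. Note that this variant signs but does not encrypt, so the payload is readable by anyone holding the token; it proves origin and integrity, not confidentiality. The token layout (base64 body, a dot, base64 signature) and the payload fields are assumptions for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Generate an RSA key pair. Returns [private_key, public_key_only].
# The public half is round-tripped through PEM to show what gets shipped
# to the verifying services.
def generate_keypair(bits = 2048)
  private_key = OpenSSL::PKey::RSA.new(bits)
  public_pem  = private_key.public_key.to_pem
  [private_key, OpenSSL::PKey::RSA.new(public_pem)]
end

# Issuer side: only this service holds the private key.
class InviteSigner
  def initialize(private_key)
    @key = private_key
  end

  # token = base64url(json payload) . base64url(RSA-SHA256 signature)
  def sign(payload)
    body = Base64.urlsafe_encode64(JSON.generate(payload), padding: false)
    sig  = @key.sign(OpenSSL::Digest.new('SHA256'), body)
    "#{body}.#{Base64.urlsafe_encode64(sig, padding: false)}"
  end
end

# Verifying side: needs only the public key, so it can run anywhere.
class InviteVerifier
  def initialize(public_key)
    @key = public_key
  end

  # Returns the payload hash, or nil on a bad signature, malformed token
  # or expired invitation.
  def verify(token, now: Time.now.to_i)
    body, sig = token.split('.', 2)
    return nil if body.nil? || sig.nil?
    # Signature is checked over the encoded body, before the body is parsed.
    return nil unless @key.verify(OpenSSL::Digest.new('SHA256'),
                                  Base64.urlsafe_decode64(sig), body)
    payload = JSON.parse(Base64.urlsafe_decode64(body))
    return nil unless payload['exp'].is_a?(Integer) && payload['exp'] >= now
    payload
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  priv, pub = generate_keypair
  token = InviteSigner.new(priv).sign(
    'email' => 'bob@example.com', 'inviter_id' => 3, 'exp' => Time.now.to_i + 3600
  )
  puts token
  p InviteVerifier.new(pub).verify(token)          # payload hash
  p InviteVerifier.new(pub).verify(token + 'x')    # nil: signature broken
end
```

Because verification only needs the public key, you can publish it to every front end without expanding the set of hosts that could mint invitations. Compare this with the symmetric construction, where every verifier also holds the issuing key.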

For now I won't go further into encryption/decryption scripts and hash functions. I may cover them in detail in the next post, or in a continuation of this one.

To conclude on a lighter note, and going back to "invitations" in the title: you can invite friends from Facebook as described here. Gmail is the most interesting tool most of us use today; if you want to import Gmail contacts, you either write the scripts yourself or use one of the existing "contacts" interfaces.

I hope these links help you in one way or another.