Authentication is the process of verifying the credentials of a user. We use AWS Cognito for authentication.
- User credentials are stored in AWS Cognito
- Password policy is enforced by Cognito
- Custom pages are built for the AWS Cognito flows (login, signup, forgot password, etc.). We aren't using the hosted UI that Cognito provides since we need more control over the UI and content.
- Devise (built on Warden) handles the application-side session management once Cognito has verified the user's credentials
Authorization is the process of determining whether an authenticated user may perform a given action on a specific resource. We use Pundit for authorization.
- Policies (`app/policies`) are created for each model to define who can perform what actions
- Policies are used in controllers to authorize actions (and to scope the records an index returns)
- Policies are used in views to show/hide elements based on user permissions
To generate a new policy and its spec: `make new-authz-policy MODEL=Foo`

`pundit-matchers` provides RSpec matchers for testing Pundit policies. Refer to existing policy spec files, or the spec file generated when creating a new policy, for examples.
We use a few `after_action` Pundit callbacks in the application controller to verify that our controllers are authorizing resources correctly. They only check that an authorization call happened at all, not that it used the right record or that the policy itself is correct, so they aren't foolproof, but they catch some common mistakes:
- If you forget to call `authorize` in a controller action, you'll see a `Pundit::AuthorizationNotPerformedError`.
- If you forget to call `policy_scope` in a controller action, you'll see a `Pundit::PolicyScopingNotPerformedError`.
To opt out of these checks on actions that genuinely don't need them, add `skip_after_action :verify_authorized` or `skip_after_action :verify_policy_scoped` to the controller, limited with `only:` to the actions in question. Alternatively, call `skip_authorization` or `skip_policy_scope` inside the action body. Prefer the in-action call: it leaves a visible marker that the action is intentionally unprotected, rather than silently disabling the check for a whole controller.
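The following is an added example, not code from this project or from the Pundit gem, showing both the policy structure described in the list above and what the `verify_authorized` / `verify_policy_scoped` after_action checks and their opt-outs actually do. Pundit is not loaded; `MiniPundit` is a deliberately small stand-in that mirrors the gem's semantics so the file runs on plain Ruby, and `User`, `Article`, `ArticlePolicy` and `ArticlesController` are hypothetical names.

```ruby
# Added example, not the project's own code. Pundit is not loaded: MiniPundit
# is a small stand-in mirroring the gem's semantics (authorize, policy_scope,
# the verify_* after_action checks, the opt-outs) so this runs on plain Ruby.
# User, Article and ArticlesController are hypothetical.
User    = Struct.new(:id, :admin)
Article = Struct.new(:id, :owner_id, :published)

# Constructed sample data: user 1 owns a published article and a draft,
# user 2 owns a draft, user 3 is an admin.
ALICE, BOB, ADMIN = User.new(1, false), User.new(2, false), User.new(3, true)
ARTICLES = [Article.new(10, 1, true), Article.new(11, 1, false), Article.new(12, 2, false)]
def Article.all; ARTICLES; end   # stands in for the ActiveRecord relation

# A policy in Pundit's shape (app/policies/article_policy.rb): one predicate
# per controller action, plus a Scope that narrows a collection for index.
class ArticlePolicy
  def initialize(user, record); @user, @record = user, record; end

  # Published articles are public; drafts are visible to the owner and admins.
  def show?
    @record.published || owner_or_admin?
  end

  # policy_scope(Article) resolves through this nested class.
  class Scope
    def initialize(user, scope); @user, @scope = user, scope; end

    def resolve
      return @scope if @user.admin
      @scope.select { |a| a.published || a.owner_id == @user.id }
    end
  end

  private

  def owner_or_admin?
    @user.admin || @record.owner_id == @user.id
  end
end

# Stand-in for what Pundit mixes into ApplicationController.
module MiniPundit
  class NotAuthorizedError < StandardError; end
  class AuthorizationNotPerformedError < StandardError; end
  class PolicyScopingNotPerformedError < StandardError; end

  def authorize(record, query)          # Pundit defaults query to "#{action_name}?"
    @_authorized = true                 # the flag verify_authorized looks for
    policy = Object.const_get("#{record.class}Policy").new(current_user, record)
    raise NotAuthorizedError, "#{query} on #{record.class}" unless policy.public_send(query)
    record
  end

  def policy_scope(model)
    @_scoped = true                     # the flag verify_policy_scoped looks for
    Object.const_get("#{model}Policy::Scope").new(current_user, model.all).resolve
  end

  # The after_action checks, and the per-action opt-outs that satisfy them.
  def verify_authorized;    raise AuthorizationNotPerformedError unless @_authorized; end
  def verify_policy_scoped; raise PolicyScopingNotPerformedError unless @_scoped;    end
  def skip_authorization;   @_authorized = true; end
  def skip_policy_scope;    @_scoped = true;     end
end

class ApplicationController
  include MiniPundit
  attr_reader :current_user
  def initialize(current_user); @current_user = current_user; end

  # Run the action, then the after_action check, with the usual split:
  # verify_policy_scoped only: :index, verify_authorized except: :index.
  def dispatch(action, *args)
    result = public_send(action, *args)
    action == :index ? verify_policy_scoped : verify_authorized
    result
  end
end

class ArticlesController < ApplicationController
  def index;            policy_scope(Article);       end
  def show(article);    authorize(article, :show?);  end
  def edit(article);    article;                     end  # forgot authorize
  def preview(article); skip_authorization; article; end  # intentionally public
end

# Exercise the controller, returning outcomes so they can be checked.
def outcome
  yield; :ok
rescue StandardError => e
  e.class
end

def run_examples
  draft = ARTICLES[1]   # Alice's unpublished article
  {
    bob_index:   ArticlesController.new(BOB).dispatch(:index).map(&:id),
    admin_index: ArticlesController.new(ADMIN).dispatch(:index).map(&:id),
    alice_show:  outcome { ArticlesController.new(ALICE).dispatch(:show, draft) },
    bob_show:    outcome { ArticlesController.new(BOB).dispatch(:show, draft) },
    edit:        outcome { ArticlesController.new(ALICE).dispatch(:edit, draft) },
    preview:     outcome { ArticlesController.new(BOB).dispatch(:preview, draft) },
  }
end
```

`edit` is the case the callbacks exist for: the action returns normally, so nothing in the request itself fails, and only the after_action check turns the missing `authorize` into an exception. `preview` shows the honest opt-out, which sets the same flag the check inspects. With the real gem, `authorize(article)` infers the query from the action name, views use `policy(article).show?` to hide controls, and the assertions a `pundit-matchers` spec would make against `ArticlePolicy` are the ones `run_examples` makes here by hand.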