Monthly Archives: October 2016

How to authenticate one scope from another with Devise

My app has multiple kinds of users, some of which belong to others. It's a result of having many disparate login systems, one per community, and offering the ability to merge them together. This is how I auth the One True account from the local account.

I banged my head on this for a while: what I wanted to do was to just take the

user.one_true_master_account

model and go from there, but the current_#{scope} helpers aren't available in a Devise strategy. So I did some digging and figured out how to do it with Warden without dragging in more than I had to. (This lives in config/devise.rb.)

module FromUserAuthentication
  class FromUserStrategy < Devise::Strategies::Authenticatable
    def valid?
      # I'd have to authenticate to figure out if it's valid anyway, but I'd
      # rather run it in the devise auth chain
      true
    end

    # Devise::Strategies::Authenticatable needs to know which scope this
    # strategy signs in; it is the master account, not the local user.
    def mapping
      Devise.mappings[:one_true_master_account]
    end

    def authenticate!
      # env here is provided in the superclass, it's that enormous hash that
      # gets passed to middlewares
      user = env['warden'].authenticate(scope: :one_true_master_account)
      if user
        one_true_master_account = user.one_true_master_account
        success!(one_true_master_account)
      end
      # If no user came back we call neither success! nor fail!, so Warden
      # moves on to the next strategy configured for this scope.
    end
  end
end

Then I registered it with the various subsystems that needed to know about it.

Warden::Strategies.add :from_user_authentication,
                       FromUserAuthentication::FromUserStrategy
Devise.add_module :from_user_authentication, strategy: true

Then I added it as a default strategy for that scope.

Devise.setup do |config|
  config.warden do |manager|
    manager.default_strategies(:some_other_auth_strategy, :another_auth_strategy,
                               :from_user_authentication,
                               scope: :one_true_master_account)
  end
end

This last one is necessary only because of a quirk in our system. Warden can look at the mapping function to figure out which strategies are appropriate in most other situations, but we wanted to have our strategies in different orders for different models.
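To make the chain behaviour concrete, here is an added example that is not the post's code and does not use Rails, Devise or Warden at all: a minimal stand-in for the slice of Warden's strategy API the post's FromUserStrategy relies on (success!/fail!/fail and a per-scope strategy list), with the "authenticate :user first, then hand back the linked master account" strategy written against it. MasterAccount, User, MiniWarden, PasswordStrategy, MasterPasswordStrategy and every user and credential are constructed for the example. It also adds one guard the post's code lacks: a local user who has not been merged yet has a nil master account, and calling success! with nil would mark the chain as succeeded while signing in nobody, so the example records a soft failure and lets the next strategy for the scope run instead.

```ruby
# Added example, not the post's code: a minimal stand-in for the slice of Warden's
# strategy chain that the post's FromUserStrategy relies on, so "authenticate scope B
# by first authenticating scope A" can be run offline without Rails, Devise or Warden.
# Every class, user and credential below is constructed for the example.

MasterAccount = Struct.new(:id, :email, :password)
User          = Struct.new(:id, :name, :password, :master_account)

# Constructed sample data: one master account; alice is merged into it, bob is not.
MASTER = MasterAccount.new(1, 'alice@example.com', 'master-pw')
USERS  = {
  'alice' => User.new(10, 'alice', 'alice-pw', MASTER),
  'bob'   => User.new(11, 'bob',   'bob-pw',   nil)
}

# Mimics the Warden::Strategies::Base API a strategy body uses: success! and fail!
# halt the chain, fail records a failure but lets the next strategy run, and calling
# none of them means "no opinion, try the next one".
class Strategy
  attr_reader :result, :user, :message
  def initialize(params, warden)
    @params, @warden, @halted = params, warden, false
  end
  def valid?;      true; end
  def success!(u); @user, @result, @halted = u, :success, true; end
  def fail!(msg);  @message, @result, @halted = msg, :failure, true; end
  def fail(msg);   @message, @result = msg, :failure; end
  def halted?;     @halted; end
end

# Mimics env['warden']: runs the strategies configured for a scope in order and
# caches the authenticated user per scope, as the real middleware does.
class MiniWarden
  def initialize(strategies_by_scope, params)
    @strategies_by_scope, @params, @users = strategies_by_scope, params, {}
  end

  def authenticate(scope:)
    return @users[scope] if @users.key?(scope)
    @strategies_by_scope.fetch(scope).each do |klass|
      strategy = klass.new(@params, self)
      next unless strategy.valid?
      strategy.authenticate!
      @users[scope] = strategy.user if strategy.result == :success
      return @users[scope] if strategy.halted?
    end
    nil
  end
end

# Scope :user, standing in for Devise's database_authenticatable.
class PasswordStrategy < Strategy
  def valid?
    @params.key?(:name) && @params.key?(:password)
  end
  def authenticate!
    user = USERS[@params[:name]]
    user && user.password == @params[:password] ? success!(user) : fail!('bad local credentials')
  end
end

# Scope :master_account, the post's FromUserStrategy: authenticate :user first, then
# hand back the account the local user is linked to.
class FromUserStrategy < Strategy
  def authenticate!
    user = @warden.authenticate(scope: :user)
    return unless user # no result: let the next strategy for this scope have a go
    master = user.master_account
    # Added guard: the post's code would call success!(nil) for an unmerged user, which
    # marks the chain as succeeded while signing in nobody; fall through instead.
    master ? success!(master) : fail('local user is not linked to a master account')
  end
end

# Scope :master_account, direct login for people who never had a local account.
class MasterPasswordStrategy < Strategy
  def valid?
    @params.key?(:master_email) && @params.key?(:master_password)
  end
  def authenticate!
    ok = MASTER.email == @params[:master_email] && MASTER.password == @params[:master_password]
    ok ? success!(MASTER) : fail!('bad master credentials')
  end
end

# Equivalent of manager.default_strategies(..., scope: :master_account) in the post.
STRATEGIES = {
  user:           [PasswordStrategy],
  master_account: [FromUserStrategy, MasterPasswordStrategy]
}.freeze

def authenticate_master(params)
  MiniWarden.new(STRATEGIES, params).authenticate(scope: :master_account)
end

if __FILE__ == $PROGRAM_NAME
  p authenticate_master(name: 'alice', password: 'alice-pw')  # MASTER, via the local user
  p authenticate_master(name: 'bob', password: 'bob-pw')      # nil, bob is not merged
  p authenticate_master(master_email: 'alice@example.com', master_password: 'master-pw')
end
```

The ordering in STRATEGIES mirrors what the post's default_strategies call does: the cross-scope strategy runs first, and only if it neither succeeds nor halts does the master account's own password strategy get a turn. Worth keeping in mind when adopting this pattern is that the local login becomes a full credential for the master account, so whichever local strategies can satisfy the :user scope now also gate the merged account.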

The Internet Waffle House Index

To squib Wikipedia:

The Waffle House Index is an informal metric used by the Federal Emergency Management Agency (FEMA) to determine the effect of a storm and the likely scale of assistance required for disaster recovery. The measure is based on the reputation of the Waffle House restaurant chain for staying open during extreme weather and for reopening quickly, albeit sometimes with a limited menu, after very severe weather events such as tornadoes or hurricanes.

The Index has three levels, based on the extent of operations and service at the restaurant following a storm:

  • Green: the restaurant is serving a full menu, indicating the restaurant has power and damage is limited.
  • Yellow: the restaurant is serving a limited menu, indicating there may be no power or only power from a generator or food supplies may be low.
  • Red: the restaurant is closed, indicating severe damage.

I think the current DDoS against Dyn DNS counts as a sort of "Internet Storm": a dramatic disturbance in the general Internet atmosphere. I propose a general Internet Waffle House Index:

  • Green: Sites have intermittent failures. Some sites may be receiving targeted attacks and be taken down completely for an extended period. Services have outages; it happens.
  • Yellow: Multiple major tech company sites are completely down, with many more having intermittent service. You go to check one service to see if anyone else is having problems with another and it's down as well. Major disruptions to just about every workflow, but some basics still work.
  • Red: Google, Facebook, Amazon all completely down for most people. There is no Internet today, come back tomorrow.

If there are any other bedrocks that belong in the red category, I'd love to hear them, but those are the ones that would raise an eyebrow from me.

The Dyn DNS DDoS clearly ranks Yellow (if that link doesn't work, that's the issue we're talking about). I don't know what else qualifies: maybe the 2008 cable cut.