Active Entry - Simple and flexible authentication and authorization

Active Entry is a secure way to check for authentication and authorization before an action is performed. It's currently only compatible with Rails. But in later versions will ActiveEntry be Framework independent.

Active Entry works like many other Authorization Systems like Pundit or Action Policy with Policies. However in Active Entry it's all about the method calling the auth mechanism. For every method that needs authentication or authorization, a decision maker method counterpart has to be created in the policy of the class.

Example

Let's say we have an Users controller in our application:

# app/controllers/users_controller.rb
class UsersController < ApplicationController
  include ActiveEntry::ControllerConcern   # Glue for the controller and Active Entry

  def index
    pass!   # The auth happens here
    load_users
  end
end

We have to create the UsersPolicy in order for Active Entry to know who is authenticated and authorized and who not.

# app/policies/users_policy.rb
module UsersPolicy
  class Authentication < ActiveEntry::Base::Authentication
    def index?
      Current.user_signed_in?  # Only signed in users are considered to be authenticated.
    end
  end

  class Authorization < ActiveEntry::Base::Authorization
    def index?
      Current.user.admin?  # Only admins are authorized to perform this action
    end
  end
end

Now every time somebody calls the users#index endpoint, he or she has to be signed in and an admin. Otherwise ActiveEntry::NotAuthenticatedError or ActiveEntry::NotAuthorizedError are raised. You can catch them easily in your controller by using Rails' rescue_from.

class ApplicationController < ActionController::Base
  rescue_from ActiveEntry::NotAuthenticatedError, with: :not_authenticated
  rescue_from ActiveEntry::NotAuthorizedError, with: :not_authorized

  def not_authenticated
    flash[:danger] = "Not authenticated. Please sign in."
    redirect_to sign_in_path
  end

  def not_authorized
    flash[:danger] = "Not authorized."
    redirect_to root_path
  end
end

Installation

Add this line to your application's Gemfile:

gem 'active_entry'

Or install it without bundler:

$ gem install active_entry

Run Bundle:

$ bundle

And then install Active Entry:

$ rails g active_entry:install

This will generate app/policies/application_policy.rb.

Usage

Active Entry works with Policies. You can generate policies the following way:

Let's consider the example from above. We have an UsersController and we want a policy for that:

$ rails g policy Users

This generates a policy called UsersPolicy and is located in app/policies/users_policy.rb.

The above generator call would generate something like this, but with a few comments to help you get started:

module UsersPolicy
  class Authentication < ActiveEntry::Base::Authentication
  end

  class Authorization < ActiveEntry::Base::Authorization
  end
end

Verify authentication and authorization

You probably want to control authentication and authorization for every controller action you have in your app. As a safeguard to ensure, that auth is performed in every request and the auth call is not forgotten in development, add the verify_authentication! and verify_authorization! to your ApplicationController:

class ApplicationController < ActionController::Base
  verify_authentication!
  verify_authorization!
  # ...
end

This ensures, that you perform auth in all your controllers and raises errors if not.

Perform authentication and authorization

in order to do the actual authentication and authorization, you have to use authenticate! and authorize! or pass! as in your actions.

class UsersController < ApplicationController
  def authentication_only_action
    authenticate!
  end

  def authorization_only_action
    authorize!
  end

  def both_authentication_and_authorization_action
    pass!
  end
end

If you try to open a page, Active Entry will raise ActiveEntry::DecisionMakerMethodNotDefinedError. This means we have to define the decision makers in our policy.

module UsersPolicy
  class Authentication < ApplicationPolicy::Authentication
    def authentication_only_action?
      success   # == true | Everybody is allowed
    end

    def both_authentication_and_authorization_action?
      success
    end
  end

  class Authorization < ApplicationPolicy::Authorization
    def authorization_only_action?
      success
    end

    def both_authentication_and_authorization_action?
      success
    end
  end
end

Every decision maker ends with an ?. The name has to be the same as the name of the controller action. So index is going to be index?.

In order for Active Entry to not raise an auth error, the decision makers have to return true. In our above example we used success, which simply returns true.

Note: It has to be an explicit true and not just a truthy value. A string or object return value would raise an auth error.

Rescuing from errors

Catch the errors in your controllers to redirect the user or show them a message.

class ApplicationController < ActionController::Base
  # ...

  rescue_from ActiveEntry::NotAuthenticatedError, with: :not_authenticated
  rescue_from ActiveEntry::NotAuthorizedError, with: :not_authorized

  private

  def not_authenticated
    flash[:danger] = "You are not authenticated!"
    redirect_to login_path
  end

  def not_authorized
    flash[:danger] = "You are not authorized to call this action!"
    redirect_to root_path
  end
end

In this example above, the user will be redirected with a flash message. But you can do whatever you want. For example logging.

Authenticate/authorize outside the action

You can authenticate and authorize outside the action:

class UsersController < ApplicationController
  authenticate_now!
  authorize_now!
  # pass_now!  # Does both, authentication and authorization
end

Access control on class level will ensure that every action performs it.

Note: Don't use the class methods if the controller is inherited in other controllers. Best, don't use them at all and use the methods in the actions conciously.

Variables

You can pass variables to the decision maker.

class UsersController < ApplicationController
  def show
    @user = User.find params[:id]
    pass! user: @user
  end
end

You can now access the user object as instance variable in your decision maker.

module Users
  class Authentication < ApplicationPolicy::Authentication
    def show?
      @user  # == <User:Instance>
    end
  end

  class Authorization < ApplicationPolicy::Authorization
    def show?
      @user  # == <User:Instance>
    end
  end
end

Custom error data

If you write something into @error in our decision maker, you can access it in your rescue methods in the controller:

module UsersPolicy
  class Authentication < ApplicationPolicy::Authentication
    def show?
      @error = { code: 100 }
    end
  end

  class Authorization < ApplicationPolicy::Authorization
    def show?
      @error = { code: 100 }
    end
  end
end

class ApplicationController < ActionController::Base
  # ...

  rescue_from ActiveEntry::NotAuthenticatedError, with: :not_authenticated
  rescue_from ActiveEntry::NotAuthorizedError, with: :not_authorized

  private

  def not_authenticated exception
    flash[:danger] = "You are not authenticated! Code: #{exception.error[:code]}"
    redirect_to root_path
  end

  def not_authorized exception
    flash[:danger] = "You are not authorized to call this action! Code: #{exception.error[:code]}"
    redirect_to root_path
  end
end

But you can pass in whatever you want into your error hash.

Testing

You can easily test your policies in RSpec.

We've created some helpers for your tests. Import them first:

# spec/support/active_entry.rb
require "active_entry/rspec"

Now let's start with the generator:

$ rails g rspec:policy Users

This will generate a spec for the UsersPolicy located in spec/policies/users_policy_spec.rb

require "rails_helper"

RSpec.describe UsersPolicy, type: :policy do
  pending "add some examples to (or delete) #{__FILE__}"
end

Now you can easily test every decision maker with the be_authenticated_for and be_authorized_for matchers.

require "rails_helper"

RSpec.describe UsersPolicy, type: :policy do
  describe UsersPolicy::Authentication do
    subject { UsersPolicy::Authentication }

    context "anonymous" do
      it { is_expected.to_not be_authenticated_for :index }
      it { is_expected.to be_authenticated_for :new }
      it { is_expected.to be_authenticated_for :create }
      it { is_expected.to_not be_authenticated_for :edit }
      it { is_expected.to_not be_authenticated_for :update }
      it { is_expected.to_not be_authenticated_for :destroy }
      it { is_expected.to_not be_authenticated_for :restore }
    end

    context "signed in" do
      before { Current.user = build :user }
      
      it { is_expected.to be_authenticated_for :index }
      it { is_expected.to be_authenticated_for :new }
      it { is_expected.to be_authenticated_for :create }
      it { is_expected.to be_authenticated_for :edit }
      it { is_expected.to be_authenticated_for :update }
      it { is_expected.to be_authenticated_for :destroy }
      it { is_expected.to be_authenticated_for :restore }
    end
  end

  describe UsersPolicy::Authorization do
    subject { UsersPolicy::Authorization }

    let(:user) { build :user }
    
    context "anonymous" do
      it { is_expected.to be_authorized_for :index }
      it { is_expected.to be_authorized_for :new }
      it { is_expected.to be_authorized_for :create }
      it { is_expected.to be_authorized_for :show, user: user }
      it { is_expected.to_not be_authorized_for :edit, user: user }
      it { is_expected.to_not be_authorized_for :update, user: user }
      it { is_expected.to_not be_authorized_for :destroy, user: user }
      it { is_expected.to_not be_authorized_for :restore, user: user }
    end

    context "if @user is Current.user" do
      before { Current.user = user }
      
      it { is_expected.to be_authorized_for :show, user: user }
      it { is_expected.to be_authorized_for :edit, user: user }
      it { is_expected.to be_authorized_for :update, user: user }
      it { is_expected.to be_authorized_for :destroy, user: user }
      it { is_expected.to be_authorized_for :restore, user: user }
    end

    context "if @user is not Current.user" do
      before { Current.user = build :user }

      it { is_expected.to be_authorized_for :show, user: user }
      it { is_expected.to_not be_authorized_for :edit, user: user }
      it { is_expected.to_not be_authorized_for :update, user: user }
      it { is_expected.to_not be_authorized_for :destroy, user: user }
      it { is_expected.to_not be_authorized_for :restore, user: user }
    end
  end
end

Differences to Action Policy

Action Policy is an awesome gem which works pretty similar to Active Entry. But there are some differences:

Action Policy expects a performing subject and a target object

class PostPolicy < ApplicationPolicy
  def update?
    # `user` is a performing subject,
    # `record` is a target object (post we want to update)
    user.admin? || (user.id == record.user_id)
  end
end

In Active Entry you can pass in anything you want into the decision maker, which is accessible as instance variables. See Variables.

One strategy is not better than the other. It's just our preference.

Policies in Action Policy are for Resources/Models

If you have a Post model, you have a PostPolicy in Action Policy. In Active Entry you create policies for controllers. So if you have a PostsController, you have a PostsPolicy. We like to build access control logic around controller endpoints.

Action Policy performs only authorization

Active Entry does technically also not provide authentication mechanisms. It's just that you place your authentication logic in an authentication decision maker. We like both authentication and authorization logic in the same place but seperated hence UsersPolicy::Authentication and UsersPolicy::Authorization.

Contributing

Create pull requests on Github and help us to improve this Gem. There are some guidelines to follow:

• Follow the conventions
• Test all your implementations
• Document methods that aren't self-explaining (we are using YARD)

License

The gem is available as open source under the terms of the MIT License.