Omniauth for humanID, a platform that prevents bots and increases privacy. HumanID is run by Human Internet, a non-profit that is currently financed by organizations such as Harvard and the Mozilla Foundation (I love the Mozilla Developer Network (MDN) which gives great javascript information).
HumanID works best when used as the only sign-up solution, due to this HumanID has to be highly trusted. This is where their non-profit status steps in. HumanID has many benefits:
- Increased privacy for users through both technical innovations and legal responsibilities.
- Making bots inconvienient by requiring phone verification.
- 'One voice one vote' type benefits by making it difficult to have multiple accounts.
- Dont have to deal with users putting in "password123" as a password.
- Dont have to deal with email/password registration generally (my signup process became way less complicated, there was all this stuff which to be honest I just didn't really get).
- Much better look than "sign up with [tech monopoly here]" buttons.
This gem relies on the omniauth gem. It was also developed along-side devise, but should work without it, some of the configuration may change though.
Add this line to your application's Gemfile:
gem 'omniauth-humanid'
And then execute:
$ bundle install
Or install it yourself as:
$ gem install omniauth-humanid
Update as normal.
- Make an account at humanID, and get appropriate credentials
- You will need to set credentials for client-id and client-secret, for both development and production. This can be done using the rails:credentials method or Enviroment Variables. These both have various advantage/disadvantages.
- do some configuration in your initializers, for devise the steps are:
- open config/initializers/devise.rb
- enter the below code within the "Devise.setup" area
Devise.setup do |config| id = Rails.application.credentials.omniauth_humanid_client_id secret = Rails.application.credentials.omniauth_humanid_client_secret config.omniauth :humanid, client_secret: secret, client_id: id end
- Make your signup button
- I use html which is a bit diffrent than what was provided to allow for CSRF concerns raised in this gem. To follow these instructions, first install and setup that gem
- Next your going to want to put this button code in a partial since you will be using it semi-regularly in your code base (convert to irb if needed):
.btn.common-sign-up-with-btn = form_with url: user_humanid_omniauth_authorize_path, method: :post do %input{type: :image, src: image_pack_path("icons/sign_in_logos/humanID.svg"), alt: "Anonymous Login with humanID"}
- Create your callback area
- This area is generally supposed to be customizable, as you might have a different model name, want to attach some validations, etc, etc. So it is not included in the gem, but is here a partial implementation of it.
#in the omnath_callbacks_controller.rb file def accept_country_code?(code) true end def humanid omau = request.env['omniauth.auth'] uid = omau.info.appUserId country_code = omau.info.countryCode provider = omau.provider Rails.logger.info("#{provider} - #{country_code} - #{uid}") unless accept_country_code?(country_code) redirect_to root_path, flash: {info: "phone number's country-code not accepted at this time"} return end user = User.find_by(provider: provider, uid: uid) if user #allready have an account, sign them in sign_in_and_redirect user, event: :authentication else request.session['signup'] ||= {} request.session["signup"]["provider"] = provider request.session["signup"]["uid"] = uid request.session["signup"]["country_code"] = country_code #continue the signup process, perhaps with a redirect, or create the user here, #and redirect to the main website. end end
additional configuration can be set in your initializer file at the same area and in the same method as your client-secret and client-id. Additional configuration is as follows:
- lang: default language code. Defaults to 'en' (english). Set to nil to remove from url.
- humanid_version: version string that goes in the url. Defaults to 'v0.0.3'. If humanid updates this may need to be updated aswell.
- priority_country: not sure exactly what this does or how to use it, but it was in the docs so i added it as an option. Defaults to nil.
- external_signup_url: the web login url. Defaults to: "https://core.human-id.org/[HUMANID_VERSION]/server/users/web-login". [HUMANID_VERSION] gets substituted by humanid_version above.
- exchange_url: the exchange url. Defaults to: "https://core.human-id.org/[HUMANID_VERSION]/server/users/exchange". [HUMANID_VERSION] gets substituted by humanid_version above.
Once again, humanID is better when used alone bue to bot mitigation. This section is how to remove email/password authentication.
Although Devise is easier to deal with without usernames / passwords, it takes a bit to get there. This is out of the gem scope, but here are some pointers below. You may run into other hurdles depending on your setup.
- In your user.rb (or similar) model, in your devise config line, remove all of the following:
- confirmable
- database_authenticatable
- recoverable
- confirmable
- lockable
- In your devise.rb initializer file, make sure to set authentication_keys to []
- delete or comment out the selections in devise.rb related to number 1.
- I had to add back the route below:
as :user do delete "/users/sign_out" => "users/sessions#destroy" end
- For development you may have to create a seperate way to login/signup for testing purposes. You can do this by sending a form that implements the method 'sign_in_and_redirect user, event: :authentication', or that sets fake values for signup. MAKE SURE THIS METHOD IS ONLY ACTIVE DURING DEVELOPMENT. I have a version of this below:
- in my routes.rb:
as :user do if Rails.env.development? post '/users/override' => 'users/omniauth_callbacks#callback_override' end end
- in my OmniauthCallbacksController override (see devise documentation):
if Rails.env.development? def callback_override raise StandardError.new("nope") unless Rails.env.development? provider = 'override' uid = params['uid'] user = User.find_by(provider: provider, uid: uid) if user #allready have an account, sign them in sign_in_and_redirect user, event: :authentication # this will throw if user is not activated else request.session['signup'] ||= {} request.session["signup"]["provider"] = provider request.session["signup"]["uid"] = uid request.session["signup"]["country_code"] = 'US' #continue your usual sign-up process. Note for the override strategy that the username is the uid. end end end
- my form (hidden in a dropdown menu)
- if Rails.env.development? .dropdown-item = form_with url: users_override_path, method: :post do %p put username below to bypass the humanID in development = text_field_tag :uid, '', class: 'form-control' = submit_tag "GO", class: "btn btn-primary"
After checking out the repo, run bin/setup
to install dependencies.
To install this gem onto your local machine, run bundle exec rake install
. To release a new version, update the version number in the gemspec file, and then run bundle exec rake release
, which will create a git tag for the version, push git commits and tags, and push the .gem
file to rubygems.org.
When developing the Gem, for minor updates while debugging etc, we have a custom script to update the gem
- in the root folder of the gem run ./bin/update. This will bump the version number by one in the gemspec, commit all changes with a generic message, and then install this minor version on your machine.
- For more information see the ./bin/update file.
Bug reports and pull requests are welcome on GitHub at https://github.com/LukeClancy/omniauth-humanid. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the code of conduct.
The gem is available as open source under the terms of the MIT License.
Everyone interacting in the Omniauth::Humanid project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.