Why I think Authentication Zero is a bad idea
I came across a new authentication gem for Rails, called authentication-zero. The gem generates the authentication code into the application, and once that's done, the gem itself can even be removed from the application.
There is a big security issue with this approach: if a security flaw is found in the gem, how will its users find out about it? Services like GitHub's dependency scanning won't alert, since the gem may no longer be in the Gemfile. Also, suppose the developer who added this authentication system to the application has left. In that case, their successors might not realize that the authentication system was generated by this gem, and so won't realize that they need to take action when a security problem is announced.
And there likely will be security issues. I have already found a problematic default: https://github.com/lazaronixon/authentication-zero/issues/50
The author of Authentication Zero decided to add post-install notes to the gem release, which helps with the issue described above.
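To make the scanning gap concrete, here is an added example (my own code, not the gem's and not part of the original post) of a check a team could run in CI: the application keeps a small provenance manifest listing which gems generated code into the tree, and the script flags any of those gems that no longer appear in Gemfile.lock, so that someone explicitly owns the job of watching that gem's advisories. The manifest file name and layout, the placeholder version number, the generated file paths and the Gemfile.lock excerpt are all constructed for this example; authentication-zero ships nothing like the manifest.

```ruby
require "yaml"

# Constructed Gemfile.lock excerpt for the example (not from any real app).
# authentication-zero is absent: the generator was run and then removed.
GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bcrypt (3.1.18)
      rails (7.0.4)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    bcrypt
    rails
LOCK

# Constructed provenance manifest. Its name (e.g. config/generated_code.yml),
# its layout, the version string and the file list are assumptions made for
# this example; nothing like it is provided by authentication-zero.
GENERATED_CODE_MANIFEST = <<~YAML
  generated:
    - gem: authentication-zero
      version: "0.0.0-placeholder"
      files:
        - app/controllers/sessions_controller.rb
        - app/models/session.rb
YAML

# Parse the top-level entries of the "specs:" block of a Gemfile.lock into
# { name => version }. Top-level specs are indented by exactly four spaces;
# their transitive dependencies sit deeper and carry operators such as
# "(>= 1.0)", so they are deliberately skipped by the regex.
def locked_gems(lock_text)
  lock_text.scan(/^ {4}([^\s(]+) \(([^)]+)\)$/).to_h
end

# Read the list of generator gems whose output lives in the app tree.
def generated_origins(manifest_text)
  YAML.safe_load(manifest_text).fetch("generated", [])
end

# Every manifest entry whose gem is no longer locked, i.e. generated code that
# Gemfile-based scanners (Dependabot, bundler-audit, ...) can no longer match
# against an advisory because the gem has left the Gemfile.
def untracked_generators(lock_text, manifest_text)
  locked = locked_gems(lock_text)
  generated_origins(manifest_text).reject { |entry| locked.key?(entry["gem"]) }
end

# Human-readable report lines, returned rather than printed so that callers
# (and tests) can inspect them. An empty array means nothing is untracked.
def report_lines(lock_text, manifest_text)
  untracked_generators(lock_text, manifest_text).map do |entry|
    "#{entry['gem']} #{entry['version']}: generated #{entry['files'].size} file(s) " \
      "but is not in Gemfile.lock; its advisories must be watched manually"
  end
end

if __FILE__ == $PROGRAM_NAME
  lines = report_lines(GEMFILE_LOCK, GENERATED_CODE_MANIFEST)
  puts(lines.empty? ? "all generated code is backed by a locked gem" : lines)
end
```

In a real CI job the script would read the project's own Gemfile.lock and manifest from disk and fail the build when the report is non-empty; the manifest entry is written once, when the generator is run, and the check then survives developer turnover because it lives in the repository rather than in anyone's memory.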
I run an indie startup providing vulnerability scanning for your Ruby on Rails app. It is free to use at the moment, and I am grateful for any feedback about it. If you would like to give it a spin, you can do it here: Vulnerability Scanning for your Ruby on Rails app!