From c6675a3d16fd6082b459b694923466333f8d12cf Mon Sep 17 00:00:00 2001 From: James Darling Date: Fri, 4 Feb 2022 14:38:04 +0000 Subject: [PATCH] Draft ADR for using devise for auth --- .../0006-use-auth0-for-authentication.md | 2 ++ ...-omniauth-to-standardise-authentication.md | 2 +- ...p-to-manage-authentication-with-sms-otp.md | 27 +++++++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 doc/architecture/decisions/0034-use-devise-and-rotp-to-manage-authentication-with-sms-otp.md diff --git a/doc/architecture/decisions/0006-use-auth0-for-authentication.md b/doc/architecture/decisions/0006-use-auth0-for-authentication.md index 08c21bb80..61f7187a3 100644 --- a/doc/architecture/decisions/0006-use-auth0-for-authentication.md +++ b/doc/architecture/decisions/0006-use-auth0-for-authentication.md @@ -6,6 +6,8 @@ Date: 2019-10-28 Superceded by [16. Disable Auth0's requirement for Javascript during the authentication journey](0016-disable-auth0-s-requirement-for-javascript-during-the-authentication-journey.md) +Superceded by [34. Use devise and rotp to manage authentication with sms OTP](0034-use-devise-and-rotp-to-manage-authentication-with-sms-otp.md) + ## Context We need to allow a number of users to sign in to the service in order to use it. diff --git a/doc/architecture/decisions/0026-use-omniauth-to-standardise-authentication.md b/doc/architecture/decisions/0026-use-omniauth-to-standardise-authentication.md index d5366fac1..79953ae53 100644 --- a/doc/architecture/decisions/0026-use-omniauth-to-standardise-authentication.md +++ b/doc/architecture/decisions/0026-use-omniauth-to-standardise-authentication.md @@ -4,7 +4,7 @@ Date: 2020-11-20 ## Status -Accepted +Superceded by [34. Use devise and rotp to manage authentication with sms OTP](0034-use-devise-and-rotp-to-manage-authentication-with-sms-otp.md) ## Context 
diff --git a/doc/architecture/decisions/0034-use-devise-and-rotp-to-manage-authentication-with-sms-otp.md b/doc/architecture/decisions/0034-use-devise-and-rotp-to-manage-authentication-with-sms-otp.md new file mode 100644 index 000000000..a87e89ea9 --- /dev/null +++ b/doc/architecture/decisions/0034-use-devise-and-rotp-to-manage-authentication-with-sms-otp.md 
@@ -0,0 +1,27 @@ +# 34. Use devise and rotp to manage authentication with SMS OTP + +Date: 2022-01-25 + +## Status + +Accepted + +Supercedes [6. Use Auth0 for authentication](0006-use-auth0-for-authentication.md) +Supercedes [26. Use omniauth to standardise authentication](0026-use-omniauth-to-standardise-authentication.md) + +## Context + +We previously used Auth0, via omniauth, to manage users and sessions. We have a user requirement to require MultiFactor authentication using one-time passwords sent over SMS. Auth0 are planning on moving this feature to only be included in expensive enterprise plans. + +## Decision + +We will create our own [devise](https://github.com/heartcombo/devise) [strategy](https://github.com/heartcombo/devise/tree/main/lib/devise/strategies) that uses [rotp](https://github.com/mdp/rotp) to generate one-time passwords that are sent over SMS via [GOV.UK Notify](https://www.notifications.service.gov.uk/). + +## Considerations made + +We tested the assumption that SMS OTP was a requirement, and it is +We decided that the Auth0 costs of an enterprise were too high for our needs +We explored competitors to Auth0, but as we are not ever planning on supporting SSO, we decided that running an external service, even if bought, is an unnecessary overhead +We considered writing our own authentication system in Rails from scratch, but decided that devise gives us enough out of the box to warrant its use +We considered using [devise-two-factor](https://github.com/tinfoil/devise-two-factor), but it would require enough bending to ignore app-based MFA and to add SMS OTP process flow that it makes sense for us to write our own strategy +We considered retaining omniauth as a middleware to enable us to easily use other providers, but we do not believe we will need to do this in the future
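Review bot: "Superceded" in the status line added to 0006-use-auth0-for-authentication.md is a misspelling of "Superseded"; the pre-existing line above it (`Superceded by [16. Disable Auth0's requirement for Javascript ...]`) has the same typo, so fix both in this hunk, e.g. `Superseded by [34. Use devise and rotp to manage authentication with sms OTP](0034-...)`. Since 0006 now has two superseding ADRs, a one-line note on which one supersedes what (16 only changed the Auth0 JavaScript requirement, 34 replaces Auth0 entirely) would help a reader who lands on 0006 first.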
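Review bot: The hunk in 0026-use-omniauth-to-standardise-authentication.md flips the status from `Accepted` to `Superceded by [34. ...]` in the same commit that the subject line calls a "Draft ADR", so the old decision is retired before the new one has been agreed; either keep 0026 as `Accepted` until 34 is accepted, or set 34 to `Proposed` and update 0026 when it lands. The spelling should be "Superseded" here as well.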
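Review bot: The new ADR 0034 has no "## Consequences" section, and nothing in the Decision records the properties of the home-grown devise strategy that the team now owns instead of Auth0: the OTP validity window and time-step/drift tolerance used with rotp, a limit on verification attempts per code and per account, rate limiting of SMS sends through GOV.UK Notify (cost and account enumeration), binding the OTP to the session that started the sign-in, and the known weakness of SMS as a second factor (SIM swap and interception; NIST SP 800-63B classes out-of-band OTP over the PSTN as restricted). Please add a Consequences section covering these, since the Context only says the feature was too expensive at Auth0. Smaller points in the same hunk: the six "Considerations made" lines have no `- ` list markers or blank lines between them, so Markdown renders them as one run-on paragraph; `Supercedes` should be `Supersedes` (both lines); and `Status: Accepted` contradicts the commit subject "Draft ADR", so use `Proposed` until the decision is agreed.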