I'm using Devise for authentication on a corporate website which is
now only in our intranet. I need to build an interface (controllers
and views) for our customers to access the site out on the internet,
on a publicly addressable url. Right now, you can sign up for an
account on the site simply by furnishing a valid email address (you
need a valid email address, since Devise sends you a confirmation
email which you must click through to gain access). If I make this
site publicly available I'll have all sorts of Tom, Dick and Harry
nefarious users and bots joining in and posting porn links in text
fields and deleting sensitive. I do log all activity, so I'd know who
did the dirty deed, but recovering from vandalism won't be fun.
Does Devise support protection from bots creating accounts?
Are there best practices for giving access to only a few people on
the internet (our customers) without allowing everyone to create an
account?
Isolate all content by user, if possible: if your design permits it, allow users only to view and edit content under their own user id, and that way, they cannot damage other users’ content.
Don't use the registerable and confirmable options in Devise; have a mail account where people send requests to register, then validate the request and add the user yourself (you can do that from the Rails console, or by adding an admin form for this purpose).
I know you can customize the views generated by Devise, so it may be possible to validate the registration email field with any custom validations you require (say, if you want only people from specific domain email accounts to be allowed to register).
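The email-domain allowlist suggested in the answer above, written out as an added example (not code from the answer or from Devise). It is framework-free so it runs on its own; in a Rails app the class would inherit from ActiveModel::EachValidator and be attached to the Devise User model with `validates :email, allowed_domain: true`, next to a `devise` call that omits :registerable and :confirmable. The domain list is an assumption standing in for your customers' domains.

```ruby
# Added example: allowlist of customer email domains for a Devise User model.
# Plain Ruby here; in Rails, change the superclass to ActiveModel::EachValidator.
require "set"

class AllowedDomainValidator
  # Assumed customer domains; matched lower-case after trimming whitespace.
  ALLOWED_DOMAINS = Set.new(%w[customer.example partner.example]).freeze

  # Returns the normalised domain part of an address, or nil when the address
  # is not shaped like local@domain (missing or repeated "@", empty parts).
  def self.domain_of(email)
    return nil unless email.is_a?(String)
    local, domain, extra = email.strip.split("@", -1)
    return nil if extra || local.nil? || domain.nil? || local.empty? || domain.empty?
    domain = domain.downcase.chomp(".") # "Customer.Example." -> "customer.example"
    domain.empty? ? nil : domain
  end

  # Whole-label comparison. A naive `email.end_with?("customer.example")` would
  # also accept "evilcustomer.example"; comparing the full domain (and, only when
  # allow_subdomains is set, a ".customer.example" suffix) closes that gap.
  def self.allowed?(email, allow_subdomains: false)
    domain = domain_of(email)
    return false if domain.nil?
    ALLOWED_DOMAINS.any? do |ok|
      domain == ok || (allow_subdomains && domain.end_with?(".#{ok}"))
    end
  end

  # Same signature as ActiveModel::EachValidator#validate_each, so the class
  # drops into Rails unchanged apart from its superclass; `record.errors` is
  # whatever errors object the framework supplies.
  def validate_each(record, attribute, value)
    return if self.class.allowed?(value)
    record.errors.add(attribute, "must belong to an approved customer domain")
  end
end
```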
I found a gem devise_invitable which allows you to initiate the
confirmable sequence from inside the app only after you've been
authenticated. You can tweak this to allow only certain users to
invite other users. In addition to what you've suggested, I'm adding
this functionality.
I have a similar case here. My project is also using Devise, and we are
trying to restrict access to the public site to our users, and to keep
robots out. What we have done is use Devise's http_authenticatable to
authenticate users against our database, which is working quite well.