best practices for putting rails site out on the internet with authentication

I'm using Devise for authentication on a corporate website which is now only in our intranet. I need to build an interface (controllers and views) for our customers to access the site out on the internet, on a publicly addressable url. Right now, you can sign up for an account on the site simply by furnishing a valid email address (you need a valid email address, since Devise sends you a confirmation email which you must click through to gain access). If I make this site publicly available I'll have all sorts of Tom, Dick and Harry nefarious users and bots joining in and posting porn links in text fields and deleting sensitive. I do log all activity, so I'd know who did the dirty deed, but recovering from vandalism won't be fun.

Does Devise support protection from bots creating accounts?

Is there a best practices for giving access to only a few people on the internet (our customers) without allowing everyone to create an account?

You could do one or more of the following:

  1. Isolate all content by user, if possible: if your design permits it, allow users only to view and edit content under their own user id, and that way, they cannot damage other users’ content.

  2. Don't use the registerable and confirmable options in Devise - have a mail account where people send requests to register, and validate the request and add the user yourself (you can do that from the rails console, or by adding an admin form for this purpose).

  3. I know you can customize the views generated by devise, so it may be possible to validate the registration email field with any custom validations you require (say, if you want only people from specific domain email accounts to be allowed to register).

HTH,

Anand
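Point 3 above, as an added example that is not from Anand or the thread: a plain-Ruby allow-list check for the registration e-mail domain, with the normalisation pitfalls handled (case, whitespace, multiple "@", suffix look-alikes). It has no Rails dependency so it runs stand-alone; the domain names are constructed, and the comment at the end shows the assumed hook into a Devise User model.

```ruby
require 'set'

class AllowedEmailDomain
  # Exact domains customers may register from (constructed sample values).
  ALLOWED = Set.new(%w[customer-one.example customer-two.example]).freeze

  # Returns a symbol explaining why an address is rejected, or nil when it is
  # acceptable. Normalise before comparing: strip whitespace and downcase the
  # address, and insist on exactly one "@" so that
  # "evil@attacker.example@customer-one.example" cannot pass as allowed.
  def self.rejection_reason(raw_email)
    email = raw_email.to_s.strip.downcase
    return :blank if email.empty?

    parts = email.split('@', -1)
    return :malformed unless parts.length == 2
    local, domain = parts
    return :malformed if local.empty? || domain.empty?

    # Exact match, not a suffix match: "customer-one.example.attacker.example"
    # would satisfy end_with?("customer-one.example") but is not a customer.
    return :domain_not_allowed unless ALLOWED.include?(domain)

    nil
  end

  def self.allowed?(raw_email)
    rejection_reason(raw_email).nil?
  end
end

# Assumed hook in app/models/user.rb (Devise's default `email` attribute):
#
#   validate :email_domain_is_allowed, on: :create
#
#   def email_domain_is_allowed
#     reason = AllowedEmailDomain.rejection_reason(email)
#     errors.add(:email, "domain is not on the customer list") if reason
#   end
```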

I found a gem devise_invitable which allows you to initiate the confirmable sequence from inside the app only after you've been authenticated. You can tweak this to allow only certain users to invite other users. In addition to what you've suggested, I'm adding this functionality.

Thanks for your help!

I have a similar case here. My project is also using Devise and we are trying to restrict access to users, even robots, to the public site. What we have done is using Devise http_authenticatable to authenticate users in our database, which is working quite well.

Cheers, Lecky