Build Status Code Climate

OpenSesame is a Warden strategy for providing "walled garden" authentication for access to Rack-based applications via Omniauth. The intent is protect the visibility of your app from the outside world. For example, your company has internal apps and/or staging enviroments for multiple projects and you want something better than HTTP basic auth.

Enter OpenSesame. To authenticate, OpenSesame currently uses Omniauth and the Github API to require that a user is both logged in to Github and a member of the Github organization for which OpenSesame is configured.


In your Gemfile:

gem "opensesame"

Register your application(s) with Github for OAuth access. For each application, you need a name, the site url, and a callback for OAuth. The OmniAuth-Github OAuth strategy used under the hood will expect the callback at mount path + '/github/callback'. So the development version of your client application might be registered as:

Name: MyApp - local
URL: http://localhost:3000
Callback URL: http://localhost:3000/opensesame/github/callback

Configure OpenSesame:

# Rails config/initializers/opensesame.rb

require 'opensesame'

OpenSesame.configure do |config|
  config.enable       Rails.env.staging?
  config.github ENV['GITHUB_APP_ID'], ENV['GITHUB_SECRET']
  config.organization 'challengepost'
  config.mounted_at   '/opensesame'

  config.redirect_to '/path' # Set redirect to for both login and logout
  config. '/path'
  config.redirect_after_logout '/path'

Mount OpenSesame in your Rails routes:

# Rails config/routes.rb
mount OpenSesame::Engine => OpenSesame.mount_prefix

Place the following in your application_controller:

before_filter :authenticate_opensesame!