Posted almost 3 years ago.

Authentication

Step 1: Homegrown

Start by reading the attached letter about securing Rails authentication. For each point addressed, do you understand what it's about? Talk with your mentor about each point that is unclear.

Now add a User model to the MovieDB application. A User should have:

  • E-mail address
  • Screen name
  • Hashed password

Now add the following features to MovieDB without using a gem:

  • User can sign up through a public registration form
  • User can login
  • User can logout
  • Movie gets an association Movie#creator which points to the user who created that movie. This is a required field.
  • A movie's show view links to the user profile
  • The user profile shows the list of movies created by that user
  • Deny access to all MovieDB pages except for logged in users

Add Cucumber tests for all these features.

Commit and push all changes.

Discuss the implementation with your mentor, with an emphasis on security.

Some questions to answer are:

  • Is access for signed out users really impossible? If you add a new controller, do you have to remember to secure it as well?
  • Can you find out a user's password by looking into the database?
  • Are passwords "salted"?
  • How hard is it to brute-force passwords, if you have access to the database?
  • Can you sign out a user using the Rails console?
  • If someone can read our network traffic, can they see a user's password? Can they hijack that user's session?
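To make the questions about salting and brute-force cost concrete, here is an added example (not code from the card or from MovieDB) of how a homegrown User model can store passwords with only Ruby's standard library: a random per-user salt, an iterated PBKDF2 digest, and a constant-time comparison. The class and method names are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Salted, iterated password hashing without a gem.
# Stored format: "pbkdf2-sha256$<iterations>$<hex salt>$<hex digest>",
# so the cost factor can be raised later without breaking old records.
module PasswordHash
  ITERATIONS = 100_000  # work factor: makes offline guessing expensive
  SALT_BYTES = 16       # random salt per password defeats rainbow tables
  LENGTH = 32

  def self.create(password, iterations: ITERATIONS)
    salt = SecureRandom.bytes(SALT_BYTES)
    digest = pbkdf2(password, salt, iterations)
    ['pbkdf2-sha256', iterations, salt.unpack1('H*'), digest.unpack1('H*')].join('$')
  end

  def self.verify(password, stored)
    scheme, iterations, salt_hex, digest_hex = stored.to_s.split('$', 4)
    return false unless scheme == 'pbkdf2-sha256' && digest_hex
    expected = [digest_hex].pack('H*')
    actual = pbkdf2(password, [salt_hex].pack('H*'), iterations.to_i)
    secure_compare(expected, actual)
  end

  def self.pbkdf2(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                             length: LENGTH, hash: 'sha256')
  end

  # Compare every byte regardless of where the first mismatch is, so the
  # time taken does not leak how much of the digest was correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
  private_class_method :pbkdf2, :secure_compare
end

# Minimal stand-in for the User model (hypothetical, not ActiveRecord).
class User
  attr_reader :email, :password_digest
  def initialize(email)
    @email = email
  end

  def password=(plain)
    @password_digest = PasswordHash.create(plain)  # only the digest is stored
  end

  def authenticate(plain)
    !password_digest.nil? && PasswordHash.verify(plain, password_digest)
  end
end
```

Note that two users with the same password get different digests because of the salt, and a reader of the database sees neither the password nor anything cheap to invert.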

Step 2: Clearance

Replace your homegrown authentication system with the clearance gem.

Commit and push all changes.

Read the card "Fixing authentication in legacy applications" and also the "Checklist for implementing authentication".

Author of this card: Henning Koch
Last edit: 23 days ago by Florian Leinsinger
Attachments: Rails_LTS_Securing_your_Rails_authentication_system.txt
Posted by Henning Koch to makandra Curriculum