Authentication [3d]

Step 1: Homegrown

Start by reading the attached letter about securing Rails authentication. For each point addressed, do you understand what it's about? Talk with your mentor about each point that is unclear.

Now add a User model to the MovieDB application. A User should have:

  • E-mail address
  • Screen name
  • Hashed password

Now add the following features to MovieDB without using a gem:

  • User can sign up through a public registration form
  • User can log in
  • User can log out
  • Movie gets an association Movie#creator which points to the user who created that movie. This is a required field.
  • A movie's show view links to the user profile
  • The user profile shows the list of movies created by that user
  • Deny access to all MovieDB pages except for logged-in users

Add Cucumber tests for all these features.

Commit and push all changes.

Discuss the implementation with your mentor, with an emphasis on security.

Some questions to answer are:

  • Is access for signed out users really impossible? If you add a new controller, do you have to remember to secure it as well?
  • Can you find out a user's password by looking into the database?
  • Are passwords "salted"?
  • How hard is it to brute-force passwords, if you have access to the database?
  • Can you sign out a user using the Rails console?
  • If someone can read our network traffic, can he see a user's password? Can he hijack her session?
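To make the questions about hashing, salting and brute-force cost concrete, here is an added example (not part of the card, not makandra's code) of how a homegrown implementation can store and verify passwords using only Ruby's standard library; it assumes Ruby 2.4 or newer for OpenSSL::KDF, and the stored string format is one constructed for this example.

```ruby
require "openssl"
require "securerandom"

# Salted, stretched password hashing for a homegrown login.
# Stored format (constructed for this example): "pbkdf2-sha256$iterations$salt_hex$hash_hex".
module PasswordHasher
  DIGEST = "sha256"
  LENGTH = 32
  # The iteration count is the work factor: raising it makes every guess an
  # attacker with a database dump has to compute proportionally slower.
  DEFAULT_ITERATIONS = 100_000

  # Derive a hash from the password and a fresh random salt. Because the salt
  # differs per user, identical passwords produce different stored values and a
  # precomputed table of hashes cannot be reused across users.
  def self.hash_password(password, iterations: DEFAULT_ITERATIONS, salt: SecureRandom.random_bytes(16))
    digest = derive(password, salt, iterations)
    ["pbkdf2-#{DIGEST}", iterations, salt.unpack1("H*"), digest.unpack1("H*")].join("$")
  end

  # Re-derive with the stored salt and iteration count, then compare in
  # constant time so response timing does not reveal how many bytes matched.
  def self.verify(stored, password)
    scheme, iterations, salt_hex, hash_hex = stored.to_s.split("$", 4)
    return false unless scheme == "pbkdf2-#{DIGEST}" && hash_hex && iterations.to_i > 0
    expected = [hash_hex].pack("H*")
    actual = derive(password, [salt_hex].pack("H*"), iterations.to_i)
    secure_compare(expected, actual)
  end

  def self.derive(password, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations, length: LENGTH, hash: DIGEST)
  end

  # XOR every byte pair and OR the results, so the loop always runs to the end.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  stored = PasswordHasher.hash_password("correct horse battery staple")
  puts stored
  puts PasswordHasher.verify(stored, "correct horse battery staple") # true
  puts PasswordHasher.verify(stored, "wrong")                        # false
end
```

Reading the stored column shows only the salt and the derived hash, which answers the "look into the database" question; the iteration count answers the brute-force one.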

Step 2: Clearance

Replace your homegrown authentication system with the Clearance gem.

Commit and push all changes.

Read the card on fixing authentication in legacy applications, and also the checklist for implementing authentication.

Password reset

You don't need to implement password reset as part of this card. However, let your mentor show you how a password reset feature is implemented and tested in an existing app.

Owner of this card: Henning Koch
Last edit: 4 months ago by Henning Koch
Posted by Henning Koch to makandra Curriculum