Authentication is all about being able to verify the identity of a user in the context of our application.
While you could roll your own authentication solution, this would likely expose you to the usual risks of "homegrown crypto". In practice we use popular authentication libraries like clearance or devise for this task.
Learn
- Read the article "Rails Authentication from Scratch". You don't need to write any code, but you should be able to answer the following questions:
  - How does a user stay signed in across multiple requests after submitting the login form only once?
  - How can we authenticate a user without storing their plaintext password in the database?
  - How can we authenticate a user without storing their plaintext password in a cookie?
  - How could you make the movies' show view only accessible for authenticated users?
  - How does logout work?
- Read the documentation of clearance in preparation for the exercise below.
Exercise: Authentication with Clearance
Add a User model to the MovieDB application. A User should have:
- E-mail address
- Screen name
Now add the following features to MovieDB using the clearance gem.
- User can sign up through a public registration form
- User can log in with the correct password
- User can log out
- Movie gets an association Movie#creator which points to the user who created that movie. This is a required field.
- A movie's show view links to the user profile
- The user profile shows the list of movies created by that user
- Deny access to all MovieDB pages except for logged-in users
- The views provided by Clearance should be customized to work with the existing form styles in your MovieDB.
Add tests for all these features.
Discussion
Discuss the implementation with your mentor, with an emphasis on security. Some questions to answer are:
- Is access for signed out users really impossible? If you add a new controller, do you have to remember to secure it as well?
- Can you find out a user's password by looking into the database?
- Are passwords "salted"?
- How hard is it to brute-force passwords, if you have access to the database?
- Can you sign out a user using the Rails console?
- If someone can read our network traffic, can they see a user's password? Can they hijack the user's session?
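The discussion questions above, and the "Learn" questions earlier on this card, can be worked through in plain Ruby before looking at how Clearance does it. The following is an added example and is not Clearance's code or part of the original card: an in-memory user store that keeps a per-user random salt and a PBKDF2 hash instead of the plaintext password, verifies a password in constant time, and on login issues a random remember token that later requests present instead of the password. The names UserStore, PasswordHashing and the PBKDF2 parameters are assumptions made for this example; Clearance itself uses bcrypt, which bundles the salt into the stored hash.

```ruby
require "openssl"
require "securerandom"

# Added example (not Clearance's code): minimal salted password storage and
# token-based sessions. UserStore, PasswordHashing and the parameters below
# are assumptions for this illustration.

PBKDF2_ITERATIONS = 20_000   # assumption: the main lever against brute force
PBKDF2_LENGTH     = 32       # 256-bit derived key
PBKDF2_DIGEST     = "sha256"

User = Struct.new(:email, :screen_name, :password_salt, :password_hash, :remember_token)

module PasswordHashing
  module_function

  # A fresh random salt per user: equal passwords yield different hashes, and
  # precomputed tables do not work against the stored values.
  def hash_password(password, salt = SecureRandom.bytes(16))
    digest = OpenSSL::KDF.pbkdf2_hmac(
      password,
      salt: salt,
      iterations: PBKDF2_ITERATIONS,
      length: PBKDF2_LENGTH,
      hash: PBKDF2_DIGEST
    )
    [salt, digest]
  end

  # Constant-time comparison: the time taken does not depend on how many
  # leading bytes matched, so timing reveals nothing about the secret.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  def verify(password, salt, expected_digest)
    _, digest = hash_password(password, salt)
    secure_compare(digest, expected_digest)
  end
end

class UserStore
  def initialize
    @users = {} # email => User; stands in for the users table
  end

  def register(email, screen_name, password)
    salt, digest = PasswordHashing.hash_password(password)
    @users[email] = User.new(email, screen_name, salt, digest, nil)
  end

  # What the "database" holds for a user: salt and hash only, never the password.
  def stored_password_fields(email)
    u = @users.fetch(email)
    { salt: u.password_salt.unpack1("H*"), hash: u.password_hash.unpack1("H*") }
  end

  # Login form: verify the password once, then hand back a random token that the
  # browser keeps in a cookie and sends with every later request.
  def sign_in(email, password)
    user = @users[email]
    return nil unless user && PasswordHashing.verify(password, user.password_salt, user.password_hash)
    user.remember_token = SecureRandom.hex(20)
    user.remember_token
  end

  # Later requests: the cookie token alone identifies the user; the password
  # never travels again and is never stored in the cookie.
  def current_user(remember_token)
    return nil if remember_token.nil? || remember_token.empty?
    @users.values.find { |u| u.remember_token && u.remember_token == remember_token }
  end

  # Logout, or an admin in a console session: clearing the stored token
  # invalidates every cookie that still carries the old value.
  def sign_out(email)
    @users.fetch(email).remember_token = nil
  end
end

if __FILE__ == $0
  store = UserStore.new
  store.register("alice@example.com", "alice", "correct horse battery staple") # constructed sample user
  puts "stored: #{store.stored_password_fields('alice@example.com')}"
  token = store.sign_in("alice@example.com", "correct horse battery staple")
  puts "signed in as #{store.current_user(token).screen_name}"
  store.sign_out("alice@example.com")
  puts "after sign_out: #{store.current_user(token).inspect}"
end
```

With a copy of the table, an attacker still has to run the full PBKDF2 derivation per guess per user, so raising the iteration count (or using bcrypt's cost factor) is what makes offline brute force expensive; note that the early return in sign_in when the email is unknown is a minor timing difference that a stricter implementation would avoid by always running the hash.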
Password reset
You don't need to implement password reset as part of this card. However, let your mentor show you how a password reset feature is implemented and tested in an existing app.