240 Authentication [3d]


Authentication is all about being able to verify the identity of a user in the context of our application.

While you could roll your own authentication solution, this would likely expose you to the various risks of "homegrown crypto". In practice we use popular authentication libraries like clearance or devise for this task.

Learn

  • Read the article Rails Authentication from Scratch
    You don't need to write any code, but you should be able to answer the following questions:
    • How does a user stay signed in across multiple requests after submitting the login form only once?
    • How can we authenticate a user without storing their plaintext password in the database?
    • How can we authenticate a user without storing their plaintext password in a cookie?
    • How could you make the movies' show view only accessible for authenticated users?
    • How does logout work?
  • Read the documentation of clearance in preparation for the exercise below

Exercise: Authentication with Clearance

Add a User model to the MovieDB application. A User should have:

  • E-mail address
  • Screen name

Now add the following features to MovieDB using the clearance gem.

  • User can sign up through a public registration form
  • User can log in with the correct password
  • User can log out
  • Movie gets an association Movie#creator which points to the user who created that movie. This is a required field.
  • A movie's show view links to the user profile
  • The user profile shows the list of movies created by that user
  • Deny access to all MovieDB pages for users who are not logged in
  • The views provided by Clearance should be customized to work with the existing form styles in your MovieDB.

Add tests for all these features.

Discussion

Discuss the implementation with your mentor, with an emphasis on security. Some questions to answer are:

  • Is access for signed out users really impossible? If you add a new controller, do you have to remember to secure it as well?
  • Can you find out a user's password by looking into the database?
  • Are passwords "salted"?
  • How hard is it to brute-force passwords, if you have access to the database?
  • Can you sign out a user using the Rails console?
  • If someone can read our network traffic, can they see a user's password? Can they hijack the user's session?
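As an added illustration of the questions in the Learn and Discussion sections (this is not code from the card or from Clearance), here is a stand-alone Ruby sketch of the mechanism: a salted, iterated password digest is stored instead of the password, and the cookie carries only a random remember token. It uses PBKDF2 from Ruby's OpenSSL binding where Clearance uses bcrypt, and an in-memory array in place of the users table; the iteration count is an assumed work factor.

```ruby
require "openssl"
require "securerandom"

# Constant-time comparison so digest/token checks don't leak how many
# leading bytes matched through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# In-memory stand-in for a users table row: only the salt, the digest and
# the remember token are stored; the password itself never is.
class User
  ITERATIONS = 100_000 # assumed work factor; bcrypt's cost plays this role in Clearance
  attr_reader :email, :password_salt, :password_digest, :remember_token

  def initialize(email, password)
    @email = email
    @password_salt = SecureRandom.hex(16) # fresh per-user salt
    @password_digest = User.digest(password, @password_salt)
    @remember_token = nil
  end

  # Salted, iterated hash: the same password yields different digests for
  # different users, and every guess costs an attacker ITERATIONS hashes.
  def self.digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256").unpack1("H*")
  end

  def authenticated?(password)
    secure_equal?(User.digest(password, password_salt), password_digest)
  end

  # Login: verify the password once, then mint a random remember token.
  # The cookie carries only this token, never the password.
  def sign_in!(password)
    return nil unless authenticated?(password)
    @remember_token = SecureRandom.urlsafe_base64(32)
  end

  # Logout (from a controller or the Rails console) deletes the token,
  # which invalidates every cookie that still holds it.
  def sign_out!
    @remember_token = nil
  end
end

# Each later request is authenticated by looking up the cookie's token.
def user_from_cookie(users, cookie_token)
  return nil if cookie_token.nil?
  users.find { |u| u.remember_token && secure_equal?(u.remember_token, cookie_token) }
end
```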

Password reset

You don't need to implement password reset as part of this card. However, let your mentor show you how a password reset feature is implemented and tested in an existing app.

Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra Curriculum (2015-08-05 11:39)