What is authentication?
● mechanism of ensuring you are who you claim you are
● In real life, matching the photo on an ID card
● On the web, the most popular way is to use username + password
● Not to be mistaken with authorization: you need to be authenticated before you can be authorized

Passwords
● should not be stored in plaintext!
● if the database was ever obtained, everyone's passwords and identification would be exposed
● hashing is important!

Hashing + salting
● creates a one-way "digest" of a password that can't be reversed back to its original form
● the bcrypt-ruby gem allows us to use a sophisticated and secure hashing algorithm
● Important to use a salt: hackers use rainbow tables!

has_secure_password
● for sign up, it uses password and password_confirmation
● must add the "password_digest" column to your users table
● if password and password_confirmation match on signup, it auto-generates the corresponding password_digest
● has its own authenticate method

Signing up in Rainforest
● app/models/user.rb
● app/views/users/new.html.erb
● app/controllers/users_controller.rb

Sessions
● store information about the authenticated user
● without them, you would have to authenticate on every single request
● always require cookies to be enabled in the browser

Sessions controller
● treat a session like any other resource / model
● use routes and a controller
● after the password is verified, log in by creating a session, i.e. setting user_id on the session
● to log out, destroy the session by setting the session's user_id to nil

Verifying the password
● authenticate runs bcrypt on the attempted password (using the salt stored inside the digest) and checks whether the result matches the user's password_digest

current_user and helper_method
● Automatically fetches the user based on the user_id stored in the session
● helper_method allows a controller method to be used in a view like any other helper

Authorization
● don't allow a user to view a certain page unless they're authenticated
● redirect them to the log in page
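The whole flow on these slides (salted digest, has_secure_password-style sign up and authenticate, a sessions controller that sets and clears user_id, current_user, and a login check for protected pages) as one added example. This is not the Rainforest app's code and not Rails: ActiveRecord and the bcrypt gem are not loaded, so the digest is derived with PBKDF2-HMAC-SHA256 from Ruby's standard library instead of bcrypt, the users table is an in-memory hash, and the session is a plain hash. The SecurePassword module, USERS, sign_up, the email lookup, the iteration count and the :redirect_to_root / :render_new / :redirect_to_login return values are all assumptions made for the example.

```ruby
require "openssl"
require "securerandom"

# Stand-in for has_secure_password. Real Rails apps use the bcrypt-ruby gem;
# this added example derives the digest with PBKDF2-HMAC-SHA256 from Ruby's
# standard library so that it runs without any gems or a database.
module SecurePassword
  ITERATIONS = 60_000 # assumption: work factor, comparable to bcrypt's cost
  attr_reader :password_digest
  attr_accessor :password_confirmation

  # Derives a hex digest; the per-user salt makes precomputed (rainbow) tables useless.
  def self.derive(plain, salt)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256").unpack1("H*")
  end

  # Constant-time comparison so timing does not leak how many bytes matched.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Setting password stores "salt$digest"; the plaintext is never persisted.
  def password=(plain)
    @password = plain
    salt = SecureRandom.hex(16) # fresh random salt for every user
    @password_digest = "#{salt}$#{SecurePassword.derive(plain, salt)}"
  end

  # Sign-up rule: password present and equal to password_confirmation.
  def valid_password?
    !@password.to_s.empty? && @password == @password_confirmation
  end

  # Re-hashes the attempt with the stored salt and compares, returning the
  # user on success or false on failure, as Rails' authenticate does.
  def authenticate(attempt)
    salt, stored = @password_digest.split("$", 2)
    SecurePassword.secure_equal?(SecurePassword.derive(attempt, salt), stored) ? self : false
  end
end

# Minimal user model; the users "table" is an in-memory hash (constructed).
class User
  include SecurePassword
  attr_reader :id, :email
  def initialize(id, email)
    @id, @email = id, email
  end
end
USERS = {}

# Equivalent of UsersController#create: returns the user, or nil if the
# confirmation does not match (nothing is saved in that case).
def sign_up(id, email, password, confirmation)
  user = User.new(id, email)
  user.password = password
  user.password_confirmation = confirmation
  return nil unless user.valid_password?
  USERS[id] = user
end

# Mirrors a Rails SessionsController plus the current_user/require_login
# helpers. The session is a plain hash here; Rails would store it in a
# signed or encrypted cookie, which is why cookies must be enabled.
class SessionsController
  attr_reader :session
  def initialize(session)
    @session = session
  end

  # POST /sessions: verify the password, then log in by setting user_id.
  # Email lookup is an assumption; the slides do not say how the user is found.
  def create(email, password)
    user = USERS.values.find { |u| u.email == email }
    return :render_new unless user && user.authenticate(password)
    session[:user_id] = user.id
    :redirect_to_root
  end

  # DELETE /sessions: log out by clearing the user id from the session.
  def destroy
    session[:user_id] = nil
    :redirect_to_root
  end

  # current_user (exposed to views via helper_method in Rails): looks the
  # user up from session[:user_id] on every call; nil when logged out.
  def current_user
    USERS[session[:user_id]]
  end

  # before_action-style check for protected pages: redirect when not logged in.
  def require_login
    current_user ? :allowed : :redirect_to_login
  end
end
```

Two things worth noticing when running it: two users who choose the same password end up with different password_digest values because each gets its own salt, and a failed create leaves session[:user_id] untouched, so require_login still redirects. In a real app, put the same digest algorithm and cost on both sides of the check (bcrypt does this by embedding salt and cost in the digest), and compare digests in constant time as above.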