Authentication: checking that the person signing in is who they claim to be (for example by verifying a password).
Authorization: checking whether an already-authenticated user is allowed to perform a specific action (for example editing this particular article).
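# Authorization check for the edit form: only the article's author may open it.
# Working out who @user is (authentication) is a separate step, elided here.
get '/articles/:article_id/edit' do
  @article = Article.find(params[:article_id])
  @user = ... # not important now
  # Decide on the server-side relationship between article and user; never on
  # anything the client sent, because params are under the client's control.
  if @article.author == @user
    erb :edit
  else
    # Refuse with a 403 status so clients, proxies and logs see a denial
    # rather than a "successful" 200 page that merely looks like one.
    halt 403, erb(:forbidden)
  end
end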
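# Sign-in lookup. Fetch the user by email only, then let the model verify the
# submitted password against its bcrypt digest (see User#check_password).
# Querying on a password column would only ever work if passwords were stored
# in plain text, which they must never be. @current_user stays nil when the
# email is unknown or the password does not match.
user = User.find_by(email: params[:email])
@current_user = user if user && user.check_password(params[:password])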
# create_table :users do |t|
#   t.string :password_digest   # holds the bcrypt hash only, never the plain password
# end
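class User < ActiveRecord::Base
  # Verify a sign-in attempt against the stored bcrypt digest.
  # Returns true when `attempt` hashes to password_digest. BCrypt::Password#==
  # re-hashes the attempt with the salt and cost embedded in the digest, so
  # the plain password is never stored and never compared as a plain string.
  # Returns false (instead of raising on an invalid hash) when no digest is
  # stored yet.
  def check_password(attempt)
    return false if password_digest.to_s.empty?
    checkable_pass == attempt
  end

  # Replace the stored digest with a fresh bcrypt hash of `plain_password`
  # (bcrypt picks a new random salt each time). Drops the memoized wrapper so
  # later check_password calls verify against the new digest, not the old one.
  def set_new_password(plain_password)
    @checkable_pass = nil
    self.password_digest = BCrypt::Password.create(plain_password)
  end

  private

  # Memoized BCrypt::Password wrapper around password_digest. The original
  # relied on `self.checkable_pass =` with only an attr_reader defined, which
  # raises NoMethodError on the first call; memoizing the ivar directly
  # needs no writer.
  def checkable_pass
    @checkable_pass ||= BCrypt::Password.new(password_digest)
  end
end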
# The password as a BCrypt::Password object, never as plain text: whatever
# #password= cached, else a wrapper built from the stored password_digest.
def password
  return @checkable_pass if @checkable_pass
  BCrypt::Password.new(password_digest)
end
# Set a new password: hash it with bcrypt (fresh random salt), keep the
# BCrypt::Password object for later comparisons and persist the same digest
# string in password_digest. The plain text is not retained anywhere.
def password=(plain_password)
  digest = BCrypt::Password.create(plain_password)
  @checkable_pass = digest
  self.password_digest = digest
end
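# Verify a sign-in attempt. Goes through #password so that a record loaded
# from the database — where @checkable_pass was never set, because only
# #password= assigns it — is checked against its stored digest. Comparing
# the ivar directly would compare nil == attempt and silently reject every
# correct password for such records.
def authenticate(attempt)
  password == attempt
end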
# Illustrative pseudo-code only: Ruby's String has no hash!/encrypt!/decrypt!
# methods. The point is the contrast between the two operations.
#
# Hashing is one-way: nothing recovers "12345" from the output. A login is
# checked by hashing the attempt the same way and comparing the results.
pw = "12345"
pw.hash!
puts pw
# => $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
#    (bcrypt modular-crypt format: $<version>$<cost>$<salt and digest>;
#     the leading "$" had been lost in the original listing)
# Encryption is two-way: whoever holds the key gets the plain text back.
# That is exactly why stored passwords are hashed, not encrypted.
pw = "12345"
pw.encrypt!
puts pw
# => 1jf83
pw.decrypt!
puts pw
# => 12345
HTTP is stateless: each request arrives on its own, and nothing in the protocol ties it to an earlier one — so how does the server know that two requests came from the same signed-in user?
Remembering the client's IP address does not work: what if it changes (mobile networks, VPNs), or many users share one address behind NAT?
require 'sinatra'
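configure do
  # Sinatra's default session store is a cookie signed with session_secret.
  # When no secret is set, each process generates its own, so sessions stop
  # validating after a restart and across worker processes. Use the one
  # from the environment when provided; otherwise behaviour is unchanged
  # (a per-process random secret).
  enable :sessions
  secret = ENV['SESSION_SECRET']
  set :session_secret, secret if secret
end

# Show whatever the session holds for :message, or a placeholder.
get '/' do
  session[:message] || "blank message for now"
end

# Store a value in the session. The session lives in a cookie on the client;
# depending on the Sinatra/Rack version it is only signed, not encrypted, so
# treat its contents as readable by the user. Keep real secrets server-side
# and put only identifiers (e.g. a user id) in the session.
get '/message' do
  session[:message] = "this is the secret message!"
  "You found the message."
end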