
Twitor #4: Secure

Let's create Twito!, a Tweet clone app, using Ruby on Rails!

Intro

Now we are going to secure our web app by adding:

  • password hashing
  • session tokens

Install Gem

To hash passwords in Rails, we need something known as a gem. A gem is a third-party library you can use with Ruby. There are gems for all kinds of things, such as a search-functionality gem or a password-hashing gem. This time we'll use bcrypt, a gem that hashes passwords: what gets stored is the hash, never the password itself.

In Rails, there's a file named Gemfile where you list the gems you want to install, one per line, as gem 'gem_name'. Some gems are already listed there when you run the rails new command. When you install gems, the Gemfile.lock file is updated automatically.

You can specify the version of the gem, like gem 'rails', '5.0.3'. If you don’t specify

This time, we'll add the bcrypt gem. Add gem 'bcrypt' to the Gemfile and run bundle install in the terminal.

After installing bcrypt, we can use a method known as has_secure_password. By adding it to the User model, Rails will automatically hash the password when saving the user.

Add password_digest column

After being hashed by has_secure_password, the password is stored in the password_digest column, not in the password column. So we need to add a password_digest column and remove the existing password column from the database.

Let's create a migration file with rails g migration change_users_columns. Since we can change multiple columns in one migration file, edit the migration so that it adds the password_digest column and removes the password column.

class ChangeUsersColumns < ActiveRecord::Migration[5.0]
  def change
    add_column :users, :password_digest, :string
    remove_column :users, :password, :string
  end
end

Then run rails db:migrate.

Using Encrypted Password

Create

To save the hashed password in the password_digest column, we assign the value to password as we've done before. The value assigned to password is hashed by has_secure_password and stored in the password_digest column, so the existing code for the password doesn't need to change.

In the Rails console (rails c), fetch a user with user = User.first and assign a password with user.password = yourcustompass. Then check the database: the password_digest column should be filled with a bcrypt hash rather than the password itself (the digest is only written to the database once the record is saved).

Login

With has_secure_password, you can also use the authenticate method. It hashes the argument it receives and compares the result with the value of password_digest, so we can use it to decide whether the password sent from the login form matches the stored digest. In user_controller.rb, modify the login method as follows:

...
  def login
    # Rewrite the following line to only use the email to find the user
    @user = User.find_by(email: params[:email])
    # Rewrite the if statement using && and the "authenticate" method
    if @user && @user.authenticate(params[:password])
      session[:user_id] = @user.id
...
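To see what has_secure_password and authenticate actually do for the login flow above, here is an added example (not code from the tutorial): a plain-Ruby stand-in for the User model and the login action that runs without a database. It uses the bcrypt gem when it is installed; when it is not, it falls back to PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL library, which is an assumption for offline runs and not what the real app does. The User class, the USERS table, the sample user and the login function are all constructed for this example.

```ruby
require 'openssl'
require 'securerandom'
begin
  require 'bcrypt'           # the gem the tutorial installs
  HAVE_BCRYPT = true
rescue LoadError
  HAVE_BCRYPT = false        # assumption for offline runs: stdlib PBKDF2 stands in for bcrypt
end

# Constant-time comparison for the PBKDF2 branch (bcrypt's == does this itself).
def same_digest?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).inject(0) { |s, (x, y)| s | (x ^ y) }.zero?
end
def pbkdf2(plain, salt)
  OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: 100_000, length: 32, hash: 'sha256').unpack1('H*')
end

# Plain-Ruby stand-in for the User model: only password_digest is kept, as with has_secure_password.
class User
  attr_reader :email, :password_digest
  def initialize(email); @email = email; end
  # password= hashes the value right away; the plaintext is never stored.
  def password=(plain)
    raise ArgumentError, 'password must not be blank' if plain.to_s.strip.empty?
    @password_digest = if HAVE_BCRYPT
                         BCrypt::Password.create(plain).to_s
                       else
                         salt = SecureRandom.hex(16)
                         "pbkdf2$#{salt}$#{pbkdf2(plain, salt)}"
                       end
  end
  # authenticate re-hashes the candidate with the stored salt; returns the user or false.
  def authenticate(candidate)
    return false if password_digest.nil? || candidate.nil?
    ok = if password_digest.start_with?('pbkdf2$')
           _, salt, hex = password_digest.split('$', 3)
           same_digest?(pbkdf2(candidate, salt), hex)
         else
           BCrypt::Password.new(password_digest) == candidate
         end
    ok ? self : false
  end
end

# Constructed in-memory users table with one sample user, and the login action as a function.
USERS = { 'alice@example.com' => User.new('alice@example.com').tap { |u| u.password = 'correct horse' } }
def login(params)  # the `user &&` guard matters: find_by returns nil for an unknown email
  user = USERS[params[:email]]
  return nil unless user && user.authenticate(params[:password])
  user.email   # stands in for session[:user_id] = @user.id
end
```

Calling authenticate on a nil user would raise NoMethodError, which is why the controller checks @user first; an unknown email and a wrong password both end up taking the same failure path.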