Securing a Rails ActiveRecord model with a password could not be any easier.



Let's say we have a user table that contains a password, and we would like to secure it from external access.

I assume you already have a controller, so let's go ahead and create our model.


1. Run the following command:

rails g model User name email password_digest password_confirmation reputation


2. Generate its serializer:

rails g serializer User name email password_digest password_confirmation reputation

3. Next, let's modify our User ActiveRecord model by adding the 'has_secure_password' declaration, as shown in the diagram below:



This is basically part of the bcrypt (Blowfish-based password hashing) implementation.

Here are the requirements:

a) In our database, we need a field called 'password_digest'.
b) In our ActiveRecord model, we need to specify 'has_secure_password'.

4. Next, we just need to run rake:

rake db:migrate

This ensures the necessary table structure has been created in our database.


5. We need to wire this up in our controller. Let's say we have a controller called Home; our code might look something like the one below:




6. Let's see our model in action using the Rails console. From the command line, type rails console. We will create a new user using the following commands:

u = User.new
u.name = 'jeremy'
u.email = 'jeremy@expert.com'
u.password = 'test'      # has_secure_password hashes this into password_digest
u.save

If you look at the output, you will see that our field 'password_digest' has been populated automatically with the hashed value. From here, I wanted to highlight that the proper way to authenticate is via u.authenticate('abc') => false. If we try u.authenticate('test') => true, success!


Now, let's make a GET request to our Home controller. In the browser, open http://localhost:3000/home/index. It returns the following JSON response. Notice that password is null.
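To make steps 3 and 6 concrete without a database, here is an added, self-contained Ruby example (not code from this post or from Rails) that reimplements what 'has_secure_password' gives a model and what the serializer should expose. Two things worth knowing: in Rails, 'has_secure_password' is a class-level declaration from ActiveModel that adds 'password' and 'password_confirmation' as virtual attributes, so only 'password_digest' actually needs a database column; and 'authenticate' returns the record itself on success (which is truthy) and false on failure, which the stand-in mirrors. The stand-in swaps bcrypt for PBKDF2-HMAC-SHA256 from Ruby's bundled OpenSSL binding purely so the block runs without gems; the User, UserSerializer and demo_user names and the sample values are constructed for this example.

```ruby
require "openssl"
require "securerandom"
require "json"

# Stand-in for ActiveModel's has_secure_password, written for this example.
# Rails hashes with the bcrypt gem; this uses PBKDF2-HMAC-SHA256 instead so
# the block needs nothing outside Ruby's standard library.
module SecurePassword
  ITERATIONS = 100_000

  attr_accessor :password_digest, :password_confirmation
  attr_reader :password

  # Assigning password hashes it at once; only the digest stays on the record.
  # nil clears the digest, an empty string leaves it untouched (as Rails does).
  def password=(plain)
    @password = plain
    if plain.nil?
      @password_digest = nil
    elsif !plain.empty?
      @password_digest = SecurePassword.digest(plain)
    end
  end

  # Mirrors ActiveRecord: returns the record itself on success, false otherwise.
  def authenticate(plain)
    return false if password_digest.nil? || plain.nil?
    SecurePassword.verify(plain, password_digest) ? self : false
  end

  # The validations has_secure_password adds: a digest must be present, and the
  # confirmation, when one was supplied, must equal the password.
  def password_valid?
    return false if password_digest.nil?
    password_confirmation.nil? || password_confirmation == password
  end

  # Stored form is scheme$iterations$salt$hex, so each value is self-describing.
  def self.digest(plain)
    salt = SecureRandom.hex(16)
    "pbkdf2-sha256$#{ITERATIONS}$#{salt}$#{hash_hex(plain, salt, ITERATIONS)}"
  end

  def self.verify(plain, stored)
    _scheme, iterations, salt, hex = stored.split("$", 4)
    secure_equal?(hash_hex(plain, salt, iterations.to_i), hex)
  end

  def self.hash_hex(plain, salt, iterations)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: iterations,
                             length: 32, hash: "sha256").unpack1("H*")
  end

  # Constant-time comparison so a wrong guess cannot be timed byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Plain-Ruby version of the generated User model; no database behind it.
class User
  include SecurePassword
  attr_accessor :name, :email, :reputation
end

# Mirrors the serializer step, but lists only attributes a client may see:
# password_digest is left out on purpose, and the plaintext password is never
# stored, so neither can end up in the JSON response.
class UserSerializer
  ATTRIBUTES = %w[name email reputation].freeze

  def initialize(user)
    @user = user
  end

  def as_json
    ATTRIBUTES.each_with_object({}) { |attr, h| h[attr] = @user.public_send(attr) }
  end

  def to_json
    JSON.generate(as_json)
  end
end

# Replays the console session from the post against the stand-in (sample data
# constructed here) and hands the user back for inspection.
def demo_user
  u = User.new
  u.name = "jeremy"
  u.email = "jeremy@expert.com"
  u.password = "test"
  u
end

if __FILE__ == $PROGRAM_NAME
  u = demo_user
  puts "password_digest: #{u.password_digest}"
  puts "authenticate('abc'): #{u.authenticate('abc').inspect}"
  puts "authenticate('test') returns the user: #{u.authenticate('test').equal?(u)}"
  puts "JSON: #{UserSerializer.new(u).to_json}"
end
```

Running the file prints a fresh salted digest each time, false for the wrong password, true for the check that authenticate handed back the same user object, and a JSON body with only name, email and reputation in it. The serializer deliberately differs from the generator line in step 2, which lists password_digest among the attributes: a serializer that includes that column would hand the stored hash to every client of the home endpoint.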






 





