1
00:00:00,000 --> 00:00:05,000
[Master Class] [Designer and Developer Workflow] [Creating the User Model]

2
00:00:05,000 --> 00:00:08,000
So, we've decided to go with Authlogic for

3
00:00:08,000 --> 00:00:11,000
handling our authentication in our application.

4
00:00:11,000 --> 00:00:14,000
Now, if you're learning this for the first time, it can be a little bit confusing.

5
00:00:14,000 --> 00:00:17,000
The main GitHub repository has a README in it,

6
00:00:17,000 --> 00:00:20,000
which gives a good overview of how it works.

7
00:00:20,000 --> 00:00:24,000
However, the main sort of tutorial and a lot of the documentation

8
00:00:24,000 --> 00:00:26,000
is lying within some of these links.

9
00:00:26,000 --> 00:00:30,000
One of the best ones to look at while you're working is this live example

10
00:00:30,000 --> 00:00:33,000
with tutorial in the README,

11
00:00:33,000 --> 00:00:36,000
and this is a basic example of Authlogic implemented in an app,

12
00:00:36,000 --> 00:00:41,000
but it also has a README with a great step-by-step tutorial

13
00:00:41,000 --> 00:00:43,000
on how to set up your authentication system.

14
00:00:43,000 --> 00:00:48,000
Now, some of the steps here are a little bit out of date in how we generate things,

15
00:00:48,000 --> 00:00:52,000
but one of the tables that we'll be using is this piece of information right here,

16
00:00:52,000 --> 00:00:56,000
which defines some of the behavior that can be implemented simply by adding

17
00:00:56,000 --> 00:00:59,000
fields to our user model.

18
00:00:59,000 --> 00:01:02,000
So, let's just get right to it.

19
00:01:02,000 --> 00:01:05,000
I'm going to open up our code, so I'm just going to jump into our code,

20
00:01:05,000 --> 00:01:10,000
and the first thing I want to do is add Authlogic as a gem in our application.

21
00:01:10,000 --> 00:01:14,000
So, we'll open up our Gemfile.

22
00:01:14,000 --> 00:01:17,000
Here we can see the gems that we're currently using,

23
00:01:17,000 --> 00:01:20,000
and we'll just add another gem for Authlogic.

24
00:01:20,000 --> 00:01:28,000
Then, to install, we'll go into our terminal here and just do "bundle install."

25
00:01:34,000 --> 00:01:42,000
So, we can check to see if Authlogic is installed by typing "rails generate."

26
00:01:42,000 --> 00:01:47,000
Now we can see that Authlogic has installed a generator called "authlogic session."

27
00:01:47,000 --> 00:01:52,000
And we'll be using this in a little bit, but we can see that it is now part of our project.

28
00:01:52,000 --> 00:01:55,000
So, now we have to figure out what it is we're authenticating.

29
00:01:55,000 --> 00:02:00,000
Authlogic is built in such a way that we could actually have multiple sort of channels

30
00:02:00,000 --> 00:02:02,000
of authentication built into our system.

31
00:02:02,000 --> 00:02:07,000
For instance, we could authenticate users or we could authenticate admins

32
00:02:07,000 --> 00:02:10,000
or authenticate really any other type of model that we want to have;

33
00:02:10,000 --> 00:02:14,000
it's just going to be the step of creating a different session

34
00:02:14,000 --> 00:02:17,000
for each type of authentication we want to create.

35
00:02:17,000 --> 00:02:20,000
In our application, we're just creating authentication for users,

36
00:02:20,000 --> 00:02:25,000
so the steps that we need to take are first to define our model of users,

37
00:02:25,000 --> 00:02:30,000
which is going to be a typical Rails model, and we'll want to use a basic scaffolding setup

38
00:02:30,000 --> 00:02:33,000
because we'll want to create users like registering,

39
00:02:33,000 --> 00:02:38,000
and then manage users from the back end, so we'll use a normal Rails scaffold to create that.

40
00:02:38,000 --> 00:02:42,000
And then we'll use the Authlogic generator to create a session for users.

41
00:02:42,000 --> 00:02:46,000
We'll call it a user session, and the user session is what is used

42
00:02:46,000 --> 00:02:50,000
to log in and log out, and we'll see how that works in a moment.

43
00:02:50,000 --> 00:02:52,000
So first, let's go ahead and define our user.

44
00:02:52,000 --> 00:02:55,000
We're going to do this in the normal Rails fashion of creating a scaffold,

45
00:02:55,000 --> 00:03:05,000
so we'll do "rails generate scaffold user,"

46
00:03:05,000 --> 00:03:08,000
and then we can go ahead and define what makes up a user.

47
00:03:08,000 --> 00:03:14,000
So basically, a user will be identified by an email, which is a string,

48
00:03:14,000 --> 00:03:18,000
and will have a name field, which will just be another string field,

49
00:03:18,000 --> 00:03:21,000
and that's all we're going to use.

50
00:03:21,000 --> 00:03:24,000
The reason I'm not going to list off everything right here is because we'll actually

51
00:03:24,000 --> 00:03:30,000
go into the migration and add the fields that we want to add before we actually migrate it.

52
00:03:30,000 --> 00:03:34,000
The email and name are really here for generating the default views

53
00:03:34,000 --> 00:03:39,000
just so that in the list view we'll see an email and name, and in the forms

54
00:03:39,000 --> 00:03:41,000
there will be a name and email field, but there's still work

55
00:03:41,000 --> 00:03:44,000
we're going to have to do in the actual views.

56
00:03:44,000 --> 00:03:49,000
For instance, in our registration or editing fields we'll have to add things like password

57
00:03:49,000 --> 00:03:55,000
and password confirmation, but we'll do that manually instead of relying on our scaffold.

58
00:03:55,000 --> 00:03:59,000
So, let's go ahead and generate this.

59
00:03:59,000 --> 00:04:01,000
So, we've generated our user.

60
00:04:01,000 --> 00:04:04,000
We haven't migrated it into the database,

61
00:04:04,000 --> 00:04:07,000
and that's good because we actually want to go into the migration file

62
00:04:07,000 --> 00:04:11,000
and actually add some fields that are going to be used by Authlogic to

63
00:04:11,000 --> 00:04:15,000
authenticate and keep some stats on our users.

64
00:04:15,000 --> 00:04:23,000
So, we're going to flip over to our code, and the migration file is going to be in db/migrate,

65
00:04:23,000 --> 00:04:25,000
and it's probably going to be the last one down.

66
00:04:25,000 --> 00:04:29,000
It's based on a date stamp, and right now it's a little bit difficult to see,

67
00:04:29,000 --> 00:04:33,000
but you can see it's ultimately called "create_users.rb,"

68
00:04:33,000 --> 00:04:38,000
and that date stamp is going to be different when you create it yourself.

69
00:04:38,000 --> 00:04:40,000
So, here we can see the migration.

70
00:04:40,000 --> 00:04:45,000
Basically, we're creating a table called "users," and it has a string field called "email"

71
00:04:45,000 --> 00:04:48,000
and a string field called "name."

72
00:04:48,000 --> 00:04:52,000
It also defines that the default timestamps that Rails provides should be added.

73
00:04:52,000 --> 00:04:58,000
That is, created_at and updated_at, which are two fields that are populated

74
00:04:58,000 --> 00:05:03,000
when the user is created and when any updates happen to that field.

75
00:05:03,000 --> 00:05:05,000
So, I'm going to do a couple of different things here.

76
00:05:05,000 --> 00:05:09,000
First, I'm going to define that email, we should not allow it to be null.

77
00:05:09,000 --> 00:05:14,000
So, we'll say null is false,

78
00:05:14,000 --> 00:05:16,000
and I want to do the same thing for name as well.

79
00:05:16,000 --> 00:05:18,000
I want to make sure that that's filled in.

80
00:05:18,000 --> 00:05:23,000
We'll also add information in the user model to make sure it's validated,

81
00:05:23,000 --> 00:05:25,000
but for the database as well we want to make sure that

82
00:05:25,000 --> 00:05:30,000
there are no accidental insertions of null values here.

83
00:05:30,000 --> 00:05:35,000
Now, it's at this point that that example project's documentation comes in handy.

84
00:05:35,000 --> 00:05:39,000
So, if we flip over to our browser and we take a look at the database fields here,

85
00:05:39,000 --> 00:05:43,000
we can see that there are a few that we're going to definitely want to add,

86
00:05:43,000 --> 00:05:48,000
and a few magic columns that track some different stats about our users.

87
00:05:48,000 --> 00:05:51,000
Now, we're not going to use login because we're going to log in with email addresses,

88
00:05:51,000 --> 00:05:53,000
so we're not going to be adding this field.

89
00:05:53,000 --> 00:05:57,000
We have our email here, so that's already done.

90
00:05:57,000 --> 00:06:00,000
And the next field we want to add is crypted password,

91
00:06:00,000 --> 00:06:05,000
and crypted password is actually where we're going to be storing our password

92
00:06:05,000 --> 00:06:09,000
for our users, but instead of storing the password in plain text,

93
00:06:09,000 --> 00:06:13,000
what Authlogic will do is it will hash the password or encrypt it

94
00:06:13,000 --> 00:06:17,000
so that it can be safely stored in the database, and when somebody logs in,

95
00:06:17,000 --> 00:06:21,000
they will do the same operation to the password that they're submitting

96
00:06:21,000 --> 00:06:26,000
and then compare the crypted password versus the crypted submitted password.

97
00:06:26,000 --> 00:06:29,000
Now, all this is done transparently, but this is the good practice

98
00:06:29,000 --> 00:06:32,000
you want to use when creating a system.

99
00:06:32,000 --> 00:06:35,000
You definitely never want to store a plain text password.

100
00:06:35,000 --> 00:06:40,000
In the next field below it, the password salt is another protection for the password.

101
00:06:40,000 --> 00:06:44,000
The algorithms to create the crypted password are pretty solid.

102
00:06:44,000 --> 00:06:48,000
However, people have created tables of common passwords

103
00:06:48,000 --> 00:06:50,000
to their encrypted equivalents.

104
00:06:50,000 --> 00:06:53,000
So, what the salt is, is a little bit of random information

105
00:06:53,000 --> 00:06:57,000
that makes sure that the crypted password is different than if you were to have

106
00:06:57,000 --> 00:07:00,000
just encrypted the password itself.

107
00:07:00,000 --> 00:07:03,000
So, combining the salt and the password together, then encrypting it

108
00:07:03,000 --> 00:07:08,000
will result in a completely different result, which will make it harder for an attacker

109
00:07:08,000 --> 00:07:12,000
who has the crypted password to figure out what the original password is.

110
00:07:12,000 --> 00:07:15,000
Again, all of this is handled by Authlogic, so you don't have to worry about

111
00:07:15,000 --> 00:07:17,000
doing any of the algorithms.

112
00:07:17,000 --> 00:07:22,000
All we need to do is add the crypted password and password salt fields.

113
00:07:22,000 --> 00:07:25,000
So, we can actually just copy that.

114
00:07:25,000 --> 00:07:28,000
And let's just add it in there.

115
00:07:28,000 --> 00:07:32,000
And I'm going to go ahead and just remove those comments.

116
00:07:32,000 --> 00:07:36,000
So now, we're going to be using a password-based authentication system.

117
00:07:36,000 --> 00:07:39,000
Let's take a look at some of the other columns.

118
00:07:39,000 --> 00:07:43,000
Now, the persistence token is something that is required.

119
00:07:43,000 --> 00:07:48,000
Basically, this token is what is going to be stored in the cookie for the user

120
00:07:48,000 --> 00:07:50,000
saying which user is logged in.

121
00:07:50,000 --> 00:07:53,000
Basically, when somebody logs in with their user name and password,

122
00:07:53,000 --> 00:07:57,000
a persistence token will be generated and will be stored

123
00:07:57,000 --> 00:08:02,000
under that user's database row, and that token will also appear in their cookie,

124
00:08:02,000 --> 00:08:06,000
and so whenever somebody requests, they'll send their persistence token

125
00:08:06,000 --> 00:08:10,000
and Rails will be able to figure out which user is requesting this.

126
00:08:10,000 --> 00:08:15,000
Now, we use a persistence token instead of something like a user id

127
00:08:15,000 --> 00:08:18,000
because that persistence token will be something that the user

128
00:08:18,000 --> 00:08:22,000
could change on their end, and we don't want to make it simply an id

129
00:08:22,000 --> 00:08:27,000
that they could change and be logged in as somebody else.

130
00:08:27,000 --> 00:08:30,000
So, having a persistence token is what we're going to need,

131
00:08:30,000 --> 00:08:33,000
and it's required in order to be able to stay logged in.

132
00:08:33,000 --> 00:08:39,000
So, the next field we'll add is our persistence token.

133
00:08:39,000 --> 00:08:43,000
So, then there are fields called single access token and perishable token,

134
00:08:43,000 --> 00:08:48,000
which are different ways that we can log in, giving them a token in order to, for instance,

135
00:08:48,000 --> 00:08:53,000
change their password or a simple way to log in once.

136
00:08:53,000 --> 00:08:56,000
We can add these in; there's no problem for doing that.

137
00:08:56,000 --> 00:09:02,000
And I'm going to add them in, though I don't know for sure if I'm going to end up using them.

138
00:09:02,000 --> 00:09:09,000
But simply by adding them in, we add the functionality in order to utilize them.

139
00:09:09,000 --> 00:09:13,000
So, then we have some magic columns, and these are columns a lot like

140
00:09:13,000 --> 00:09:17,000
the created_at and updated_at fields where, if they exist in the database,

141
00:09:17,000 --> 00:09:23,000
Rails, or in this case Authlogic, will populate them with information that you want.

142
00:09:23,000 --> 00:09:27,000
So, if we have an integer field called login count, it will update that login count

143
00:09:27,000 --> 00:09:31,000
every time that they log in, as well as the failed login count,

144
00:09:31,000 --> 00:09:35,000
and it will save the last time that the user made a request.

145
00:09:35,000 --> 00:09:40,000
We can also save the time that they currently logged in and the last time they logged in,

146
00:09:40,000 --> 00:09:43,000
as well as the current login IP and last login IP.

147
00:09:43,000 --> 00:09:47,000
So, for instance, if you wanted to show the user the IP they're logged into

148
00:09:47,000 --> 00:09:52,000
versus their last login IP in order to perhaps tell them that they were accessed

149
00:09:52,000 --> 00:09:56,000
from a weird IP across the world, you could use these fields.

150
00:09:56,000 --> 00:10:00,000
And these are also just useful for your own information.

151
00:10:00,000 --> 00:10:03,000
So, what I'm going to do is just add all of these columns because I want to have

152
00:10:03,000 --> 00:10:06,000
all that information for me.

153
00:10:06,000 --> 00:10:09,000
There's no harm in not having them, but they're sort of free,

154
00:10:09,000 --> 00:10:15,000
so let's go ahead and just add them in.

155
00:10:15,000 --> 00:10:21,000
So now, our user field has our email and name, which are really public information

156
00:10:21,000 --> 00:10:25,000
about the user and what we're going to be editing, and it also has our crypted password

157
00:10:25,000 --> 00:10:30,000
and password salt, which manage the actual password and storing it safely,

158
00:10:30,000 --> 00:10:34,000
and the persistence token, which is what actually keeps somebody logged in.

159
00:10:34,000 --> 00:10:37,000
Then we have some nice fields like single access token and perishable token,

160
00:10:37,000 --> 00:10:40,000
which allow us to enable the user to access their account

161
00:10:40,000 --> 00:10:43,000
in different ways using these tokens.

162
00:10:43,000 --> 00:10:48,000
And then we have our extra magic information that we can use for our own data mining

163
00:10:48,000 --> 00:10:51,000
or even giving more information to the user.

164
00:10:51,000 --> 00:10:54,000
So, now that we have our migration all configured, let's go ahead

165
00:10:54,000 --> 00:11:03,000
and run our database migration by running "rake db:migrate."

166
00:11:03,000 --> 00:11:06,000
And this just saw our new migration for creating users,

167
00:11:06,000 --> 00:11:12,000
and now we have our table of users, and based on this and the scaffold we've generated,

168
00:11:12,000 --> 00:11:17,000
we should actually be able to go to our application of Easy Jobs,

169
00:11:17,000 --> 00:11:23,000
switch out jobs and go to /users, and we can see our listing of users,

170
00:11:23,000 --> 00:11:27,000
and this is the default scaffolding, so there's no real style applied to it.

171
00:11:27,000 --> 00:11:31,000
So, if we clicked on "new user" we could add a new user.

172
00:11:31,000 --> 00:11:36,000
However, right now it's just an email and a name and no password or anything,

173
00:11:36,000 --> 00:11:42,000
so the next step is to update this new form to take a password and a password confirmation

174
00:11:42,000 --> 00:11:45,000
so we can actually create the user with their password.