Ok, on to part 2 of this subject. Since I covered initialization in the last post, I will mainly be revisiting sessions, authentication and authorization. Since I do have an adminsitrative portion to this site (however basic it may be at the moment), I want to add some level of protection to it.
The first thing I would want to do is create some table that holds administrator information (for authentication purposes). So I create a table with id, username and password using the following SQL:
CREATE TABLE `administrators` (
`id` int(11) NOT NULL auto_increment,
`username` varchar(20) NOT NULL default '',
`password` varchar(255) NOT NULL default '',
PRIMARY KEY (`id`),
UNIQUE KEY `username` (`username`)
);
So with my table created, and my model in place its time to setup a login page (at this point I have also entered some username and password in the table). My login page is relatively simple, it simply contains a form that submits to the admin controller with the username and password I provide. Sparing the HTML details, my login page looks like so:
<%= start_form_tag :action => "authorized?" %>
<%= text_field 'login' , 'username' %>
<%= password_field 'login', 'password' %>
... submit tag, end form tag
Essentially the login page has a form whose target is the 'authorized?' method in my admin controller (the controller my login method is part of). So I should be able to submit my username and password and then have my authorized? method check to see if I am indeed a valid user. If I am, then it should forward me on to the other admin pages (which means my authorized? method needs no corresponding view, since it is simply a gateway to the rest). So what is in my authorized? method:
def authorized?
if Administrator.authenticate(params[:login][:username], params[:login][:password])
session[:admin] = params[:login][:username]
redirect_to :action => "index"
else
flash[:notice] = 'Incorrect Username or Password not Authenticated'
redirect_to :action => "login"
end
end
Since I have my Administrator model (corresponding to my database table), I decided to pass the username and password to it for validation. My model has a simple find(:first, :conditions => [ "username = ? AND password = ?", username, password ]) statement. (Why are the question marks there? that is a RoR feature that escapes the incoming data to prevent the dreaded SQL injection attack!).
If the model finds a row it returns it, thus proving the if to be true which redirects the user to the index method of the admin controller (allowing them to see the secret information). However, if it does not return a row, then the authorized? method stores a message in flash[:message] and redirects back to the login page. Well, everything looks great, users are being authorized before they can see the admin panel. But wait, there is just one problem with this setup:
Anyone can skip the login page and go straight to any other page without reprecussion!
So here comes the really fun part, and one that gave me a bit of trouble (95% caused by my one little oversight, which I will share with you shortly).
Sessions! The way to deal with this in the stateless world of the web is store some data on the server (in my case in a database table) and match it with some cookie you gave the remote machine. Well in the above authenticated? method I had a line that says "session[:admin] ...". That instruction tells Ruby on Rails to store the following information in the always available session variable. So I am already half way there. To enforce that sessions are being checked you need to do two things:
- Have some method for checking if the session data exists.
- Enforce that method across the other methods/controllers that need protecting
First let us create the method that checks for the session variables, then I'll show you the one-liner that will call it before any action (as you see fit). I decided to call this function 'authenticate' and to throw a simple but effective check in there:
unless session[:admin]
redirect_to :action => "login"
flash[:notice] = 'Session not Active'
return false
Pretty simple, right? If the session isn't there then it quickly redirects the user to the login page, with a nice little message. So here comes the one-liner to call this method each time:
before_filter :authenticate, :except => :login
So, before Rails does anything it is instructed to check the authenticate method for a session (excluding the :login method). Well that's it! You now should have a working authentication system. ..what's that? oh,.. thats right, I was supposed to tell you where I got hung up - and if you tried out the code above you would have experienced the same oversight I had.
Don't forget to :except => [:login, :authorized?]
I wasted several hours wondering why it was authorizing but not authenticating my session - it would have helped if I let it set the session in the authorized? method before I checked for it~!
Thats it for today, next I will post on adding additional security built into this extremely basic authentication system (which has it's flaws). Until then, Happy Coding! =)