Basics of Rails Password Protection
EmilyFernschild
Posted on November 18, 2022
In this blog, we will be using bcrypt for authentication in our rails backend. Password protection can be an extensive topic but I am going to keep this to just the 'need to know stuff' for now. Hopefully this will help you be able to implement authentication in your own project!
What is Authentication?
Authentication in simple terms is a way of verifying who you are. I often mix up authentication and authorization:
Authentication is a confirmation of user identity, while authorization determines whether you can access a particular resource [1]. Hopefully this quick definition of both will help you not mix them up like I do! Getting your authentication working properly is important for authorization later, because the two rely on each other.
Basics of bcrypt
Important concepts to know about how bcrypt works are that it uses hashing and salting to protect passwords. The hashing algorithm turns a plain-text password into a jumble of letters and numbers. A key aspect of this is that a hash can't be turned back into the plain text once it has been computed. Salting is an added layer on top of hashing: a random salt is mixed in so that every password gets its own unique jumble, even when two users pick the same password. The combination of hashing and salting each password ensures that each stored password is very secure.
Three Main Steps
1) The first step is to add the bcrypt gem to your Gemfile (new Rails apps ship with this line commented out) and then run bundle install in your terminal:
  # Gemfile
  gem "bcrypt"
2) In your Users table, the column that stores the password must be named 'password_digest'. ⭐ Note: only use 'password_digest' here and use just password everywhere else (including in your frontend!).
  # schema.rb
  create_table "users", force: :cascade do |t|
    t.string "first_name"
    t.string "last_name"
    t.string "username"
    t.string "password_digest"
    t.datetime "created_at", precision: 6, null: false
    t.datetime "updated_at", precision: 6, null: false
  end
3) In your model, in our case our User model, include the macro 'has_secure_password'.
  class User < ApplicationRecord
    has_secure_password
    # the rest of your model
  end
Example of use in a Login
After you do these steps, you can write something like this for a login feature in your application:
  class SessionsController < ApplicationController
    skip_before_action :authorize, only: :create

    # for the login feature
    def create
      user = User.find_by(username: params[:username])
      if user&.authenticate(params[:password])
        session[:user_id] = user.id
        render json: user
      else
        render json: { errors: ["Invalid username or password"] }, status: :unauthorized
      end
    end
  end
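To make the hashing-and-salting idea and the authenticate call concrete, here is an added example that is not part of the original post and not Rails or bcrypt code. It re-creates a stripped-down has_secure_password: a per-password random salt, a one-way digest, constant-time verification, and the same authenticate contract the controller above relies on. PBKDF2-HMAC-SHA256 from Ruby's OpenSSL standard library stands in for bcrypt so it runs without the gem; the User class, the login helper and the sample credentials are constructed for the demo.

```ruby
require "openssl"
require "securerandom"

# Stand-in for what bcrypt does behind has_secure_password (demo only; keep bcrypt in real apps).
module SecurePasswordDemo
  ITERATIONS = 100_000
  KEY_LEN = 32

  # Salted, one-way digest. A fresh random salt per call means two users with the
  # same password still end up with different digests.
  def self.digest(password, salt = SecureRandom.hex(16))
    hash = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                                    length: KEY_LEN, hash: "sha256")
    [ITERATIONS, salt, hash.unpack1("H*")].join("$")
  end

  # Recompute with the stored salt and compare byte by byte without early exit,
  # so timing does not leak how many leading bytes matched. The plain text is never recovered.
  def self.verify(password, stored_digest)
    iterations, salt, hex = stored_digest.split("$", 3)
    candidate = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                         length: KEY_LEN, hash: "sha256")
    expected = [hex].pack("H*")
    return false unless candidate.bytesize == expected.bytesize
    candidate.bytes.zip(expected.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Minimal User using the column name the post insists on: password_digest.
class User
  attr_reader :username, :password_digest

  def initialize(username, password)
    @username = username
    @password_digest = SecurePasswordDemo.digest(password)
  end

  # Same contract as has_secure_password's authenticate: the user on success, false otherwise.
  def authenticate(password)
    SecurePasswordDemo.verify(password, password_digest) ? self : false
  end
end

# Mirrors SessionsController#create: find_by may return nil, and `user&.authenticate`
# turns both "no such user" and "wrong password" into the same unauthorized branch.
def login(users, username, password)
  user = users.find { |u| u.username == username }
  user&.authenticate(password) ? :ok : :unauthorized
end
```

Note that a missing username and a wrong password produce the same result, which is why the controller's single "Invalid username or password" message is the right level of detail to return.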
Conclusion
These are the three steps to get your passwords protected. I hope this helped clear up any confusion you may have had about protecting passwords! If you missed it, here is the link to bcrypt!
Resources:
[1] D. Mamla, “Authentication and authorization in rails tutorial,” Nopio, 10-May-2021. [Online].