Basics of Rails Password Protection

emilyfernschild

EmilyFernschild

Posted on November 18, 2022

Basics of Rails Password Protection

In this blog, we will be using bcrypt for authentication in our rails backend. Password protection can be an extensive topic but I am going to keep this to just the 'need to know stuff' for now. Hopefully this will help you be able to implement authentication in your own project!

What is Authentication?

Authentication in simple terms is a way of verifying who you are. I often mix up authentication and authorization:

Authentication is a confirmation of user identity, while authorization determines whether you can access a particular resource [1].
Hopefully this quick definition of both will help you not mix them up like me! Having your authentication work properly is important for authorization later, they rely on each other.

Basics of bcrypt

Important concepts to know about how bycrpt works is that it uses hashing and salt algorithms to encrypt passwords for protection. The hashing algorithm turns plain text passwords into a jumble of letters and numbers. A key aspect of this is that they can't be turned back into plain text after they have been hashed. Salting is an added layer on top of hashing that creates a more unique jumble of letters and numbers for every password. The combination of hashing and salting each password ensures that each encrypted password is very secure.

Three Main Steps

1) The first step is to add the bcrypt gem to your Gemfile.

gem install bcrypt
Enter fullscreen mode Exit fullscreen mode

2) In your Users table, the key word to have as your password column is 'password_digest'. ⭐ Note: only use 'password_digest' here and use just password everywhere else (including in your frontend!).

//schema.rb
 create_table "users", force: :cascade do |t|
    t.string "first_name"
    t.string "last_name"
    t.string "username"
    t.string "password_digest"
    t.datetime "created_at", precision: 6, null: false
    t.datetime "updated_at", precision: 6, null: false
 end
Enter fullscreen mode Exit fullscreen mode

3) In your model, in our case our User model, include the macro 'has_secure_password'.

class User < ApplicationRecord
  has_secure_password
  //the rest of your model 
end
Enter fullscreen mode Exit fullscreen mode

Example of use in a Login

after you do these step you can write something like this for a login feature on your application:

class SessionsController < ApplicationController
    skip_before_action :authorize, only: :create
    // for login feat
    def create
      user = User.find_by(username: params[:username])
      if user&.authenticate(params[:password])
        session[:user_id] = user.id
        render json: user
      else
        render json: { errors: ["Invalid username or password"] }, status: :unauthorized
      end
    end
end
Enter fullscreen mode Exit fullscreen mode

Conclusion

These are the three steps to get your passwords protected. I hoped this helped in clearing up any confusion you may have had about encrypting passwords! If you missed it, here is the link to bcrypt!

Resources:
[1] D. Mamla, “Authentication and authorization in rails tutorial,” Nopio, 10-May-2021. [Online].

💖 💪 🙅 🚩
emilyfernschild
EmilyFernschild

Posted on November 18, 2022

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related