-rw-r--r-- | app/helpers/sessions_helper.rb | 6 | ||||
-rw-r--r-- | app/models/user.rb | 30 | ||||
-rw-r--r-- | app/views/layouts/application.html.erb | 7 |
3 files changed, 35 insertions, 8 deletions
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index 20010c8..046ca6f 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -12,11 +12,15 @@ module SessionsHelper
 self.current_user = user
 end
-#method creating for self.current_user
+# The curret_user=(user) is the conversion of self.current_user = user
 def current_user=(user)
 @current_user = user
 end
+# sets the @current_user instance virable to the user corresponding
+# to the remember token, but only if @current_user is undefined
+# since the remember token is hashed, we need to hash the cookie
+# to find match the remember token
 def current_user
 remember_token = User.hash(cookies[:remember_token])
 @current_user ||= User.find_by(remember_token: remember_token)
diff --git a/app/models/user.rb b/app/models/user.rb
index f302baf..53ccdaf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,12 +81,36 @@ has_secure_password which does all of this for me
 validates :password, length: { minimum: 6 }
- # create a random remember token for the user
+=begin
+
+ Create a random remember token for the user. This will be
+ changed every time the user creates a new session.
+
+ By changing the cookie every new session, any hijacked sessions
+ (where the attacker steals a cookie to sign in as a certain
+ user) will expire the next time the user signs back in.
+
+ The random string is of length 16 composed of A-Z, a-z, 0-9
+ This is the browser's cookie value.
+
+=end
+
 def User.new_remember_token
 SecureRandom.urlsafe_base64
 end
-
- # encrypt the remember token
+
+=begin
+
+ Encrypt the remember token.
+ This is the encrypted version of the cookie stored on
+ the database.
+
+ The reasoning for storing a hashed token is so that even if
+ the database is compromised, the atacker won't be able to use
+ the remember tokens to sign in.
+
+=end
+
 def User.hash(token)
 Digest::SHA1.hexdigest(token.to_s)
 end
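Review bot: `current_user` performs the hash and the database lookup even when no `remember_token` cookie is present, because `User.hash(nil)` turns the nil into `""` via `token.to_s` and returns the SHA1 of the empty string, so every request from a signed-out visitor runs `User.find_by` against that fixed digest; and since `||=` never caches a nil result, the query is repeated on each call within the request. A guard before the lookup avoids both: `token = cookies[:remember_token]` / `return @current_user unless token` / `@current_user ||= User.find_by(remember_token: User.hash(token))`. The new comment above the method also has typos that should be fixed in the same pass: `curret_user` → `current_user`, `virable` → `variable`, and `to find match the remember token` → `to find the matching remember token`. The body of `current_user` continues past the end of the hunk.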
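Review bot: The new block comment documents `User.hash(token)` (the unchanged context line near the bottom of the hunk) without noting that defining it replaces the `hash` singleton method every class inherits from `Object#hash`; with a required `token` parameter, `User.hash` with no argument now raises ArgumentError, which matters wherever the class itself is used as a Hash or Set key, so renaming the method to something like `User.digest(token)` and updating the call in `sessions_helper.rb` is the safer course. The first comment is also inaccurate about the token format: `SecureRandom.urlsafe_base64` with no argument produces 16 random bytes rendered as a 22-character string whose alphabet is A-Z, a-z, 0-9, `-` and `_`, so `The random string is of length 16 composed of A-Z, a-z, 0-9` should read `The token is 16 random bytes encoded as a 22-character URL-safe base64 string (A-Z, a-z, 0-9, - and _)`. Spelling: `atacker` → `attacker`. As a style point, `#` line comments are the conventional form for method documentation in Ruby rather than `=begin`/`=end` blocks.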
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 071c86b..b36c0c5 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -19,6 +19,9 @@
 <%= submit_tag("Go", {:class => "btn btn-warning"}) %>
 <% end %>
 </div>
+ <% if signed_in? %>
+ <li> <%= current_user.user_name.upcase %> </li>
+ <% end %>
 <li>
 <%= if signed_in? do %>
 <%= link_to "Sign out", signout_path, method: "delete" %>
@@ -27,10 +30,6 @@
 </header>
 </div>
- <% if signed_in? %>
- <li> <%= current_user.user_name %> </li>
- <% end %>
-
 <div class="container">
 <%= yield %>
 </div>
|
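Review bot: The added `<li>` calls `current_user.user_name.upcase`, which raises NoMethodError when `user_name` is nil; whether the model guarantees presence is not visible from this hunk, so either use `<%= current_user.user_name.to_s.upcase %>` or, since upper-casing is presentation, keep the plain `current_user.user_name` the old line used and apply `text-transform: uppercase` in CSS. The `<%=` tag HTML-escapes the name on output, so no escaping change is needed. Whether the new `<li>` now sits inside a `<ul>` cannot be confirmed from the visible context lines; the second hunk, which only removes the old placement, needs nothing further.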