From e6b2993ad072d0cad2e52997c7957aae0a03415c Mon Sep 17 00:00:00 2001 From: DavisLWebb Date: Sun, 2 Mar 2014 20:06:40 -0500 Subject: I changed the user controller --- app/models/user.rb | 1 + 1 file changed, 1 insertion(+) (limited to 'app/models/user.rb') diff --git a/app/models/user.rb b/app/models/user.rb index 6765822..f302baf 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -7,6 +7,7 @@ before_save { self.user_name = user_name.downcase } Rails looks for the create_remember_token and runs it before anything else + =end before_create :create_remember_token -- cgit v1.2.3-2-g168b From 3425bfd0f56495b7d8d9f86ac740fcf90f0fbfdb Mon Sep 17 00:00:00 2001 From: DavisLWebb Date: Mon, 3 Mar 2014 13:52:38 -0500 Subject: I added a lot of documentation to user.rb --- app/models/user.rb | 30 +++++++++++++++++++++++++++--- 1 file changed, 27 insertions(+), 3 deletions(-) (limited to 'app/models/user.rb') diff --git a/app/models/user.rb b/app/models/user.rb index f302baf..53ccdaf 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
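Review bot: The comment `Rails looks for the create_remember_token and runs it before anything else` overstates when the callback fires: `before_create` runs only on the first INSERT of the row, and after the `before_save` block on line 7 that downcases `user_name`. Nothing in this model rotates the token afterwards, so if each sign-in is meant to issue a fresh token that has to happen in the session code — confirm that, and say so here rather than leave it implied. I'd reword to `Rails runs create_remember_token once, just before a new user row is inserted (after before_save); per-sign-in rotation, if any, is done outside the model`. The added `=end` closes a `=begin` block whose start is outside the hunk.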
@@ -81,12 +81,36 @@ has_secure_password which does all of this for me validates :password, length: { minimum: 6 } - # create a random remember token for the user +=begin + + Create a random remember token for the user. This will be + changed every time the user creates a new session. + + By changing the cookie every new session, any hijacked sessions + (where the attacker steals a cookie to sign in as a certain + user) will expire the next time the user signs back in. + + The random string is of length 16 composed of A-Z, a-z, 0-9 + This is the browser's cookie value. + +=end + def User.new_remember_token SecureRandom.urlsafe_base64 end - - # encrypt the remember token + +=begin + + Encrypt the remember token. + This is the encrypted version of the cookie stored on + the database. + + The reasoning for storing a hashed token is so that even if + the database is compromised, the atacker won't be able to use + the remember tokens to sign in. + +=end + def User.hash(token) Digest::SHA1.hexdigest(token.to_s) end -- cgit v1.2.3-2-g168b From c6560f77a771f38b1425250c14d35c9af9291255 Mon Sep 17 00:00:00 2001 From: DavisLWebb Date: Mon, 3 Mar 2014 13:55:47 -0500 Subject: DOCUMENTATION FOR USER.RB --- app/models/user.rb | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'app/models/user.rb') diff --git a/app/models/user.rb b/app/models/user.rb index 53ccdaf..04cb87d 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -128,11 +128,13 @@ https://en.wikipedia.org/wiki/SHA-1 =end - # everything under private is hidden so you cannot call - # create_remember_token in order to ensure security + # Everything under private is hidden so you cannot call private - #assign user a create remember token + # Create_remember_token in order to ensure a user always has + # a remember token. + + # Assign user a create remember token def create_remember_token self.remember_token = User.hash(User.new_remember_token) end -- cgit v1.2.3-2-g168b 
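Review bot: The new doc block for `User.new_remember_token` misdescribes the value: `SecureRandom.urlsafe_base64` with no argument draws 16 random bytes and returns a 22-character string over `A-Z a-z 0-9 - _` (URL-safe base64, unpadded), not a 16-character alphanumeric string, which matters if anything downstream validates or sizes the cookie. The header `Encrypt the remember token` on `User.hash` is also wrong — `Digest::SHA1.hexdigest` is a keyless one-way hash, and the same block goes on to say "hashed"; write `Hash the remember token` and add the caveat that a fast unsalted hash is acceptable here only because the input is 128 bits of CSPRNG output, unlike a user-chosen password. Separately, naming the class method `hash` shadows `Object#hash` on the `User` class object, so using `User` as a Hash key or `Set` member calls this one-argument method with no arguments and raises `ArgumentError`; a name like `digest` avoids that, though renaming touches callers outside this hunk. The claim that the token changes on every new session is not established by anything visible in this file and should be hedged or point at the session helper that does it.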
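Review bot: The reworded comment around `private` is now split in two: `Everything under private is hidden so you cannot call` stops mid-sentence above the keyword, and `Create_remember_token in order to ensure a user always has a remember token` is its orphaned tail below it. `private` is also not a security control — it only forbids calls with an explicit receiver from other Ruby code; `before_create` still invokes the method and nothing about the keyword protects against an attacker. I'd replace both halves with one line above `private`: `# Private: callable only without an explicit receiver (here via the before_create callback); not an authorization boundary.` Note too that `create_remember_token` stores only `User.hash(...)` and discards the plaintext, so the value written at creation can never match any cookie — if the session code later issues the real token, document this as a non-nil placeholder rather than as the working token.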
From 39e0c9ca280d16817eb8d7683d80788f2544ae5f Mon Sep 17 00:00:00 2001 From: DavisLWebb Date: Mon, 3 Mar 2014 14:01:55 -0500 Subject: More documentation changes --- app/models/user.rb | 49 +++++++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 22 deletions(-) (limited to 'app/models/user.rb') diff --git a/app/models/user.rb b/app/models/user.rb index 04cb87d..55a7da0 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -5,8 +5,11 @@ before_save { self.user_name = user_name.downcase } =begin -Rails looks for the create_remember_token -and runs it before anything else +Rails looks for the create_remember_token and runs the method +before anything else. + +This method cannot be called by a user since it is denoted +as private. =end @@ -18,17 +21,17 @@ VAILD_EMAIL is the regex used to valid a user given email. A break down of the regex is listed below. -/ -----------> Start of the regex -\A ----------> match start of a string -[\w+\-.]+ ---> at least one owrd character, plus, hyphen, or - dot -@ -----------> literal ampersand -[a-z\d\-.]+ -> at least one letter, digit, hyphen, or dot -(?:\.[a-z]+) > ensures that the error of example@foo..com - does not occur -\z ----------> match end of a string -/ -----------> end of the regex -i -----------> case sensative +/ -------------> Start of the regex +\A ------------> match start of a string +[\w+\-.]+ -----> at least one owrd character, plus, hyphen, or + dot +@ -------------> literal ampersand +[a-z\d\-.]+ ---> at least one letter, digit, hyphen, or dot +(?:\.[a-z]+) --> ensures that the error of example@foo..com + does not occur +\z ------------> match end of a string +/ -------------> end of the regex +i -------------> case sensative =end 
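Review bot: The added sentence `This method cannot be called by a user since it is denoted as private.` conflates Ruby method visibility with application users: `private` only stops calls with an explicit receiver from other Ruby code and says nothing about what an end user or attacker can do over HTTP. The rewritten first sentence also keeps the ordering claim — `before_create` runs after the `before_save` block at line 7, not `before anything else`, and only when the row is first inserted. Suggested wording: `Runs once, just before a new user row is inserted (after before_save). Private, so it is reachable only through the callback, not by explicit call.`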
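Review bot: The re-aligned regex breakdown carries over three wrong descriptions, which matter because this comment is what the next maintainer will trust about email validation: `@` is an at sign, not a `literal ampersand`; the `i` flag makes the match case-insensitive, not `case sensative`; and `(?:\.[a-z]+)` does not stop `example@foo..com` — with `.` admitted inside `[a-z\d\-.]+`, `foo.` matches the domain part and `\.com` the suffix, so the address passes. If the constant follows this breakdown (it is outside the hunk), rejecting consecutive dots needs a domain pattern without `.` in the class, e.g. `[a-z\d\-]+(\.[a-z\d\-]+)*\.[a-z]+`. Also `owrd` should read `word`. Either fix the regex or reword the `(?:\.[a-z]+)` line to `requires a final dot-separated alphabetic label`.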
@@ -73,7 +76,7 @@ attributes, requiring the presence of a password, requirin that pw and pw_com match, and add an authenticate method to compare an encrypted password to the password_digest to authenticate users, I can just add -has_secure_password which does all of this for me +has_secure_password which does all of this for me. =end @@ -128,25 +131,27 @@ https://en.wikipedia.org/wiki/SHA-1 =end - # Everything under private is hidden so you cannot call + # Everything under private is hidden so you cannot call. private - - # Create_remember_token in order to ensure a user always has - # a remember token. - # Assign user a create remember token +=begin + + Create_remember_token in order to ensure a user always has + a remember token. + +=end def create_remember_token self.remember_token = User.hash(User.new_remember_token) end =begin -in order to ensure that someone did not accidently submit +In order to ensure that someone did not accidently submit two accounts rapidly (which would throw off the validates -for user_name and email) I added an index to the Users +for user_name and email), I added an index to the Users email and user_name in the database to ensure uniqueness This also gives and index to the user_name and email -so finding a unique user SHOULD be easier +so finding a user SHOULD be easier for the database. =end -- cgit v1.2.3-2-g168b
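Review bot: The split comment around `private` survives this rewrite — `Everything under private is hidden so you cannot call.` still ends mid-thought above the keyword, with `Create_remember_token in order to ensure a user always has a remember token.` as its tail in the new `=begin` block; merge them into one note above `private`, e.g. `# Private: callable only without an explicit receiver (via the before_create callback); not an authorization boundary.` The index comment gets the motivation slightly wrong: the problem isn't someone "accidentally" submitting twice, it's that a uniqueness validation is checked in Ruby before the INSERT, so two concurrent requests can both pass validation and both insert; the unique DB index is the only real guarantee and that should be stated plainly. It also only helps if the stored case is canonical — `user_name` is downcased in `before_save`, but I can't see the same done for email here; if it isn't, `Foo@x.com` and `foo@x.com` would coexist under a case-sensitive index. Confirm against the migration, which is outside this diff.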