From 3425bfd0f56495b7d8d9f86ac740fcf90f0fbfdb Mon Sep 17 00:00:00 2001
From: DavisLWebb
Date: Mon, 3 Mar 2014 13:52:38 -0500
Subject: I added a lot of documentation to user.rb
---
 app/helpers/sessions_helper.rb | 6 +++++-
 app/models/user.rb | 30 +++++++++++++++++++++++++++---
 app/views/layouts/application.html.erb | 7 +++----
 3 files changed, 35 insertions(+), 8 deletions(-)
(limited to 'app')
diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index 20010c8..046ca6f 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -12,11 +12,15 @@ module SessionsHelper
 self.current_user = user
 end
-#method creating for self.current_user
+# The curret_user=(user) is the conversion of self.current_user = user
 def current_user=(user)
 @current_user = user
 end
+# sets the @current_user instance virable to the user corresponding
+# to the remember token, but only if @current_user is undefined
+# since the remember token is hashed, we need to hash the cookie
+# to find match the remember token
 def current_user
 remember_token = User.hash(cookies[:remember_token])
 @current_user ||= User.find_by(remember_token: remember_token)
diff --git a/app/models/user.rb b/app/models/user.rb
index f302baf..53ccdaf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
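Review bot: The lookup on the hunk's last line runs even when no remember_token cookie is present: `User.hash(nil)` digests the empty string and `find_by` issues a query for that digest on every call from an anonymous request, and it would match any row whose stored token happened to equal that digest. Returning early when the cookie is blank avoids both the query and that edge, and moving the digest inside the memoized assignment stops it being recomputed once `@current_user` is already set. The new comment also carries typos worth fixing while here: `curret_user` → `current_user`, `virable` → `variable`, `to find match` → `to find a match`. The method's closing `end` lies outside the hunk.
```ruby
def current_user
  return @current_user if @current_user

  token = cookies[:remember_token]
  return nil if token.blank?

  @current_user = User.find_by(remember_token: User.hash(token))
  # … unchanged: closing end (outside the hunk) …
```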
@@ -81,12 +81,36 @@ has_secure_password which does all of this for me
 validates :password, length: { minimum: 6 }
- # create a random remember token for the user
+=begin
+
+ Create a random remember token for the user. This will be
+ changed every time the user creates a new session.
+
+ By changing the cookie every new session, any hijacked sessions
+ (where the attacker steals a cookie to sign in as a certain
+ user) will expire the next time the user signs back in.
+
+ The random string is of length 16 composed of A-Z, a-z, 0-9
+ This is the browser's cookie value.
+
+=end
+
 def User.new_remember_token
 SecureRandom.urlsafe_base64
 end
-
- # encrypt the remember token
+
+=begin
+
+ Encrypt the remember token.
+ This is the encrypted version of the cookie stored on
+ the database.
+
+ The reasoning for storing a hashed token is so that even if
+ the database is compromised, the atacker won't be able to use
+ the remember tokens to sign in.
+
+=end
+
 def User.hash(token)
 Digest::SHA1.hexdigest(token.to_s)
 end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 92fce3d..67848f6 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -19,16 +19,15 @@
 <%= submit_tag("Go", {:class => "btn btn-warning"}) %>
 <% end %>
+ <% if signed_in? %>
+
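Review bot: The new `=begin` block over `User.new_remember_token` misstates the token format: `SecureRandom.urlsafe_base64` with no argument draws 16 random bytes and returns a 22-character string over A-Z, a-z, 0-9, `-` and `_`, not a 16-character alphanumeric string, so that paragraph should read `The token is 16 random bytes, encoded as a 22-character URL-safe base64 string (A-Z, a-z, 0-9, '-', '_'). This is the browser's cookie value.` The block over `User.hash` says "Encrypt" while the body is `Digest::SHA1.hexdigest`, a keyless one-way digest; the stored value cannot be decrypted, which is exactly the property the paragraph about a compromised database relies on, so the wording should be "Hash (digest) the remember token" throughout rather than "encrypted version". Separately, `def User.hash(token)` redefines the `User` class object's `Object#hash` with a different arity, so code that uses the `User` class as a Hash key or calls `User.hash` with no argument will raise; a name such as `User.digest(token)` would avoid that, though the rename is outside this documentation commit's scope.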
  • <%= current_user.user_name.upcase %>
  • + <% end %>
  • <%= link_to "Sign out", signout_path, method: "delete" %>
  • - <% if signed_in? %> -
  • <%= current_user.user_name %>
  • - <% end %> -
    <%= yield %>
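Review bot: On the new side the `Sign out` link on L5 appears to sit after the `<% end %>` on L4 that closes the `<% if signed_in? %>` block added on L2, so the sign-out link would be rendered to visitors who are not signed in; the `<li>` markup is garbled in this rendering and the sign-out line is unchanged context, so confirm against the file before acting. If that reading is right, the `<% end %>` belongs after the sign-out item: `<li><%= link_to "Sign out", signout_path, method: "delete" %></li>` followed by `<% end %>`.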
    -- cgit v1.2.3-2-g168b