From 3425bfd0f56495b7d8d9f86ac740fcf90f0fbfdb Mon Sep 17 00:00:00 2001
From: DavisLWebb <davislwebb@ymail.com>
Date: Mon, 3 Mar 2014 13:52:38 -0500
Subject: I added a lot of documentation to user.rb

---
 app/helpers/sessions_helper.rb         |  6 +++++-
 app/models/user.rb                     | 30 +++++++++++++++++++++++++++---
 app/views/layouts/application.html.erb |  7 +++----
 3 files changed, 35 insertions(+), 8 deletions(-)

(limited to 'app')

diff --git a/app/helpers/sessions_helper.rb b/app/helpers/sessions_helper.rb
index 20010c8..046ca6f 100644
--- a/app/helpers/sessions_helper.rb
+++ b/app/helpers/sessions_helper.rb
@@ -12,11 +12,15 @@ module SessionsHelper
 		self.current_user = user
 	end
 
-#method creating for self.current_user
+# The curret_user=(user) is the conversion of self.current_user = user
 	def current_user=(user)
 		@current_user = user
 	end
 
+# sets the @current_user instance virable to the user corresponding
+# to the remember token, but only if @current_user is undefined
+# since the remember token is hashed, we need to hash the cookie
+# to find match the remember token
   def current_user
     remember_token = User.hash(cookies[:remember_token])
     @current_user ||= User.find_by(remember_token: remember_token)
diff --git a/app/models/user.rb b/app/models/user.rb
index f302baf..53ccdaf 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -81,12 +81,36 @@ has_secure_password which does all of this for me
 
 	validates :password, length: { minimum: 6 }
 
-	# create a random remember token for the user
+=begin
+
+	Create a random remember token for the user. This will be
+  changed every time the user creates a new session.
+
+	By changing the cookie every new session, any hijacked sessions
+	(where the attacker steals a cookie to sign in as a certain 
+	user) will expire the next time the user signs back in.
+ 
+  The random string is of length 16 composed of A-Z, a-z, 0-9
+	This is the browser's cookie value.
+
+=end
+ 
   def User.new_remember_token
     SecureRandom.urlsafe_base64
   end
-	
-	# encrypt the remember token
+
+=begin
+
+	Encrypt the remember token.
+	This is the encrypted version of the cookie stored on
+  the database.
+
+	The reasoning for storing a hashed token is so that even if
+	the database is compromised, the atacker won't be able to use
+	the remember tokens to sign in.
+
+=end
+
   def User.hash(token)
     Digest::SHA1.hexdigest(token.to_s)
   end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 92fce3d..67848f6 100644
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -19,16 +19,15 @@
 		<%= submit_tag("Go", {:class => "btn btn-warning"}) %> 
 	<% end %>
 	</div>
+	<% if signed_in? %>
+		<li> <%= current_user.user_name.upcase %> </li>
+	<% end %>
      <li>
       <%= link_to "Sign out", signout_path, method: "delete" %>
      </li>
 </header>
     </div>
 
-	<% if signed_in? %>
-		<li> <%= current_user.user_name %> </li>
-	<% end %>
-
 <div class="container"> 
 <%= yield %>
 </div>
-- 
cgit v1.2.3-2-g168b