Heads up! To view this whole video, sign in with your Courses Plus account or enroll in your free 7-day trial. Sign In Enroll
Preview
Start a free Courses trial
to watch this video
In this video, we create a new model to represent our user in our authentication system. We see some of the properties that Authlogic requires and provides. Download the Beginning of the Project or the Completed Project
[Master Class] [Designer and Developer Workflow] [Creating the User Model]
0:00
So, we've decided to go with Authlogic for
0:05
handling our authentication in our application.
0:08
Now, if you're learning this for the first time, it can be a little bit confusing.
0:11
The main GitHub repository has a read me in it,
0:14
which gives a good overview of how it works.
0:17
However, the main sort of tutorial and a lot of the documentation
0:20
is lying within some of these links.
0:24
One of the best ones to look at while you're working is this live example
0:26
with tutorial in the read me,
0:30
and this is a basic example of Authlogic implemented in an app,
0:33
but it also has a read me with a great step by step tutorial
0:36
on how to set up your authentication system.
0:41
Now, some of the steps here are a little bit out of date in how we generate things,
0:43
but one of the tables that we'll be using is this piece of information right here,
0:48
which defines some of the behavior that can be implemented simply by adding
0:52
fields to our user model.
0:56
So, let's just get right to it.
0:59
I'm going to open up our code, so I'm just going to jump into our code,
1:02
and the first thing I want to do is add Authlogic as a gem in our application.
1:05
So, we'll open up our gem file.
1:10
Here we can see the gems that we're currently using,
1:14
and we'll just add another gem for Authlogic.
1:17
Then to install we'll go into our terminal here and just do bundle install.
1:20
So, we can check to see if Authlogic is installed by typing "rails generate."
1:34
Now we can see that Authlogic has installed a generator called "authlogic session."
1:42
And we'll be using this in a little bit, but we can see that it is now part of our project.
1:47
So, now we have to figure out what it is we're authenticating.
1:52
Authlogic is built in such a way that we could actually have multiple sort of channels
1:55
of authentication built into our system.
2:00
For instance, we could authenticate users or we could authenticate admins
2:02
or authenticate really any other type of model that we want to have,
2:07
it's just going to be the step of creating a different session
2:10
for each type of authentication we want to create.
2:14
In our application, we're just creating authentication for users,
2:17
so the steps that we need to take are first to define our model of users,
2:20
which is going to be a typical Rails model, and we'll want to use a basic scaffolding setup
2:25
because we'll want to create users like registering,
2:30
and then manage users from the back end, so we'll use a normal Rails scaffold to create that.
2:33
And then we'll use the Authlogic generator to create a session for users.
2:38
We'll call it a user session, and the user session is what is used
2:42
to log in and log out, and we'll see how that works in a moment.
2:46
So first, let's go ahead and define our user.
2:50
We're going to do this in the normal Rails fashion of creating a scaffold,
2:52
so we'll do "rails generate scaffold user,"
2:55
and then we can go ahead and define what makes up a user.
3:05
So basically, a user will be identified by an email, which is a string,
3:08
and will have a name field, which will just be another string field,
3:14
and that's all we're going to use.
3:18
The reason I'm not going to list off everything right here is because we'll actually
3:21
go into the migration and add the fields that we want to add before we actually migrate it.
3:24
The email and name is really here for generating the default views
3:30
just so that in the list view we'll see an email and name, and in the forms
3:34
there will be a name and email field, but there's still work
3:39
we're going to have to do in the actual views.
3:41
For instance, in our registration or editing fields we'll have to add things like password
3:44
and password confirmation, but we'll do that manually instead of relying on our scaffold.
3:49
So, let's go ahead and generate this.
3:55
So, we've generated our user.
3:59
We haven't migrated it into the database,
4:01
and that's good because we actually want to go into the migration file
4:04
and actually add some fields that are going to be used by Authlogic to
4:07
authenticate and keep some stats on our users.
4:11
So, we're going to flip over to our code, and the migration file is going to be in DB, migrate,
4:15
and it's probably going to be the last one down.
4:23
It's based on a date stamp, and right now it's a little bit difficult to see,
4:25
but you can see it's ultimately called "createusers.rb,"
4:29
and that date stamp is going to be different when you create it yourself.
4:33
So, here we can see the migration.
4:38
Basically, we're creating a table called "users," and it has a string field called "email"
4:40
and a string field called "name."
4:45
It also defines that the default time stamps that Rails provides should be added.
4:48
That is, created at and updated at which are two fields that are populated
4:52
when the user is created and when any updates happen to that field.
4:58
So, I'm going to do a couple of different things here.
5:03
First, I'm going to define that email, we should not allow it to be null.
5:05
So, we'll say null is false,
5:09
and I want to do the same thing for name as well.
5:14
I want to make sure that that's filled in.
5:16
We'll also add information in the user model to make sure it's validated,
5:18
but for the database as well we want to make sure that
5:23
there's no accidental insertions of null values here.
5:25
Now, it's at this point that that example projects documentation comes in handy.
5:30
So, if we flip over to our browser and we take a look at the database fields here,
5:35
we can see that there are a few that we're going to definitely want to add,
5:39
and a few magic columns that track some different stats about our users.
5:43
Now, we're not going to use log in because we're going to log in with email addresses
5:48
so we're not going to be adding this field.
5:51
We have our email here, so that's already done.
5:53
And the next field we want to add is crypted password,
5:57
and crypted password is actually where we're going to be storing our password
6:00
for our users, but instead of storing the password in plain text,
6:05
what Authlogic will do is it will hash the password or encrypt it
6:09
so that it can be safely stored in the database, and when somebody logs in,
6:13
they will do the same operation to the password that they're submitting
6:17
and then compare the crypted password versus the crypted submitted password.
6:21
Now, all this is done transparently, but this is the good practice
6:26
you want to use when creating a system.
6:29
You definitely never want to store a plain text password.
6:32
In the next field below it, the password salt is another protection for the password.
6:35
The algorithms to create the crypted password are pretty solid.
6:40
However, people have created tables of common passwords
6:44
to their encrypted equivalents.
6:48
So, what the salt is is it's a little bit of random information
6:50
that makes sure that the crypted password is different then if you were to have
6:53
just encrypted the password itself.
6:57
So, combining the salt and the password together, then encrypting it
7:00
will result in a completely different result, which will make it harder for an attacker
7:03
who has the crypted password to figure out what the original password is.
7:08
Again, all of this is handled by Authlogic, so you don't have to worry about
7:12
doing any of the algorithms.
7:15
All we need to do is add the crypted password and password salt field.
7:17
So, we can actually just copy that.
7:22
And let's just add it in there.
7:25
And I'm going to go ahead and just remove those comments.
7:28
So now, we're going to be using a password-based authentication system.
7:32
Let's take a look at some of the other columns.
7:36
Now, the persistence token is something that is required.
7:39
Basically, this token is what is going to be stored in the cookie for the user
7:43
saying which user is logged in.
7:48
Basically, when somebody logs in with their user name and password,
7:50
a persistence token will be generated and will be stored
7:53
under that user's database row and that token will also appear in their cookie,
7:57
and so whenever somebody requests, they'll send their persistence token
8:02
and Rails will be able to figure out which user is requesting this.
8:06
Now, we use a persistence token instead of something like a user id
8:10
because that persistence token will be something that the user
8:15
could change on their end, and we don't want to make it simply an id
8:18
that they could change and be logged in as somebody else.
8:22
So, having a persistence token is what we're going to need,
8:27
and it's required in order to be able to stay logged in.
8:30
So, the next field we'll add is our persistence token.
8:33
So, then there are fields called single acess token and perishable token
8:39
which are different ways that we can log in, giving them a token in order to, for instance,
8:43
change their password or a simple way to log in once.
8:48
We can add these in, there's no problem for doing that.
8:53
And I'm going to add them in, though I don't know for sure if I'm going to end up using them.
8:56
But simply by adding them in we add the functionality in order to utilize them.
9:02
So, then we have some magic columns, and these are columns a lot like
9:09
the created at and updated at fields where if they exist in the database,
9:13
Rails or in this case Authlogic will populate them with information that you want.
9:17
So, if we have an integer field called log in count, it will update that log in count
9:23
every time that they log in as well as the failed log in count,
9:27
and it will save the last time that the user made a request.
9:31
We can also save the time that they currently logged in and the last time they logged in
9:35
as well as the current log in IP and last log in IP.
9:40
So, for instance, if you wanted to show the user the IP they're logged into
9:43
versus their last log in IP in order to perhaps tell them that they were accessed
9:47
from a weird IP across the world, you could use these fields.
9:52
And these are also just useful for your own information.
9:56
So, what I'm going to do is just add all of these columns because I want to have
10:00
all that information for me.
10:03
There's no harm in not having them, but they're sort of free,
10:06
so let's go ahead and just add them in.
10:09
So now, our user field has our email, name, which are really public information
10:15
about the user and what we're going to be editing, and it also has our crypted password
10:21
and password salt which manage the actual password and storing it safely,
10:25
and the persistence token which is what actually keeps somebody logged in.
10:30
Then we have some nice fields like single access token and perishable token,
10:34
which allow us to enable the user to access their account
10:37
in different ways using these tokens.
10:40
And then we have our extra magic information that we can use for our own data mining
10:43
or even giving more information to the user.
10:48
So, now that we have our migration all configured, let's go ahead
10:51
and run our database migration by running "rake db:migrate."
10:54
And this just saw our new migration for creating users,
11:03
and now we have our table of users and based on this and the scaffold we've generated,
11:06
we should actually be able to go to our application of Easy Jobs,
11:12
switch out jobs and go to /users and we can see our listing of users,
11:17
and this is the default scaffolding, so there's no real style applied to it.
11:23
So, if we clicked on "new user" we could add a new user.
11:27
However, right now it's just an email and a name and no password or anything,
11:31
so the next step is to update this new form to take a password and a password confirmation
11:36
so we can actually create the user with their password.
11:42
You need to sign up for Treehouse in order to download course files.
Sign up