Seth Vargo's Profile

This user is a moderator.

GitHub User: sethvargo

Site: sethvargo.com

Comments by Seth Vargo

Hey guys, I just packaged this all into a gem called magiconf. It's super simple and easy to use. Based off of this + figaro. https://github.com/sethvargo/magiconf

If you want a small solution for generating the form markup, I've created a gem called bootstrap_forms, which eliminates the need for all the messy markup bootstrap requires.

https://github.com/sethvargo/bootstrap_forms

I've been working a lot with Spine lately, and it's very nice. There's a spine-rails gem that makes integration really easy.

@Javi, the idea is that authentication requires two parts - a username and password. However, there are tools that allow brute-force attacks on a login form.

If the flash/error message changes depending on whether the username is valid, it will take far less time for a hacker to determine a valid username. Once a valid username is found, it becomes a simple attack (unless you implement some kind of failsafe in your code for multiple incorrect password attempts).

Mathematically, imagine it takes a computer 10 hours to brute-force a field of 64 characters (it's not, but I want easy math). If error messages don't reveal that a given username exists, the computer is required to compute 10x10 = 100 hours (for each username generated, it needs to produce passwords as well). However, if the hacker can determine a valid username first (10 hours), and then only brute-force the password (another 10 hours), it only takes 20 hours to hack the site.

It's not "useless", but it's not foolproof either.
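The difference described in this comment, as an added Ruby example that is not part of the original thread: a leaky login that names which part failed, beside one that returns a single message, runs the password hash even when the email is unknown, and counts failed attempts. The in-memory users table, the email and the password are constructed for the example.

```ruby
require 'openssl'
require 'securerandom'

ITERATIONS = 20_000 # PBKDF2 rounds; constructed example value

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32, 'sha256')
end

# Constructed in-memory "users table" standing in for the database.
SALT_A = SecureRandom.random_bytes(16)
USERS = { 'alice@example.com' => { salt: SALT_A, digest: hash_password('correct horse', SALT_A) } }

# Placeholder record so a lookup miss still costs one full PBKDF2 run.
DUMMY = { salt: SecureRandom.random_bytes(16), digest: SecureRandom.random_bytes(32) }

# Compare every byte so the comparison time does not depend on the first mismatch.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Leaky: the two error texts let a probe tell registered emails from unknown ones.
def login_leaky(email, password)
  user = USERS[email.downcase]
  return 'Unknown email address' unless user
  return 'Incorrect password' unless secure_equal?(hash_password(password, user[:salt]), user[:digest])
  'OK'
end

# Uniform: one message for both failures, and the digest is computed either way
# so response time does not reveal whether the email exists.
def login_uniform(email, password)
  key = email.downcase
  user = USERS.fetch(key, DUMMY)
  ok = secure_equal?(hash_password(password, user[:salt]), user[:digest])
  ok && USERS.key?(key) ? 'OK' : 'Invalid email or password'
end

# The "failsafe" for repeated wrong passwords: after MAX_ATTEMPTS failures the
# account is refused with the same message, so lockout state is not revealed either.
MAX_ATTEMPTS = 5
FAILURES = Hash.new(0)

def login_with_lockout(email, password)
  key = email.downcase
  return 'Invalid email or password' if FAILURES[key] >= MAX_ATTEMPTS
  result = login_uniform(email, password)
  result == 'OK' ? FAILURES.delete(key) : FAILURES[key] += 1
  result
end
```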

This is a really great tutorial, especially in terms of security and understanding authorization; however, I'd just like to caution everyone about rolling their own authentication.

Pre-OAuth, every site required its own username/email and password. This results in countless accounts on multiple servers. However, now, it's easy to authenticate with Facebook, Amazon, or (like RailsCasts) GitHub.

I'd just like to encourage developers to consider using an OAuth mechanism in their next project, if deemed fit. Do we really need another account? :)

You'd be better off doing something like:

```ruby
User.find_by_email(email.downcase)
```

You're making SQL do too much work, and you can't leverage on indexing when using aggregate functions.

Kaminari is also SEO-friendly! Add a route like this:

```ruby
resources :products do
  get 'page/:page', :action => :index, :on => :collection
end
```

And Rails will automatically rewrite your URLs to be SEO-friendly! Instead of /products?page=32, you'll have a nicer URL - /products/page/32. Because of this, you can also leverage on some page-caching techniques if your index isn't updated frequently.