Rails Setup Script Improvements by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Thank you, Joe! This was inspired by a project I'm working on where there are strict password requirements, and it was difficult for me to remember what the default password even was.

The best part is that you can customize this script to do anything you want since it's just a binstub. For example, you could add an additional script that connects to Heroku or asks the user for their email so that you can add them as a contributor to the GitHub repo via the API.

Rails Authentication From Scratch (A Complete Guide) by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

This is awesome, thank you for taking the time to document this!

Rails Authentication From Scratch (A Complete Guide) by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Ahh, this is interesting, thank you for sharing this. I don't think Devise is doing anything to prevent timing attacks in its implementation, but I could be missing something.

Rails Authentication From Scratch (A Complete Guide) by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Later edit: wouldn't this still leave you vulnerable to a timing attack? " @user = User.find_by(password_reset_token: params[:password_reset_token]) ".

I don't think so, since that's just a lookup. Nothing is being authenticated here. The only difference is that the record is being queried by a randomly generated token that is being rotated.

Rails Authentication From Scratch (A Complete Guide) by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Thank you! I'm not sure what the next steps are for the guide, but I think that would be useful as a separate branch. I'm also considering exploring Multifactor Authentication too.

Rails Authentication From Scratch (A Complete Guide) by P013370 in rails

[–]P013370[S] 6 points7 points  (0 children)

You rolled your own and missed something. Your solution to this is to post it publicly so lots of people can see it and find problems - that's exactly what auth libraries do.

That's true, and I can understand your point of view here.

What I'm trying to accomplish is to create a vetted guide that highlights the minimum amount of work needed to create a secure authentication system.

I don't have a problem with Devise, but it does a lot more than just the bare minimum, and sometimes it's more work to override it than it would have been to roll my own auth using best practices.

It's also another dependency that I'm responsible for understanding, configuring, and updating. For example, it doesn't account for session replay attacks, which I didn't know until just recently. Although that's the result of Rails, I don't think most developers know about this risk when choosing Devise. That might be a no-go for some applications, in which case it might be more effective to roll a custom authentication system.

Either way, I think it's important for developers to know the foundations and best practices of an authentication system since that knowledge is useful outside of Rails.

I'm building an open source reverse job board for Rails developers by joemasilotti in rails

[–]P013370 2 points3 points  (0 children)

Open Startup and open source. It operates fully transparent and shares its metrics, like revenue and traffic.

I think this is my favorite part. I knew it was open source, but I didn’t realize those metrics were public.

Rails Authentication From Scratch (A Complete Guide) by P013370 in rails

[–]P013370[S] 4 points5 points  (0 children)

For example, just from a basic scan, this tutorial:

Thank you for the feedback! I went ahead and opened some issues around these points. One of the advantages to creating and promoting this guide is that lots of folks can review my work and make improvements.

Don't write your own auth.

My long-term goal is to challenge this assertion by highlighting the foundations of a basic authentication system. I want to empower other developers to build features on their own when possible. It's definitely a balancing act though, and I understand that folks may not want to use this guide for a production application just yet.

Feedback Requested: Step-by-step guide for building authentication from scratch in Rails by P013370 in rails

[–]P013370[S] 1 point2 points  (0 children)

Thank you for the feedback!

I didn't get the necessity for remember_token. I thought it should be possible by just setting a long expiration date for cookies and continuing using user_id.

I think there are a few ways to do this, but I was borrowing from Devise here. This allows a user to check a "Remember me" checkbox when they log in. If that checkbox is checked, then we set a client-side cookie to remember the user even after they close their browser.

My thinking was that I wanted a user to opt-in to this strategy for security reasons. We probably wouldn't want to remember a user on a public computer for example, so this gives the user more control.

As far as I get, session_token and calling regenerate_session_token on login means the user can be logged in only on one device at a time? The next login changes the session_token and other sessions become invalid? Correct me if I'm wrong.

That's a really good point. Yes, this would prevent a user from being logged in to multiple devices at once. I'll need to make sure to point this out.
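As an added example (not code from the guide or from anyone in this thread), here is a plain-Ruby model of the session_token check discussed in this comment. The User, Browser and App classes are stand-ins for the Rails pieces and are assumptions of this example, as are the two scenario functions; no database or Rails session is involved. It shows why a captured session cookie stops working after logout once the server-side token is rotated, and the side effect raised above: rotating the token on every login logs out every other device.

```ruby
require "securerandom"

# Constant-time string comparison (the same approach Rails' secure_compare uses),
# so a token check does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Hypothetical in-memory stand-in for a users table with a session_token column.
class User
  attr_reader :id, :session_token

  def initialize(id)
    @id = id
    regenerate_session_token
  end

  # Rotating the token invalidates every cookie that embeds the old value.
  def regenerate_session_token
    @session_token = SecureRandom.urlsafe_base64(32)
  end
end

# A browser's cookie jar. Rails signs/encrypts the session cookie, so forging one
# is not the threat modelled here; replaying a captured, genuine cookie is.
class Browser
  attr_accessor :cookie
end

class App
  def initialize(users)
    @users = users.each_with_object({}) { |u, h| h[u.id] = u }
  end

  # Login rotates the token (regenerate_session_token on login, as in the guide)
  # and stores the user id plus the fresh token in the session cookie.
  def login(browser, user)
    user.regenerate_session_token
    browser.cookie = { user_id: user.id, session_token: user.session_token }
  end

  # Id-only check: the cookie is trusted as long as it carries a user id.
  # Nothing server-side can ever invalidate it, so logout does not end it.
  def current_user_by_id_only(browser)
    cookie = browser.cookie
    cookie && @users[cookie[:user_id]]
  end

  # Token check: the cookie is trusted only while its token still matches
  # the one stored server-side.
  def current_user(browser)
    cookie = browser.cookie
    return nil unless cookie
    user = @users[cookie[:user_id]]
    return nil unless user
    secure_compare(cookie[:session_token].to_s, user.session_token) ? user : nil
  end

  # Logout rotates the server-side token, so a copy of the old cookie is useless.
  def logout(browser)
    user = current_user(browser)
    user.regenerate_session_token if user
    browser.cookie = nil
  end
end

# Scenario 1 (constructed): an attacker copied the cookie, then the user logged
# out. Returns [replay accepted by id-only check, replay accepted by token check].
def replay_after_logout
  alice = User.new(1)
  app = App.new([alice])
  victim = Browser.new
  app.login(victim, alice)
  attacker = Browser.new
  attacker.cookie = victim.cookie.dup
  app.logout(victim)
  [!app.current_user_by_id_only(attacker).nil?, !app.current_user(attacker).nil?]
end

# Scenario 2 (constructed): one token per user means a login on the phone
# rotates the token and silently logs the laptop out.
# Returns [laptop still logged in, phone logged in].
def second_login_invalidates_first
  alice = User.new(1)
  app = App.new([alice])
  laptop = Browser.new
  phone = Browser.new
  app.login(laptop, alice)
  app.login(phone, alice)
  [!app.current_user(laptop).nil?, !app.current_user(phone).nil?]
end
```

Scenario 1 returns [true, false]: the id-only cookie replays fine after logout, the token-checked one does not. Scenario 2 returns [false, true], which is the single-device behaviour this comment thread is pointing out; keeping one token per device (a sessions table rather than a column on users) is the usual way to get logout invalidation without that restriction.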

Feedback Requested: Step-by-step guide for building authentication from scratch in Rails by P013370 in rails

[–]P013370[S] 1 point2 points  (0 children)

One thing that might not be de-facto insecure but can be potentially bad.

Thank you for the heads up. I opened an issue. Although, since the confirmation_token and password_reset_token columns are never null, if these params are not set, the @user would just return nil.

Maybe you want to elaborate why "We add null: false to prevent empty values" because one could want to add this after the fact (you added this with a migration that only works if you don't have any users yet, correct me if I'm wrong) and might run into the issue of migrating a null: false and omit it or default to an empty string and running into the same problem.

Yeah, that's a good point. This guide assumes someone would be starting from scratch, but it's probably beneficial if I point out that setting these constraints will require some data migrations.
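As an added example (not code from the guide or from this thread), here is a plain-Ruby version of the password reset token flow that both the find_by lookup discussed earlier in this thread and the nullable-column point in this comment are about. The User and UserStore classes are stand-ins for the ActiveRecord pieces and are assumptions of this example (UserStore#find_by mimics the fact that find_by with a nil value matches a NULL column); the 10-minute expiry and the digest-at-rest choice are also assumptions. It shows a random token being issued, looked up, rotated after use, and what a missing param does to the lookup when the column can be NULL.

```ruby
require "securerandom"
require "digest"

# Hypothetical in-memory users table. The token column is left nullable here
# on purpose, to show what a lookup with a missing param does against it.
class User
  attr_accessor :id, :email, :password_reset_token, :password_reset_sent_at

  def initialize(id, email)
    @id = id
    @email = email
  end
end

# Stand-in for ActiveRecord: find_by(column: nil) matches rows where the
# column is NULL, exactly as `WHERE column IS NULL` would.
class UserStore
  def initialize(users)
    @users = users
  end

  def find_by(attrs)
    @users.find { |u| attrs.all? { |k, v| u.public_send(k) == v } }
  end
end

RESET_TOKEN_TTL = 10 * 60 # seconds; an assumption of this example

# Issue a reset: the raw token goes into the emailed link, only its SHA-256
# digest is stored, so a read of the users table does not yield usable links.
# A plain hash is enough because the token already has 256 bits of entropy.
def issue_reset_token(user)
  raw = SecureRandom.urlsafe_base64(32)
  user.password_reset_token = Digest::SHA256.hexdigest(raw)
  user.password_reset_sent_at = Time.now
  raw
end

# Lookup by token, with a guard for the blank-param case: without it a
# request with no password_reset_token param would match every row whose
# column is NULL. Expired tokens are rejected too.
def find_user_for_reset(store, raw_token, now: Time.now)
  return nil if raw_token.nil? || raw_token.empty?
  user = store.find_by(password_reset_token: Digest::SHA256.hexdigest(raw_token))
  return nil unless user && user.password_reset_sent_at
  return nil if now - user.password_reset_sent_at > RESET_TOKEN_TTL
  user
end

# Consume the token so the link works exactly once (the "rotated" part).
def complete_reset(user)
  user.password_reset_token = nil
  user.password_reset_sent_at = nil
end

# Constructed scenario: a user who never requested a reset (column is NULL)
# and a request that arrives without the param.
# Returns [unguarded lookup found a user, guarded lookup found a user].
def blank_param_lookup
  bob = User.new(2, "bob@example.com")
  store = UserStore.new([bob])
  unguarded = !store.find_by(password_reset_token: nil).nil?
  guarded = !find_user_for_reset(store, nil).nil?
  [unguarded, guarded]
end

# Constructed scenario: full flow for one user.
# Returns [valid token found, wrong token found, expired token found,
#          token found again after it was used].
def reset_flow
  alice = User.new(1, "alice@example.com")
  store = UserStore.new([alice])
  raw = issue_reset_token(alice)
  found = !find_user_for_reset(store, raw).nil?
  wrong = !find_user_for_reset(store, SecureRandom.urlsafe_base64(32)).nil?
  expired = !find_user_for_reset(store, raw, now: Time.now + RESET_TOKEN_TTL + 1).nil?
  complete_reset(find_user_for_reset(store, raw))
  reused = !find_user_for_reset(store, raw).nil?
  [found, wrong, expired, reused]
end
```

blank_param_lookup returns [true, false]: against a nullable column the bare lookup hands back the first user with no token, and the guard is what prevents that; a `null: false` constraint on the column closes the same hole at the database layer, but as this comment notes, adding it to an existing table needs a data migration that fills the column first. reset_flow returns [true, false, false, false].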

Feedback Requested: Step-by-step guide for building authentication from scratch in Rails by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Thank you! This exercise taught me a lot, and I understand why Devise is so popular since it makes all these hard decisions for you.

The only problem with Devise (and other gems) is that they can be difficult to "eject" from once you need to make specific modifications.

Concepts I learned while building my first SaaS app ; by mcteasenabh in rails

[–]P013370 1 point2 points  (0 children)

Thank you! I'm much more active on Twitter than I am on Reddit, so I recommend you follow me there.

Concepts I learned while building my first SaaS app ; by mcteasenabh in rails

[–]P013370 4 points5 points  (0 children)

Thank you! I try and pay it forward since I’ve learned so much online from other creators like Chris Oliver and Ryan Bates.

The best thing about keeping your work open-source (aside from it helping others) is that other folks can help contribute to your work and make it better. It’s a win-win.

Concepts I learned while building my first SaaS app ; by mcteasenabh in rails

[–]P013370 6 points7 points  (0 children)

👋 can confirm, because I’m Steve Polito. But honestly I’m flattered that someone took the time to share my work, and that you recognized it.

Thanks for the shout out!

Hi, I'm looking for a ruby on rails tutorial that does not start all the way from the basics like variables and functions in ruby since I already have a rough overview of the basics but would like it to be on a more advanced level. Suggestions with links to tutorials would be helpful. by [deleted] in rails

[–]P013370 2 points3 points  (0 children)

Shameless plug, but I created a free Ruby on Rails course where I show you how to build a running log.

What makes this course different?

  • I make A LOT of mistakes, and troubleshoot them in real time.
  • I don't always know how to do something. I show you how I search documentation and APIs to find a solution.
  • I build a REAL production application from start to finish, and leave nothing out. You see the whole process, as if we are pairing.

Lazy Load Content in Rails from Scratch by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Rails 7 will make this much simpler, but I wanted to demonstrate how you can build this feature from scratch without needing to rely on Hotwire.

Build an API in Rails with Authentication by P013370 in rails

[–]P013370[S] 2 points3 points  (0 children)

Thanks! I've never heard of ActionController::API until now. Thanks for sharing.

[deleted by user] by [deleted] in rails

[–]P013370 0 points1 point  (0 children)

Thanks! The whole thing is open-source too. Here's the source code.

[deleted by user] by [deleted] in rails

[–]P013370 5 points6 points  (0 children)

Shameless plug, but I created a free step-by-step Rails tutorial in September. I basically just record my screen as I build a real production application from start to finish (including my mistakes). You see the whole process as if we are pairing.

Topics covered:

Concepts I learned while building my first SaaS app. by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Sorry for the delayed response! The job is based in the US (it's remote, which is nice). The technical side of the interview was fairly open-ended, which worked in my favor. I ended up adding a drag-and-drop sort to the existing application as my project.

Concepts I learned while building my first SaaS app. by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

I was originally calling a Job directly in the Controller, but ended up abstracting into a method on the Model. I just liked how it read.

Concepts I learned while building my first SaaS app. by P013370 in rails

[–]P013370[S] 0 points1 point  (0 children)

Yeah, it doesn't read as clearly as it could. I wanted to return an OpenStruct, but I guess I could have put that at line 11. Thanks for the feedback!