class User < ActiveRecord::Base
  before_save :encrypt_password

  protected

  # The first line of this callback was cut off in extraction; the method name and
  # the blank-password guard are reconstructed from the acts_as_authenticated idiom
  # the book follows.
  def encrypt_password
    return if password.blank?
    self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record?
    self.crypted_password = encrypt(password)
  end

  def encrypt(password)
    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
  end
end
The actual authentication is handled by the User.authenticate class method, which
takes a login and password and returns either the corresponding user or nil if the
login or password are incorrect.
class User < ActiveRecord::Base
  def self.authenticate(login, password)
    u = find_by_login(login)
    u && u.authenticated?(password) ? u : nil
  end

  def authenticated?(password)
    crypted_password == encrypt(password)
  end
end
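The same salt-hash-compare flow as an added, stand-alone example (this is not the book's code, and it drops ActiveRecord in favour of an in-memory Hash named STORE, which is an assumption of the example). It keeps the book's contract, User.authenticate returns the user or nil, but shows the two changes a reviewer of this model would ask for: a random per-user salt from SecureRandom rather than one derived from the timestamp and login, and PBKDF2-HMAC-SHA256 from the standard library rather than a single SHA1 round, with a constant-time comparison of the stored and computed values.

```ruby
# Added example, not from the book. Plain Ruby; STORE stands in for the database.
require "openssl"
require "securerandom"

class User
  ITERATIONS = 100_000   # PBKDF2 work factor; raise it as hardware gets faster
  KEY_LENGTH = 32        # bytes of derived key, stored hex-encoded (64 chars)

  attr_reader :login, :salt, :crypted_password

  # Assumption of this example: a Hash keyed by login replaces the users table.
  STORE = {}

  def self.create(login, password)
    user = new(login)
    user.encrypt_password(password)
    STORE[login] = user
  end

  # Stands in for ActiveRecord's find_by_login.
  def self.find_by_login(login)
    STORE[login]
  end

  # Same contract as the book's User.authenticate: the matching user, or nil.
  def self.authenticate(login, password)
    u = find_by_login(login)
    u && u.authenticated?(password) ? u : nil
  end

  def initialize(login)
    @login = login
  end

  # Equivalent of the before_save callback: refuse blank passwords, mint a fresh
  # random salt the first time a password is set, and store only the derived key.
  def encrypt_password(password)
    return false if password.nil? || password.strip.empty?
    @salt ||= SecureRandom.hex(16)
    @crypted_password = encrypt(password)
    true
  end

  # Slow, salted key derivation in place of Digest::SHA1.hexdigest.
  def encrypt(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: ITERATIONS,
                             length: KEY_LENGTH, hash: "sha256").unpack1("H*")
  end

  # Constant-time comparison: the time taken does not depend on how many leading
  # bytes of the guess matched, unlike String#== which stops at the first mismatch.
  def authenticated?(password)
    return false if crypted_password.nil?
    candidate = encrypt(password)
    return false unless candidate.bytesize == crypted_password.bytesize
    diff = 0
    candidate.bytes.zip(crypted_password.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end
```

Two users who pick the same password end up with different crypted_password values because each gets its own random salt; with the book's scheme the salt is reproducible by anyone who can guess the login and the second at which the account was created.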
Don't Trust the Client
ActionPack (ActionController plus ActionView) makes a lot of things easier for you
as a developer. To do so, it abstracts away a lot of the details of the HTTP request/
response cycle. This is usually a good thing: you really don't want to deal with every
detail of the CGI protocol. But it is important not to let this abstraction get in the
way of writing secure code. One of the foundational principles that you should keep
in mind is that you can never trust the information that the web browser (the client)
sends you.
This is one area where the leaky abstraction that Rails provides can hurt. It really
pays to understand how HTTP works, at least to the point that you know whether a
particular piece of information comes from the client, the application framework, or
the environment.
Application Issues | 131