Authentication / Authorization
- In order to store a user, a username, password, and email are needed. First name and last name can also be used.
- To store a password securely, store only a password hash, produced by a hashing algorithm together with a salt. Salts safeguard passwords in storage: a new salt is randomly generated for each password. Typically the salt and the password are concatenated and fed to a cryptographic hash function, and the output hash value (but not the original password) is stored in the database alongside the salt. When authenticating a user, the submitted password is put through the same hashing process and the resulting hashes are compared. Never store plaintext passwords in a database.
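The store-and-verify flow described above, as an added Ruby example (not code from the notes): a random per-password salt, PBKDF2-HMAC-SHA256 from Ruby's standard openssl library as the salted hash, a stored record holding only salt and hash, and a constant-time comparison at login. The iteration count is an assumed work factor.

```ruby
require "openssl"
require "securerandom"

ITERATIONS = 100_000  # assumed work factor; raise it as hardware allows
KEY_LENGTH = 32       # 256-bit derived hash

# Returns the record to persist: a fresh random salt plus the salted hash.
# The plaintext password is never part of the record.
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH, "sha256")
  { salt: salt, hash: digest.unpack1("H*") }
end

# Compares two strings without short-circuiting on the first mismatch, so the
# time taken does not leak how many leading bytes matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-runs the same hashing with the stored salt and compares the hashes.
def verify_password(password, record)
  candidate = hash_password(password, record[:salt])
  constant_time_equal?(candidate[:hash], record[:hash])
end
```

In a Rails application the same idea is packaged as `has_secure_password` (bcrypt-backed), and `ActiveSupport::SecurityUtils.secure_compare` provides the constant-time comparison.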
- Authentication status
- Some things that make a secure login page:
  - make a separate login page that can only be accessed over HTTPS and submits over HTTPS
  - limit the number of times a user can attempt to log in during a period of time
  - keep the password obscured
  - log errors, but show users only messages that don't reveal too much information
  - clearly show on the page what the user is logging into
  - consider a password locking system
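The "limit login attempts per period" point above, as an added Ruby example (not code from the notes): a sliding-window counter of failed attempts per username, a generic failure result that does not say which part of the credential was wrong, and a reset on success. The credential checker is passed in and is assumed to exist elsewhere; the injectable clock is there so the window can be tested deterministically.

```ruby
# Tracks failed logins per identifier inside a sliding time window.
class LoginAttemptLimiter
  def initialize(max_attempts: 5, window_seconds: 300, clock: -> { Time.now.to_f })
    @max = max_attempts
    @window = window_seconds
    @clock = clock
    @failures = Hash.new { |h, k| h[k] = [] }   # identifier => [failure timestamps]
  end

  def allowed?(identifier)
    prune(identifier)
    @failures[identifier].size < @max
  end

  def record_failure(identifier)
    prune(identifier)
    @failures[identifier] << @clock.call
  end

  def reset(identifier)
    @failures.delete(identifier)
  end

  # Seconds until the oldest failure falls out of the window (0 if not locked).
  def retry_after(identifier)
    return 0 if allowed?(identifier)
    (@failures[identifier].first + @window - @clock.call).ceil
  end

  private

  def prune(identifier)
    cutoff = @clock.call - @window
    @failures[identifier].reject! { |t| t < cutoff }
  end
end

# Wires the limiter in front of a credential check. `checker` is an assumed
# callable (username, password) -> true/false, e.g. a password-hash verifier.
def attempt_login(limiter, username, password, checker)
  return :locked unless limiter.allowed?(username)
  if checker.call(username, password)
    limiter.reset(username)
    :ok
  else
    limiter.record_failure(username)
    :invalid   # one generic outcome for bad user or bad password
  end
end
```

Keying the counter on the username means the limit holds even if the attempts come from many client addresses; a production deployment would keep the counters in shared storage rather than in process memory.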
- Use private cookies to store the user's preferences.
- Set the cookie expiration to 7 days.
HTTP Request/Response
- An HTTP GET request includes a request-line, which is made up of a method (GET) and the path component of the URL, followed by the headers. HTTP GET requests do not include a body. There are three systems in action:
  - a client running the browser,
  - a web server serving the site, and
  - a DNS server that knows the IP address of the site.
- The client request is filtered through a series of servers until it arrives at the desired URI, and then the server builds a response based on the parameters of the request.
- The 200 OK success status response code indicates that the request has succeeded, and a 200 response is cacheable by default. What "succeeded" means depends on the method:
- GET: The resource has been fetched and is transmitted in the message body.
- HEAD: The representation headers are included in the response without any message body.
- POST: The resource describing the result of the action is transmitted in the message body.
- TRACE: The message body contains the request message as received by the server.
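The request and response structure described in this section, as an added Ruby example (not code from the notes): a parser that splits a raw HTTP/1.1 request into request-line (method, path, query, version) and header fields, rejects a GET that carries a body, and a response builder that picks the status line. `ROUTES` is a constructed stand-in for an application; the sample requests are constructed.

```ruby
ALLOWED_METHODS = %w[GET HEAD].freeze
STATUS_TEXT = { 200 => "OK", 400 => "Bad Request", 404 => "Not Found", 405 => "Method Not Allowed" }.freeze
ROUTES = { "/" => "home", "/clients" => "client list" }.freeze   # constructed stand-in for the app

# Parses the raw bytes of a request: request-line, then header fields, then an
# empty line, then an optional body. Raises ArgumentError on malformed input.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  request_line = lines.shift or raise ArgumentError, "empty request"
  method, target, version = request_line.split(" ", 3)
  unless method && target && version&.start_with?("HTTP/")
    raise ArgumentError, "malformed request-line"
  end
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    raise ArgumentError, "malformed header: #{line}" if value.nil?
    headers[name.strip.downcase] = value.strip   # header names are case-insensitive
  end
  raise ArgumentError, "GET must not carry a body" if method == "GET" && body && !body.empty?
  path, query = target.split("?", 2)   # path component and query string of the URL
  { method: method, path: path, query: query, version: version, headers: headers }
end

# Builds the response: status-line, representation headers, blank line, body.
# For HEAD the headers describe the body but the body itself is omitted.
def build_response(status, body, omit_body: false)
  status_line = "HTTP/1.1 #{status} #{STATUS_TEXT.fetch(status)}"
  headers = ["Content-Type: text/plain", "Content-Length: #{body.bytesize}"]
  [status_line, *headers, "", omit_body ? "" : body].join("\r\n")
end

# Routes a parsed request to a response; bad input becomes 400, not a crash.
def handle(raw)
  req = parse_request(raw)
  return build_response(405, "method not allowed") unless ALLOWED_METHODS.include?(req[:method])
  body = ROUTES[req[:path]]
  return build_response(404, "not found") unless body
  build_response(200, body, omit_body: req[:method] == "HEAD")
rescue ArgumentError => e
  build_response(400, e.message)
end
```

Lower-casing header names before storing them matters because a later check such as "is Host present?" must not be bypassed by a differently cased header.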
Rails "params" Magic
- Params is a method defined in ActionController::StrongParameters. Params appears to be a hash but is actually an instance of the ActionController::Parameters class. Params are generated by Rails when the HTTP request hits the routes, and they are available in the controller. Dynamic placeholders are generated automatically from the route information, including the action and the controller, but params can also come from query string data and POST data. - https://guides.rubyonrails.org/action_controller_overview.html#parameters
- There are two kinds of parameters possible in a web application. The first are params that are sent as part of the URL, which are query string params (everything after the "?"). The second type of params is usually referred to as POST data, and this information usually comes from an HTML form which has been filled in by the user. It's called POST data because it can only be sent as part of an HTTP POST request. Both are available in the params hash in your controller.
- The params hash is not limited to one-dimensional keys and values; it can contain nested arrays and hashes. For example, with the request
  GET /clients?ids[]=1&ids[]=2&ids[]=3
  the value of params[:ids] will be ["1", "2", "3"]. Note that parameter values are always strings.
- To send a hash, include the name inside the brackets:
<form accept-charset="UTF-8" action="/clients" method="post">
<input type="text" name="client[name]" value="Acme" />
<input type="text" name="client[phone]" value="12345" />
<input type="text" name="client[address][postcode]" value="12345" />
<input type="text" name="client[address][city]" value="Carrot City" />
</form>
- When this form is submitted, the value of params[:client] will be { "name" => "Acme", "phone" => "12345", "address" => { "postcode" => "12345", "city" => "Carrot City" } }. Note the nested hash in params[:client][:address].