Rails Authentication and 1:M Associations
Objectives
- Create users and store their passwords securely
- Enable the ability to authenticate users and store sessions once logged in
- Utilize filters and validations in Rails
- Establish 1:M relationships
Remember all that hassle of setting up authentication in Node? Rails makes it easy.
Create a new project
You should know how to do this now. If not, see notes from Intro to Rails.
Create a user model
We need to first start creating a user model that has a username/email field and a password_digest
. Note that you have to name the field this.
rails g model user email password_digest
rails db:migrate
Add some validations
http://guides.rubyonrails.org/active_record_validations.html
app/models/user.rb
validates :email,
presence: true,
uniqueness: {case_sensitive: false}
Note that we're only checking for presence and uniqueness of the email. If we want to validate the format of the email, we can use an Regex like so
validates :email,
presence: true,
uniqueness: {case_sensitive: false},
format: /\A[\w+\-.]+@[a-z\d\-.]+\.[a-z]+\z/i
or we can use this gem for a more comprehensive comparrison.
Add password hashing
- Add
has_secure_password
to the user model - uncomment
gem 'bcrypt'
on your Gemfile and run the bundler
Now that we have has_secure_password
, Rails gives out a password setter that we can use in validations even though we don't have a password field in our database.
validates :password, length: { in: 8..72 }, on: :create
Register
We now have everything we need to create a user, and we can do so using Rails Console.
User.create!(email: 'paul@gmail.com', password: '12345678')
But that's no use to our users, so let's add a registration page.
Add the register page
Let's create a users controller to handle registering.
rails g controller users new
Manually add a controller action to create
- as it won't have a view.
Add the routes
get "register" => "users#new"
post "register" => "users#create"
Create a Registration Form
<h1>Register</h1>
<%= form_for @user, url: register_path do |f| %>
<%= f.email_field :email, placeholder: "Enter your email" %>
<%= f.password_field :password, placeholder: "Enter your password" %>
<%= f.password_field :password_confirmation, placeholder: "Please confirm it" %>
<%= f.submit "Register" %>
<% end %>
Controller Actions
We need to fill up our controller to serve these requests.
def new
@user = User.new
end
def create
@user = User.new(user_params)
if @user.save
flash[:success] = "Account Created. Please Login"
redirect_to root_path
else
render :new
end
end
private
def user_params
params.require(:user).permit(:email, :password, :password_confirmation)
end
We should now be able to register a new user, next we want to be able to log them in.
Logging In & Out (Sessions)
Using had_secure_password, we gain an authenticate method that we can call on any instance of a user and compare a password. It will return the user if the password is valid else false, for example...
User.find_by_email('paul@gmail.com').try(:authenticate, '123')
We can add a class method to our User model to wrap this up and find and return a user only if it exists and the password is valid - based on the passed in params from the controller.
Add a helper method to the class
app/models/user.rb
def self.find_and_authenticate_user(params)
User.find_by_email(params[:email]).try(:authenticate, params[:password])
end
The finished User model
class User < ActiveRecord::Base
validates :email,
presence: true,
uniqueness: {case_sensitive: false}
validates :password,
length: { in: 8..72 },
on: :create
has_secure_password
def self.find_and_authenticate_user(params)
User.find_by_email(params[:email]).try(:authenticate, params[:password])
end
end
Add the login pages
Let's create a session controller to handle logging in/out. We'll organize this by calling the controller sessions
, because in reality, we're creating and destroying sessions on login and logout.
rails g controller sessions new
manually add actions create
and destroy
- they won't have views.
Lets create some routes
get "login" => "sessions#new"
post "login" => "sessions#create"
delete "logout" => "sessions#destroy"
Lets generate a form
<h1>Login</h1>
<%= form_for :user do |f| %>
<%= f.email_field :email, placeholder: "Enter your email" %>
<%= f.password_field :password, placeholder: "Enter your password" %>
<%= f.submit "Login" %>
<% end %>
Wait, why are we using the symbol? See this StackOverflow answer
Authenticate
Authenticate the user on sessions#create
def create
user = User.find_and_authenticate_user(user_params)
if user
session[:user_id] = user.id
flash[:success] = "User logged in!!"
redirect_to root_path
else
flash[:danger] = "Credentials Invalid!!"
redirect_to login_path
end
end
def destroy
session[:user_id] = nil
flash[:success] = "User logged out!!"
redirect_to root_path
end
private
def user_params
params.require(:user).permit(:email, :password)
end
Add current User capabilities
class ApplicationController < ActionController::Base
# Prevent CSRF attacks by raising an exception.
# For APIs, you may want to use :null_session instead.
protect_from_forgery with: :exception
def is_authenticated
unless current_user
flash[:danger] = "Credentials Invalid!!"
redirect_to login_path
end
end
def current_user
@current_user ||= User.find_by_id(session[:user_id])
end
helper_method :current_user
end
The final line tells rails that we want the current_user method to be available inside of our views not just our controllers.
Adding Flash Messages
The flash
hash is accessible in every Rails controller and view. To access it, we'll need a way to iterate through the hash and print out the keys and values. The best way is to create a partial and include it on the layout (so it'll be on every page).
Partials have to start with an underscore in Rails. We can render the partial by using the render
helper.
With a partial at app/views/partials/_flash.html.erb
<%= render "partials/flash" %>
_flash.html.erb
<% flash.each do |key, value| %>
<div class="alert alert-<%= key %>">
<%= value %>
</div>
<% end %>
Protect a controller or action
To protect a controller or action we can simply add a before_action :is_authenticated
at the top. For example, let's add a profile page that you can only see when logged in.
class UsersController < ApplicationController
before_action :is_authenticated, only: [:profile]
...
def profile
end
Let's add a view.
users/profile.html.erb
<h1>Hello <%= current_user.email %></h1>
finally add a route to get there. We can also make it the default (root) route of our site.
root 'users#show'
get "profile" => "users#show"
Adding 1:M relationships with another model
Let's first add another model to relate to the user. In order for the user to have many pets, we can create the model by including the model name and references
as the type.
rails g model pet name user:belongs_to
This will make the following migration, which will include a userId in the pet model.
class CreatePets < ActiveRecord::Migration
def change
create_table :pets do |t|
t.string :name
t.references :user, index: true, foreign_key: true
t.timestamps null: false
end
end
end
Then, make sure to migrate and include the associations in each model.
rails db:migrate
models/user.rb
class User < ActiveRecord::Base
has_many :pets
# ...
end
models/pet.rb
class Pet < ActiveRecord::Base
belongs_to :user
end
Now try testing in the Rails console
User.first.pets
User.first.pets.create(name: 'Fido')
Pet.all
Pet.first
Pet.first.user
Once we create the CRUD controller for our pets, we can easily associate models with the logged in user, through the current_user method.
current_user.pets
current_user.pets.create(name: 'Fido')
current_user.pets.find_by(id: params[:id])
The last example is useful for stopping a user accessing a pet they didn't create. The query is effectively looking for a Pet with a particular id and also a particular user_id.
Relationship Constraints
Rails enables us to add additional properties to our associations. For instance we can tell rails to automatically delete all pets, if we delete their owner.
models/user.rb
class User < ActiveRecord::Base
has_many :pets, dependent: :destroy
# ...
end
If you don't want to delete the associated method but you want it to always have an owner then you can use a before_destroy action to reassign it, for example...
models/user.rb
has_many :pets
before_destroy :re_home
private
def re_home
# you can be more specific but here we just randomly pick another user, whose is not this one. If no user is found only then do we destroy the pets
new_owner = User.where.not(id: id).sample(1).first
if new_owner
pets.update_all(user_id: new_owner.id)
else
pets.destroy_all
end
end
Optional Ownership
Rails 5, will also stop us from creating a record that has a belongs_to association, unless that association exists. For example, we cannot create a Pet without an owner.
We can disable this behavior if we want using the optional flag.
models/pet.rb
class Pet < ActiveRecord::Base
belongs_to :user, optional: true
end