Password protection and validation

yeva USA
3 min readJan 2, 2022

There is no need to point out how important security is nowadays. Whenever we use an application, the first thing we want to be sure of is that it is secured and that no one can steal our information. The same goes for login credentials. We want our applications to open their secret files only to the people who registered to receive them, and only when they present the correct login information. Therefore, validations and the has_secure_password option in Rails are a great way to make sure that only an authorized person can access the information in the application.

I am currently working on my other application, and I will most certainly add validation to it. Validation checks that the necessary information is present whenever a client wants to add something through the API. For instance,

validates :password, presence: true, length: {minimum: 50}

will make sure that a password is present and that it is at least 50 characters long. In this case, a person won't be able to register without entering a password of at least 50 characters. After the validations run, I can return an error message if the password is missing or its length is wrong.

Let's look at password protection and at the error messages that validations can return as well.

class UsersController < ApplicationController
  # POST /users: build the user from the permitted params and run validations
  def create
    user = User.create(user_params)
    if user.valid?
      render json: user, status: :created
    else
      # validations failed (missing password, too short, confirmation mismatch, ...)
      render json: { errors: user.errors.full_messages }, status: :unprocessable_entity
    end
  end

  private

  # only these three attributes may come in from the client
  def user_params
    params.permit(:username, :password, :password_confirmation)
  end
end

The example above is partial code that checks whether the submitted password matches what the database requires and, if it does, lets you register and sign in; if it does not, it returns an error. Let's break it down and look at it in detail.

Obviously, we are working in a controller class here, UsersController. From that we know there is a database table holding users' information, and we can say it contains a username and a password, because the private method user_params permits exactly those attributes (plus password_confirmation) for the create (POST) action. The create method handles a POST request: it takes the information (params) sent by the front-end JavaScript and saves it to the database. So when we run user = User.create(user_params), we create a user in the database with a username and password. The if user.valid? part checks whether the password met the validation criteria. If it did, the user is created and will have access to the application, depending on authorization; if it did not, the user is not created and the client receives a 422 (Unprocessable Entity) response carrying the error messages.

Under the hood it is more complicated. Instead of writing our own rules for the password, storing them, and checking them by hand before creating a user or granting access, Rails gives us the has_secure_password method, which does this for us. All you need to do is add the has_secure_password macro to the User class (in this example), make sure the ‘bcrypt’ gem is installed, and add a password_digest column to the table. has_secure_password provides two new instance methods, password and password_confirmation. It takes the password, compares it to password_confirmation, and only if they match does it allow the user to be created and/or log in. has_secure_password also protects the password by storing only a bcrypt hash of it in password_digest, so the table never has a plain password column. With this method, passwords are secured and login is possible only for those with the correct credentials.
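To make the "under the hood" part concrete, here is an added example in plain Ruby. It is not code from the original post and not the Rails implementation: the class PlainUser and its methods are hypothetical stand-ins for what validates :password and has_secure_password give a Rails User model. Rails uses the bcrypt gem for the digest; this sketch uses PBKDF2 from Ruby's standard library so it runs without Rails or bcrypt installed. It shows the three things the post describes: presence and minimum-length validation, the confirmation check, and the fact that only a salted digest is ever stored while the password itself is discarded.

```ruby
# Added example: a plain-Ruby stand-in for has_secure_password plus
# `validates :password, presence: true, length: { minimum: ... }`.
# Not the Rails API. Rails hashes with bcrypt; PBKDF2 is used here only so
# the example runs with the standard library alone.
require 'openssl'
require 'securerandom'

class PlainUser
  MIN_PASSWORD_LENGTH = 8       # the post uses 50; 8 keeps the demo readable
  PBKDF2_ITERATIONS = 100_000   # slow-hash work factor, like bcrypt's cost

  attr_reader :username, :password_digest, :errors

  def initialize(username:, password:, password_confirmation: nil)
    @username = username
    @password = password
    @password_confirmation = password_confirmation
    @password_digest = nil
    @errors = []
  end

  # Mirrors the presence/length validation and the confirmation check that
  # has_secure_password adds (confirmation is only checked when it was sent).
  def valid?
    @errors = []
    if @password.nil? || @password.empty?
      @errors << "Password can't be blank"
    elsif @password.length < MIN_PASSWORD_LENGTH
      @errors << "Password is too short (minimum is #{MIN_PASSWORD_LENGTH} characters)"
    end
    if !@password_confirmation.nil? && @password != @password_confirmation
      @errors << "Password confirmation doesn't match Password"
    end
    @errors.empty?
  end

  # Like User.create: on success only "salt$digest" is kept in password_digest;
  # the clear-text password and confirmation are thrown away.
  def save
    return false unless valid?
    salt = SecureRandom.hex(16)
    @password_digest = "#{salt}$#{digest(@password, salt)}"
    @password = @password_confirmation = nil
    true
  end

  # Mirrors user.authenticate(password): re-derive with the stored salt and
  # compare in constant time so a wrong guess is rejected without leaking
  # where the mismatch occurred.
  def authenticate(candidate)
    return false if @password_digest.nil? || candidate.nil?
    salt, stored = @password_digest.split('$', 2)
    secure_equal?(digest(candidate, salt), stored)
  end

  private

  def digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: 32, hash: 'sha256').unpack1('H*')
  end

  # Constant-time string comparison (both inputs are 64 hex chars here).
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  user = PlainUser.new(username: 'alice', password: 'correct horse battery',
                       password_confirmation: 'correct horse battery')
  puts(user.save ? "stored: #{user.password_digest}" : user.errors.join(', '))
  puts "right password: #{user.authenticate('correct horse battery')}"
  puts "wrong password: #{user.authenticate('wrong')}"
end
```

Two points worth noticing: after save there is nothing in the object that could give the password back, only the digest, which is exactly why a Rails table gets a password_digest column instead of a password column; and the confirmation check is skipped when no confirmation was submitted, which matches how Rails treats a nil password_confirmation.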


Hello everyone! I am a student at a full stack code academy and a full-time employee in a medical office. I worked in animal rescue for some time.