Securing the Login for a Rails Ecommerce Application
In the first part of this four-part series we started to learn about security for an ecommerce application in Ruby-on-Rails. In this second part we're going to test some of what we did in the first part, and implement some important login features. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).
Securing the Login for a Rails Ecommerce Application - Implementing the Fail Log In User Story (Page 2 of 4)
To make sure that logging in with incorrect credentials doesn’t work, we can use the same basic code we already have in place in test/integration/authentication_test.rb, with only some slight additions to the DSL:
    # Shared helper: submit the login form with the given credentials.
    def post_login(login, password)
      post "/account/login", :login => login, :password => password
    end
  end

  # Open a fresh integration session for a named user and extend it with the DSL.
  def enter_site(name)
    open_session do |session|
      session.extend(BrowsingTestDSL)
      session.name = name
      yield session if block_given?
    end
  end
end
As you can see, Harry's case is similar to George's, but he tries to log in with an account that doesn't exist. In attempts_login_and_fails, we check that he is not redirected and is served the login form again. You can run the test and see that it almost works:
$ ruby test/integration/authentication_test.rb
--------------------------------------------
Loaded suite test/integration/authentication_test
Started
F.
Finished in 0.36565 seconds.

  1) Failure:
test_failing_login(AuthenticationTest)
    [test/integration/authentication_test.rb:45:in 'attempts_login_and_fails'
     test/integration/authentication_test.rb:20:in 'test_failing_login'
     /usr/local/lib/ruby/gems/1.8/gems/actionpack-1.12.1/lib/action_controller/integration.rb:427:in 'run']:
<"Incorrect login!"> expected but was
<nil>.
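The failure shows that the controller does not yet set the flash message the test expects. As an added illustration, not code from the book, here is a framework-free Ruby model of the authentication path that satisfies that expectation: the in-memory `USERS` table, the `authenticate` and `login_action` names and the `/admin/book` redirect target are all assumptions, and the point is that an unknown account (Harry) and a wrong password produce exactly the same response.

```ruby
require 'digest'
require 'securerandom'

# Passwords are stored as SHA-256(salt + password), never in clear text.
def hash_password(salt, password)
  Digest::SHA256.hexdigest(salt + password)
end

# Constructed in-memory user table standing in for the User model and fixtures.
USERS = {
  "george" => begin
    salt = SecureRandom.hex(8)
    { :salt => salt, :hashed_password => hash_password(salt, "secret") }
  end
}

# Dummy credential hashed when the login does not exist, so the unknown-user
# path does the same amount of work as the wrong-password path.
DUMMY_SALT = SecureRandom.hex(8)
DUMMY_HASH = hash_password(DUMMY_SALT, SecureRandom.hex(16))

# Compare two hex digests without stopping at the first differing byte.
def secure_equal(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
end

# Returns the user record on success, nil otherwise. A nonexistent login
# still performs a hash computation and comparison before returning nil.
def authenticate(login, password)
  user = USERS[login]
  salt = user ? user[:salt] : DUMMY_SALT
  expected = user ? user[:hashed_password] : DUMMY_HASH
  ok = secure_equal(hash_password(salt, password.to_s), expected)
  ok && user ? user : nil
end

# The login action as a plain function: success redirects to the admin area,
# failure re-renders the form with one generic flash message for every cause.
def login_action(params)
  if authenticate(params[:login], params[:password])
    { :redirect_to => "/admin/book" }
  else
    { :render => "account/login", :flash => { :notice => "Incorrect login!" } }
  end
end
```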