We've been building an ecommerce application for an online bookstore. Now we've reached one of the most important stages in the application's design: building in the security to prevent malicious hackers from wreaking havoc. This four-part series shows you how to protect your application. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).
Security for a Rails Ecommerce Application (Page 1 of 4 )
Our application is already fairly extensive. George can administer all kinds of things in the application, including books, authors, and publishers. However, the application has one major shortcoming: Anyone can browse to the administrative part of the site and wreak havoc by deleting and editing information.
In this chapter, we will show you how to implement a basic authentication system for an application with the help of theacts_as_authenticatedplugin. We will also take a look at some common security problems in web applications and give you tips on how to use Rails to avoid them.
Getting the Authentication Requirements
We need to support three basic scenarios in the Emporiumís authentication system:
Log in: George has just gotten his hands on Henrik MŚrtenssonís Pro Ruby, and absolutely wants to add it to his catalog. However, as he hasnít logged in already, when he tries to access the admin section of the site, he is redirected to a login page. George gives his credentials and is automatically redirected to the add book page, where he tried to go in the first place.
Fail log in: While George is busy maintaining his catalog, another guy tries to access the admin pages, too. His name is Dirty Harry and his intentions are too evil to print here. Luckily for George, Harry doesnít know the admin username and password. Harry is redirected to the login page, just as George is. Here, he tries to log in with scott/tiger, so his attempts fail, and he is just shown the login form with an error message each time.
Reset password: George has an amazing memory. Itís just sometimes a bit short. Thus, occasionally, he forgets his password to the system. Then he just clicks a link to reset his password, and the system sends him the new one by e-mail. After he has received the new password, he can again log in to the system successfully.
Once we put together the authentication system, George will sleep a lot more peacefullyóhe wonít need to worry about people wreaking havoc on the Emporium site.