Authentication and Authorisation

Another week has flown past!  Last week we learnt a few essential concepts and I also had a few ideas about the type of problems I would like to solve.  We did a bunch of work on authentication and authorisation.

Working on authentication was fascinating.  So when you have an app you obviously would like to customize the experience for your users, which means you need to identify and recognize them.  The easiest way to do this is by getting users to register and choose a password.

Here is an example of a Registration page asking for a password and confirmation

But storing users' passwords in your database in plain text is a bad idea, since most people reuse the same password for many services, so a leak of your table is a leak of their email and bank logins too.  Encrypting the passwords is not the fix either: encryption is reversible by design, and anyone who obtains the stored values along with the key (an attacker who has your database usually has your application config as well) can recover the original passwords.

The answer is a one-way hash function.  It cannot be reversed, and the same input always produces the same output, so at login you hash whatever the user typed and compare it with the stored hash; the original password never needs to be recovered.  Good password hashes also mix in a random salt per user, so two users with the same password get different stored values and an attacker cannot use one precomputed table against the whole database; the salt is kept next to the hash and reused when checking a login.  Like many other features that most apps use, there is a gem to help with this in Rails, which once again makes the whole process a breeze.

Once registered a new user can just log in for future visits

Now you would think that when choosing a hash function you would want something hard to crack that still does its work as quickly as possible; but it turns out you actually want one that is deliberately slow.  An attacker who steals the database has to run the same function once per guess, so a function that takes tens of milliseconds turns billions of guesses per second into a few hundred, while a legitimate user logging in once never notices the delay.  This article on How to safely store a password explains it in detail.  So we ended up using bcrypt.
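Here is an added example, not code from this post or from Starter League, of what "one-way, salted and slow" looks like in practice and why it beats a plain hash. It uses PBKDF2-HMAC-SHA256 from Ruby's standard library as a stand-in for the bcrypt gem so that it runs with no gems installed (bcrypt likewise packs the cost, salt and hash into one stored string); the names PasswordStore, hash_password, verify, naive_hash and secure_compare are mine.

```ruby
require 'openssl'
require 'securerandom'
require 'digest'

# Added example (not from the original post): storing and verifying a slow,
# salted, one-way password hash. PBKDF2-HMAC-SHA256 from the standard library
# stands in for the bcrypt gem; the ideas are the same ones bcrypt applies:
# a random per-user salt, a tunable work factor, and a login check that
# re-hashes the attempt instead of ever decrypting anything.
module PasswordStore
  ITERATIONS  = 100_000 # work factor: raise it as hardware gets faster
  KEY_LENGTH  = 32      # bytes of derived key (256 bits)
  SALT_LENGTH = 16      # bytes of random salt per password

  # The naive approach, for contrast: an unsalted, fast hash. Every user with
  # the same password gets the same stored value, and guesses can be checked
  # at hardware speed or looked up in a precomputed table.
  def self.naive_hash(password)
    Digest::SHA256.hexdigest(password)
  end

  # Returns a self-describing record "iterations$salt$key" (hex encoded), so
  # the salt and work factor used at registration are available again at login.
  def self.hash_password(password, iterations: ITERATIONS)
    salt = SecureRandom.random_bytes(SALT_LENGTH)
    key  = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH, 'sha256')
    [iterations, salt.unpack1('H*'), key.unpack1('H*')].join('$')
  end

  # Re-derives the key from the login attempt using the stored salt and
  # iteration count, then compares it with the stored key. The password is
  # never recoverable from the record; only match or mismatch is learned.
  def self.verify(password, stored)
    iterations, salt_hex, key_hex = stored.to_s.split('$', 3)
    return false if iterations.nil? || salt_hex.nil? || key_hex.nil?
    salt = [salt_hex].pack('H*')
    key  = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations.to_i, KEY_LENGTH, 'sha256')
    secure_compare(key.unpack1('H*'), key_hex)
  end

  # Constant-time comparison: a mismatch in the first byte takes as long as a
  # mismatch in the last, so response timing does not reveal how close a guess was.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  # Constructed sample data: two users who happen to pick the same password.
  alice = PasswordStore.hash_password('correct horse battery staple')
  bob   = PasswordStore.hash_password('correct horse battery staple')
  puts "same password, different records? #{alice != bob}"
  puts "naive hashes identical?           #{PasswordStore.naive_hash('x') == PasswordStore.naive_hash('x')}"
  puts "login with right password: #{PasswordStore.verify('correct horse battery staple', alice)}"
  puts "login with wrong password: #{PasswordStore.verify('correct horse', alice)}"

  # Why slow matters: time the same number of guesses against each scheme.
  guesses = 20
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  guesses.times { |i| PasswordStore.naive_hash("guess#{i}") }
  fast = Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  guesses.times { |i| PasswordStore.verify("guess#{i}", alice) }
  slow = Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  printf("%d guesses: unsalted SHA-256 %.5fs, PBKDF2 with %d iterations %.3fs\n",
         guesses, fast, PasswordStore::ITERATIONS, slow)
end
```

The iteration count is the knob that keeps the scheme slow as hardware improves; because it is stored in the record, old hashes still verify after you raise it for new registrations, and you can re-hash a user's password at their next successful login.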

The next step after authenticating users is authorisation: deciding which users should have access to which parts of your app.  Knowing who someone is does not mean they may do everything, so each action needs an explicit check, and anything not explicitly allowed should be refused.  Once again, this is something Rails makes very easy!
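To show the shape of such a check, here is an added example in plain Ruby; it is not from this post and not a Rails API. It models a deny-by-default policy where a rule must grant an action explicitly, and where ownership of a record matters as well as the user's role. User, Post, PostPolicy, NotAuthorised and the :admin/:member roles are my own illustrative names.

```ruby
# Added example (not from the original post, not a Rails API): a small
# deny-by-default authorisation check. Every action is forbidden unless a rule
# explicitly grants it, and rules may look at both the user's role and whether
# the user owns the record, since "is logged in" is not the same as "may edit".
User = Struct.new(:id, :role)      # role is :admin or :member (constructed)
Post = Struct.new(:id, :author_id)

class NotAuthorised < StandardError; end

module PostPolicy
  # Each rule answers "may this user perform this action on this post?".
  # Unlisted roles and unlisted actions fall through to "no".
  RULES = {
    admin:  ->(_user, _action, _post) { true },
    member: ->(user, action, post) {
      case action
      when :read           then true
      when :edit, :destroy then post.author_id == user.id
      else false
      end
    }
  }.freeze

  def self.allowed?(user, action, post)
    return false if user.nil?              # anonymous visitors get nothing
    rule = RULES[user.role]
    return false if rule.nil?              # unknown role: deny, don't guess
    rule.call(user, action, post) == true  # only an explicit true grants
  end

  # Controller-style entry point: raise rather than silently continue.
  def self.authorise!(user, action, post)
    unless allowed?(user, action, post)
      who = user ? user.role : 'anonymous'
      raise NotAuthorised, "#{who} may not #{action} post #{post.id}"
    end
    true
  end
end

if __FILE__ == $0
  # Constructed sample users and a post owned by alice.
  alice = User.new(1, :member)
  bob   = User.new(2, :member)
  root  = User.new(3, :admin)
  post  = Post.new(10, alice.id)
  [[alice, :edit], [bob, :edit], [bob, :read], [root, :destroy], [nil, :read]].each do |user, action|
    who = user ? user.role : 'anonymous'
    puts "#{who} #{action} post #{post.id}: #{PostPolicy.allowed?(user, action, post)}"
  end
end
```

The two things worth copying are the default branch (`else false`, and nil for an unknown role) and the ownership comparison: an authorisation bug that lets one member edit another member's post is just as real as a missing login check.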

I think The Starter League has done an awesome job so far with the curriculum; it feels like they introduce us to the right concept at the right time in the right dose.  They also leave enough for us to figure out on our own. This week Jeff, the Chief Instructor at Starter League, shared this video that shows a little of the teaching methodology they try to follow:

It was another great week, it was fun learning about authentication and authorisation. I have also spent a great deal of time this week thinking about the problems I would like to solve, and will do another post about that.