#67 restful_authentication
Need multiple user authentication? If so, the restful_authentication plugin is a great way to go. It will generate some basic authentication code for you, which is a good starting point for your authentication system. Watch this episode for details.
There is a space in the link to "067_resful_authentication.mov", and some browsers have problems with the download. Using wget is a solution.
Yes, k is right. For example my iTunes can't download this episode!
Thanks, this is the one I've been looking for. I'm looking forward to the next episode on OpenID.
I'm downloading the video as I write this so I'm not sure if it's covered within or not. The tests generated by the plugin use assert_difference and assert_no_difference methods not yet available on stable Rails (I've heard they are available only on edge rails).
Hi, I'll work out where to send this (I guess to RO) but I thought I'd note here that the before filter method in lib/authenticated system wants to call login in the session controller, but the default routing and setup use new. So if I just bolt in the default before filter it blows up... changing it to call new makes it all go.
Anyway, thanks for another awesome screencast. It really helped me.
Ryan, was wondering if you could describe how to differentiate the flash.now[:error] to tell the difference between an incorrect password and a user who may not have yet activated their account?
I use RESTful Auth a lot and recently ran into a problem with redirects I can't seem to solve. I don't want to clutter up your comments so:
http://railsforum.com/viewtopic.php?id=8794
i love you!
excellent work, was gonna tackle this alone this week...
now i have a podcast, ho ho ho!
;-)
good work
John.
A fantastic screencast as always - RESTful authentication is an excellent start to an authentication system, and nice to build upon. I recently worked role based authentication (as seen in the Rails Recipes book) into this setup with surprising ease. It offers a great RESTful way to control access to controller/action pairs through rights and roles.
For those that want to keep the URL of "/login" when you submit, you can do the following in your routes.rb:
map.login '/login', :controller => 'session', :action => 'new', :conditions => { :method => :get }
just add the :conditions part to the current named route map.login
map.connect '/login', :controller => 'sessions', :action => 'create', :conditions => { :method => :post }
and in your form, put login_path. Now when you submit your form it will stay on '/login' instead of '/session'
if you run rake routes, you can see it.
@viniosity, I haven't checked how restful_authentication handles the account activation, so I'm not sure on the details. You would likely have an "if" condition in the controller checking whether or not the account is activated and display the appropriate error message.
Rick handled the activation part really well, you'll just have to tweak the files a bit. I did a quick post to show the ideas on how to extend it with activation: http://rubyurl.com/gFX
Can you post a link for your code to review please
I am getting an error
"NameError in SessionController#new "
when I go to
http://localhost:3000/login or
http://localhost:3000/logout
can anyone help me?
I recommend posting this problem on railsforum.com so you can post the details on what you've done and the full stack trace.
nice screencast!, ey ryan, maybe a railscast of a simple rbac?, it will be nice ;).
anyway great railscasts ryan!
c'ya
Ryan, I think it would be great if you made a quick little episode demonstrating how to add a forgot password function to the restful_authentication system. This would not only demonstrate the function itself, but demonstrate adding custom actions to a restful application. Just a thought!
@bug
I believe the restful_auth plugin has been updated since this railscast.
As such, the users controller no longer exists.
Routes that work for me, YMMV.
map.resources :users
map.resource :session
map.signup '/signup', :controller => 'session', :action => 'signup'
map.login '/login', :controller => 'session', :action => 'login'
map.logout '/logout', :controller => 'session', :action => 'logout'
Hope that helps others, threw me for a while as I've got a few projects using this plugin, all as per the railscast.
I just installed this and somehow didn't notice that there was an activation option. I wrote my own before figuring it out, and it ended up being the same thing anyway.
Just wanted to say that it is super easy to install with activation, and even without knowing that option was there, this screencast made my decision for me on how to authenticate.
Thanks Ryan!!!
Just thought I should add that if you want it to install with activation, just include :include_activation as an option when you install
Great Job Ryan,
One little recommendation; If you could show how to do tests with this plugin that could help some people out. I've been trying to do TDD but having a hard time learning everything at once.
(Mainly referring to before_filter :login_required and how to create a login during a test on a controller)
Keep up the great work!
Andrew
In my case (edge rails and latest plugin) I think it should be "sessions" controller not "session" as this matches the routing.
@KL, yeah, just noticed this myself recently. If you are using the singular name then you will need to specify it in the routes (in edge rails).
map.resource :session, :controller => 'session'
Or alternatively (in Rails > 1.2.3), simply go with Rails' flow and use "sessions" as the controller name:
script/generate authenticated user sessions
:-)
I wonder if they'll change the singular resource name convention again next time?
Nice screencasts, helped a lot! BTW, what software have you made it with?
I wanted user records in my app to have various statuses. Here's how I modified restful_authentication with acts_as_state_machine to accomplish this. I'll call it stateful_authentication
I installed this plugin but encountered the following problems. Thanks in advance, to anyone who help enlighten me.
1. For my case, MVC for HOME (home/index) is not generated automatically. Do I have to create it myself? Anyway, I created Home controller and view.
2. When I entered the wrong password, I do see error message "Authentication failed".
But, when I entered the correct password, I was re-directed to "http://localhost:3000/", but it does not display the Welcome page (/home/index.rhtml). I did change routes.rb to enter the first line - "map.home '', :controller => 'home', :action => 'index'".
@Lucky, I believe I answered this on railsforum.com, but I'll answer it here for completeness. You need to remove the index.html file from the public directory so the home page will work.
If I use 'sessions' as plural when I generate, I get this error when I try to start the login page: "uninitialized constant SessionController". I have "map.resource :session, :controller => 'session'" in my routes.rb.
Try this (pluralize sessions):
map.resource :session, :controller => 'sessions'
Do you know why one of the tests fails:
ruby test/unit/user_test.rb
1) Failure:test_should_require_password(UserTest) [test/unit/user_test.rb:23:in `test_should_require_password' /Users/ia00stai/railsdev/signmeup/trunk/signmeup/config/../lib/authenticated_test_helper.rb:16:in `assert_difference' /Users/ia00stai/railsdev/signmeup/trunk/signmeup/config/../lib/authenticated_test_helper.rb:24:in `assert_no_difference' test/unit/user_test.rb:21:in `test_should_require_password']:<nil> is not true.
@ari, I recommend posting this on railsforum.com as I need to see the code and more details before knowing what's wrong.
Ryan,
Great screencasts, these are incredibly useful. How about a screencast that looks at adding roles/authorization, so admin can edit anything but users can only edit their stuff?
David
@David, I talk a little bit about this in episodes 20 and 21, but I haven't gone into details on role based authorization. Thanks for the suggestion.
http://railscasts.com/tags/9
Thank you for the excellent casts. Executing script/generate authenticated user session as shown in the cast doesn't create the users_controller.
Env:
Windows xp
Ruby 1.8.6
Rails 1.2.3
I got to generate the users_controller by executing "script/generate authenticated user" first, then "script/generate authenticated user session" to generate the session files.
Ryan, in episode #13, "Dangers of Model in Session" you mention that it is a good practice to avoid storing model data within a session, or at least minimizing the amount of model data you store in a session.
In looking through the source code for the restful_authentication plugin, it appears as though that plugin is storing information in a @current_user variable and in a session variable (assuming your model is called user).
Is the approach being used in that plugin to store the user model in the session? I was just a little confused and thought you might be able to chime in on the topic.
hi,
if I override the to_param in user model, I will get more meaningful urls in
localhost:3000/users/peter_permalink/tests
instead of
localhost:3000/users/2/tests
however, that makes my restful_authentication plugin not work so well.
is there a way out?
thanks
going to try this in rails 2.0 right now, I will let you know how it goes. great screencasts ryan they have been helping me out a lot!
Best,
Good vid but don't follow the advice about not pluralising your sessionscontroller - rails is notorious for throwing up bugs when it comes to this kind of thing, and it took me several hours to work out why there were weird 'uninitialized constant SessionsController' errors. Totally bad advice.
I followed this using Rails 2.0.2 and found I had to alter line 67 of authenticated_system.rb from:
redirect_to new_session
to
redirect_to :controller => 'session', :action => 'new'
... in order to avoid the "undefined local variable or method `new_session'" error.
Hi,
I followed this using Rails 2.0.2 and Ruby 1.8.6. I had to use:
"generate authenticated user sessions" to get the SessionsController.
Then it works fine and no changes of authenticated_system.rb needed. With
"generate authenticated user session" I got stuck with a Name Error:
uninitialized constant SessionsController
Thanks for the great screencast! One (possibly stupid) question though: Where in the rails app does the third quoted file (index.rhtml) go to make it work?
Okay, sorry, I just answered the question myself. I had to generate the "home" controller and put the index.rhtml in the corresponding views directory.
If you get sessioncontroller uninitialized controller, then
put these lines in your routes.rb
#-------------------
map.resources :users
map.resource :session#, :controller => 'sessions'
map.signup '/signup', :controller => 'users', :action => 'new'
map.login '/login', :controller => 'sessions', :action => 'new'
map.logout '/logout', :controller => 'sessions', :action => 'destroy'
#----------------------
@ Premek
See http://beast.caboo.se/forums/2/topics/1077
So instead of
map.resource :session
use rather
map.resource :session, :controller => 'session'
Excelente, gracias :)
Hey Ryan,
First of all thanks for casts.
All of them really helpful.
Maybe you can answer my question.
Made several projects with restful_authentication but still didn't figure out bonuses of salt in model. I thought salt is required for decrypting but using sha we don't have such option.
Thanks,
Vince
@vince, from my understanding the salt doesn't have anything to do with decrypting. A salt is just a random string of characters appended to the password before hashing. This helps prevent dictionary attacks if someone is trying to break the hash. I'm no expert on encryption, so take this with a grain of salt (pun intended).
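The salting described in the reply above, as an added Ruby example that is not part of the original comments and is not restful_authentication's own code. The account names, passwords, word list and helper names are constructed for illustration, and SHA-256 stands in for the "sha" mentioned in the question.

```ruby
require "digest"
require "securerandom"

# Constructed sample accounts; two of them share a password.
ACCOUNTS = {
  "alice" => "sunshine",
  "bob"   => "sunshine",
  "carol" => "x7#Lq!92pV"
}.freeze

# Constructed word list standing in for a dictionary of common passwords.
WORDLIST = %w[password letmein sunshine].freeze

# Unsalted scheme: the stored value depends only on the password.
def unsalted_hash(password)
  Digest::SHA256.hexdigest(password)
end

# Salted scheme as described above: a random per-user string is appended
# to the password before hashing, and stored next to the hash.
def salted_hash(password, salt)
  Digest::SHA256.hexdigest(password + salt)
end

def unsalted_records(accounts)
  accounts.map { |login, pw| [login, { hash: unsalted_hash(pw) }] }.to_h
end

def salted_records(accounts)
  accounts.map do |login, pw|
    salt = SecureRandom.hex(16) # 128 random bits, unique per user
    [login, { salt: salt, hash: salted_hash(pw, salt) }]
  end.to_h
end

# Login check: nothing is decrypted. The candidate password is hashed again
# with the stored salt and the two digests are compared.
def authenticate(record, password)
  salted_hash(password, record[:salt]) == record[:hash]
end

# Audit helper: which logins would a single precomputed hash => word table
# (built once, without knowing any salt) reveal in a leaked users table?
def exposed_by_precomputed_table(records, wordlist)
  table = wordlist.map { |w| [unsalted_hash(w), w] }.to_h
  records.select { |_login, rec| table.key?(rec[:hash]) }.keys
end
```

A salt only forces the dictionary work to be repeated for every account; it does not make a single guess slower, which is why current practice pairs it with a deliberately slow password hash such as bcrypt.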
Ryan,
Thanks for the railscasts! They're great.
I just tested out the restful authentication and noticed the Rails log had the password param unencrypted: "password"=>"abcd1234." I think I've seen documentation about hiding that param in the log file. But, is it also sent in clear text across the wire from browser to server?
Steve,
add something like this to your application.rb file:
filter_parameter_logging :password, :password_confirmation
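What that filter does to a logged request, as an added plain-Ruby example that is not part of the original comments and is not Rails' implementation. `filter_params`, `log_line`, `leaks?` and the sample parameters are hypothetical names and constructed data; in this sketch a key is filtered when its name contains one of the given words.

```ruby
FILTERED = "[FILTERED]"

# Simplified stand-in for log parameter filtering (not Rails' code):
# any key whose name contains one of the given words, case-insensitively,
# has its value replaced, at any nesting depth. The input is not modified.
def filter_params(params, *words)
  return params if words.empty?
  pattern = Regexp.new(words.map { |w| Regexp.escape(w.to_s) }.join("|"),
                       Regexp::IGNORECASE)
  walk = lambda do |value|
    case value
    when Hash
      value.each_with_object({}) do |(k, v), out|
        out[k] = k.to_s =~ pattern ? FILTERED : walk.call(v)
      end
    when Array then value.map { |v| walk.call(v) }
    else value
    end
  end
  walk.call(params)
end

# Constructed request parameters for a signup form post.
SAMPLE_PARAMS = {
  "action" => "create",
  "user" => {
    "login" => "steve",
    "password" => "abcd1234",
    "password_confirmation" => "abcd1234"
  },
  "commit" => "Sign up"
}.freeze

# Build the line that would be written to the log for this request.
def log_line(params, *words)
  "Parameters: #{filter_params(params, *words).inspect}"
end

# Check to run over log lines in a test: does a known test secret appear?
def leaks?(line, secret)
  line.include?(secret)
end
```

Filtering only changes what is written to the log file; whether the password is readable on the wire depends on the form being submitted over HTTPS.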
question about plugins:
I spent a lot of time trying to install the restful_authentication plugin, but when I'm at work behind the corporate firewall it doesn't find the install repository. But when I did it on my home DSL connection, it installed first time.
At work I can go to the techno-weenie site in my browser, so is the problem caused by script/plugin install using a protocol other than http?
Thanks for the great screencast!
I found it useful for me, so I've made a summary of your screencast and put it in my blog. The permalink is: http://xucros.com/2008/4/18/restful-authenticationin-rails-quickly
Please, let me know if I should remove or change it.
Thank you for the great webcasts, Ryan. FINALLY some tutorials that work!
If I wanted to break the login controls out onto the home page (say with as the home controller in your example, rather than having the user click on a login link), how would I tell the home controller to get the User controller to make a new session?
Right now if I put the controls on the home page, the submit of course gets me an "uninitialized constant SessionsController" stack trace...
Thanks a lot, Ryan!
This was short and to the point, exactly what I was looking for.
Keep up the great work!
I know I'm asking a question long after the cast was posted, but I've been having trouble with this for a while.
When I include the AuthenticatedSystem module in the Application controller, the function "logged_in?" works correctly, but whenever I try any other methods such as "authorized?", Rails throws an error saying it's not defined?
Any ideas?
Nick
Why not tell us total noobs about how you created the home controller and where you put that code for index.rhtml (for completeness)
noobs are like gravy we run all over the internet looking for holes
Nick, I'm hitting the same problem you are about the defined methods. Would be great if you or someone figured it out...
aaah, answered my (and your) question. Any methods you add that you want to be available outside of the protected methods in this class need to be added to the self.included call later in authenticated_system.rb.
The correct command is :
script/generate authenticated user sessions
NOTE: use plural sessions and not singular session as you showed in your screen cast. Else you will have the following error when you try to log in:
uninitialized constant SessionsController
This little thing wasted my 3 hours. You should fix it in your screen cast.
Thanks, good one!
BTW, I also had to use sessions (in plural), got that "uninitialized constant SessionsController" error, no matter what I did in routes...
ruby script/generate authenticated user sessions
I used the "generate authenticated user session" and I get the "uninitialized constant SessionsController" error. The suggested route.rb changes don't fix it, as jack says above.
Do I need to back out and redo the generate script? Or are there files I can edit to make session work? Ryan: Why did it work for you and not others? Thanks for any info
I tried using session singular when using script/generate but I ran into problems. I undid that and used plural sessions as recommended in the README. I still got the uninitialized constant error but that got resolved when I pluralized session in defining the login and logout routes.
In order for my generate to work with a fresh application:
1. I had to sym link vendor/plugins/restful_authentication/lib to the main project directory
2. I had to make sure that test/fixtures existed
for those people that used a singular Session and get the "uninitialized constant SessionsController"
So instead of
map.resource :session
use rather
map.resource :session, :controller => 'session'
flash.now[:error] is not working. Please advise on how I can show errors during login.
thanks a lot for the great video.
The plugin can now be obtained from http://github.com/technoweenie/restful-authentication/tree/master
Thanks a lot, you solved my problem.
Thanks for this great screencast. All of them are very helpful!
I can't get the
flash.now[:error] = "Text here"
to work it never shows up. I tried :notice as well but it does not work.
Any advice on this one?
Cheers Juergen
@Juergen
To get the flash to display I added the following to my sessions/new.html.erb
<% if flash[:error] -%>
<div id="error"><%= flash[:error] %></div>
<% end -%>
This was a great screen cast.
Once I set this up in my rails application with Passenger, it works fine development wise. But when I switch it to production mode, via passenger or running on mongrel, I'm no longer able to login. Any ideas on what would cause this?
@Steve
Cool, that does it!
Thanks
@Jonathan,
Did you ever get this working? I'm having the same problem.
I'm using Rails 2.3.0; and it all works fine when I run the app with mongrel, but as soon as I run it through a mongrel_cluster behind nginx I can login, but NOT logout.
Anyone else have any ideas why this might be?
Jimminy Cricket.
I figured it out (sort of). I've been pulling my hair out for days and just upgraded to rails 2.3.1 and the problem is gone. specify 2.3.0 in the environment.rb and it's back -- 2.3.1 gone.
So my logout with a mongrel cluster problem was not my problem at all.
Hello, just tried running it on 2.0.2 and I get a NameError in UsersController#new
also the label_tag didn't work, but assuming that's because that method doesn't come into play until 2.1.+?
What is causing this error?
uninitialized constant User::Authentication
Like many folks here I used Ryan's suggestion and used the singular form of "session" during generate and I get the same NameError in SessionsController#new
Paul's suggestion (Posting 84) as below
>map.resource :session
>use rather
> map.resource :session, :controller => 'session'
makes the whole thing go in an infinite loop that FF aborts out of.
Ryan - It will help the user community save hours of figuring this out if you can suggest the right way to fix it when using singular form of session. Thanks.
For completeness, I tried Ryan's suggestion in comment 34 and changed
map.resource :session
to
map.resource :session, :controller => 'session'
in routes.rb and that caused FF to go in an infinite loop as well. I am on 2.2.2 with FF 3.0.8
Anyone else seeing this problem?
w.r.t postings 99 and 100. The error was a beginner mistake - had the before filter setup that was taking me in a loop.
Ryan - These sessions are very helpful. Appreciate your doing it.
Still not very clear on what map.resource :session, :controller => 'session' accomplishes but will figure that out. Thanks.
I used restful authentication twice. the first time, it was OK. but the 2nd time it's just not working. I've done exactly as in this screencast but I can access to my controllers without logging as if Restful_authentication is not installed.
Thanks for a help!
I try and login (/login) I get: session_url failed to
generate from {:controller=>"sessions", :action=>"show"} - you may
have ambiguous routes, or you may need to supply additional parameters
for this route. content_url has the following required parameters:
["sessions", :id] - are they all satisifed?
Please help... Where is the mismatch?
Hi,
I can't get the message "unauthorized access" from the authorize function to be displayed. Trying to access restricted page when not logged in gets redirected to the home OK but the message isn't displayed. My home model is Type and in the 'index' view (app/views/types/index.html.erb) I have tried:
<%= error_messages_for :type %>
with no success.
... small addition. If I use
<%= flash[:error] %>
in a template the message gets displayed but it's not styled.
... sorry, it seems I should have just read all the comments, see it from
Steve Feb 14, 2009 at 01:50
now. Thanks Ryan, thanks guys, keep up the great job!
This guy documented all the steps without missing anything, use it, it works:
http://snippets.aktagon.com/snippets/167-How-to-install-and-use-the-restful-authentication-Rails-plugin
@Untitled TV: Try restarting script/server. That worked for me.
-Daniel
Rails: a method to develop in 1/3 the time, then spend 10x as long debugging and tracking down obscure missing modules
Thanks comment 79. for saving me time :)
Great screencast, cheers !.
Do you know of any resources for creating controllers/views where users could edit their signup information? I tried creating my own but it seems that there is some code I am missing that was generated that redirects my edit form submission to the create controller method for users. I can't seem to get it to call my edit method, is there some code I should add to my routes.rb file?
I already have
map.logout '/logout', :controller => 'sessions', :action => 'destroy'
map.login '/login', :controller => 'sessions', :action => 'new'
map.register '/register', :controller => 'users', :action => 'create'
map.signup '/signup', :controller => 'users', :action => 'new'
map.connect ':controller/:action/:id'
map.connect ':controller/:action/:id.:format'
Sorry please ignore my last comment, I was forgetting to change my form elements ( form_for @user ).
See http://railsforum.com/viewtopic.php?pid=115502#p115502
I want to use this plugin with sessions table with configuration in environment.rb
config.action_controller.session_store = :active_record_store
and
rake db:sessions:create
rake db:migrate
but strange its not allowing me to login. and if I remove configuration from environment.rb its working
any idea ??
I want to use sessions with sessions table.
Thanks for the tutorial. It was very useful for me. :-)
thanks!!!
Thanks
Hello,
I am using Rails 3.
script/plugin install git://github.com/technoweenie/restful-authentication.git doesn't seem to work for me.
-bash: script/plugin: No such file or directory
is the error that I get from that command. Anyone, please rectify the error going on.
Nice gravedigging ;)
As of Rails 3.2 plugins are deprecated. Also this is a very old episode and restful_authentication itself hasn't been updated for more than a year.
Consider following some newer episodes on authentication. You could try asking Ryan for a revisit, but I doubt it'd be high on his list.