Sunday, February 6, 2011

Rails - Task I: Logging In

For this task I decided to diverge from the book. From what I've heard attending Atlanta's local chapter meetings for OWASP (www.owasp.org), own-rolled authentication is at the root of far too many security flaws and breaches in web applications. Granted, this book touches on some of the oft-overlooked necessities (e.g. salted hash passwords), but for a real live website, I always push to use a robust, tested, peer-reviewed plugin over hand-rolled code. At the very least, typical project timelines leave little time for developers and testers to stay current on the ever-evolving threat landscape. If your shop is different, please, please help out the rest of us.
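The "salted hash passwords" point above is worth seeing in code. The following is an added example, not code from the book or from authlogic: it contrasts an unsalted digest (identical passwords store identically, so one cracked value or a precomputed table exposes every matching account) with a per-user salted, iterated PBKDF2 digest, and compares digests in constant time. The iteration count and helper names are assumptions chosen for illustration.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not code from the book or from authlogic): why a stored
# password needs a per-user salt and why comparison must be constant-time.

ITERATIONS = 20_000 # assumed work factor; raise it for production hardware
KEY_LENGTH = 32     # bytes of derived key

# Unsalted digest: two users with the same password get the same stored
# value, so a single cracked hash (or a rainbow table) matches all of them.
def unsalted_digest(password)
  OpenSSL::Digest.new('sha256').hexdigest(password)
end

# Salted, stretched digest: a random salt per user makes equal passwords
# hash differently, and the PBKDF2 iterations slow down offline guessing.
# Returns both pieces, since the salt must be stored beside the digest.
def salted_digest(password, salt = SecureRandom.hex(16))
  key = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, KEY_LENGTH,
                                   OpenSSL::Digest.new('sha256'))
  { salt: salt, digest: key.unpack1('H*') }
end

# Constant-time comparison: runtime does not depend on how many leading
# bytes matched, so a caller cannot narrow the digest byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a login attempt against a stored { salt:, digest: } record.
def verify_password(password, record)
  candidate = salted_digest(password, record[:salt])[:digest]
  secure_equal?(candidate, record[:digest])
end

if __FILE__ == $PROGRAM_NAME
  stored = salted_digest('hunter2')
  puts "unsalted twice equal? #{unsalted_digest('hunter2') == unsalted_digest('hunter2')}"
  puts "salted twice equal?   #{salted_digest('hunter2')[:digest] == stored[:digest]}"
  puts "verify correct pw:    #{verify_password('hunter2', stored)}"
  puts "verify wrong pw:      #{verify_password('hunter3', stored)}"
end
```

Run it directly to see the two unsalted digests collide while the two salted ones differ; in a real application you would let the library manage this rather than hand-roll it, which is exactly the point of the paragraph above.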

I looked around a bit and decided to go with authlogic. Trevmex has provided a fully Rails 3-ready example at https://github.com/trevmex/authlogic_rails3_example . http://www.dixis.com/?p=352 rewrites the tutorial for a few other steps you need in order to incorporate the module into the depot code. (I did start first by trying the more commonly referenced authlogic_example by binarylogic at https://github.com/binarylogic/authlogic_example, but all I succeeded at was proving what a complete noob I am.)

What follows is a combination of various sources. Comments indicate what prompted each step to be taken, but not the rationale or theory behind it.

Pre-Iteration Work: Adding authlogic to depot

$ sudo gem install authlogic #binarylogic

To depot Gemfile add:

# Add support for Authlogic authentication
gem 'authlogic', :git => 'git://github.com/odorcicd/authlogic.git', :branch => 'rails3' #trevmex
gem "rails3-generators" #dixis

$ bundle install #'cause rake prompted me to run this after the changes.

$ rails generate authlogic:session UserSession #dixis

$ rake test

And voilà! Everything now fails because of 'ActiveRecord::StatementInvalid: SQLite3::SQLException: no such table: user_sessions: DELETE FROM "user_sessions" WHERE 1=1'

Bummer!

2 comments:

  1. So far have tried various suggestions and matching code in examples
    (in various orders over several attempts):

    * adding code to test/test_helpers.rb

    ...
    require 'authlogic/test_case'
    ...
    class ActionController::TestCase
      setup :activate_authlogic
    end

    * rake db:test:prepare
    * updating session_store.rb with Depot::Application.config.session_store :active_record_store
    * rake db:sessions:create
    * rolling back and re-running with rails g authlogic:session session to match default sessions table names...

    After creating a sessions table, and using 'session', the error changes over to: ActiveRecord::StatementInvalid: SQLite3::SQLException: near ")": syntax error: INSERT INTO "sessions" () VALUES ()

  2. Answer at: http://stackoverflow.com/questions/3340339/controller-tests-with-authlogic-expecting-user-sessions-table

    The problem is that the rails g produces an unnecessary user_sessions.yaml file. And then every test attempts to load the fixtures, which fails 'cause it is not a typical model object.

    Cool! Now I know what a bad fixture file looks like in practice.

    Deleted offending file and all tests pass. Yay!

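Both SQL errors in this thread come from how the test suite loads fixtures: for each file under test/fixtures it empties the matching table and then inserts one row per record. The following is an added example, not Rails' own fixture loader and not code from the post or its commenters: a deliberately small model of that behaviour that reproduces the two messages seen above (a fixture named after a table that does not exist fails on the DELETE; a fixture whose records have no columns produces an INSERT with an empty column list) and a check that flags such fixtures before the whole suite goes red. The schema and fixture contents are constructed for illustration, and the real generator output may differ.

```ruby
require 'yaml'

# Added example, not Rails' fixture loader: a simplified model of what the
# test suite does with test/fixtures/*.yml (delete every row of the table,
# then insert one row per record), enough to show why a stray fixture
# breaks every test before any assertion runs.

# Constructed schema: table name => column names.
SCHEMA = { 'products' => %w[title price], 'sessions' => %w[session_id data] }

# Constructed fixture files keyed by path. The two empty-record files model
# what a generator can leave behind; the real file contents may differ.
FIXTURES = {
  'test/fixtures/products.yml'      => "one:\n  title: Book\n  price: 9.99\n",
  'test/fixtures/user_sessions.yml' => "one: {}\n", # no user_sessions table
  'test/fixtures/sessions.yml'      => "one: {}\n"  # table exists, record empty
}

# Returns [table, statements] a loader would run for one fixture file.
def fixture_sql(path, contents)
  table = File.basename(path, '.yml')
  rows = YAML.safe_load(contents) || {}
  sql = ["DELETE FROM \"#{table}\" WHERE 1=1"]
  rows.each_value do |attrs|
    attrs ||= {} # a bare "one:" key loads as nil
    cols = attrs.keys.map { |c| "\"#{c}\"" }.join(', ')
    vals = attrs.values.map { |v| v.is_a?(Numeric) ? v.to_s : "'#{v}'" }.join(', ')
    sql << "INSERT INTO \"#{table}\" (#{cols}) VALUES (#{vals})"
  end
  [table, sql]
end

# Returns nil when the fixture would load cleanly, otherwise a message shaped
# like the SQLite errors quoted in the thread.
def check_fixture(path, contents, schema = SCHEMA)
  table, statements = fixture_sql(path, contents)
  return "no such table: #{table}: #{statements.first}" unless schema.key?(table)
  bad = statements.find { |s| s.include?('() VALUES ()') }
  return "near \")\": syntax error: #{bad}" if bad
  nil
end

# Map of fixture path => problem for every fixture that would not load.
def orphan_fixtures(fixtures = FIXTURES, schema = SCHEMA)
  fixtures.each_with_object({}) do |(path, contents), problems|
    msg = check_fixture(path, contents, schema)
    problems[path] = msg if msg
  end
end

if __FILE__ == $PROGRAM_NAME
  orphan_fixtures.each { |path, msg| puts "#{path}: #{msg}" }
end
```

Pointing a check like this at the real fixtures directory and the tables listed in db/schema.rb would have flagged user_sessions.yml as the culprit without a single test having to fail; deleting the file, as the second comment did, is the same fix.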