- Auth SHOULD NOT be a part of skateboard
- This lecture aims to clarify and explain the Auth lab
- There are many ways to implement Auth, Flatiron has chosen to teach you this specific way
- Authentication: confirming who you are (identity)
  - some kind of proof
- Authorization: permission. Based on who you are, what are you allowed to do?
  - if you are an admin, you can create a page
  - if you are a user, you can post a comment
  - not signed in, you can view a page, but nothing else
- When a user logs in via a React front end, the app makes a fetch to the Rails back end
  - authenticate via a basic controller action in Rails
  - store user data in state on login/signup
  - store the token in localStorage
  - the React app will include the token with future requests to prove that it's still the same user
  - Rails checks the token and authorizes based on that info
- We don't want plain text passwords in your database
  - column password_digest instead of password: password storage (hashed, salted passwords)
    - hashed: 'one way' function, can't recover the original value
    - salted: add a random string to the password before hashing, e.g. 'password123' + 'aslkdfjalskdfjkasjdf'
  - has_secure_password macro
- Login: route accepts the username and password
  - authenticate: check the username and password
  - start a 'session'
  - send back a token with the needed info
  - token can be used instead of username / password in the future
- Only logged in users can see their profile
- Single Page App
  - instead of a form submit, we use fetch
  - cookies are not automatically included/managed
  - how do we include our authentication when we're using fetch?
    - instead of a session cookie, send back a 'token' as data
    - plays the same role: authenticate who we are
1. How do we generate the token?
2. How do we send it to the client?
3. How do we store it on the client?
4. How do we send it back and read it?
- Token requirements:
  - identifies the user
  - cryptographically secure
    - protection from eavesdropping: no one else can read the data
    - protection from tampering: signed, so no one can forge a signature (JWT)
  - JWT: encode? decode? See the documentation
  - encoding is not the same as encrypting
- Where to store the token on the client?
  - React state: cleared out every time we refresh
  - URL in react-router: don't do this!!! Sharing a link shares someone's identity!
  - Cookies (how we did it in Rails)
  - localStorage
    - clear it on sign out: localStorage.clear()
    - maybe expire tokens after a set amount of time
- Sign out: clear it on sign out
  - button in Navbar
  - clear localStorage
  - update the state so that it reflects that we are logged out
- Error messages for invalid email / password, failed token
- Redirect on login
- JWT token in Rails -> encode some data and send it to the React app (when the React app sends the username and password)
- React app stores user data and sends the token back in future requests
- Rails checks validity
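The encode / decode step above, and the earlier questions about generating and reading the token, as an added example that is not code from the lecture or from the jwt gem a Rails app would normally use: a minimal HS256 JWT in plain Ruby stdlib, with the checks a Rails before_action has to make before trusting a token. The secret, TTL and user ids are constructed placeholders.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed demo key; a real app loads it from Rails credentials or ENV and never commits it.
SECRET = 'constructed-demo-secret-not-for-production'.freeze
TOKEN_TTL = 60 * 60 # seconds; a stolen token stops working after this

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time byte comparison so the signature check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# "encode": sign the claims with HMAC-SHA256 (JWT HS256). The claims are only base64url,
# NOT encrypted: anyone holding the token can read the user_id, they just cannot change it.
def encode_token(claims, secret: SECRET, now: Time.now.to_i)
  header = { alg: 'HS256', typ: 'JWT' }
  body = claims.merge('iat' => now, 'exp' => now + TOKEN_TTL)
  signing_input = "#{b64url(header.to_json)}.#{b64url(body.to_json)}"
  signature = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# "decode": verify before trusting. Returns the claims, or nil when the token is malformed,
# uses another alg, was signed with a different key, was tampered with, or has expired.
def decode_token(token, secret: SECRET, now: Time.now.to_i)
  parts = token.to_s.split('.')
  return nil unless parts.length == 3
  header_b64, body_b64, sig_b64 = parts
  return nil unless JSON.parse(Base64.urlsafe_decode64(header_b64))['alg'] == 'HS256'
  expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header_b64}.#{body_b64}")
  return nil unless secure_equal?(Base64.urlsafe_decode64(sig_b64), expected)
  claims = JSON.parse(Base64.urlsafe_decode64(body_b64))
  return nil unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  claims
rescue ArgumentError, JSON::ParserError, TypeError
  nil
end

# What a Rails before_action does with "Authorization: Bearer <token>": resolve the user id or nil.
def user_id_from_header(authorization)
  scheme, token = authorization.to_s.split(' ', 2)
  return nil unless scheme == 'Bearer' && token
  decode_token(token)&.dig('user_id')
end
```

A forged body, a token signed with another key, an alg of "none", or an expired exp all come back as nil, which is the "failed token" case the React app has to handle.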
- Login Form
  - send the username and password
  - store the token (and user info)
  - send the token on future requests
- On mount, check if there is a token
  - if so, fetch user info
  - if not... handle that error
- [Want to know more?](JWT Auth in Redux and Rails) - Cookies vs localStorage