Rails 3.1 Simple Custom Authentication and CanCan Authorization

After adding a simple blog to my Rails 3.1 app, I needed to add security to lock it all down. I'm writing this app for someone else, so a degree of user-friendliness was desired.

My 'requirements' were login with admin account. Anyone can read posts, read comments, and add comments. Admins can add, update, and delete posts. Admins can also remove comments. For usability, the links for these actions should be hidden unless the user is an admin. Of course the urls and actions should be locked down as well.

I decided to write the authentication part from scratch following railscasts Authentication in Rails 3.1 and Authentication from Scratch. For my purposes, I just need one admin account. I don't need to sign up users or any other ui for managing users. I figure, I can create the admin account from the command line, and that'd be about it. So, I skipped the parts from railscasts above that created views for User. I did create a login page of course (no logout).

Here are the authentication commands and code:

User

rails g model user email:string password_digest:string

class CreateUsers < ActiveRecord::Migration
  def change
    create_table :users do |t|
      t.string :email
      t.string :password_digest

      t.timestamps
    end
  end

end

class User < ActiveRecord::Base
  has_secure_password
end

Sessions

rails g controller sessions new

class SessionsController < ApplicationController
  def new
  end
 
  def create
    user = User.find_by_email(params[:email])
    if user && user.authenticate(params[:password])
      session[:user_id] = user.id
      redirect_to posts_path
    else
      flash.now.alert = "Invalid username or password"
      render "new"
    end
  end

end

views/sessions/new.html.erb

<h1>Login</h1>
<%= form_tag sessions_path do %>
<div class="field">
  <%= label_tag "Username" %>
  <%= text_field_tag :email, params[:email] %>
</div>
<div class="field">
  <%= label_tag :password %>
  <%= password_field_tag :password %>
</div>
<div class="actions">
  <%= submit_tag "Login" %>
</div>
<% end %>

BlankRailsMysql::Application.routes.draw do
  resources :sessions
  resources :posts do
    resources :comments
  end

  get "login" => "sessions#new", :as => "login"
end

At this point, a user (if one existed) could go to localhost:3000/login and it would authenticate them and save their user id to the session. By the way, here's the command to add a user:

rails c
User.create(:email => "admin", :password => "password", :password_confirmation => "password")

If you need to run this in your heroku environment, just do:

heroku run rails c --app your_app

Rails 3.1 Asset Pipeline on Heroku

After updating my Rails 3.0.4 app to 3.1 on Heroku, I wanted to use the built in SASS functionality.  What I didn't realize was that you have to also use the asset pipeline to get the built in support.  I had skipped this in my previous step.  Using the same railscast, I converted my app to use the asset pipeline.  This did not work on heroku.

Long story short, you need to use the cedar stack on heroku for the asset pipeline to work well.  Here are the commands I saved for creating new apps on heroku in the future:

heroku create app_name --addons custom_domains -r git_remote -s cedar
heroku run rake db:migrate --app app_name
heroku domains:add www.your_domain.com --app app_name
change dns entry to point to app_name.heroku.com

Heroku References:
http://devcenter.heroku.com/articles/custom-domains
http://devcenter.heroku.com/articles/rails31_heroku_cedar

Upgrading to Rails 3.1 from Rails 3.0.4 with MySQL on Heroku

I ran into a few issues when trying to update my Rails 3.0.4 app to Rails 3.1.0.  I was using a MySQL database (all vanilla stuff) and heroku.  This all worked fine.  I wanted to try SCSS and found that Rails 3.1 has built in support for it; so, I decided to upgrade.  Here's what I did:


Watched the railscast for upgrading: http://railscasts.com/episodes/282-upgrading-to-rails-3-1  Which instructed me to follow these steps:

1. Change Gemfile rails version to 3.0.10
2. bundle update
3. make sure it still works
4. Change Gemfile rails version to 3.1.0
5. Comment out line in development.rb: config.action_view.debug_rjs
6. bundle update
7. make sure it still works

This is where I got my first issue.  It said the mysql2 gem was too old (mine was < 0.3).  I change the Gemfile to use the newest version and ran 'bundle update' again.  

Then there was another issue related to the mysql2 bundle pointing to the correct library.  This is a common issue running on OS X I guess.  Here's the fix and the link where I got it: http://freddyandersen.wordpress.com/2010/10/03/mysql-5-5-snow-leopard-and-rails/

sudo install_name_tool -change libmysqlclient.18.dylib /usr/local/mysql/lib/libmysqlclient.18.dylib /usr/local/lib/ruby/gems/1.9.1/gems/mysql2-0.3.7/lib/mysql2/mysql2.bundle

At this point I can run the app as normal locally.  The next step was to push to heroku.  I created a separate heroku location in case I ran into issues or if they used a different stack for 3.1 vs 3.0.x.  I'll skip those steps.  The error I got when I pushed was: `rescue in establish_connection': Please install the postgresql adapter: `gem install activerecord-postgresql-adapter` (pg is not part of the bundle. Add it to Gemfile.) (RuntimeError)

Unbeknownst to me, heroku actually uses postgress and not mysql.  I guess it just worked before.  I didn't really want to change my local stuff if I didn't need to so I found a solution here: http://stackoverflow.com/questions/6410623/heroku-error-when-launch-rails3-1-app-missing-postgres-gem

The actual fix was to just add the below to the Gemfile and run bundle with the '--without production' flag:

group :production do
  gem 'pg'
end

After that pushing to heroku worked fine.

P.S. I must have run heroku db:migrate at some point, but I can't remember when.  I think it was before I got the postgress error.