C83 commented 6 years ago

Why ?

Because we need the users to be authenticated to do certain actions.

Must have

[x] A user model \o/
[x] Auth with: confirmation and login with email or username
- [x] Confirmation
- [x] Validation d'email
- [x] Reset password
[ ] Postman

Todo

I advise using my fork of devise_auth_token (multiple bug/feature fixes rebased on last stable version). BUT I can understand that you prefer using the normal version of it. If you use my fork, please read the commits to understand how and why I fixed things.

[x] Add Devise token auth (or my fork)
[x] Configure it
[ ] Force users to be auth for accessing to lessons

Reading list

https://github.com/denispasin/devise_token_auth

C83 commented 5 years ago

Authentication

Use the fork : gem 'devise_token_auth', :git => "git@github.com:denispasin/devise_token_auth.git"

Generate the User model :

rails g devise_token_auth:install User The prefix of routes is authby default.

Mail server :

In development, we use mailcatcher. It catchs all out mail of the application. Should not include it in the gemfile. Run gem install mailcatcher then mailcatcher to get started. Configure this part with :

# config/environments/development.rb
Rails.application.configure do
  config.action_mailer.default_url_options = { :host => 'localhost` }
  config.action_mailer.delivery_method = :smtp
  config.action_mailer.smtp_settings = { :address => 'localhost`, :port => 1025 }
end

C83 commented 5 years ago

Devise's module

Devise purpose many modules. We add them in the user'model file app/models/user.rb :

devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable, :confirmable

There are few modules :

Database_authenticatable Module, responsible for hashing the password and validating the authenticity of a user while signing in.
Registerable is responsible for everything related to registering a new resource (ie user sign up).
Recoverable takes care of resetting the user password and send reset instructions. (valid the reset password need)
Trackable trakes information about your user sign in (ips, timestamps, number of signin)
Validatable creates all needed validations for a user email and password. (provide a regex validation of the good syntax of mail adress)
Confirmable is responsible to verify if an account is already confirmed to sign in, and to send emails with confirmation instructions. Confirmation instructions are sent to the user email after creating a record and when manually requested by a new confirmation instruction request. (valid the confirmable need)
Rememberable manages generating and clearing token for remembering the user from a saved cookie.
Timeoutable permits expiration of session.

Followers exist but don't use yet in our project :

Omniauthable adds OmniAuth support to your model.
Lockable adds blocking user access after a certain number of attempts.

Then, we add the user model concern (after devise's modules) :

devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable, :confirmable
  include DeviseTokenAuth::Concerns::User

Now, we don't use omniauthable module. It is included by default. So we tell the route helper to skip mounting the omniauth_callbacks controller in config/routes.rb :

  mount_devise_token_auth_for 'User', at: 'auth', skip: [:omniauth_callbacks]

C83 / THP_2.0

Add authentication #22