TheOdinProject / curriculum

The open curriculum for learning web development
https://www.theodinproject.com/

Ruby On Rails: Authenticity Token is present in a wrong place, confusing the student #25396

Closed stxss closed 1 year ago

stxss commented 1 year ago

Describe your suggestion

In the Project: Forms, before the forms_tag part, the log output examples presented had an authenticity token present, where no mention of it was made anywhere in the lesson.

So, for example, in the HTML form part of the assignment, where the student is asked to create a simple HTML form and proceed with the guide, the expected output for the Parameters is:

Parameters: {"authenticity_token" => "WUaJBOpLhFo3Mt2vlEmPQ93zMv53sDk6WFzZ2YJJQ0M=", "user" =>{ "username" => "foobar", "email" => "foo@bar.com", "password" => "[FILTERED]" } }

Now, when the student submits data, the actual output is similar to this: Parameters: {"user"=>{"email"=>"foo@bar.com", "username"=>"foobar", "password"=>"[FILTERED]"}}.

Only after this pure HTML form chapter is it mentioned that the form_tag will remove the need for an authenticity token.

My issue with this is that it induces confusion in the student, where they expect either a) for an authenticity token to somehow appear or b) that they need to provide it themselves.

In the first case, well, that would be impossible until they reach the refactoring with form_tag part of the chapter. In the second case, the student would have to hardcode an authenticity token, which, even though used in this case as a simple example, can create security issues, so that's not a good habit to have.

I propose that either this is mentioned at the beginning (i.e. something along the lines of warning the student that they can use a random authenticity token just for the sake of the exercise, but shouldn't do so in real applications), or that the examples are altered to have the authenticity token absent.

Path

Ruby / Rails

Lesson Url

https://www.theodinproject.com/lessons/ruby-on-rails-forms

Checks

(Optional) Discord Name

stass#6610

(Optional) Additional Comments

No response

CouchofTomato commented 1 year ago

Hey @stxss

Thanks for your feedback.

The lesson before, Form Basics, does mention this but I agree it's not clear here at all. I think we just need to handle this in part 1 of the HTML form section of the project where we can mention that they will need to provide the authenticity token as advised in the previous lesson.

What do you think?

stxss commented 1 year ago

Hello @CouchofTomato

Yup, I agree with your proposition.

Do you think that a quick mention of the form_authenticity_token from the previous lesson as a reminder should be enough?
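As an added illustration (not part of this thread, not the lesson's code, and not Rails' own implementation), the Ruby below models the masking scheme behind `form_authenticity_token` and the check `protect_from_forgery` performs on a POST. It shows why a hand-written HTML form needs the hidden `authenticity_token` field rendered from the current session, and why a hard-coded string such as the one quoted in the issue cannot pass verification. The 32-byte token length, the helper names and the omission of Rails' session and cookie handling are simplifying assumptions made here.

```ruby
require "securerandom"
require "base64"

# Hypothetical, simplified model of Rails' CSRF token masking.
# Assumption: the per-session secret is 32 random bytes (Rails keeps it in session[:_csrf_token]).
TOKEN_LENGTH = 32

# Create the per-session secret that every form of this session is derived from.
def new_session_token
  SecureRandom.random_bytes(TOKEN_LENGTH)
end

# Byte-wise XOR of two equal-length binary strings.
def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Value that goes into <input type="hidden" name="authenticity_token">.
# Each call masks the same session secret with a fresh one-time pad, so every
# rendered form carries a different string; this is what form_with/form_tag emit for you.
def masked_token(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  Base64.strict_encode64(pad + xor_bytes(pad, session_token))
end

# Reverse the masking; returns nil for anything that is not a well-formed masked token.
def unmask(masked)
  raw = Base64.strict_decode64(masked)
  return nil unless raw.bytesize == 2 * TOKEN_LENGTH
  pad = raw[0, TOKEN_LENGTH]
  encrypted = raw[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, encrypted)
rescue ArgumentError
  nil
end

# Constant-time comparison so the verifier does not leak how many bytes matched.
def constant_time_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The check protect_from_forgery performs: unmask the submitted field and compare
# it with the secret stored in the session.
def valid_authenticity_token?(session_token, submitted)
  constant_time_equal?(session_token, unmask(submitted.to_s))
end

# The hidden field a hand-written HTML form (the lesson's part 1) has to include.
def hidden_token_field(session_token)
  %(<input type="hidden" name="authenticity_token" value="#{masked_token(session_token)}">)
end

if __FILE__ == $0
  session = new_session_token
  puts "freshly rendered token accepted: #{valid_authenticity_token?(session, masked_token(session))}"
  # The token string quoted in the issue, used here as a constructed hard-coded value.
  puts "hard-coded token accepted: #{valid_authenticity_token?(session, 'WUaJBOpLhFo3Mt2vlEmPQ93zMv53sDk6WFzZ2YJJQ0M=')}"
  puts hidden_token_field(session)
end
```

Running it prints `true` for the token rendered from the live session and `false` for the hard-coded one: the quoted string is not tied to any session secret, so a form that embeds it is rejected by the forgery check rather than silently accepted, which is the confusion the issue describes.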

CouchofTomato commented 1 year ago

@stxss Yes I think so. Are you happy for me to assign it to you?

stxss commented 1 year ago

@CouchofTomato yes, I'm happy to help.

CouchofTomato commented 1 year ago

@stxss all yours mate