Saturday, November 28, 2009

Ramaze - Forgot Password II

Edit 2009-11-30

This in from Jeremy Evans
------------------------------
Looks better, but I recommend a few more changes:

1) You need to salt your password hashes. Unsalted hashes are better
than storing the password in plaintext, but most common hash
algorithms probably already have large rainbow tables that will allow
an easy lookup of most passwords given an unsalted hash.

2) I would recommend at least including random data when generating
the random key for password resets. Your use of the username and
Time.now makes it guessable if you know roughly when the user
requested/will request a password change. encrypt_password is a
poorly named method, since you are hashing, not encrypting (encrypting
implies the possibility of decrypting, while hashing is one way).

3) I generally put a time limit on password resets. That way if
someone requests one, but then remembers their password and doesn't
change it, they are not vulnerable to someone else changing it next
year.
------------------------------------------------

So, add the salt for the password, modify the generate_rand_key() to add a random component (possibly just add a #{rand(1000000)} to the end of the string to add in a 6 digit random component, rename encrypt_password to say hash_password, and finally add a time limit. Here, you'll need to add a date to the user table, add a date when you generate_rand_key(), and check this in change_password() when you also test the existence of a user with the key.

Thanks for the improvements Jeremy.

------------------------------------------------

After my last post, I received, as I noted, some rather stern comments on a) saving passwords in plaintext in the database and b) sending them in plaintext via email. So, I decided to fix the example up to make it a bit better. We'll be saving the password as a hash in the database and also when the user forgets their password, we'll send a link to let them change it. One other suggestion was to add a salt for the password hash which is easy enough to do, but I've left it as an exercise for the reader. I should note that some of the ideas in this post were stolen (and I mean that in the good sense) from JustKez. This post is definitely worth reading over as are others on the site.

OK, let's get started. We'll start out with the database migration.


# dbMigration/001_ForgotPassword.rb
#
# This is the "new" way to do migrations by using the Class.new form.
# It means that a new class name is not required and so there is no chance
# of creating a second class in the migration files that is the same as the
# first causing problems.
Class.new(Sequel::Migration) do
def up
# Create the users table.
create_table(:users) do
primary_key :id
String :user_name
String :password
String :email
String :rand_key
end

end

def down
# Remove the two tables.
drop_table(:users)
end
end



This is a bit simpler than in the previous example. We're only going to have a users table with the user_name, password (which will be encrypted), an email address, and a random key (used for sending the user their password). The down method will just drop the users table. To generate the password, simply type sequel -M dbMigration/ sqlite://forgot.db. This will create the database we'll use for the project.

The model for this is pretty simple too.

# models/models.rb
#
# Create the User model. Each user can have a single challenge question.
require 'digest/sha1'
class User < Sequel::Model

# Return an encrypted password based on the one passed in.
def self.encrypt_password(password)
Digest::SHA1.hexdigest(password)
end

# Generate a random key based on the username and the current time in
# rand_key and save the model back to the database. We'll use this to email
# the user so that they can changer their password.
def generate_rand_key
self.rand_key = Digest::SHA1.hexdigest("#{@username} -- #{Time.now}")
save
end
end



The only model we have is for the User. We have a couple of methods. The first is a Class level method for encrypting the password. We create a hash of the password using SHA1 and return the value (it will be used for creation of the user and changing the password). The second method is for generating a random key which will be passed as part of a link to the user in case they forget or lose their password.

Here's our start code

# start.rb
#
# This is the main program for the example. It loads the Sequel database,
# loads the controllers and models, and then starts up Ramaze.
#
# The database should have been set up using the database migrations in
# the dbMigration directory.
require 'rubygems'
require 'ramaze'
require 'sequel'

# Required for mailing.
require 'net/smtp'
require 'mailit'

# Create the mailer.
MAILER = Mailit::Mailer.new(:server => 'MailServer.MyCompany.COM', :port => 25, :username => 'ApplicationName',
:password => 'ApplicationPassword')


# Open the forgot password database. This must be done before we access the
# models that use it.
DB = Sequel.sqlite("forgot.db")

# Load the controllers and models.
require 'models/models'
require 'controllers/main_controller'

# Start Ramaze.
Ramaze.start



This is pretty much the same as most of our start files. We add in the code for mailit, open the database, and then require our models and controllers. Finally, we start ramaze.

Next up our only controller.

# controllers/main_controller.rb
#
# The mainController has a single method index. First map to / for
# the view. Next, set the layout to page so that we use the layout/page.xhtml for our
# layout.
class MainController < Ramaze::Controller

# The Main controller will be accessed using "main" as in:
# http://localhost:7000/main.
map '/'

# Use page.xhtml in the layout directory for layout except
# for when we're doing AJAX.
layout(:page) { !request.xhr? }

# Set up a helper to check if we're logged in and only allow access
# to the :logged_in page if we are. This is probably the hard way to
# do this for only the single page but will make much more sense if
# we add more pages as we'd do in a real application.
helper :aspect
before(:account_settings, :main) {
unless logged_in?
# Set the flash message which will only be available in the next
# screen. In this case that will be the logged_in screen.
flash[:message] = "You must log in before accessing the requested page."
redirect rs(:index)
end
}

# You can access it now with http://localhost:7000/
def index
@title = "SteamCode - User"
end

# Placeholder for real content.
def main
"<h2>Main</h2>"
end

# Placeholder for real content.
def about
"<h2>About</h2>"
end

# Placeholder for real content.
def help
"<h2>User Help</h2>"
end

# Register a new user with SteamCode. We will get here from the
# views/register.xhtml page where the user will put in their (requested)
# login, password, and email address. First find if the user already
# exists, if it does, then we'll set a message to tell the user so and
# redirect them back to the register screen. If not, we'll go ahead and add
# them to the database with the appropriate login, password, and email
# address. We'll then send them to the login screen to let them log in to
# SteamCode.
def register
@title = "Register with SteamCode"
# Make sure we're getting here from a post request.
if request.post?
# Check the login and password.
# if we find the Account based on the login and password. If we find it
# we'll save the login ID in the session variable and we can use that
# to show if the Account is currently logged in or not. If we can't
# find the Account, we'll set the flash message, set the session to nil
# and just stay on this page.
unless User.find(:user_name => request[:user_name])
# This account does not exist. Grab the user_name, the password,
# and the email and create a new Account with them.
user_name = request[:user_name]
password = request[:password]
email = request[:email]

# Create the account with the user_name, password, and email given.
user = User.create(:user_name => user_name, :password => User.encrypt_password(password), :email => email)
Ramaze::Log.debug "New User Added: user_name = #{user.user_name} password = #{user.password} email = #{user.email}"

# Redirect to the login page.
redirect rs(:login)

else
# This user already exists. Set the flash message for them to
# try again.
flash[:message] = "Login #{request[:user_name]} already used. Please select another."

# Stay on the register page.
redirect rs(:register)
end
end
end

# Login to Steamcode. If the request is a post, then we'll try to find the
# user. If we succeed then we'll set some session variables and redirect to
# the main page (which the user can only access if they're logged in). If they
# can't be logged in, we'll set a flash message, reset the session, and redirect
# back to the login page.
def login
@title = "Login to SteamCode"
if request.post?
if user = User.find(:user_name => request[:user_name], :password => User.encrypt_password(request[:password]))
# Use the name= portion of the input form to grab the data
# from the request variable and save it in the session
# hash table.
session[:user_id] = user.id
session[:user_name] = user.user_name

# Redirect to the main screen.
redirect rs(:main)
else
# The login could not be authorized. Set the flash message
# and stay on this page (index/login). Set the session loginID
# to nil also. This will effectively log the user out. This would
# be reasonable if they are logged in and then try to log in with
# a new login/password.
flash[:message] = "Incorrect user name or password, please try again!!!"
session[:user_id] = nil
session[:user_name] = nil

# Stay on the login page.
redirect rs(:login)
end
end
end

# Let the user change account settings. For now this is
# just the email and password.
def account_settings
@title = "Account Settings for SteamCode"
user = User[session[:user_id]]
if request.post?
user = User[session[:user_id]]
user.email = request[:email]
user.password = User.encrypt_password(request[:password])
user.save
flash[:message] = "New email and/or password saved."
redirect rs(:main)
end
@current_email = user.email
end

# Logout of the system. Set the flash message and then
# set the session values to nil. Finally, redirect back to the
# index page.
def logout
@title = "Logout from SteamCode"
flash[:message] = "#{session[:user_name]} Logged out"
session[:user_id] = nil
session[:user_name] = nil
redirect rs(:index)
end

# The user has requested that we email their password back to them. Generate
# a random key and email it to them to allow them to change their password.
def forgot_password
if request.post?
# Final submit.
if user = User.find(:user_name => request[:user_name])

# Generate a key and associate it with the user_name.
user.generate_rand_key

# Create the mail message and fill it in with the appropriate
# information (to/from/subject/text). Then send it off.
mail = Mailit::Mail.new
mail.to = user.email
mail.from = "Steamcode@MyCompany.com"
mail.subject = "Steamcode Password"
mail.text = "To change your password: http://localhost:7000/change_password/#{user.rand_key}"

# Send the mail message via the MAILER (created in start.rb).
MAILER.send(mail)

# Just go back to the login page.
redirect rs(:login)
else
flash[:message] = "Could not find user: #{request[:user_name]}"

# Could not find user with this user_name.
redirect rs(:forgot_password)
end
end
end

# The key will be the key that we created above when the user asked
# for the password change. It will be passed as a parameter when the user
# clicks on the link that was emailed to them.
def change_password(key)
# Check to make sure that there's a user with this key.
user = User.find(:rand_key => key)
if user
if request.post?
# We got here from a post and there's a user with the key. Go ahead
# and a) change the password, b) reset the random key, and c) save
# the new user information. Then set the flash message and put them
# on the login screen.
user.password = User.encrypt_password(request[:password])
user.rand_key = nil
user.save
flash[:message] = "Your new password saved."
redirect rs(:login)
end
else
# There wasn't a user with this random key. Just flash a message
# and then redirect to the login screen.
flash[:message] = "This does not appear to be a valid request."
redirect rs(:login)
end
end

private

# If the user is logged in, the session will
# contain a non nil user id.
def logged_in?
session[:user_id] != nil
end
end



This is very similar to many of our other controllers from our past posts. We map to '/', Add the layout (which won't be used for AJAX calls (not used here anyway)), and then the aspect which will prevent the user from going to certain pages unless they're logged in to the system. The next four methods, index, main, about, and help are really just place holders. Index is where the user will end up initially and main is where they will end up after logging in. Then we have the register page. This will check if it's a post and if it is, try to find the user. If it can't find the user (note the use of "unless" here. To a certain extend, I'm trying to decide if it helps or hinder readability. Let me know what you think) it will create a new one with the parameters from the request hash. If the user already exists, we'll just flash a message back and redirect them back to the register page. Next we have the login method. We check to make sure this is from a post, then check to see if we can find the user based on their user name and password (using the model's encrypt_password method). If we find them, we go ahead and log them in (set the session variables) and redirect them to the main page. If not, we flash a message, reset the session variables, and redirect them back to the login page. The account_settings page let's the user reset their email and password. The logout page resets the session variables and then redirects back to the index page. Looking at it now, I'd recommend refactoring the session resets here and in login to their own private method (once again we'll leave that as an exercise). The forgot_password method is the reason for all of this. We check that it's a post and contains a valid user. If so, we generate a random key for the user (using the model method) and then create an email with the link containing this key. If we can't find the user, we'll flash a message and redirect back to the same page. Finally (for the pages anyway), we have the change_password page. This checks to see if we have user with this rand_key (from the link generated above) and if we do, we check if this is a post and change their password appropriately, reset the random key (so it's used only once), flash a message and redirect them back to the login page. If there wasn't a user with that random key, we simply flash a message and redirect them back to the login page. Finally, we have the private method that's used to check if a user is logged in to the system.

Here's our layout page.xhtml

<!-- view/page.xhtml -->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Use the page.css in the public directory and set title based on
what's set in the associated method.
-->

<link rel="stylesheet" type="text/css" href="/page.css"/>

<title>#@title</title>
</head>
<body>
<div id="whole_page">
<div id="header">
<h1>SteamCode</h1>
</div>

<div id="nav">
<!-- Main/User controller -->
<!-- Move this next section over to the right side of the screen. It
will contain the Login/Register if we're not logged in and the Logout
if we are. -->

<span style="float: right">
<!-- We're going to use the private method logged_in? here to test if
we want to show the Login/Register links or the Logout link -->

<?r if !logged_in? ?>
<a href="#{r(:login)}">Login</a>
<a href="#{r(:register)}">Register</a>
<?r else ?>
<a href="#{r(:account_settings)}">Account</a>
<a href="#{r(:logout)}">Logout</a>
<?r end ?>
</span>

<!-- These next three will be on the left side and always there -->
<a href="#{r(:index)}">Home</a> |
<a href="#{r(:about)}">About Us</a> |
<a href="#{r(:help)}">Help</a>
</div>

<div id="content">
<!-- Display the actual content. This will come from the method or the
associated view/*.xhtml file
-->

#@content
</div>

<!-- Set the footer in the center of the screen. -->
<div id="footer" style="text-align: center;">
<h5> Powered by Ramaze </h5>
</div>
</div>
</body>
</html>



It's stripped down a bit from the last post and has all of the administration stuff removed. Since you've seen this in past posts, I won't go through it. It's mostly just code for the navigation with some content and a header and footer tossed in for good measure.

Let's take a look at the views for the project. They're really simple this time. No JavaScript and no AJAX. Here's the index.

#{flashbox}
<h2>Welcome</h2>



Here's the login page

#{flashbox}
<a href="#{r(:forgot_password)}">Forgot your password?</a>
<br/>

<form id="login" method="post">
<fieldset>
<legend> Login </legend>
<div>
<!-- for= goes with id=, the name= is placed in the request variable. -->

<!-- Input for the user_name. -->
<label for="user_name">User Name:</label>
<input id="user_name" name="user_name" type="text" />
<br/>

<!-- Input for the user_name. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password" />
<br/>

<!-- Submit the login request. -->
<input type="submit" value="Login" />
</div>
</fieldset>
</form>



There's just input boxes for the user name and password and a button for submitting.

Here's the registration page.

<!-- view/register.xhtml -->
<form id="register" method="post">
<div>
<!-- for= goes with id=, the name= is placed in the request variable. -->

<!-- Input for the user_name. -->
<label for="user_name">Login:</label>
<input id="user_name" name="user_name" type="text" />
<br/>

<!-- Input for the password. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password" />
<br/>

<!-- Input for the email. -->
<label for="email">Email:</label>
<input id="email" name="email" type="text" />
<br/>

<!-- Submit the new User -->
<input type="submit" value="Register" />
</div>
</form>



As above boxes for user name, password, and email plus the submit button.

Here's the page for changing the account settings.

<!-- Let's the user change their email and/or password -->
<form id="change_password" method="post">
<fieldset>
<legend> Change Settings </legend>
<div>
<!-- Input for the email address. -->
<label for="email">Email:</label>
<input id="email" name="email" type="text" value=#{@current_email} />
<br/>

<!-- Input for the password. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password"/>
<br/>

<!-- Submit the new email and/or password -->
<input type="submit" value="Submit" />
</div>
</fieldset>
</form>



This contains boxes for password and email (the user can't change their user_name) and the submit button.

Next is the forgot_password.xhtml.

<h2>Forgot Password</h2>
#{flashbox}

<form id="forgot_screen" method="post">
<fieldset>
<legend> Forgot Password </legend>
<div id='forgot_password'>

<!-- for= goes with id=, the name= is placed in the request variable. -->
<!-- Input for the user_name. -->
<label for="user_name">User Name:</label>
<input id="user_name" name="user_name" type="text" value="User Name" />
<br/>

</div>

<!-- Once they've put in the challenge answer, they will select -->
<!-- this and the system will send their password via email. -->
<input type="submit" value="Send Password" />
</fieldset>
</form>
<br/>



This has a box for the user_name and the submit button. When the user puts in their user_name and submits, an email is generated (see above) that provides a link to change their password. This page is the change_password.xhtml.

<!-- view/register.xhtml -->
<form id="change_password" method="post">
<div>
<!-- for= goes with id=, the name= is placed in the request variable. -->

<!-- Input for the password. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password" />
<br/>

<!-- Submit the new User -->
<input type="submit" value="Change Password." />
</div>
</form>



Once again, dead simple with the password box and a submit (you'd probably want a confirmation password that would be checked using JavaScript, but we'll just assume that the user won't make any mistakes.

That's pretty much everything except for the CSS which is in public/page.css


#whole_page {
width: 50em;
margin: auto;
padding: 0;
text-align: left;
border-width: 0 1px 1px 1px;
border-color: black;
border-style: solid;
}

#content {
height: 100%;
background: white;
padding: 1em 1em 1em 1em;
}


/* Header CSS */
#header {
background:#9DA9EE;
color: white;
margin-bottom: 0;
padding: 0.25em;
}

#nav {
background:#9DA9EE;
color: black;
padding: 0.5em;
}


/* Footer CSS */
#footer {
background:#9DA9EE;
color: black;
}


So, I hope this works out for everyone a bit better than the last version and gets at least a bit closer to what you might use in a "real" project. Let me know if you have questions or comments.

Thursday, November 12, 2009

Ramaze - Forgot Password (Edited 2009-11-20)

Edit: I received some rather stern comments on this post on the Sequel mail list and probably rather deservedly. The primary complaints were that you really shouldn't even be doing this sort of thing as it a) involves saving the user's password as plaintext in the database and b) sending the user's password in plaintext over the internet via email. The solution is to save the user's password as a hash in the database and then provide a link to them for changing the password if requested. I basically agree with the criticism, so use this only for non-critical applications (i.e. don't use if for a banking app.) or better yet, just use some of the techniqes (email, AJAX) without using the whole idea. Thanks to all who commented to set me straight.

-----------------------------------------------------

For a recent project, I was looking at how to notify the user if they forgot their password. I'd initially thought the interesting piece would be the email part, but really, not so much. Let's start there though. The first thing you'll need to add that we haven't before is install Michael Fellinger's (Manveru) Mailit. So ...
sudo gem install mailit

With that taken care of, let's take a look at our database migrations. There's two of them since I added the admins table later. Here's the first one

# dbMigration/001_ForgotPassword.rb
#
# This is the "new" way to do migrations by using the Class.new form.
# It means that a new class name is not required and so there is no chance
# of creating a second class in the migration files that is the same as the
# first causing problems.
Class.new(Sequel::Migration) do
def up
# Create the users table.
create_table(:users) do
primary_key :id
String :user_name
String :password
String :email
String :challenge_answer
foreign_key :challenge_question_id, :challenge_questions
end

# Create the challenge questions table.
create_table(:challenge_questions) do
primary_key :id
String :question
end

end

def down
# Remove the two tables.
drop_table(:users, :challenge_questions)
end
end



Here we create a user table that has a user_name, password, email, and a challenge_response. It also has a foreign key to the challenge_questions table for the challenge question. The challenge_question table contains a list of potential questions that the user can select. This will be handled as a drop down when they register for the site.

The second migration script contains the admins table. For this application, about the only thing an admin can do is add more challenge questions. We'll also add in an admin since we don't have another way of doing it in this application. Here we'll give the admin the name "admin" (clever) and a password "helloworld" (better anyway), and an email address that's never used.

# dbMigration/002_ForgotPasswordMigration.rb
#
# This is the "new" way to do migrations by using the Class.new form.
# It means that a new class name is not required and so there is no chance
# of creating a second class in the migration files that is the same as the
# first causing problems.
Class.new(Sequel::Migration) do
def up
# Add in the admins table for administrators.
create_table(:admins) do
primary_key :id
String :admin_name
String :password
String :email
end

# Add in an administrator.
from(:admins).insert(:admin_name => 'admin', :password => 'helloworld', :email => 'admin@company.com')

end

def down
# Remove the administrators table.
drop_table(:admins)
end
end



We run our migrations with the following:

sequel -m dbMigration/ sqlite://forgot.db

The models we use for this project are pretty simple. The User model just states that it's many_to_one with the challenge questions (many users can have the same challenge question). The Admin model is about as simple as it gets (empty). The ChallengeQuestion model has the one_to_many with users (one challenge question can be associated with many users). It also has the self.questions method which will return all of the challenge questions in the database and their associated ids. This will be used by the registration page to allow the user to select one challenge question from a drop down.

# Create the User model. Each user can have a single challenge question.
class User < Sequel::Model
many_to_one :challenge_question
end

# Create the Challenge_Question model. Multiple users can have a single
# challenge question.
class ChallengeQuestion < Sequel::Model
one_to_many :users

# Will return an array of all of the questions.
def self.questions
select(:id, :question).all
end
end

# Create the Administrator model.
class Admin < Sequel::Model
end



So now we're ready to move on to the start.rb file.

# start.rb
#
# This is the main program for the example. It loads the Sequel database,
# loads the controllers and models, and then starts up Ramaze.
#
# The database should have been set up using the database migrations in
# the dbMigration directory.
require 'rubygems'
require 'ramaze'
require 'sequel'

# Required for mailing.
require 'net/smtp'
require 'mailit'

# Create the mailer.
MAILER = Mailit::Mailer.new(:server => 'MailServer.MyCompany.COM', :port => 25, :username => 'ApplicationName', :password => 'ApplicationPassword')

# Open the forgot password database. This must be done before we access the
# models that use it.
DB = Sequel.sqlite("forgot.db")

# Load the controllers and models.
require 'models/models'
require 'controllers/main_controller'
require 'controllers/admin_controller'

# Start Ramaze.
Ramaze.start



The difference here from most of our other start.rb files is the addition of the code for the mailer. First we require 'net/smtp' and 'mailit'. The we create the MAILER. We'll pass the server name, the port (will almost certainly be 25), the username, and the password. This will create a mailer that we can then "send" messages to. Next we open the database, forgot.db, and then get the models and the controllers.

Let's take a look at the admin controller first.

# controllers/admin_controller.rb
#
# The AdminController has a single method index. First map to /admin for
# the view. Next, set the layout to page so that we use the layout/page.xhtml for our
# layout. Then we use a helper for the :xhtml which will allow us to use "js" in the
# layout (we use this to generate a javascript link).
class AdminController < Ramaze::Controller
# The Admin controller will be accessed using "admin" as in:
# http://localhost:7000/admin.
map '/admin'

# Use page.xhtml in the layout directory for layout
layout :page

# Let's us put in our "js" lines.
helper(:xhtml)

# Set up a helper to check if we're logged in and only allow access
# to the :logged_in page if we are. This is probably the hard way to
# do this for only the single page but will make much more sense if
# we add more pages as we'd do in a real application.
helper :aspect
before(:main, :add_challenge) {
unless logged_in?
# Set the flash message which will only be available in the next
# screen. In this case that will be the logged_in screen.
flash[:message] = "You must log in before accessing the requested page."
redirect rs(:index)
end
}

# You can access it now with http://localhost:7000/admin
def index
Ramaze::Log.debug "Enter Admin Index"
@title = "SteamCode - Administration Home"
end

def main
end

# Add a new challenge question for the user to select.
def add_challenge
if request.post?
challenge_question = request[:challenge_question]
ChallengeQuestion.create(:question => challenge_question)
end
end

# Login as an administrator. Figure out if this is a correct login/password
# pair and log the admin in and redirect ot main if it is. If not, flash
# a message and redirect back to the login page.
def login
@title = "Library - Administration - Login"
if request.post?
if admin = Admin.find(:admin_name => request[:admin_name], :password => request[:password])
# Use the name= portion of the input form to grab the data
# from the request variable and save it in the session
# hash table.
session[:admin_id] = admin.id

# Redirect to the list_all screen.
redirect rs(:main)
else
# The login could not be authorized. Set the flash message
# and stay on this page (index/login). Set the session loginID
# to nil also. This will effectively log the user out. This would
# be reasonable if they are logged in and then try to log in with
# a new login/password.
flash[:message] = "Incorrect user name or password, please try again!!!"
session[:admin_id] = nil

# Stay on the login page.
redirect rs(:login)
end
end
end

# Log the administrator out.
def logout
session[:admin_id] = nil
flash[:message] = "Admin Logged out"
redirect MainController.r(:index)
end

private

# If the admin is logged in, the session will
# contain a non nil admin id.
def logged_in?
session[:admin_id] != nil
end

end



It starts out with most of the same code as all of our controllers. There's the map command, the layout (here we'll use layout/page.xhtml), the helper for our javascript, the helper for aspect (this will allow us to do before/after commands for selected methods in this controller), the before command which will have us check for being logged in before allowing access to the main page and the add_challenge page. The first method is the index method which is the page that the admin will go to before logging in. This is followed by main which is where the admin will be redirected after login. Next we have the add_challenge method. Here we just grab the question from the request hash (filled in by the add_challenge page input) and create a new ChallengeQuestion from it (also adding it to the database). Next is the login method, which should be pretty familiar from past posts. If we find the admin (and here the only one we have was created by the database migration), we'll set the session admin_id variable and redirect to the main page. If we fail to login the admin, we'll put up a flash message and redirect back to the login page. Next is the logout which just resets the session admin_id, sets a message, and redirects back to the login page. Finally, we have the private method logged_in? which will check if an admin is logged in.

Let's take a look at the admin views. First we have the view/admin/index.xhtml.

#{flashbox}
<p> Welcome to the Library. This is the Administrator's section. Please login and administrate. </p>



Nothing too much here, just a note for the user to login.

Next we have the main view.

<!-- The only thing here is a link to add a challenge question. -->
<h2>Enter Admin</h2>
<a href="#{r(:add_challenge)}">Add Challenge Question</a>



This is the page that the admin will see when they log in to the system. Here, there's just a link to the add challenge question page.

<form id="login" method="post">
<fieldset>
<legend> Add Challenge </legend>
<div>
<!-- for= goes with id=, the name= is placed in the request variable. -->

<!-- Input for the challenge_question. -->
<label for="challenge_question">User Name:</label>
<input id="challenge_question" name="challenge_question" type="text" />
<br/>

<!-- Submit the new challenge question (this should result in it being saved in the database) -->
<input type="submit" value="Add" />
</div>
</fieldset>
</form>



Here we just have the input box for the challenge question and the submit button. This will, as noted above, add a new challenge question to the database.

Here's the login page.

#{flashbox}
<form id="login" method="post">
<fieldset>
<legend> Login </legend>
<div>
<!-- for= goes with id=, the name= is placed in the request variable. -->

<!-- Input for the admin_name. -->
<label for="admin_name">Admin:</label>
<input id="admin_name" name="admin_name" type="text" />
<br/>

<!-- Input for the password. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password" />
<br/>

<!-- Submit the admin name and password. If accepted,
the admin should get logged in. -->

<input type="submit" value="Login" />
</div>
</fieldset>
</form>



It has input boxes for the admin's admin_name and password as well as the submit button. Once again, nothing very interesting. And the end of the admin pages.

Let's turn to the user side now. First we have the user controller, controllers/main_controller.rb.

# controllers/main_controller.rb
#
# The mainController has a single method index. First map to /admin for
# the view. Next, set the layout to page so that we use the layout/page.xhtml for our
# layout. Then we use a helper for the :xhtml which will allow us to use "js" in the
# layout (we use this to generate a javascript link).
class MainController < Ramaze::Controller

# The Main controller will be accessed using "main" as in:
# http://localhost:7000/main.
map '/'

# Use page.xhtml in the layout directory for layout except
# for when we're doing AJAX.
layout(:page) { !request.xhr? }

# Let's us put in our "js" lines.
helper(:xhtml)

# Set up a helper to check if we're logged in and only allow access
# to the :logged_in page if we are. This is probably the hard way to
# do this for only the single page but will make much more sense if
# we add more pages as we'd do in a real application.
helper :aspect
before(:account_settings, :main) {
unless logged_in?
# Set the flash message which will only be available in the next
# screen. In this case that will be the logged_in screen.
flash[:message] = "You must log in before accessing the requested page."
redirect rs(:index)
end
}

# You can access it now with http://localhost:7000/
def index
@title = "SteamCode - User"
end

# Placeholder for real content.
def main
"<h2>Main</h2>"
end

# Placeholder for real content.
def about
"<h2>About</h2>"
end

# Placeholder for real content.
def help
"<h2>User Help</h2>"
end

# Register a new user with SteamCode. We will get here from the
# views/register.xhtml page where the user will put in their (requested)
# login, password, and email address. First find if the user already
# exists, if it does, then we'll set a message to tell the user so and
# redirect them back to the register screen. If not, we'll go ahead and add
# them to the database with the appropriate login, password, and email
# address. We'll then send them to the login screen to let them log in to
# SteamCode.
def register
@title = "Register with SteamCode"
@questions = ChallengeQuestion.questions
# Make sure we're getting here from a post request.
if request.post?
# Check the login and password.
# if we find the Account based on the login and password. If we find it
# we'll save the login ID in the session variable and we can use that
# to show if the Account is currently logged in or not. If we can't
# find the Account, we'll set the flash message, set the session to nil
# and just stay on this page.
if User.find(:user_name => request[:user_name])

# This user already exists. Set the flash message for them to
# try again.
flash[:message] = "Login #{request[:user_name]} already used. Please select another."

# Stay on the register page.
redirect rs(:register)
else
# This account does not exist. Grab the user_name, the password,
# and the email and create a new Account with them.
user_name = request[:user_name]
password = request[:password]
email = request[:email]

# Log the new user (a real application wouldn't probably print
# the password out though).
# Ramaze::Log.debug "New User Added: user_name = #{user_name} password = #{password} email = #{email}"

# Create the account with the user_name, password, and email given.
user = User.create(:user_name => user_name, :password => password, :email => email,
:challenge_answer => request[:challenge_answer],
:challenge_question => ChallengeQuestion[request[:challenge_question]])
Ramaze::Log.debug "New User Added: user_name = #{user.user_name} password = #{user.password} email = #{user.email} question = #{user.challenge_question.question}"

# Redirect to the login page.
redirect rs(:login)
end
end
end

# Login to Steamcode. If the request is a post, then we'll try to find the
# user. If we succeed then we'll set some session variables and redirect to
# the main page (which the user can only access if they're logged in). If they
# can't be logged in, we'll set a flash message, reset the session, and redirect
# back to the login page.
def login
if request.post?
if user = User.find(:user_name => request[:user_name], :password => request[:password])
# Use the name= portion of the input form to grab the data
# from the request variable and save it in the session
# hash table.
session[:user_id] = user.id
session[:user_name] = user.user_name

# Redirect to the main screen.
redirect rs(:main)
else
# The login could not be authorized. Set the flash message
# and stay on this page (index/login). Set the session loginID
# to nil also. This will effectively log the user out. This would
# be reasonable if they are logged in and then try to log in with
# a new login/password.
flash[:message] = "Incorrect user name or password, please try again!!!"
session[:user_id] = nil
session[:user_name] = nil

# Stay on the login page.
redirect rs(:login)
end
end
end

# Let the user change account settings. For now this is
# just the email and password.
def account_settings
user = User[session[:user_id]]
if request.post?
user = User[session[:user_id]]
user.email = request[:email]
user.password = request[:password]
user.save
flash[:message] = "New email and/or password saved."
redirect rs(:main)
end
@current_password = user.password
@current_email = user.email
end

# Logout of the system. Set the flash message and then
# set the session values to nil. Finally, redirect back to the
# index page.
def logout
flash[:message] = "#{session[:user_name]} Logged out"
session[:user_id] = nil
session[:user_name] = nil
redirect rs(:index)
end

# The user has requested that we email their password back to them. When they submit
# their challenge response and we verify it, we'll set up an email response using
# Mailit and send it to them.
def forgot_password
Ramaze::Log.debug "Enter Forgot Password"
@page_javascript = 'forgot_password'
if request.post?
Ramaze::Log.debug "Challenge Question Submitted: Email: #{request[:user_name]} Answer: #{request[:challenge_answer]}"
# Final submit.
if user = User.find(:user_name => request[:user_name], :challenge_answer => request[:challenge_answer])
Ramaze::Log.debug "Found user: #{user.user_name} #{user.email} #{user.password}"


# Create the mail message and fill it in with the appropriate
# information (to/from/subject/text). Then send it off.
mail = Mailit::Mail.new
mail.to = user.email
mail.from = "Steamcode@MyCompany.com"
mail.subject = "Steamcode Password"
mail.text = "Your password is: #{user.password}."

# Send the mail message via the MAILER (created in start.rb).
MAILER.send(mail)

# Just go back to the login page.
redirect rs(:login)
else
Ramaze::Log.debug "Could not find user: #{request[:user_name]} or incorrect challenge response."
flash[:message] = "Could not find user: #{request[:user_name]} or incorrect challenge response."

# Could not find user with this user_name/challenge answer just redirect to forgot password
redirect rs(:forgot_password)
end
end
end

# This is called from an Ajax request. We take in the email address that the
# user submitted and then pass back the challenge question for that user. If
# we can't find the user, we won't respond with anything and we'll let the
# javascript (public/js/forgot_password.js) deal with it. In this case, they'll
# just pop up an alert to let the user know.
def generate_forgot_question
if request.xhr?
# Get the user_name and if it exists, return the challenge question. If not, generate the
# could not find user_name messesage.
if user = User.find(:user_name => request[:user_name])
challenge_question = user.challenge_question.question
Ramaze::Log.debug "Challenge Question Requested: challenge_question = #{challenge_question}"

# It looks like we a) MUST use the respond command and b)MUST use the 200 return value. This was
# determined by just trying different things.
json = "{ challenge_question: \"#{challenge_question}\"}"
respond json, 200
else
# Go ahead and log a message.
Ramaze::Log.debug "Could not find user with user_name: #{request[:user_name]}"
end
end
end

private

# If the user is logged in, the session will
# contain a non nil user id.
def logged_in?
session[:user_id] != nil
end
end



The main controller starts the exact same way that the admin controller does. It has the map, layout, helper, and aspect lines and for all of the exact same reasons. Next is the index method which is the default page before someone logs in and this is followed by the main page which is where a user ends up after they log in. Next are two placeholder methods about and help that can be used for obvious purposes. Next is the registration method. We check if this is called from a post and if it is, we check to see if we already have a user with the user_name that was submitted. If we already have that name registered, we'll flash the user a message and send them back to the registration page. If we don't, we'll create a new user with the user_name, password, email, and challenge question/answer. Then we'll redirect them to the main page. Next, the login page will see if they can find the user with the given user_name and password and if so, we save their information in the session and redirect them to the main page. If not, we'll flash a message and redirect back to the login page so that they can try again. The account_settings allows the user to change their email and/or password. The logout method, like the corresponding admin logout, sets the session id and redirects the user back to the index page. The forgot_password method is the main reason for the post and it's actually pretty simple. We check the user_name and the challenge_answer that they provided and if they match we use the MAILER constant to send the email containing their password and redirect them to the login page. If we can't find the user or if the challenge answer doesn't match, we'll flash a message and send them back to the forgot_password page. The generate_forgot_question will come from an AJAX request. If we find the user_name, we'll send their challenge question back to them using JSON. If not, we'll just stay on the same page and they can try again. Finally, we have the logged_in? method, for checking if the user is logged in (obviously). We use this to protect certain pages from users who aren't logged in.

Now, let's take a look at the views. First is the index page and it's a simple Welcome message.

#{flashbox}
<h2>Welcome</h2>



Next, the registration page contains input boxes for the user_name, password, email, and challenge response. There's also a drop down for the challenge question and the submit button.

<!-- view/register.xhtml -->
<form id="register" method="post">
<div>
<!-- for= goes with id=, the name= is placed in the request variable. -->

<!-- Input for the user_name. -->
<label for="user_name">Login:</label>
<input id="user_name" name="user_name" type="text" />
<br/>

<!-- Input for the password. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password" />
<br/>

<!-- Input for the email. -->
<label for="email">Email:</label>
<input id="email" name="email" type="text" />
<br/>

<!-- Input for the challenge question. The register() method will get the list
of challenge questions from the database table ChallengeQuestion and will
pass the list of questions and ids.
-->

<label for="challenge_question" class="label">Challenge Question:</label>
<select name="challenge_question">
<?r @questions.each do | question | ?>
<option value=#{question.id}>#{question.question} </option>
<?r end ?>
</select>
<br/>

<!-- Input for the challenge_answer. We'll save this and if they need to retrieve
their password, we'll ask the question from above and see if they know the
answer they will submit here.
-->

<label for="challenge_answer">Challenge Response:</label>
<input id="challenge_answer" name="challenge_answer" type="text" />
<br/>

<!-- Submit the new User -->
<input type="submit" value="Register" />
</div>
</form>



The login page only has the input boxes for the user_name and password along with the submit button.

#{flashbox}
<a href="#{r(:forgot_password)}">Forgot your password?</a>
<br/>

<form id="login" method="post">
<fieldset>
<legend> Login </legend>
<div>
<!-- for= goes with id=, the name= is placed in the request variable. -->

<!-- Input for the user_name. -->
<label for="user_name">User Name:</label>
<input id="user_name" name="user_name" type="text" />
<br/>

<!-- Input for the user_name. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password" />
<br/>

<!-- Submit the login request. -->
<input type="submit" value="Login" />
</div>
</fieldset>
</form>



The account_settings page only has the input boxes for the email and password along with the submit button. It would actually be nice to have a way to change the challenge question/response also.

<!-- Let's the user change their email and/or password -->
<form id="change_password" method="post">
<fieldset>
<legend> Change Settings </legend>
<div>
<!-- Input for the email address. -->
<label for="email">Email:</label>
<input id="email" name="email" type="text" value=#{@current_email} />
<br/>

<!-- Input for the password. -->
<label for="password">Password:</label>
<input id="password" name="password" type="password" value=#{@current_password} />
<br/>

<!-- Submit the new email and/or password -->
<input type="submit" value="Submit" />
</div>
</fieldset>
</form>



The forgot_password page is reached from the login page. The user is offered a link for a forgotten password. Here they have an input box for their user name and then they'll put submit for and get their challenge question back. We then use a bit of AJAX magic to display the challenge question. When they put in their answer they can submit that and then get their password mailed to them as outlined above. Here's the XHTML followed by the JavaScript for the AJAX piece.

<h2>Forgot Password</h2>
#{flashbox}

<form id="forgot_screen" method="post">
<fieldset>
<legend> Forgot Password </legend>
<div id='forgot_password'>

<!-- for= goes with id=, the name= is placed in the request variable. -->
<!-- Input for the user_name. -->
<label for="user_name">User Name:</label>
<input id="user_name" name="user_name" type="text" value="User Name" />
<br/>

<!-- Button for getting the challenge question based on the -->
<!-- user_name above -->
<div id='challenge_question'>
<input type="submit" id="get_challenge" value="Get Challenge" />
</div>

</div>

<!-- Once they've put in the challenge answer, they will select -->
<!-- this and the system will send their password via email. -->
<input type="submit" value="Send Password" />
</fieldset>
</form>
<br/>



// public/js/forgot_password.js
$(document).ready(function() {
// Grab the get_challenge so we can add the choiceMarkup to it.
var user_name_container = $("#user_name");

// Add click handler. When the get_challenge button is clicked, we'll send the
// user_name value to the generate_forgot_question() method in the controller.
$("#get_challenge").click(function(e) {

// Don't do the normal thing you'd do when clicking a button.
e.preventDefault();

// Send a post request to the generate_forgot_question method when the
// get_challenge button is clicked. Pass in the JSON "user_name:
// user_name_container.val()" (value in the user_name input field to the
// generate_forgot_question() method. The callback routine gets a
// resultObject(JSON) and a status (not used and not actually
// returned). The generate_forgot_question() method will return JSON,
// the fourth parameter, to post.
$.post(
"/generate_forgot_question",
{user_name: user_name_container.val()},
function(resultObject, resultStatus) {

var answer_container = $("#challenge_answer");

/* Check if the result contains the correct json and that there is no answer_container already. */
if (answer_container.length == 0)
{
if (resultObject.challenge_question != undefined)
{
// Take the resultObject and grab the challenge_question from it and add the
// input for the user to submit.
var result = [
"
Challenge Question: ", resultObject.challenge_question, "
",
"",
"
"
];

// Add the result to the challenge_question at the bottom.
$("#challenge_question").append(result.join(''));
}
else
{
/* There wasn't a challenge answer returned, so let the user know. */
alert("Could not find user name " + user_name_container.val());
}
}
},
'json' );
});
});



I've tried to comment this pretty well, but let's go through it. As always with jQuery we're going to make sure the document is ready before doing anything. Next, we'll grab the user_name container. We're going to use it to get the name the user types in to it and pass it back to the server for processing. Next, we set up a click function for the get_challenge button. We do this so we can use it to send the user name and retrieve the challenge question. Next, we disable the normal thing (submit) that we'd do for a button. Then we set up the post to the generate_forgot_password() method in the main controller. We'll pass the user_name that we get from the user_name_container we grabbed above, set up a function for processing the return value, and finally we'll let everyone know we're passing JSON back as the return value. Now let's look at the processing function. First we check to see if we already have a challenge_answer. If we don't, we check the resultObject and see if we have a challenge_question. If we do, then we put the challenge question and then create an input box for the answer. We then join this new HTML to the end of the challenge_question. There may be (OK probably is) better ways to do this. I'm not really an expert on JavaScript or AJAX or JSON, so if you have suggestions for cleaning this up, please leave some hints in the comments.

Finally, let's take a look at the layout page.

<!-- view/page.xhtml -->

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Use the page.css in the public directory and set title based on
what's set in the associated method.
-->

<link rel="stylesheet" type="text/css" href="/page.css"/>

<!-- Serve jQuery from Google. This appears to be the accepted way of doing things now. -->
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

<!-- Need to have the xhtml helper for this next line -->
#{ js @page_javascript }

<title>#@title</title>
</head>
<body>
<div id="whole_page">
<div id="header">
<h1>SteamCode</h1>
</div>

<div id="nav">
<?r if action.node.to_s == "MainController" ?>
<!-- Main/User controller -->
<!-- Move this next section over to the right side of the screen. It
will contain the Login/Register if we're not logged in and the Logout
if we are. -->

<span style="float: right">
<!-- We're going to use the private method logged_in? here to test if
we want to show the Login/Register links or the Logout link -->

<?r if !logged_in? ?>
<a href="#{r(:login)}">Login</a>
<a href="#{r(:register)}">Register</a>
<?r else ?>
<a href="#{r(:account_settings)}">Account</a>
<a href="#{r(:logout)}">Logout</a>
<?r end ?>
</span>

<!-- These next three will be on the left side and always there -->
<a href="#{r(:index)}">Home</a> |
<a href="#{r(:about)}">About Us</a> |
<a href="#{r(:help)}">Help</a>
<?r else ?>
<!-- Admin controller -->
<!-- Move this next section over to the right side of the screen. It
will contain the Login/Register if we're not logged in and the Logout
if we are. -->

<span style="float: right">
<!-- We're going to use the private method logged_in? here to test if
we want to show the Login/Register links or the Logout link -->

<?r if !logged_in? ?>
<a href="#{r(:login)}">Login</a>
<?r else ?>
<a href="#{r(:logout)}">Logout</a>
<?r end ?>
</span>

<!-- These next three will be on the left side and always there -->
<a href="#{r(:main)}">Home</a>
<?r end ?>
</div>

<div id="content">
<!-- Display the actual content. This will come from the method or the
associated view/*.xhtml file
-->

#@content
</div>

<!-- Set the footer in the center of the screen. -->
<div id="footer" style="text-align: center;">
<h5> Powered by Ramaze </h5>
</div>
</div>
</body>
</html>



We've reused this a number of times, so it should look pretty familiar. In the head section, we set up for our JavaScript including for jQuery. This time around, we grab it from Google as per current best practices (possibly the only best practice here). Then we have the JavaScript for our particular page (this being whatever page the user is on that needs JavaScript. Next is the body where we have the "header" (which based on an interesting book I'm reading right now, Transcending CSS by Andy Clark, I'd probably relabel as "branding") with our title. Next is the "nav" section with two parts, one for the admin and one for a normal user. This is followed by the "content" which is really whatever is filled in by each of our methods in the controller and finally we have the footer (once again probably renamed to something like "siteinfo").

Finally, here's our CSS (once again, nothing we haven't seen before).


# public/page.css
#whole_page {
width: 50em;
margin: auto;
padding: 0;
text-align: left;
border-width: 0 1px 1px 1px;
border-color: black;
border-style: solid;
}

#content {
height: 100%;
background: white;
padding: 1em 1em 1em 1em;
}


/* Header CSS */
#header {
background:#9DA9EE;
color: white;
margin-bottom: 0;
padding: 0.25em;
}

#nav {
background:#9DA9EE;
color: black;
padding: 0.5em;
}


/* Footer CSS */
#footer {
background:#9DA9EE;
color: black;
}


So, I think that's everything (let me know if I missed anything). This pretty much started out as an example for using mail, but that really proved to be the least interesting part of this given how easy it is to use the Mailit gem.

Let me know if you have any questions or comments and I'll do my best to answer them.