Rails - Jan 2006 - Salted Hash Login Generator

Does this work with rails 1.0 ?  I saw that people said it failed with rails
14.1, which
practically identical.
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://wrath.rubyonrails.org/pipermail/rails/attachments/20060125/5da24694/attachment.html

http://article.gmane.org/gmane.comp.lang.ruby.rails/29311

I believe Deirdre Saoirse Moen is maintaining this now, although I''ve
not heard anything since that mail.

On 1/25/06, Warren Seltzer <warrens@actcom.net.il>
wrote:
>
> Does this work with rails 1.0 ?  I saw that people said it failed with
rails
> 14.1, which practically identical.
>
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
>
>

Hmmm... I tried it the other night (with rails 1.0) and was under the
impression that although the tests failed (I *think* it had something to do
with me using an older version of mysql), everything was working for as far
as I know.

I could really with some clear docs somewhere though... The wiki page
contains a lot of info, but mostly without any indication of which versions
of rails and the login generator itself were used, which is a shame.

Piet.
> -----Original Message-----
> 
> http://article.gmane.org/gmane.comp.lang.ruby.rails/29311
> 
> I believe Deirdre Saoirse Moen is maintaining this now, 
> although I''ve not heard anything since that mail.
> 
> On 1/25/06, Warren Seltzer <warrens@actcom.net.il> wrote:
> >
> > Does this work with rails 1.0 ?  I saw that people said it 
> failed with 
> > rails 14.1, which practically identical.
> >

Piet Hadermann wrote:
> Hmmm... I tried it the other night (with rails 1.0) and was under the
> impression that although the tests failed (I *think* it had something to do
> with me using an older version of mysql), everything was working for as far
> as I know.
> 
> I could really with some clear docs somewhere though... The wiki page
> contains a lot of info, but mostly without any indication of which versions
> of rails and the login generator itself were used, which is a shame.
+1 on this... the wiki page is a mess and the Localization wiki page (which is a
required
dependency) is blank! Deirdre Saoirse Moen, are you out there? Are you
maintaining
SaltedHashLoginGenerator? Anyone know enough about either generator to fix up
the wiki pages?

b

PS: Piet, you might dig into where the tests are failing... I was able to find
solutions
to each of the problems until the tests were passing. Sorry I can''t
remember what my
solutions were... Now my problem is that I used it on a brand new project and
none of the
actions/views seem to work... I probably haven''t generated what I
thought I generated.

Hasn''t all of this been moved into the engines framework? If you are 
using rails 1.0 then perhaps you should look into the LoginEngine?

http://rails-engines.org/login_engine

-james


Ben Munat wrote:
> Piet Hadermann wrote:
> 
>> Hmmm... I tried it the other night (with rails 1.0) and was under the
>> impression that although the tests failed (I *think* it had something 
>> to do
>> with me using an older version of mysql), everything was working for 
>> as far
>> as I know.
>>
>> I could really with some clear docs somewhere though... The wiki page
>> contains a lot of info, but mostly without any indication of which 
>> versions
>> of rails and the login generator itself were used, which is a shame.
> 
> 
> +1 on this... the wiki page is a mess and the Localization wiki page 
> (which is a required dependency) is blank! Deirdre Saoirse Moen, are you 
> out there? Are you maintaining SaltedHashLoginGenerator? Anyone know 
> enough about either generator to fix up the wiki pages?
> 
> b
> 
> PS: Piet, you might dig into where the tests are failing... I was able 
> to find solutions to each of the problems until the tests were passing. 
> Sorry I can''t remember what my solutions were... Now my problem is
that
> I used it on a brand new project and none of the actions/views seem to 
> work... I probably haven''t generated what I thought I generated.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

-- 
BlueBin Industries
"Recycling today''s technology into visions of a better
tomorrow"

On Jan 26, 2006, at 9:30 AM, Ben Munat wrote:
> Piet Hadermann wrote:
>> Hmmm... I tried it the other night (with rails 1.0) and was under the
>> impression that although the tests failed (I *think* it had  
>> something to do
>> with me using an older version of mysql), everything was working  
>> for as far
>> as I know.
>> I could really with some clear docs somewhere though... The wiki page
>> contains a lot of info, but mostly without any indication of which  
>> versions
>> of rails and the login generator itself were used, which is a shame.
>
> +1 on this... the wiki page is a mess and the Localization wiki  
> page (which is a required dependency) is blank! Deirdre Saoirse  
> Moen, are you out there? Are you maintaining  
> SaltedHashLoginGenerator? Anyone know enough about either generator  
> to fix up the wiki pages?
>
> b
>
> PS: Piet, you might dig into where the tests are failing... I was  
> able to find solutions to each of the problems until the tests were  
> passing. Sorry I can''t remember what my solutions were... Now my  
> problem is that I used it on a brand new project and none of the  
> actions/views seem to work... I probably haven''t generated what I
> thought I generated.
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

Folks-

	I think you will find that you will have a much easier time using  
the acts_as_authenticated plugin. It does everything that the salted  
has generator does but it is much clearer whats going on, all its  
tests pass and it is very very much easier to customize for your app.  
The salted hash gen is a bit bloated and IMHO it tries to abstract  
things a bit too much and sacrifices readability. PLus it is so  
spread out that it makes it hard to hold it all in your head at  once  
to understand everything thats going on. You will have a much easier  
time grokking the acst_as_authenticate  generator. It has activation,  
mailers and it uses a different salt for every user.

	I use this as the basis for most apps i do that need auth these days  
because it is much less imposing on your app. You will be much more  
able to bend it to what you need then with the salted hash.

Cheers-
-Ezra Zygmuntowicz
Yakima Herald-Republic
WebMaster
http://yakimaherald.com
509-577-7732
ezra@yakima-herald.com

It''s not quite correct to think that the login engine actually
replaces the generator - they''re originally based on the same code,
but their approaches to integrating with your own application are
quite different (engines are basically an alternative to generators).
The login engine is also under constant development through a
community process, whereas the SHLG doesn''t seem to be at the moment.

That said, some people jus'' don''t like the idea of engines,
which is
fair enough.

- james

On 1/26/06, James Ho <jho@bluebinind.com> wrote:
> Hasn''t all of this been moved into the engines framework? If you
are
> using rails 1.0 then perhaps you should look into the LoginEngine?
>
> http://rails-engines.org/login_engine
>
> -james
>
>
> Ben Munat wrote:
> > Piet Hadermann wrote:
> >
> >> Hmmm... I tried it the other night (with rails 1.0) and was under
the
> >> impression that although the tests failed (I *think* it had
something
> >> to do
> >> with me using an older version of mysql), everything was working
for
> >> as far
> >> as I know.
> >>
> >> I could really with some clear docs somewhere though... The wiki
page
> >> contains a lot of info, but mostly without any indication of which
> >> versions
> >> of rails and the login generator itself were used, which is a
shame.
> >
> >
> > +1 on this... the wiki page is a mess and the Localization wiki page
> > (which is a required dependency) is blank! Deirdre Saoirse Moen, are
you
> > out there? Are you maintaining SaltedHashLoginGenerator? Anyone know
> > enough about either generator to fix up the wiki pages?
> >
> > b
> >
> > PS: Piet, you might dig into where the tests are failing... I was able
> > to find solutions to each of the problems until the tests were
passing.
> > Sorry I can''t remember what my solutions were... Now my
problem is that
> > I used it on a brand new project and none of the actions/views seem to
> > work... I probably haven''t generated what I thought I
generated.
> > _______________________________________________
> > Rails mailing list
> > Rails@lists.rubyonrails.org
> > http://lists.rubyonrails.org/mailman/listinfo/rails
>
>
> --
> BlueBin Industries
> "Recycling today''s technology into visions of a better
tomorrow"
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

Ezra Zygmuntowicz wrote:
> 
> Folks-
> 
>     I think you will find that you will have a much easier time using  
> the acts_as_authenticated plugin. It does everything that the salted  
> has generator does but it is much clearer whats going on, all its  tests 
> pass and it is very very much easier to customize for your app.  The 
> salted hash gen is a bit bloated and IMHO it tries to abstract  things a 
> bit too much and sacrifices readability. PLus it is so  spread out that 
> it makes it hard to hold it all in your head at  once  to understand 
> everything thats going on. You will have a much easier  time grokking 
> the acst_as_authenticate  generator. It has activation,  mailers and it 
> uses a different salt for every user.
> 
>     I use this as the basis for most apps i do that need auth these 
> days  because it is much less imposing on your app. You will be much 
> more  able to bend it to what you need then with the salted hash.
> 
Will take a look... though on a cursory examination, it appears to generate the
same
stuff: a FooSystem mixin, the User model, a mailer, etc.

And actually, I got SHLG to work... I think. Got it all installed and got it to
generate
everything, but I did it on an empty project so I''m not sure if missing
methods/classes
are my fault or SHLG''s.

b

haven''t gotten engines to work yet... sigh....

b

James Ho wrote:
> Hasn''t all of this been moved into the engines framework? If you
are
> using rails 1.0 then perhaps you should look into the LoginEngine?
> 
> http://rails-engines.org/login_engine
> 
> -james
> 
> 
> Ben Munat wrote:
> 
>> Piet Hadermann wrote:
>>
>>> Hmmm... I tried it the other night (with rails 1.0) and was under
the
>>> impression that although the tests failed (I *think* it had
something
>>> to do
>>> with me using an older version of mysql), everything was working
for
>>> as far
>>> as I know.
>>>
>>> I could really with some clear docs somewhere though... The wiki
page
>>> contains a lot of info, but mostly without any indication of which 
>>> versions
>>> of rails and the login generator itself were used, which is a
shame.
>>
>>
>>
>> +1 on this... the wiki page is a mess and the Localization wiki page 
>> (which is a required dependency) is blank! Deirdre Saoirse Moen, are 
>> you out there? Are you maintaining SaltedHashLoginGenerator? Anyone 
>> know enough about either generator to fix up the wiki pages?
>>
>> b
>>
>> PS: Piet, you might dig into where the tests are failing... I was able 
>> to find solutions to each of the problems until the tests were 
>> passing. Sorry I can''t remember what my solutions were... Now
my
>> problem is that I used it on a brand new project and none of the 
>> actions/views seem to work... I probably haven''t generated
what I
>> thought I generated.
>> _______________________________________________
>> Rails mailing list
>> Rails@lists.rubyonrails.org
>> http://lists.rubyonrails.org/mailman/listinfo/rails
> 
> 
>

Well, I managed to make the Login Engine work, but found a small
glitch when changing forgotten passwords, (there is no User instance
when you access the app to change your password from a link with user
token in a received mail) I  posted it to the list some days ago.
> James Ho wrote:
> > Hasn''t all of this been moved into the engines framework? If
you are
> > using rails 1.0 then perhaps you should look into the LoginEngine?
> >
> > http://rails-engines.org/login_engine
--
----------------------------------------------------
http://www.sobrerailes.com

Piet Hadermann wrote:
> Hmmm... I tried it the other night (with rails 1.0) and was under the
> impression that although the tests failed (I *think* it had something to do
> with me using an older version of mysql), everything was working for as far
> as I know.
>
> I could really with some clear docs somewhere though... The wiki page
> contains a lot of info, but mostly without any indication of which versions
> of rails and the login generator itself were used, which is a shame.
>
> Piet.
>
>   
>> -----Original Message-----
>>
>> http://article.gmane.org/gmane.comp.lang.ruby.rails/29311
>>
>> I believe Deirdre Saoirse Moen is maintaining this now, 
>> although I''ve not heard anything since that mail.
>>
>> On 1/25/06, Warren Seltzer <warrens@actcom.net.il> wrote:
>>     
>>> Does this work with rails 1.0 ?  I saw that people said it 
>>>       
>> failed with 
>>     
>>> rails 14.1, which practically identical.
>>>
>>>       
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>
>
>   
It''s the same here, it works, have tested all the functions, but rake 
fails ...

Regards,
Jeroen

It''s very helpful if reproducible bugs are posted to the Engines Trac
site - it''s much easier for me to keep track of them there and
consequently ensure they are fixed when they are listed there:

https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/

- james

On 1/27/06, Jeroen van Doorn <jeroen.vandoorn@solide-ict.nl>
wrote:
> Piet Hadermann wrote:
> > Hmmm... I tried it the other night (with rails 1.0) and was under the
> > impression that although the tests failed (I *think* it had something
to do
> > with me using an older version of mysql), everything was working for
as far
> > as I know.
> >
> > I could really with some clear docs somewhere though... The wiki page
> > contains a lot of info, but mostly without any indication of which
versions
> > of rails and the login generator itself were used, which is a shame.
> >
> > Piet.
> >
> >
> >> -----Original Message-----
> >>
> >> http://article.gmane.org/gmane.comp.lang.ruby.rails/29311
> >>
> >> I believe Deirdre Saoirse Moen is maintaining this now,
> >> although I''ve not heard anything since that mail.
> >>
> >> On 1/25/06, Warren Seltzer <warrens@actcom.net.il> wrote:
> >>
> >>> Does this work with rails 1.0 ?  I saw that people said it
> >>>
> >> failed with
> >>
> >>> rails 14.1, which practically identical.
> >>>
> >>>
> > _______________________________________________
> > Rails mailing list
> > Rails@lists.rubyonrails.org
> > http://lists.rubyonrails.org/mailman/listinfo/rails
> >
> >
> >
> It''s the same here, it works, have tested all the functions, but
rake
> fails ...
>
> Regards,
> Jeroen
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

James, I think Jeroen was talking about SHLG not the login engine...

b

James Adam wrote:
> It''s very helpful if reproducible bugs are posted to the Engines
Trac
> site - it''s much easier for me to keep track of them there and
> consequently ensure they are fixed when they are listed there:
> 
> https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/
> 
> - james
> 
> On 1/27/06, Jeroen van Doorn <jeroen.vandoorn@solide-ict.nl> wrote:
> 
>>Piet Hadermann wrote:
>>
>>>Hmmm... I tried it the other night (with rails 1.0) and was under
the
>>>impression that although the tests failed (I *think* it had
something to do
>>>with me using an older version of mysql), everything was working for
as far
>>>as I know.
>>>
>>>I could really with some clear docs somewhere though... The wiki
page
>>>contains a lot of info, but mostly without any indication of which
versions
>>>of rails and the login generator itself were used, which is a shame.
>>>
>>>Piet.
>>>
>>>
>>>
>>>>-----Original Message-----
>>>>
>>>>http://article.gmane.org/gmane.comp.lang.ruby.rails/29311
>>>>
>>>>I believe Deirdre Saoirse Moen is maintaining this now,
>>>>although I''ve not heard anything since that mail.
>>>>
>>>>On 1/25/06, Warren Seltzer <warrens@actcom.net.il> wrote:
>>>>
>>>>
>>>>>Does this work with rails 1.0 ?  I saw that people said it
>>>>>
>>>>
>>>>failed with
>>>>
>>>>
>>>>>rails 14.1, which practically identical.
>>>>>
>>>>>
>>>
>>>_______________________________________________
>>>Rails mailing list
>>>Rails@lists.rubyonrails.org
>>>http://lists.rubyonrails.org/mailman/listinfo/rails
>>>
>>>
>>>
>>
>>It''s the same here, it works, have tested all the functions,
but rake
>>fails ...
>>
>>Regards,
>>Jeroen
>>_______________________________________________
>>Rails mailing list
>>Rails@lists.rubyonrails.org
>>http://lists.rubyonrails.org/mailman/listinfo/rails
>>
> 
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails

Yup - I replied to the wrong email there - the response was in reply to Juan :)

- james

On 1/27/06, Ben Munat <bent@munat.com> wrote:
> James, I think Jeroen was talking about SHLG not the login engine...
>
> b
>
> James Adam wrote:
> > It''s very helpful if reproducible bugs are posted to the
Engines Trac
> > site - it''s much easier for me to keep track of them there
and
> > consequently ensure they are fixed when they are listed there:
> >
> > https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/
> >
> > - james
> >
> > On 1/27/06, Jeroen van Doorn <jeroen.vandoorn@solide-ict.nl>
wrote:
> >
> >>Piet Hadermann wrote:
> >>
> >>>Hmmm... I tried it the other night (with rails 1.0) and was
under the
> >>>impression that although the tests failed (I *think* it had
something to do
> >>>with me using an older version of mysql), everything was
working for as far
> >>>as I know.
> >>>
> >>>I could really with some clear docs somewhere though... The
wiki page
> >>>contains a lot of info, but mostly without any indication of
which versions
> >>>of rails and the login generator itself were used, which is a
shame.
> >>>
> >>>Piet.
> >>>
> >>>
> >>>
> >>>>-----Original Message-----
> >>>>
> >>>>http://article.gmane.org/gmane.comp.lang.ruby.rails/29311
> >>>>
> >>>>I believe Deirdre Saoirse Moen is maintaining this now,
> >>>>although I''ve not heard anything since that mail.
> >>>>
> >>>>On 1/25/06, Warren Seltzer <warrens@actcom.net.il>
wrote:
> >>>>
> >>>>
> >>>>>Does this work with rails 1.0 ?  I saw that people said
it
> >>>>>
> >>>>
> >>>>failed with
> >>>>
> >>>>
> >>>>>rails 14.1, which practically identical.
> >>>>>
> >>>>>
> >>>
> >>>_______________________________________________
> >>>Rails mailing list
> >>>Rails@lists.rubyonrails.org
> >>>http://lists.rubyonrails.org/mailman/listinfo/rails
> >>>
> >>>
> >>>
> >>
> >>It''s the same here, it works, have tested all the
functions, but rake
> >>fails ...
> >>
> >>Regards,
> >>Jeroen
> >>_______________________________________________
> >>Rails mailing list
> >>Rails@lists.rubyonrails.org
> >>http://lists.rubyonrails.org/mailman/listinfo/rails
> >>
> >
> > _______________________________________________
> > Rails mailing list
> > Rails@lists.rubyonrails.org
> > http://lists.rubyonrails.org/mailman/listinfo/rails
> _______________________________________________
> Rails mailing list
> Rails@lists.rubyonrails.org
> http://lists.rubyonrails.org/mailman/listinfo/rails
>

On 1/27/06, James Adam <james.adam@gmail.com>
wrote:
> It''s very helpful if reproducible bugs are posted to the Engines
Trac
> site - it''s much easier for me to keep track of them there and
> consequently ensure they are fixed when they are listed there:
>
> https://opensvn.csie.org/traccgi/rails_engines/trac.cgi/
>
> - james
>
I just added a bugtrac that the change_password method should require
the user enter the current password prior to accepting a new password.

Not doing so is a security issue from my perspective.

i.e What if a user at a public internet terminal forgets to logout? 
It is bad enough that someone else could browse the rails site.  It is
even worse that they could change the password and get repeated access
to the site.

Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century