Currently working on RoR authentication by following this tutorial. I'll most likely be using SHA1 to hash the password that is stored in the database and compared against at login. Something to note: SHA1's hex digest is 40 characters long.
I have significantly modified the database table design with respect to the budgeting function. Will post an update on it later.
[edit date="17-08-07"]
Have got the authentication working now. The authentication check is done in application.rb, which all controllers have access to. Controllers that need protection simply need to add:
>> before_filter :authenticate
You can also exclude specific methods within the controller from protection by adding the :except parameter to before_filter:
>> before_filter :authenticate, :except => [ :method1, :method2 ]
The code for the authentication is:
def authenticate
  # session/request are the controller accessors; they replace the older
  # @session/@request instance variables, which are deprecated.
  unless session[:user]
    # Remember where the user was headed so the login action can send them back.
    session[:return_to] = request.request_uri
    session[:intended_action] = action_name
    session[:intended_controller] = controller_name
    flash[:notice] = 'Login required.'
    redirect_to :action => "login", :controller => "user_admin"
    return false
  end
end
I have a controller called user_admin which handles all the user administration (login, logout, sign up, etc.). The actual authentication logic is inside the User model. I also did a bit of research and found out that SHA-0 and SHA-1 can be broken through collision attacks. Therefore, I decided to use SHA-512 (512-bit output) to hash the password, salted with a randomly generated 32-bit salt.
The actual password and salt creation:
require 'digest/sha2'

def password=(pass)
  # Six random bytes, Base64-encoded; chomp strips the trailing newline pack adds.
  salt = [Array.new(6){rand(256).chr}.join].pack("m").chomp
  # Store the salt alongside the hex digest of the password concatenated with it.
  self.password_salt, self.password_hash = salt, Digest::SHA512.hexdigest(pass + salt)
end
So when you create a new user, to store the password_hash and password_salt, simply do:
>> @user.password = password
where password is the user's plaintext password.
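The post shows how the salt and hash are stored but not the other half, checking a login attempt against them. The following is an added example, not the blog's or the app's code: a plain-Ruby stand-in for the User model (the `authenticate?` and `secure_compare` names are my own) that mirrors the salted SHA-512 scheme above and verifies a password with the stored salt.

```ruby
require 'digest/sha2'
require 'securerandom'

# Minimal stand-in for the User model described in the post.
# Note: a salted fast hash like SHA-512 defeats precomputed tables, but a
# deliberately slow KDF (bcrypt, PBKDF2) resists brute force far better.
class User
  attr_reader :password_salt, :password_hash

  # Mirrors the post's password= : fresh random salt, then SHA-512 of pass + salt.
  # SecureRandom stands in for rand(256), which is not a cryptographic RNG.
  def password=(pass)
    @password_salt = SecureRandom.base64(6)   # 6 random bytes, Base64-encoded (8 chars)
    @password_hash = Digest::SHA512.hexdigest(pass + @password_salt)
  end

  # The check the login action needs: recompute with the stored salt and compare.
  def authenticate?(pass)
    return false if password_salt.nil? || password_hash.nil?
    candidate = Digest::SHA512.hexdigest(pass + password_salt)
    secure_compare(candidate, password_hash)
  end

  private

  # Constant-time comparison so the response time does not leak how many
  # leading characters of the candidate digest matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```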
[/edit]