In this tutorial segment I upgrade the league application to use the new ui-grid (ng-grid 3.0). Note that ui-grid is at this time still early beta, but offers the likelihood of better performance, a cleaner interface, easier edit in place, and removes the previous dependency on jQuery.
In this portion of the tutorial we add Devise integration to provide logon to the application, and provide custom pages for password reset and account unlock. This content is based somewhat on the equivalent content from the rails 3 version of the tutorial.
This will break down into three main elements:
- Provision of a registration page that matches the Devise expectations and calls the Devise register method and password change method
- Provision of a logon page that matches the Devise expectations and that calls the Devise logon method and associated methods such as password resets etc
- Provision of functionality such that AngularJS can detect that a user is not logged on and redirect the user to the logon page, rather than just having each server interaction fail
If you’ve dropped into the middle of the tutorial, you can find the code for the previous section at github: PaulL : tutorial_9. You can go to the index page for this tutorial, or you can hit the tutorial menu above and see all the posts in the Rails 4 tutorial.
In this edition I use a custom matcher to provide tailored failure messages on my Jasmine expect() statements, allowing me to get context information other than “expected ‘true’ to equal ‘false'”.
I’ve been working to flesh out the functional tests for our application – I had allowed them to fall a little into disrepair whilst I did some architectural change, and it was time to refresh the suite.
As part of my architectural changes on the application itself I had refactored a lot of code to make it common. Looking at the functional test suite it looked like it needed the same treatment. In refactoring this code I wrote some helper routines, including one that checked (for each of view, editClean, editDirty modes) whether the correct fields and buttons were enabled. All well and good, but the core of that logic was a loop through a hash, and Jasmine/Protractor reports only the line number – not which iteration through the hash we were on. Making debugging annoying – how do we tell which field it is that is enabled but shouldn’t be?
So, whilst on holiday and pondering the future somewhat, it occurred to me that it’d be nice to register for posterity my current views on some things. The main point being to put a peg in the sand at a point in time and say “I think x”, and to come back in the future and view that to see how your views have changed over time.
I thought I’d start with my views on global warming. If you’re here for the technology stuff, I suggest you don’t read this – it doesn’t relate to technology. :-)
I’ve been working further on my application, and run into a few challenges and issues with CSRF, so I’m elaborating a bit on my earlier post. At some point my tutorials will be updated to deal with this, but for now this is a place holder that describes what CSRF protection does, where the issues lie, and what resolutions I’ve found to the overall problem.
Firstly, it seems that there are two general developer classes with Rails – those who are developing a Rails web application and therefore use Rails to create the pages, and those who are building an API using Rails, and seem to turn off CSRF protection and use an API key to authenticate (in a sense I see an API key as a long-lived username and password, so I’m not a big fan for applications that require strong security).
I’m living in a middle space – the application front-end is all AngularJS, and it’s calling Rails asynchronously using JSON. But I’m still aiming to use Devise as my authentication engine, and I want to use CSRF to protect against malicious scripts that manipulate the API without the user knowing it. The default configurations don’t really appear to deal with this situation well.
In discussing the solution, I’ll start with a simplified discussion of what CSRF protection should and shouldn’t do, and then what pieces are needed to integrate (reasonably) cleanly.
I’ve been building a trial version of our production environment, hosted on AWS. I’m using debian as it’s what I’m most familiar with, and I’ve chosen to use puma to serve the rails end of the site.
Puma comes with an init.d script, and a control process called pumactl. These were non-trivial to get working, particularly when also using rvm, so I thought I’d document what I did in case someone else wants to do the same. The script uses great terminology based around the puma theme, so we have a jungle of pumas which may or may not come out to play. In essence you can have multiple puma instances on your server, each serving a different application.
I’ve been working on creating a sample infrastructure on Amazon. I’m choosing to use the Debian AMI, mostly because all my servers for a number of years have been Debian, and I’m familiar with it. I wanted to install the logcheck package so I could get notifications, and in turn I wanted those messages to be mailed to me on my home mail address so I could review them.
Mail on AWS is sent using Amazon SES. There are instructions in the Amazon documentation for configuring exim, and I found different instructions around the net, but in general they resulted in all local mail also being delivered via SES. This is a problem for me as I haven’t configured any mail receipt for this domain, so lots of mail went into the aether, as well as being generally inefficient to send local mail out via SES. Finally, some of the configurations appeared to be pushing usernames and passwords into the exim config file, which I didn’t like much.
I managed to navigate my way to a more standard exim4 configuration that works, this documents how to achieve that.