This repository has been archived by the owner on Mar 20, 2019. It is now read-only.

[Test Post] Access to a running Whenbot app must be password protected #1

Open
M7 opened this issue Apr 17, 2012 · 4 comments
Comments


M7 commented Apr 17, 2012

Since Whenbot will be hosted on Heroku, the app itself should be protected by a login and password.

As Tristan suggested below, we'll be going with a single password field for authentication.

Requirements

  1. When the User runs the install command, they're asked to include their password.
    • E.g. rails generate whenbot:install --password=my_password
  2. There should be a method that can be run as a before_filter in the controllers to ensure that a user is logged in.
  3. When the User visits any page without an active, authenticated session, they are redirected to an unlock page that requests their password.
  4. The password must be encrypted when stored in the database.
  5. Bonus: Allow the user to also include their email address during setup, so that Whenbot can email the User if needed.

Feel free to ask any questions that you may have.

This feature should be developed via Test Driven Development. Either way, a proper set of tests is required for this to be pulled into the main repository.

Contributing

If you'd like to work on this, and no-one else has assigned this task to themselves yet, assign this task to yourself. You can do this by clicking the gear icon beside the "No one is assigned" text above, and selecting your name.

If someone else beat you to it, do not reassign the task to yourself. Instead, check the comments (below) to see if they added a comment that says "Accepting teammates."

If you see "Accepting teammates" and would like to join in, add a post here to say so and connect. You can also try reaching out to the original assignee via a private message or email.

Working in pairs or teams is encouraged. If you managed to snag this task by being the first to assign it to yourself, consider working with a teammate or two. To let people know you'd like to team up, add a comment below saying "Accepting teammates."

Keep an eye on new comments for this task, there may be someone reaching out to work with you.

Implementation

This can be implemented anyway you want. You may choose to use a pre-existing solution, such as Devise, or roll your own.

If you're interested in writing password protected login from scratch, read sections 7.1 and 7.2 of the Rails Tutorial Book for some hints.

You may want to supplement it with this section of the Rails Tutorial book, ignoring the parts about the username and email. It will walk you through creating a user account.

Testing hints:

Here are a few test ideas to get you started:

  1. Write a test that
    1. Gets the /whenbot/tasks/ page
    2. Asserts that you're redirected to the login page
  2. Run the tests, make sure it fails.
  3. Implement the code needed to make the test pass
  4. Write a Capybara test that
    1. Visits the /whenbot/tasks/ page without signing in
    2. Checks that you're redirected to a page that has the content "Enter Password"
    3. Fills in the password field with your password (set via a Factory)
    4. Clicks on the "Sign In" button
    5. Checks that you're successfully logged in and brought to the /whenbot/tasks/ page
  5. Run the tests, make sure it fails.
  6. Implement the code needed to make the test pass
  7. Write a test that
    1. Logs into a User's account
    2. Visits the /whenbot/tasks/new page
    3. Asserts that you're not redirected away from the /whenbot/tasks/new page
    4. Asserts that the page contains text that says "Trigger Channel" (as in "Choose a Trigger Channel")
  8. Run the test, make sure it fails
  9. Write the code needed to make the test pass
  10. Add in any other functionality using TDD.
@ghost ghost assigned M7 Apr 17, 2012
@trishume (Contributor) commented:

I like the idea of having a generator/rake task that sets up the account. That would ensure that malicious users can't use the signup form to create their own account.

It is also possible to use just a password and no email since there is only a single user. It would decrease security a bit if people used bad passwords but it would increase simplicity and ease of use. I also like the idea of a single-field login form. More of an unlock than a login.

@ghost ghost assigned M7 and trishume Apr 17, 2012

M7 commented Apr 17, 2012

Good points Tristan, thanks.

I like the idea of having a single-field login, and grabbing the password through the generator would work nicely for that.

Under the hood, the password should probably be encrypted though. Maybe that could wait until iteration two of this feature, if someone wants to jump on this.

But, I wasn't expecting anyone to see this yet... I was just testing, hah! Did you get a notification email about this, or did you just happen to notice it in the Whenbot repo?

Anyway, here's what I'm thinking, maybe you can give me your thoughts:

  1. We can post all of the tasks here as "Issues"
  2. Each task would be organized by label (e.g. channel-development, ui, whenbot-app, etc.), so that people can focus on the parts that they'd be interested in contributing to.
  3. Each Issue would have a description of the task, along with some sub-tasks to help get them started.
    • For example, this Issue had a few steps to get this started with TDD.
  4. Contributors can let others know that they're working on a task by assigning it to themselves.
  5. The first person to assign themselves to a task can add a comment saying something like "I'd be up for working on this with a teammate or two," to let others who may be interested in a particular feature / Channel participate as well.

Other possible options are:

  1. Use Pivotal Tracker (http://pivotaltracker.com)
  2. Use Trello (http://trello.com)

I'm leaning towards Github Issues since it makes it easy to have a discussion about the additions. People can ask questions about implementation and whatnot right in a specific task, if they'd like. And, as an added bonus, it keeps everything in one place.

What do you think?

P.S. @trishume: Ignore being assigned to this issue. I was testing if more than one person can be assigned. Turns out, they can't. :\

Thanks,
Mike

@trishume (Contributor) commented:

Sounds good to me.

I received an email notification as I am part of the github organization.

Encryption would be very easy to implement as ruby has hashing built in to the standard library. See http://stackoverflow.com/questions/34490/how-do-i-create-a-sha1-hash-in-ruby

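As an added example (not Whenbot project code and not part of this thread), here is how the requirements in the issue description (install-time password, a before_filter-style check, redirect to an unlock page, hashed storage) and the hashing point in the comment above fit together in plain Ruby, kept framework-free so it runs stand-alone. It stores a salted PBKDF2-HMAC-SHA256 digest from Ruby's bundled openssl library rather than a bare SHA-1 of the password: an unsalted fast hash of a single password is cheap to brute-force if the database or a Heroku config dump ever leaks, and the comparison is done in constant time. The module names Whenbot::Unlock and Whenbot::Guard, the session keys and the return symbols are assumptions made for the example.

```ruby
# Added example, not Whenbot's own code. Names (Whenbot::Unlock,
# Whenbot::Guard, session[:unlocked]) are hypothetical.
require 'openssl'
require 'securerandom'

module Whenbot
  # Stores and checks the single install-time password.
  # What goes in the database is a salted PBKDF2-HMAC-SHA256 digest,
  # never the password and never a plain SHA-1 of it: the random salt
  # defeats precomputed tables and the iteration count makes each guess
  # slow if the stored value leaks.
  module Unlock
    ITERATIONS = 100_000
    KEY_BYTES  = 32

    # Returns a self-describing string "pbkdf2-sha256$iterations$salt$hash"
    # (hex fields) that fits in one string column. This is what the
    # install generator would write after `--password=...`.
    def self.digest(password, iterations: ITERATIONS, salt: SecureRandom.random_bytes(16))
      key = OpenSSL::PKCS5.pbkdf2_hmac(password.to_s, salt, iterations, KEY_BYTES,
                                       OpenSSL::Digest.new('SHA256'))
      ['pbkdf2-sha256', iterations.to_s, salt.unpack1('H*'), key.unpack1('H*')].join('$')
    end

    # Re-derives the key with the stored parameters and compares in
    # constant time, so response timing does not leak how many leading
    # bytes of the digest matched.
    def self.verify(stored, candidate)
      scheme, iters, salt_hex, hash_hex = stored.to_s.split('$', 4)
      return false unless scheme == 'pbkdf2-sha256' && iters && salt_hex && hash_hex
      expected = [hash_hex].pack('H*')
      actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate.to_s, [salt_hex].pack('H*'),
                                          iters.to_i, expected.bytesize,
                                          OpenSSL::Digest.new('SHA256'))
      secure_compare(expected, actual)
    end

    # Constant-time byte comparison: OR together every byte difference
    # instead of returning at the first mismatch.
    def self.secure_compare(a, b)
      return false unless a.bytesize == b.bytesize
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
    end
    private_class_method :secure_compare
  end

  # The before_filter half of the requirement, modelled on a plain session
  # Hash so it runs outside Rails. In the app this would be
  # `before_filter :require_unlock`, with :redirect_to_unlock becoming
  # `redirect_to unlock_path`.
  class Guard
    def initialize(stored_digest)
      @stored_digest = stored_digest
    end

    # :ok when the session has been unlocked, otherwise the controller
    # should redirect to the "Enter Password" page.
    def check(session)
      session[:unlocked] == true ? :ok : :redirect_to_unlock
    end

    # Handles the unlock form. Session state is cleared on success; in
    # Rails, also call reset_session so the session id is rotated and a
    # pre-login cookie cannot be reused (session fixation).
    def unlock!(session, password)
      return false unless Unlock.verify(@stored_digest, password)
      session.clear
      session[:unlocked] = true
      true
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  stored  = Whenbot::Unlock.digest('my_password')   # done once, at install time
  guard   = Whenbot::Guard.new(stored)
  session = {}
  puts guard.check(session)                          # :redirect_to_unlock
  guard.unlock!(session, 'my_password')
  puts guard.check(session)                          # :ok
end
```

The iteration count is a tunable: 100,000 PBKDF2 rounds costs a noticeable fraction of a second per unlock attempt, which is the point, and the count is stored alongside the hash so it can be raised later without invalidating the existing value. Any framework-provided alternative such as bcrypt gives the same salted, slow property and would be a fine substitute.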

M7 commented Apr 17, 2012

Dang. Sorry about that everyone, I wasn't expecting the email notifications! :\

Well, y'all can expect a whole bunch of notifications for the tasks by next Tuesday then, heh. I'll try and write them out beforehand and post them at the same time, so at least it's just one big burst.

(I'll see if there's a way to somehow disable the notifications temporarily for everyone though.)

Cool, thanks for the feedback Tristan!

If anyone has any thoughts or suggestions on this, feel free to post here, or in the Google Group.

Thanks,
Mike
