3.5. Authentication

Now that you're creating new users and storing their passwords securely, the next step is to allow the user to log in. This involves setting up two new actions in the user controller — login and logout — and setting up partial views to display the login form and logout link.

3.5.1. The Routes

Because you are adding new actions to the RESTful user controller, the place to start is in the routes.rb file. Change the entry for users to this:

map.resources :users, :new => {:login => :post},
    :member => {:logout => :get}

This line adds a new action for login, which operates on a new or unsaved user object, and another action for logout, which operates on a single existing user object. The login action is a POST, because data is being sent to the server, and logout is a GET, which I suppose is arguable but seemed the best choice because no additional data besides the user ID is being sent to the server.

The most commonly used RESTful plugin for authentication, called restful_authentication, does this a bit differently. It creates a Sessions controller where the login method is Sessions#create and logout is Sessions#delete. There's certainly value in maintaining REST consistency, but there's not a whole lot of practical difference between the two designs, unless you have other uses for a Sessions controller.
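The two actions those routes point at, sketched in plain Ruby as an added example (not the book's code, and deliberately free of Rails so it runs on its own). It assumes a constructed User stand-in with a salted SHA-256 password hash, and a controller stand-in whose login replaces the whole session on success and whose logout only clears the session when the id in the URL matches the user who is actually logged in.

```ruby
require 'digest/sha2'
require 'securerandom'

# Minimal stand-in for the User model (constructed for this example;
# the book's real model and password code live in the earlier section).
class User
  attr_reader :id, :login

  def initialize(id, login, password)
    @id, @login = id, login
    @salt = SecureRandom.hex(16)
    @hashed = User.hash_password(password, @salt)
  end

  def self.hash_password(password, salt)
    Digest::SHA256.hexdigest("#{salt}--#{password}")
  end

  def authenticate?(password)
    User.hash_password(password, @salt) == @hashed
  end
end

# Stand-in for the controller: the session is a plain hash here.
class UsersController
  attr_reader :session

  def initialize(users)
    @users = users
    @session = {}
  end

  # POST /users/new/login  (the :new => {:login => :post} route)
  def login(params)
    user = @users.find { |u| u.login == params[:login] }
    return :invalid unless user && user.authenticate?(params[:password])
    # Start from an empty session so nothing set before login carries over
    # (the Rails equivalent would be reset_session before storing the id).
    @session = { :user_id => user.id }
    :logged_in
  end

  # GET /users/:id/logout  (the :member => {:logout => :get} route)
  def logout(id)
    # Only the user named in the session can be logged out by this request;
    # the :id in the URL is not trusted on its own.
    return :not_logged_in unless @session[:user_id] == id
    @session = {}
    :logged_out
  end
end
```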

3.5.2. The Tests

The user tests for password management have already been written. Here are the controller tests for successful login, unsuccessful login, and ...
