A TEXT POST

Rails Authenticity Token

It’s been a while since I started writing about the Rails authenticity token from scratch.

I decided to finish it today, and while looking for new references to write a better post, I came across an excellent answer on Stack Overflow and decided to re-blog it with the same words [1].

What happens: When the user views a form to create, update, or destroy a resource, the rails app would create a random authenticity_token, store this token in the session, and place it in a hidden field in the form. When the user submits the form, rails would look for the authenticity_token, compare it to the one stored in the session, and if they match the request is allowed to continue.

Why this happens: Since the authenticity token is stored in the session, the client can not know its value. This prevents people from submitting forms to a rails app without viewing the form within that app itself. Imagine that you are using service A, you logged into the service and everything is ok. Now imagine that you went to use service B, and you saw a picture you like, and pressed on the picture to view a larger size of it. Now, if some evil code was there at service B, it might send a request to service A (which you are logged into), and ask to delete your account, by sending a request to http://serviceA.com/close_account. This is what is known as CSRF (Cross Site Request Forgery).

If service A is using authenticity tokens, this attack vector is no longer applicable, since the request from service B would not contain the correct authenticity token, and will not be allowed to continue.

Notes: Keep in mind, rails only checks POST, PUT, and DELETE requests. GET requests are not checked for the authenticity token. Why? Because the HTTP specification states that GET requests should NOT create, alter, or destroy resources at the server, and the request should be idempotent (if you run the same command multiple times, you should get the same result every time).

Lessons: Use authenticity_token to protect your POST, PUT, and DELETE requests. Also make sure not to make any GET requests that could potentially modify resources on the server.

[1] http://stackoverflow.com/questions/941594/understand-rails-authenticity-token
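To make the mechanism concrete, here is a small Ruby model of the flow described above. It is an added example written for this post, not Rails' own implementation: the class and method names (CsrfProtection, form_token, verified?) are invented, the session is a plain Hash, and the hidden field is hand-built markup rather than the Rails form helper. It goes slightly beyond the post in two ways: every verb other than GET and HEAD is required to carry a token, and the stored and submitted tokens are compared in constant time rather than with ==.

```ruby
require "securerandom"

# Added illustration, not Rails' own code: a minimal model of the flow the post
# describes. A token is minted when the form is rendered, kept in the session,
# echoed in a hidden field, and checked on state-changing requests. The names
# CsrfProtection, form_token, hidden_field and verified? are made up here.
class CsrfProtection
  PARAM_NAME   = "authenticity_token".freeze
  SESSION_KEY  = :_csrf_token
  # Assumption for this example: GET and HEAD are "safe" methods that never
  # change state, so they carry no token; every other verb must present one.
  SAFE_METHODS = %w[GET HEAD].freeze

  # Rendering a form: reuse the session's token or mint a fresh random one.
  def self.form_token(session)
    session[SESSION_KEY] ||= SecureRandom.base64(32)
  end

  # The hidden field a form would embed (constructed markup, not the Rails helper).
  def self.hidden_field(session)
    %(<input type="hidden" name="#{PARAM_NAME}" value="#{form_token(session)}">)
  end

  # A request arrives: true when it may continue, false when it must be rejected.
  def self.verified?(session, http_method, params)
    return true if SAFE_METHODS.include?(http_method.to_s.upcase)
    expected = session[SESSION_KEY]
    given    = params[PARAM_NAME]
    return false if expected.nil? || given.nil?
    secure_compare(expected, given) # not ==, whose timing depends on the first differing byte
  end

  # Constant-time comparison: the time taken must not reveal where the strings differ.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walks through the scenarios from the post (service A's own form versus a request
# forged from service B) and returns what the check decided for each of them.
def csrf_scenarios
  session = {}                                   # service A's session for the logged-in user
  field   = CsrfProtection.hidden_field(session) # the user views the form at service A
  token   = field[/value="([^"]+)"/, 1]          # what the browser will send back with the form

  {
    own_form_post: CsrfProtection.verified?(session, "POST", CsrfProtection::PARAM_NAME => token),
    forged_post:   CsrfProtection.verified?(session, "POST", {}),   # service B cannot read the session: no token
    guessed_token: CsrfProtection.verified?(session, "DELETE", CsrfProtection::PARAM_NAME => "x" * token.size),
    plain_get:     CsrfProtection.verified?(session, "GET", {})     # GET is not checked at all
  }
end

puts csrf_scenarios.inspect if $PROGRAM_NAME == __FILE__
```

The forged request fails not because service B is blocked from sending it, but because the token lives only in service A's session and in the page service A rendered, so there is nothing for B to copy into the hidden field. The constant-time compare is a defensive detail of this example: with a plain string comparison the response time would shrink or grow with how many leading bytes of a submitted token matched.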

sed to update Factory Girl old syntax to the new one

I just updated Factory Girl to its latest version (3.0.0 at the moment I’m writing this) and I got lots of deprecation messages about its syntax.

As I have 44 files defining different kinds of factories, it would be a pain in the ass to open them all and update each to the new syntax. I’m too lazy for that.

I wrote a sed command and updated all of them at once.

I’m using OS X, where sed needs a backup extension, so the command backs up your files using -i.bkp. In a Linux environment you can remove that, I guess.

Hope it may help you out!

contributing to delayed job

delayed job encapsulates the common pattern of asynchronously executing longer tasks in the background.

I had to implement a way to run tasks on different servers, according to their hostname, using a --server parameter.

As I had patched delayed job to run like that, I sent a pull request in case someone else would like to use it.

They asked me if I could rename server to queue and do some more work to define a resque-style feature called named queues.

Here is the announcement: http://collectiveidea.com/blog/archives/2012/01/04/the-big-three-oh/

Reasons for contributing to open source: 

1. Different people will review your code. Don’t be ashamed of making mistakes. You can learn from them.

2. Did something different? Someone else may need it and might be facing the same problem as you.

3. You use it. It is free. Give some love back as well.

A great text that is in my bookmarks about this topic: http://shal.in/post/285909694/why-you-should-contribute-to-open-source

using url helpers outside controllers

Today I came across a problem in a Rails app: I needed some routing methods in a place where I couldn’t access them.

I had extracted a class into the lib directory to build XML documents according to some parameters, and this class has no communication with the outside world. So, to build paths and URLs dynamically where there are no URL helpers, you can either:

1. Use include to mix the routing helpers module (Rails.application.routes.url_helpers) into your class and call every routing helper directly:

Or:

2. Call only the routing helper you need through Rails.application.routes.url_helpers.route_that_i_want_path.

This is something you must use carefully; otherwise, MVC goes out the window.

konami code jquery

A few days ago, we developed a great feature for our customers at WebStore: the customer can customize their own template. However, part of it wasn’t finished and properly tested.

At first sight, we decided to leave it there and add a ‘beta’ flag, but things could go the wrong way. So we hid it and added something funny: the Konami code.

It takes only a few very simple jQuery lines:

and then you add a listener to the window element and pass it a function that executes what the feature should do:

Once this hidden feature has been properly tested, there’s no more point in leaving a Konami code there. If a customer finds it out, there’s a message saying to use it at their own risk.

(I’ll try to use gist from now on to write down codes if necessary)

zsh over bash. try it now!

OH: “zsh is much better than bash”.

Well, the only way to form my own opinion was to really test it. So I did. And here I am with some great points that make me use zsh as my default.

1. Shared history across sessions. It is magnificently great to have a command you just typed available when you need it again in another zsh session.

2. Typo correction. It is deadly great. How many times have I typed gti instead of git, raek instead of rake, and many others. zsh simply corrects you.

3. Tab completion. Bash has it too. Even so, believe me, only after using zsh can you say this: zsh’s tab completion is smarter than bash’s.

4. Many other reasons.

If you try zsh, I’m pretty sure you will not go back to bash.

rake bootstrap

As I’ve mentioned here about rake, there’s one more rake task I usually create on my projects, called rake bootstrap.

Bootstrap means a self-sustaining process that proceeds without external help [1].

A bootstrap rake task gathers everything you need to start development: database creation, migrations, populating the database with new and fresh records, an admin user if you have an admin area, and so on.

When someone clones your project, rake bootstrap is the way to start development. Run it and you are done.

[1] http://en.wikipedia.org/wiki/Bootstrapping
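Here is what such a task looks like when the steps are chained as rake prerequisites. This is an added example, not the author’s Rakefile: an in-memory Hash stands in for the project database so it runs offline, the db:create/db:migrate/db:seed names follow the usual Rails task names but their bodies here are stand-ins, and admin:create is a hypothetical task name. It also goes a step beyond the post by making each step safe to rerun, so a second rake bootstrap on an already set-up clone does no harm.

```ruby
require "rake"
include Rake::DSL

# Constructed in-memory stand-in for the project database, so the tasks run
# offline. In a Rails app these steps would be db:create, db:migrate, db:seed
# and a task creating the first admin user (admin:create is a made-up name).
DB = {}

task "db:create" do
  DB[:tables] ||= {}                       # "create the database" once
end

task "db:migrate" => "db:create" do
  DB[:tables][:users] ||= []               # "run the migrations"
  DB[:schema_version] = 20120101           # constructed version number
end

task "db:seed" => "db:migrate" do
  # fresh sample records a developer can work against (constructed data);
  # array union keeps the seed from being inserted twice
  DB[:tables][:users] |= [{ name: "alice", admin: false }, { name: "bob", admin: false }]
end

task "admin:create" => "db:migrate" do
  users = DB[:tables][:users]
  # only add the admin once, so running bootstrap twice is harmless
  users << { name: "admin", admin: true } unless users.any? { |u| u[:admin] }
end

desc "Everything a fresh clone needs before development can start"
task bootstrap: ["db:create", "db:migrate", "db:seed", "admin:create"]

# Runs `rake bootstrap` in-process and returns the resulting database state.
# Rake runs each prerequisite once per process, in the order listed.
def run_bootstrap
  Rake::Task.tasks.each(&:reenable)        # allow invoking more than once per process
  Rake::Task["bootstrap"].invoke
  DB
end

puts run_bootstrap.inspect if $PROGRAM_NAME == __FILE__
```

Declaring bootstrap as a task with only prerequisites keeps it readable: the list itself documents what a fresh clone needs, and each step stays individually runnable (rake db:seed alone still works).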

keep an empty directory on git

Sometimes, for whatever reason, you need to keep an empty directory in git so it is visible to everyone working on the same project.

If you only create the directory, git status won’t recognize it, because git tracks files, not directories.

To track the empty directory, touch a file called .gitkeep inside that directory.

Once that’s done, the directory starts showing up in git status.

rake build

Projects I’ve usually worked on have at least two different testing frameworks, Cucumber and RSpec.

It is boring as hell to do this every single time:

$ rspec

and wait, and then, when you realize it has finished:

$ cucumber

So I always create a new rake task named ‘build’ with something like this:

desc "Run all tests"
task :build do
  # drop cucumber's rerun file left by the previous run; rm_f does not complain if it is absent
  rm_f "rerun.txt"
  # stop at the first failing suite: a non-zero exit from system returns false
  raise 'Error on rspec. Fix it, bro' unless system "bundle exec rspec spec"
  raise 'Error on cucumber plain. Fix it, bro' unless system "bundle exec cucumber"
end

You only need to call ‘rake build’ to run your whole test suite.

short methods on json ruby library

There are two great methods that might be really helpful when you need to print a hash as JSON.

Try it out:

>> require 'json'
>> hash = { :foo => 1, :bar => { :baz => 2 } }
>> jj hash

This will print for you:

{
  "foo": 1,
  "bar": {
    "baz": 2
  }
}

If you are a one-line lover, you can also use j instead of jj:

>> j hash
{"foo":1,"bar":{"baz":2}}