I felt absolutely miserable this morning (word to the wise: sukiyaki curry is NOT for the faint of stomach) and took half the day off. After I got home I was feeling rather useless, so I decided to bang out some Ruby code. And bang I did — apparently I covered something like 600 lines in 3 hours. Granted, much of that gets autogenerated for free.
Today’s big accomplishment was getting user verification, account creation, logins, and all that jazz down to a science. I now have the framework to create an account, validate it via one of those lovely “Click here to validate your account” emails, log in, restrict page access to those logged in, yadda yadda. One would think that since essentially every webapp needs this functionality there would be an easy, non-repetitive way to do it in Ruby, but since the precise specifics differ for every application I think it’s probably easiest to roll your own rather than doing a search of all the plugins that do it, figuring out which one meets your needs, and then adapting it so that it actually meets your needs. This breaks my “Do not write code someone else will write for you” rule, unfortunately.
I am decently sure that the login scheme is secure, at the moment. You can’t do any funny stuff like, e.g., intercepting a validation email to get a free login into the app. Web application developers who allow that, or its close cousin, an email with your user name and password written in it, need to have “SMTP is not secure” carved onto their eyeballs so that they will not forget. As for cross-site scripting and SQL injection attacks, well, put it this way: I’m afraid, very afraid, and will be creating a test script whose only purpose is to try both on every form and see what pops out. My code probably needs a liberal sprinkling of h at the moment (it’s a Rails convenience method which html_escapes its parameters, saving you from XSS).
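To make the “an intercepted validation email must not be a free login” property concrete, here is an added example in plain Ruby (not code from the original post or its app): clicking the emailed link only flips the account to active and burns the token, and logging in still requires the password. The Account class, the one-day token lifetime, and PBKDF2 for the password hash are assumptions made for this example.

```ruby
require 'securerandom'
require 'digest'
require 'openssl'

# Hypothetical Account class (constructed for this example, not from the post).
class Account
  attr_reader :email, :active

  def initialize(email, password)
    @email = email
    @salt = SecureRandom.hex(16)
    @password_hash = Account.hash_password(password, @salt)
    @active = false
    @activation_digest = nil   # only a digest of the token is stored, never the token
    @activation_expires = nil
  end

  def self.hash_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('sha256')).unpack1('H*')
  end

  # Constant-time comparison so password checks do not leak via timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Returns the raw token to embed in the "click here to validate" link.
  def issue_activation_token(now = Time.now)
    token = SecureRandom.urlsafe_base64(32)
    @activation_digest = Digest::SHA256.hexdigest(token)
    @activation_expires = now + 24 * 60 * 60   # assumption: links are valid for one day
    token
  end

  # Handles the click: marks the account active and burns the token (single use).
  # Deliberately returns no session: an intercepted email proves only that the
  # mailbox exists, so the user still has to log in with the password afterwards.
  def activate(token, now = Time.now)
    return false if @activation_digest.nil? || now > @activation_expires
    return false unless Digest::SHA256.hexdigest(token) == @activation_digest
    @activation_digest = nil
    @active = true
  end

  # Login requires both a completed activation and the right password.
  def authenticate(password)
    return false unless @active
    Account.secure_equal?(Account.hash_password(password, @salt), @password_hash)
  end
end
```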
One thing I have found which I really like about Rails is the scaffolding. As my program gradually gets more complicated the free scaffolding is getting replaced in functionality by the workflows my users will actually be using, but the free scaffolding with very minor modifications makes for a great development-time admin interface. Some folks apparently like having a Ruby console open and typing things like User.find(:first, :conditions => ['last_name = ?', 'Steve']) to see if Steve got added like he should have been. I rather prefer going to http://localhost:3030/users and visually scanning the resulting webpage to see if Steve is there. Of course, it would be even easier if I could figure out how to write a test that asserts the existence of Steve, and then actually run it when developing, but one baby step at a time.
I am having some difficulty getting my head around the whole test-driven-development thing. Testing for me has always been “Run, see what breaks, fix, repeat”. This is one of the bad habits I hope to fix by doing this project (no reason you can’t SkillUp* for your day job while working for your uISV).
* Did that look funny? It’s probably because it’s Japanese. I’m fairly sure it entered the language from console RPGs: when you gain a level, your skills (e.g. Swords, or whatever) sometimes get points added to them. That is written as SkillUp in Japanese, basically just by transliterating “skill up”, and anybody under the age of fifty or so both understands what it means and, what’s more impressive, uses it in daily conversation. For example, my coworker a few weeks ago said “Patrick, help me out here. I need to SkillUp in Powerpoint so I can get a job as a Project Manager at $COMPANY”.