I'm building an app that has 3 models (Customer, Points, Admin). Customer has Points, Points belong to Customer. Then Admin has user_name and password_hash as attributes, storing the passwords via Bcrypt. Once a customer searches themselves via phone number, then their points show up. But to add points, an admin has to log in with just a password (code of 4 digits) then get access to adding points.

I'm having trouble figuring out how to find the admin via only a password, not user_name and password.

    class AdminsController < ApplicationController

      def new
        @admin = Admin.new
      end

      def create
        # instance variable must be @admin (lower case) to match the save check below
        @admin = Admin.new(admin_params)
        if @admin.save
          redirect_to root_path
        else
          flash[:error] = "incorrect data, please check form"
          # render the template, not a path helper
          render :new
        end
      end

      def login
        @customer = Customer.find(params[:id])

        # Get the input password
        inputed_password = params[:password]
        # Change the inputed password into a password hash
        # inputed_password_hash (NEED HELP HERE)

        # Compare the password hash with password hashes in the Admin model/database
        # to see if it exists.
        # if true, send to add points page
        # if false, send back to customer page

        if Admin.find_by(password_hash: inputed_password_hash)
          redirect_to new_points_path
        else
          # send back to this customer's page (a redirect, since customer_path needs a record)
          redirect_to customer_path(@customer)
        end
      end

      private

      def admin_params
        params.require(:admin).permit(:user_name, :password, :password_confirmation)
      end
    end
ravip0711
  • Part of what makes password digests secure is that it should not be easy to find a record by its password alone. You have already found the user by phone number though, so can't you get the username from there, and then use that in conjunction with the password that the user entered to verify the login credentials? – Steve Jorgensen Feb 27 '16 at 20:08
  • "password (code of 4 digits)": Doesn't seem you are very interested in security. Can I use 0000? If there is any value in the points you need decent security such as two factor authentication. – zaph Feb 27 '16 at 22:04
  • It's for an internal business tool. I will probably even have a super admin that needs to log in to be able to open up the app. Then the app can be used. It's for creating something like a retail rewards app. The customer just needs to fill in their telephone number, which then brings them to their own show page showing their points. The retail employee ("Admin" in this case) needs just a quick passcode entered at the bottom of the page to be able to add points to the customer's account after they've purchased something. – ravip0711 Feb 28 '16 at 01:31
  • I wanted to be able to track which employee added points to which customer, which is why I even had an Admin model. Otherwise I would have just had a default passcode (one passcode) for all the employees to add points. – ravip0711 Feb 28 '16 at 01:40
  • It doesn't have to be crazy secure because the app is only going to be accessible to the retail business and the employees. The passcode is only to prevent customers from adding points to their own account; the employee will do this. But I don't want to have the employee constantly log in with a user_name and password, just a quick password that enables adding points, and the authorization ends after the points have been added, so for the next customer they would use just their password (passcode) again. – ravip0711 Feb 28 '16 at 01:43
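
Added example, not code from the question or its comments: a plain-Ruby sketch of why `Admin.find_by(password_hash: ...)` cannot work against a salted digest and what the check has to look like instead. It assumes OpenSSL's PBKDF2 from the Ruby standard library as a stand-in for the bcrypt gem (same salting idea, runs without Rails); the `create_digest`, `digest_matches?` and `admin_for_passcode` names and the `ADMINS` rows are constructed here.

```ruby
require "openssl"
require "securerandom"

# Assumption: PBKDF2-HMAC-SHA256 from the OpenSSL stdlib stands in for bcrypt.
ITERATIONS = 50_000

# Like BCrypt::Password.create: a fresh random salt goes into every digest,
# so the same passcode never produces the same stored value twice.
def create_digest(passcode)
  salt = SecureRandom.hex(16)
  key = OpenSSL::KDF.pbkdf2_hmac(passcode, salt: salt, iterations: ITERATIONS,
                                 length: 32, hash: "sha256")
  "#{salt}:#{key.unpack1('H*')}"
end

# Constant-time comparison, so a mismatch does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Like `BCrypt::Password.new(digest) == passcode`: recompute with the salt
# stored inside the digest and compare the result.
def digest_matches?(digest, passcode)
  salt, hex = digest.split(":", 2)
  key = OpenSSL::KDF.pbkdf2_hmac(passcode, salt: salt, iterations: ITERATIONS,
                                 length: 32, hash: "sha256")
  secure_equal?(key.unpack1("H*"), hex)
end

# `find_by(password_hash: ...)` needs one digest to look up; with salted digests
# there is none, since hashing "1234" twice gives two different values.
def lookup_by_digest_possible?(passcode)
  create_digest(passcode) == create_digest(passcode)
end

# The check that does work: verify the candidate against each record's own
# digest. Linear in the number of admins and ambiguous if two admins chose the
# same 4-digit code, which is why the comments suggest identifying the
# employee first and then verifying that one record.
def admin_for_passcode(admins, candidate)
  admins.find { |admin| digest_matches?(admin[:password_hash], candidate) }
end

# Constructed sample rows standing in for the Admin table.
ADMINS = [
  { user_name: "alice", password_hash: create_digest("1234") },
  { user_name: "bob",   password_hash: create_digest("4321") },
].freeze
```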

0 Answers